From mitja.mihelic at arnes.si Thu Jun 18 08:07:58 2015
From: Mitja Mihelič <mitja.mihelic at arnes.si>
To: users at ovirt.org
Subject: [ovirt-users] LDAP bind DN generation problem
Date: Thu, 18 Jun 2015 14:07:55 +0200
Message-ID: <5582B49B.6000803@arnes.si>
Hi!
We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the LDAP domain on the login screen. Only internal is available.
Our LDAP server is actually a 389DS instance and we are using it for authentication in oVirt without Kerberos. The existing setup has worked since the days of 3.2.
When we try to validate the domain, we get
[root@brda ~]# engine-manage-domains validate
Error: Cannot authenticate user ovirt to domain guest.arnes.si, details: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
Failure while testing domain guest.arnes.si. Details: Cannot authenticate user to LDAP server.
The LDAP log reports
[18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
As you can see there is a comma missing before "dc=guest,dc=arnes,dc=si".
Before the upgrade the bind DN was generated properly as
[18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3
This looks like a bug.
Is there a quick fix we can do to fix this typo?
We are also interested in knowing what is the correct way in 3.5 to add a domain that uses an LDAP server for its authentication source without Kerberos.
Kind regards, Mitja
--
--
Mitja Mihelič
ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 8800, fax: +386 1 479 88 99
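
A way to check bind DNs in a 389DS access log for the symptom reported above, as an added example that is not part of the original message and not oVirt or 389DS code. The two BIND lines are the ones quoted in the message; the RESULT lines are constructed, and the base DN `dc=arnes,dc=si` is taken from later in the thread.

```python
import re

# BIND and RESULT records of a 389DS access log, keyed by conn/op.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="((?:[^"\\]|\\.)*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514)."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    return [p.strip() for p in parts]


def parse_dn(dn):
    """Return [(attribute_type, value), ...] with the type lower-cased."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr or not value:
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def check_bind_dn(dn, base_dn):
    """Return findings for one bind DN; an empty list means it looks sane."""
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    for attr, value in rdns:
        # An unescaped '=' inside a value is legal but rare; here it is the
        # trace of two RDNs concatenated without a separating comma.
        if "=" in re.sub(r"\\.", "", value):
            findings.append("possible missing comma in RDN %s=%s" % (attr, value))
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    tail = [(a, v.lower()) for a, v in rdns[-len(base):]]
    if tail != base:
        findings.append("DN is not under base %s" % base_dn)
    return findings


def scan_access_log(lines, base_dn):
    """Report every non-anonymous BIND whose DN has findings, with its result code."""
    binds, results = [], {}
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            binds.append(((m.group(1), m.group(2)), m.group(3)))
            continue
        m = RESULT_RE.search(line)
        if m:
            results[(m.group(1), m.group(2))] = int(m.group(3))
    report = []
    for key, dn in binds:
        findings = check_bind_dn(dn, base_dn) if dn else []
        if findings:
            report.append({"conn": key[0], "op": key[1], "dn": dn,
                           "err": results.get(key), "findings": findings})
    return report


SAMPLE_LOG = [
    # BIND lines as quoted in the message above.
    '[18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3',
    # Constructed RESULT line for the working bind.
    '[18/Jun/2015:12:42:45 +0200] conn=10219 op=0 RESULT err=0 tag=97 nentries=0 etime=0',
    '[18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3',
    # Constructed RESULT line matching the "error code 32" in the message.
    '[18/Jun/2015:13:52:38 +0200] conn=3 op=0 RESULT err=32 tag=97 nentries=0 etime=0',
]

if __name__ == "__main__":
    for entry in scan_access_log(SAMPLE_LOG, "dc=arnes,dc=si"):
        print(entry)
```

The malformed DN still parses as a valid DN, because `Peopledc=guest` is an acceptable RDN value; that is why the server answers with error 32 (No Such Object) rather than a syntax error.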
From omachace at redhat.com Thu Jun 18 08:50:00 2015
From: Ondra Machacek
To: users at ovirt.org
Subject: Re: [ovirt-users] LDAP bind DN generation problem
Date: Thu, 18 Jun 2015 14:49:57 +0200
Message-ID: <5582BE75.2000003@redhat.com>
In-Reply-To: 5582B49B.6000803@arnes.si
On 06/18/2015 02:07 PM, Mitja Mihelič wrote:
> Hi!
Hi
>
> We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the LDAP domain on the login screen. Only internal is available.
> Our LDAP server is actually a 389DS instance and we are using it for authentication in oVirt without Kerberos. The existing setup has worked since the days of 3.2.
>
> When we try to validate the domain, we get
> [root@brda ~]# engine-manage-domains validate
> Error: Cannot authenticate user ovirt to domain guest.arnes.si, details: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
> Failure while testing domain guest.arnes.si. Details: Cannot authenticate user to LDAP server.
>
> The LDAP log reports
> [18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
> As you can see there is a comma missing before "dc=guest,dc=arnes,dc=si".
>
> Before the upgrade the bind DN was generated properly as
> [18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3
So what is your search user's DN?
Is it:
dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"
or
dn="uid=ovirt,ou=People,dc=arnes,dc=si"
Is it possible for you to try if a different user works fine?
Because a user with a very similar DN works for me just OK.
>
> This looks like a bug.
> Is there a quick fix we can do to fix this typo?
>
> We are also interested in knowing what is the correct way in 3.5 to add a domain that uses an LDAP server for its authentication source without Kerberos.
Please see the following links:
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
* http://www.ovirt.org/Features/AAA
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
* https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>
> Kind regards, Mitja
> --
> --
> Mitja Mihelič
> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
> tel: +386 1 479 8800, fax: +386 1 479 88 99
>
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
From ftp-admin at arnes.si Fri Jun 19 04:25:21 2015
From: Mitja Mihelič <ftp-admin at arnes.si>
To: users at ovirt.org
Subject: Re: [ovirt-users] LDAP bind DN generation problem
Date: Fri, 19 Jun 2015 10:25:18 +0200
Message-ID: <5583D1EE.7030002@arnes.si>
In-Reply-To: 5582BE75.2000003@redhat.com
On 18/06/15 14:49, Ondra Machacek wrote:
> On 06/18/2015 02:07 PM, Mitja Mihelič wrote:
>> Hi!
> Hi
>>
>> We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the LDAP domain on the login screen. Only internal is available.
>> Our LDAP server is actually a 389DS instance and we are using it for authentication in oVirt without Kerberos. The existing setup has worked since the days of 3.2.
>>
>> When we try to validate the domain, we get
>> [root@brda ~]# engine-manage-domains validate
>> Error: Cannot authenticate user ovirt to domain guest.arnes.si, details: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
>> Failure while testing domain guest.arnes.si. Details: Cannot authenticate user to LDAP server.
>>
>> The LDAP log reports
>> [18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
>> As you can see there is a comma missing before "dc=guest,dc=arnes,dc=si".
>>
>> Before the upgrade the bind DN was generated properly as
>> [18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3
>
> So what is your search user's DN?
> Is it:
> dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"
>
> or
>
> dn="uid=ovirt,ou=People,dc=arnes,dc=si"
>
> Is it possible for you to try if a different user works fine?
> Because a user with a very similar DN works for me just OK.
At the time of posting I did not notice the difference, thanks for the spot. The correct DN is dn="uid=ovirt,ou=People,dc=arnes,dc=si".
Although that means that after upgrading to 3.5 the DN for the search user is formatted differently when issuing an LDAP bind request.
In the end we noticed that the AAA part of oVirt was reworked in 3.5. We deleted the old LDAP domain that we manually inserted into the database back in 3.2 days. Then we added LDAP as an authentication source as per AAA instructions, which we found a bit vague. The README on GitHub for the AAA extension provided most of the information.
We also found that the format of external_id in the users table had been changed from fdfc627c-d875-11e0-90f0-83df133b58cc to fdfc627c-d87511e0-90f083df-133b58cc. So naturally users could not log in. Instead additional users were created with this new format external_id, a namespace with "dc=arnes,dc=si" and a new user_id.
We manually deleted the faux users, updated the external_id to the new format and added a namespace entry for existing users.
That worked for us.
Kind regards, Mitja
>
>>
>> This looks like a bug.
>> Is there a quick fix we can do to fix this typo?
>>
>> We are also interested in knowing what is the correct way in 3.5 to add a domain that uses an LDAP server for its authentication source without Kerberos.
>
> Please see the following links:
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
> * http://www.ovirt.org/Features/AAA
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
> * https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>
>>
>> Kind regards, Mitja
>> --
>> --
>> Mitja Mihelič
>> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
>> tel: +386 1 479 8800, fax: +386 1 479 88 99
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>
From mitja.mihelic at arnes.si Fri Jun 19 06:39:16 2015
From: Mitja Mihelič <mitja.mihelic at arnes.si>
To: users at ovirt.org
Subject: Re: [ovirt-users] LDAP bind DN generation problem
Date: Fri, 19 Jun 2015 12:39:14 +0200
Message-ID: <5583F152.9050204@arnes.si>
In-Reply-To: 5582BE75.2000003@redhat.com
On 18/06/15 14:49, Ondra Machacek wrote:
> On 06/18/2015 02:07 PM, Mitja Mihelič wrote:
>> Hi!
> Hi
>>
>> We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the LDAP domain on the login screen. Only internal is available.
>> Our LDAP server is actually a 389DS instance and we are using it for authentication in oVirt without Kerberos. The existing setup has worked since the days of 3.2.
>>
>> When we try to validate the domain, we get
>> [root@brda ~]# engine-manage-domains validate
>> Error: Cannot authenticate user ovirt to domain guest.arnes.si, details: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
>> Failure while testing domain guest.arnes.si. Details: Cannot authenticate user to LDAP server.
>>
>> The LDAP log reports
>> [18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
>> As you can see there is a comma missing before "dc=guest,dc=arnes,dc=si".
>>
>> Before the upgrade the bind DN was generated properly as
>> [18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3
>
> So what is your search user's DN?
> Is it:
> dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"
>
> or
>
> dn="uid=ovirt,ou=People,dc=arnes,dc=si"
>
> Is it possible for you to try if a different user works fine?
> Because a user with a very similar DN works for me just OK.
At the time of posting I did not notice the difference, thanks for the spot. The correct DN is dn="uid=ovirt,ou=People,dc=arnes,dc=si".
Although that means that after upgrading to 3.5 the DN for the search user is formatted differently when issuing an LDAP bind request.
In the end we noticed that the AAA part of oVirt was reworked in 3.5. We deleted the old LDAP domain that we manually inserted into the database back in 3.2 days. Then we added LDAP as an authentication source as per AAA instructions, which we found a bit vague. The README on GitHub for the AAA extension provided most of the information.
We also found that the format of external_id in the users table had been changed from fdfc627c-d875-11e0-90f0-83df133b58cc to fdfc627c-d87511e0-90f083df-133b58cc. So naturally users could not log in. Instead additional users were created with this new format external_id, a namespace with "dc=arnes,dc=si" and a new user_id.
We manually deleted the faux users, updated the external_id to the new format and added a namespace entry for existing users.
That worked for us.
Kind regards, Mitja
>
>>
>> This looks like a bug.
>> Is there a quick fix we can do to fix this typo?
>>
>> We are also interested in knowing what is the correct way in 3.5 to add a domain that uses an LDAP server for its authentication source without Kerberos.
>
> Please see the following links:
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
> * http://www.ovirt.org/Features/AAA
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
> * https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>
>>
>> Kind regards, Mitja
>> --
>> --
>> Mitja Mihelič
>> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
>> tel: +386 1 479 8800, fax: +386 1 479 88 99
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>
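
A dry-run planner for the account cleanup described in the message above, as an added example that is not part of the original message and not oVirt code. The 8-8-8-8 regrouping is inferred from the single external_id pair quoted in the message; the row dictionaries, the user_id values and the second identifier are constructed, and only the names external_id, user_id and namespace come from the message.

```python
import re

# Pre-3.5 form quoted in the message: 8-4-4-4-12 hex digits.
LEGACY_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# 3.5 form quoted in the message: the same 32 hex digits grouped 8-8-8-8.
NEW_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{8}){3}$", re.I)


def to_new_format(external_id):
    """Regroup a legacy external_id into the 8-8-8-8 form (assumed mapping)."""
    if NEW_RE.match(external_id):
        return external_id.lower()
    if not LEGACY_RE.match(external_id):
        raise ValueError("unrecognised external_id: %r" % external_id)
    digits = external_id.replace("-", "").lower()
    return "-".join(digits[i:i + 8] for i in range(0, 32, 8))


def plan_reconciliation(rows, namespace):
    """Return the ordered actions needed to fold duplicates back into the
    pre-upgrade accounts. Nothing is written anywhere; this only plans.

    rows: list of dicts with user_id, external_id and namespace keys.
    """
    by_new_id = {r["external_id"].lower(): r
                 for r in rows if NEW_RE.match(r["external_id"])}
    actions = []
    for row in rows:
        ext = row["external_id"]
        if NEW_RE.match(ext):
            continue  # already in the new form; handled via its legacy twin
        if not LEGACY_RE.match(ext):
            actions.append(("review", row["user_id"], ext))
            continue
        new_id = to_new_format(ext)
        duplicate = by_new_id.get(new_id)
        if duplicate is not None:
            # Account auto-created at first login after the upgrade.
            actions.append(("delete", duplicate["user_id"]))
        actions.append(("update", row["user_id"], new_id, namespace))
    return actions


# Constructed rows; only the first external_id pair is from the message.
SAMPLE_ROWS = [
    {"user_id": "u-1", "external_id": "fdfc627c-d875-11e0-90f0-83df133b58cc",
     "namespace": None},
    {"user_id": "u-2", "external_id": "fdfc627c-d87511e0-90f083df-133b58cc",
     "namespace": "dc=arnes,dc=si"},
    {"user_id": "u-3", "external_id": "0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d",
     "namespace": None},
    {"user_id": "u-4", "external_id": "not-an-id", "namespace": None},
]

if __name__ == "__main__":
    for action in plan_reconciliation(SAMPLE_ROWS, "dc=arnes,dc=si"):
        print(action)
```

Deleting the duplicate before updating the original keeps the new-format external_id unique at every step, and any permissions granted to the duplicate account would need to be reviewed before it is removed.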
From alonbl at redhat.com Fri Jun 19 06:44:51 2015
From: Alon Bar-Lev
To: users at ovirt.org
Subject: Re: [ovirt-users] LDAP bind DN generation problem
Date: Fri, 19 Jun 2015 06:44:48 -0400
Message-ID: <1656866571.11495886.1434710688457.JavaMail.zimbra@redhat.com>
In-Reply-To: 5583F152.9050204@arnes.si
----- Original Message -----
> From: "Mitja Miheli=C4=8D"
> To: "Ondra Machacek" , users(a)ovirt.org
> Sent: Friday, June 19, 2015 1:39:14 PM
> Subject: Re: [ovirt-users] LDAP bind DN generation problem
> =
> On 18/06/15 14:49, Ondra Machacek wrote:
> =
> =
> On 06/18/2015 02:07 PM, Mitja Miheli=C4=8D wrote:
> =
> =
> Hi!
> Hi
> =
> =
> =
> We just upgaded oVirt from 3.4 to 3.5 and now users cannot select the LDAP
> domain on the login screen. Only internal is available.
> Our LDAP server is actually a 389DS instance and we are using for
> authentication in oVirt without Kerberos. The existing setup has worked
> since the days of 3.2.
> =
> When we try to validate the domain, we get
> [root(a)brda ~]# engine-manage-domains validate
> Error: Cannot authenticate user ovirt to domain guest.arnes.si, details:
> [LDAP: error code 32 - No Such Object]; nested exception is
> javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Obje=
ct]
> Failure while testing domain guest.arnes.si. Details: Cannot authenticate
> user to LDAP server.
> =
> The LDAP log reports
> [18/Jun/2015:13:52:38 +0200] conn=3D3 op=3D0 BIND
> dn=3D"uid=3Dovirt,ou=3DPeopledc=3Dguest,dc=3Darnes,dc=3Dsi" method=3D128 =
version=3D3
> As you can see there is a comma missing before "dc=3Dguest,dc=3Darnes,dc=
=3Dsi".
> =
> Before the upgrade the bind DN was generated properly as
> [18/Jun/2015:12:42:45 +0200] conn=3D10219 op=3D0 BIND
> dn=3D"uid=3Dovirt,ou=3DPeople,dc=3Darnes,dc=3Dsi" method=3D128 version=3D3
> =
> So what is your search user's DN ?
> Is it:
> dn=3D"uid=3Dovirt,ou=3DPeople,dc=3Dguest,dc=3Darnes,dc=3Dsi"
> =
> or
> =
> dn=3D"uid=3Dovirt,ou=3DPeople,dc=3Darnes,dc=3Dsi"
> =
> Is it possible for you to try if different user works fine?
> Because user with very similar DN works for me just OK.
> At the time of posting I did not notice the difference, thanks for the sp=
ot.
> The correct DN is dn=3D"uid=3Dovirt,ou=3DPeople,dc=3Darnes,dc=3Dsi".
> Although that means that after upgrading to 3.5 the DN for the search use=
r is
> formatted differently when issuing an LDAP bind request.
> =
> In the end we noticed that the AAA part of oVirt was reworked in 3.5. We
> deleted the old LDAP domain, that we manually inserted into the database
> back in 3.2 days. Then we added LDAP as an authentication source as per A=
AA
> instructions, which we found a bit vague. The README on github for the AAA
> extension provided most of the information.
> =
> We also found that the format of external_id in the users table had been
> changed from fdfc627c-d875-11e0-90f0-83df133b58cc to
> fdfc627c-d87511e0-90f083df-133b58cc. So naturally users could not log in.
> Instead additional users were created with this new format external_id, a
> namespace with "dc=3Darnes,dc=3Dsi" and a new user_id.
> We manually deleted the faux users, updated the external_id to the new fo=
rmat
> and added a namespace entry for existing users.
> That worked for us.
the conversion tool should have taken care of all these. have you tried to =
use it?
>
> Kind regards, Mitja
>
> This looks like a bug.
> Is there a quick fix we can do to fix this typo?
>
> We are also interested in knowing what is the correct way in 3.5 to add a
> domain that uses an LDAP server for its authentication source without
> Kerberos.
>
> Please see following links:
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
> * http://www.ovirt.org/Features/AAA
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
> * https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>
> Kind regards, Mitja
--===============7082435873117382219==--
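As an added example (not part of the thread and not oVirt code), the malformed bind DN reported in the 389DS access log can be caught by scanning BIND operations for a DN in which an attribute type has been fused into the preceding value. The two log lines are the ones quoted in the thread; the function names and the fused-separator heuristic are assumptions of this sketch.

```python
import re

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
# Heuristic (assumption of this example): an attribute type followed by '='
# inside a value usually means a separator was lost when the DN was built.
# RFC 4514 permits a literal '=' in a value, so hits are leads, not proof.
FUSED_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*=")

def split_avas(dn):
    """Split a DN into attribute=value pairs on unescaped ',' or '+'."""
    parts, current, escaped = [], "", False
    for ch in dn:
        if not escaped and ch in ",+":
            parts.append(current.strip())
            current = ""
            continue
        current += ch
        escaped = ch == "\\" and not escaped
    parts.append(current.strip())
    return parts

def suspicious_avas(dn):
    """Return the pairs that lack an attribute type or look fused."""
    bad = []
    for ava in split_avas(dn):
        attr, sep, value = ava.partition("=")
        if not attr or not sep or FUSED_RE.search(value):
            bad.append(ava)
    return bad

def scan(lines):
    """Return (conn, dn, suspicious pairs) for each questionable BIND."""
    findings = []
    for line in lines:
        match = BIND_RE.search(line)
        if match and match.group(2):  # skip anonymous binds (empty DN)
            bad = suspicious_avas(match.group(2))
            if bad:
                findings.append((int(match.group(1)), match.group(2), bad))
    return findings

# The two access-log lines quoted in the thread.
LOG = [
    '[18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3',
    '[18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3',
]

if __name__ == "__main__":
    for conn, dn, bad in scan(LOG):
        print(f"conn={conn}: check {bad} in {dn}")
```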
From mitja.mihelic at arnes.si Fri Jun 19 09:54:34 2015
Content-Type: multipart/mixed; boundary="===============7108818384798958788=="
MIME-Version: 1.0
From: Mitja Mihelič <mitja.mihelic at arnes.si>
To: users at ovirt.org
Subject: Re: [ovirt-users] LDAP bind DN generation problem
Date: Fri, 19 Jun 2015 15:54:32 +0200
Message-ID: <55841F18.2030707@arnes.si>
In-Reply-To: 1656866571.11495886.1434710688457.JavaMail.zimbra@redhat.com
--===============7108818384798958788==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
On 19. 06. 2015 12:44, Alon Bar-Lev wrote:
>> We also found that the format of external_id in the users table had been
>> changed from fdfc627c-d875-11e0-90f0-83df133b58cc to
>> fdfc627c-d87511e0-90f083df-133b58cc. So naturally users could not log in.
>> Instead additional users were created with this new format external_id, a
>> namespace with "dc=arnes,dc=si" and a new user_id.
>> We manually deleted the faux users, updated the external_id to the new format
>> and added a namespace entry for existing users.
>> That worked for us.
> the conversion tool should have taken care of all these. have you tried to use it?
Sorry, no. We didn't know of its existence then. Can you provide a link to its page?
--===============7108818384798958788==--
From alonbl at redhat.com Fri Jun 19 10:10:10 2015
Content-Type: multipart/mixed; boundary="===============6946215343161205297=="
MIME-Version: 1.0
From: Alon Bar-Lev
To: users at ovirt.org
Subject: Re: [ovirt-users] LDAP bind DN generation problem
Date: Fri, 19 Jun 2015 10:10:07 -0400
Message-ID: <840594648.11594877.1434723007320.JavaMail.zimbra@redhat.com>
In-Reply-To: 55841F18.2030707@arnes.si
--===============6946215343161205297==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
----- Original Message -----
> From: "Mitja Mihelič"
> To: "Alon Bar-Lev"
> Cc: "Ondra Machacek", users(a)ovirt.org
> Sent: Friday, June 19, 2015 4:54:32 PM
> Subject: Re: [ovirt-users] LDAP bind DN generation problem
>
> On 19. 06. 2015 12:44, Alon Bar-Lev wrote:
> >> We also found that the format of external_id in the users table had been
> >> changed from fdfc627c-d875-11e0-90f0-83df133b58cc to
> >> fdfc627c-d87511e0-90f083df-133b58cc. So naturally users could not log in.
> >> Instead additional users were created with this new format external_id, a
> >> namespace with "dc=arnes,dc=si" and a new user_id.
> >> We manually deleted the faux users, updated the external_id to the new format
> >> and added a namespace entry for existing users.
> >> That worked for us.
> > the conversion tool should have taken care of all these. have you tried to use it?
> Sorry, no. We didn't know of its existence then. Can you provide a link to its page?
https://github.com/machacekondra/ovirt-engine-kerbldap-migration
--===============6946215343161205297==--
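The two external_id values quoted in the thread carry the same 32 hex digits, regrouped from 8-4-4-4-12 to 8-8-8-8. The following Python sketch is an added example, not part of the thread and not the migration tool linked above; it assumes the new format is always that four-by-eight grouping, and the row layout, user_id values and second sample id are constructed for illustration.

```python
import re

OLD_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
NEW_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{8}){3}$")

def to_new_external_id(external_id):
    """Regroup an 8-4-4-4-12 id into the 8-8-8-8 form; idempotent."""
    value = external_id.strip().lower()
    if NEW_RE.match(value):
        return value
    if not OLD_RE.match(value):
        raise ValueError(f"unrecognised external_id: {external_id!r}")
    digits = value.replace("-", "")
    return "-".join(digits[i:i + 8] for i in range(0, 32, 8))

def plan_reconciliation(rows, namespace):
    """Pair each old-format user with the duplicate created at first login.

    Returns (updates, deletes): updates are (user_id, new_external_id,
    namespace) for pre-upgrade rows; deletes are user_ids of duplicates.
    """
    by_new = {r["external_id"]: r for r in rows if NEW_RE.match(r["external_id"])}
    updates, deletes = [], []
    for row in rows:
        if not OLD_RE.match(row["external_id"]):
            continue
        new_id = to_new_external_id(row["external_id"])
        updates.append((row["user_id"], new_id, namespace))
        duplicate = by_new.get(new_id)
        if duplicate is not None:
            deletes.append(duplicate["user_id"])
    return updates, deletes

# Constructed sample rows; only the first external_id pair comes from the thread.
ROWS = [
    {"user_id": "u-old-1", "external_id": "fdfc627c-d875-11e0-90f0-83df133b58cc", "namespace": None},
    {"user_id": "u-new-1", "external_id": "fdfc627c-d87511e0-90f083df-133b58cc", "namespace": "dc=arnes,dc=si"},
    {"user_id": "u-old-2", "external_id": "0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9", "namespace": None},
]

if __name__ == "__main__":
    updates, deletes = plan_reconciliation(ROWS, "dc=arnes,dc=si")
    print("delete duplicates:", deletes)
    for user_id, new_id, ns in updates:
        print(f"update {user_id}: external_id={new_id} namespace={ns}")
```

Apply the deletes before the updates, in the order the thread describes, so that two rows never carry the same external_id.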