
----- Original Message -----
From: "Jason Keltz" <jas@cse.yorku.ca>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Friday, August 7, 2015 4:12:40 PM
Subject: Re: [ovirt-users] [ATN] LDAP Users please read
Hi Alon.
Thanks for your detailed response.
I decided to give the new system a try. Rather than migrate, I prefer to re-add from scratch, so I did:
# engine-manage-domains delete --domain=EECS.YORKU.CA
# systemctl restart ovirt-engine
Good, but you could have first added the new one and deleted the legacy one only after you had everything working :) Not important right now.
# yum install ovirt-engine-extension-aaa-ldap
... but I ran into my first trouble when I tried the following, as per your AAA-LDAP documentation:
QUICK START -----------
USING INSTALLER
Install ovirt-engine-extension-aaa-ldap-setup and execute:
# ovirt-engine-extension-aaa-ldap-setup
The setup will guide you throughout the process of most common use cases.
There's no command ovirt-engine-extension-aaa-ldap-setup. I checked the repository, and I can't find any package that includes that command. I guess that's something in 3.6 only. I don't want to use the manual installation method. The method that I use should match the simplicity of "engine-manage-domains".
Correct, this is new in 3.6; in 3.5 you should follow the documentation of 1.0 [1].
[1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob...
I re-added my existing domain so that I can "migrate" it. So...
# engine-manage-domains add --domain=EECS.YORKU.CA --provider=ipa --user=ovirtadmin
Enter password:
I downloaded ovirt-engine-kerbldap-migration-1.0.2-1.el7ev.noarch.rpm from https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases and installed it:
# rpm -i ovirt-engine-kerbldap-migration-1.0.2-1.el7ev.noarch.rpm
I need to provide to the tool the domain, and the cacert. It's too bad about having to provide the cacert -- the previous method of specifying a provider, username, password, and auto-downloading the cert seemed more user friendly. The documentation doesn't tell me where I might find the cacert. Without much experience using the Red Hat IPA product, it's buried. Is it the /root/cacert.p12 file? I copied that file to /tmp on my engine server, and then:
There is no standard method to get the CA certificate. We provided some information at [1] under "3. [Optional] Obtaining LDAP CA certificate.":
"""
FreeIPA
Copy /etc/ipa/ca.crt to your oVirt machine into /tmp.
"""
[1] https://github.com/machacekondra/ovirt-engine-kerbldap-migration
# ovirt-engine-kerbldap-migration-tool --domain EECS.YORKU.CA --cacert /tmp/cacert.p12
PKCS#12 file should never leave your IPA machine :)
sh-4.2# ovirt-engine-kerbldap-migration-tool --domain EECS.YORKU.CA --cacert /home/jas/cacert.p12
[INFO ] tool: ovirt-engine-kerbldap-migration-1.0.2 (ovirt-engine-kerbldap-migration-1.0.2-1.el7ev)
[INFO ] Connecting to database
[INFO ] Sanity checks
[INFO ] Loading options
[ERROR ] Conversion failed: Domain EECS.YORKU.CA not exists in configuration.
(minor correction in that last line: "does not exist" instead of "not exists").
Thanks! Will fix. Can you please add --debug and --log=/tmp/debug.log and send us the debug.log? Probably we cannot resolve the DNS SRV record correctly.
$ dig +noall +answer srv _ldap._tcp.EECS.YORKU.CA
should return a set of LDAP servers for your domain; if you do not have an SRV record we can work around this by specifying a specific LDAP server using the --ldapserver parameter.
Of course the domain does actually exist. I can login to engine with my domain login.
Yes, true, the question is what is wrong in our conversion program :)
Jason.
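Two of Alon's points in this thread, that the --cacert should be the PEM file /etc/ipa/ca.crt and never the PKCS#12 bundle, and that the tool looks up the _ldap._tcp SRV record of the domain (with --ldapserver as the workaround when there is none), as an added pre-flight check. This is example code written for this page, not part of ovirt-engine-kerbldap-migration or oVirt: the dig answer lines, certificate bytes and example.test hosts are constructed inputs, and the host:port form accepted for the fallback server is an assumption about how one would pass --ldapserver.

```python
"""Pre-flight checks before running ovirt-engine-kerbldap-migration-tool.
Hypothetical helper written for this page, not the project's own code."""
import random
import re
from collections import defaultdict

PEM_CERT = b"-----BEGIN CERTIFICATE-----"
PEM_KEY = b"PRIVATE KEY-----"   # matches "BEGIN PRIVATE KEY" and "BEGIN RSA PRIVATE KEY"


def _der_header_len(data):
    """Byte length of a DER tag+length header (short or long form), or None."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:
        return 2
    n = first & 0x7F
    return 2 + n if len(data) >= 2 + n else None


def classify_cacert(data):
    """Classify the bytes of a candidate --cacert file:
    'pem-cert' : PEM certificate(s) only            -> safe to copy to the engine
    'pem-key'  : PEM that also carries a private key -> refuse
    'pkcs12'   : PKCS#12 bundle such as cacert.p12   -> refuse, it holds private keys
    'der-cert' : bare DER certificate                -> convert to PEM first
    'unknown'  : anything else"""
    if PEM_KEY in data:
        return "pem-key"
    if PEM_CERT in data:
        return "pem-cert"
    if not data or data[0] != 0x30:          # not an ASN.1 SEQUENCE at all
        return "unknown"
    hdr = _der_header_len(data)
    if hdr is None:
        return "unknown"
    body = data[hdr:hdr + 3]
    if body == b"\x02\x01\x03":               # PFX ::= SEQUENCE { version INTEGER (3), ... }
        return "pkcs12"
    if body[:1] == b"\x30":                   # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ... }
        return "der-cert"
    return "unknown"


# One answer line of `dig +noall +answer srv _ldap._tcp.<domain>`:
# "<owner> <ttl> IN SRV <priority> <weight> <port> <target>"
_SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def parse_srv(dig_output):
    """Return (priority, weight, port, host) tuples parsed from dig output."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank or dig comment
            continue
        m = _SRV_LINE.match(line)
        if not m:
            continue                          # not an SRV answer line
        records.append((int(m.group("prio")), int(m.group("weight")),
                        int(m.group("port")), m.group("target").rstrip(".")))
    return records


def order_srv(records, seed=None):
    """Order targets per RFC 2782: ascending priority, then weighted random
    selection inside each priority (weight-0 targets are rarely chosen first)."""
    rng = random.Random(seed)
    by_prio = defaultdict(list)
    for rec in records:
        by_prio[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_prio):
        pool = by_prio[prio]
        pool.sort(key=lambda r: r[1] != 0)    # zero-weight entries first, as the RFC says
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for i, rec in enumerate(pool):
                running += rec[1]
                if running >= pick:
                    ordered.append(pool.pop(i))
                    break
    return [(host, port) for (_p, _w, port, host) in ordered]


def ldap_servers(dig_output, fallback=None, seed=None):
    """Servers to try, in order. With no SRV record, use the explicit server
    (assumed "host" or "host:port", the --ldapserver workaround) or fail loudly."""
    records = parse_srv(dig_output)
    if records:
        return order_srv(records, seed)
    if fallback:
        host, _, port = fallback.partition(":")
        return [(host, int(port) if port else 389)]
    raise ValueError("no _ldap._tcp SRV record found and no --ldapserver given")


# Constructed inputs for demonstration (not real files or DNS data).
SAMPLE_P12 = b"\x30\x82\x0a\x10\x02\x01\x03\x30\x82\x09\xd6"
SAMPLE_DER = b"\x30\x82\x03\x4c\x30\x82\x02\x34\xa0\x03"
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n(base64 body)\n-----END CERTIFICATE-----\n"
SAMPLE_DIG = """\
_ldap._tcp.example.test. 86400 IN SRV 10 0 389 ipa-backup.example.test.
_ldap._tcp.example.test. 86400 IN SRV 0 100 389 ipa1.example.test.
_ldap._tcp.example.test. 86400 IN SRV 0 50 389 ipa2.example.test.
"""
```

In practice you would feed classify_cacert() the bytes of the file you intend to pass as --cacert and refuse anything but 'pem-cert', then feed ldap_servers() the output of the dig command from the thread; an empty answer with no fallback is exactly the situation in which --ldapserver has to be supplied.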