
On Wed, Dec 10, 2014 at 9:25 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
2014-12-10 19:03:16,554 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::ldap1-authn] Cannot initialize LDAP framework, deferring initialization. Error: no such object
This is interesting, I never saw this error; can I ask you to enable debug?
Edit: /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
Add the following before the <root-logger> line: <logger category="org.ovirt.engineextensions.aaa.ldap"> <level name="ALL"/> </logger>
Also in 3.5.0 you need to modify file-handler level to ALL instead of INFO <file-handler name="ENGINE" autoflush="true"> <level name="ALL"/>
Then restart engine and we should see lots of messages within engine.log.
Thanks! Alon
Hi,
if you want I can send it to you... but I have understood.... I didn't change the domain parameters, leaving inside the file /etc/ovirt-engine/aaa/ldap1.properties dc=company,dc=com and changing only the "uid=..." part ;-)
In fact inside IPA log files I see this:

[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32

After putting the correct values dc=localdomain,dc=local and restarting the engine (without debug symbols) all is ok and I can both search users and groups in ldap1 and connect to the engine webadmin portal with apparently correct privileges (only limited tests done).

Thanks and sorry for the misunderstanding... two questions:
1) What about the legacy still working?
2) I see that the connection with ldap apparently is through port 389 and so in unencrypted mode. What should I configure to enable ldaps:// connection mode, as this is sensitive information? Possibly these lines in ldap1.properties?

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit

but how to use them, and where do I eventually put the IPA certificate? Do I have to convert IPA ca.crt into some other format?

Gianluca
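An added example, not part of the thread and not code from the oVirt project: a small POSIX shell script for the StartTLS question above. It builds the Java truststore that the commented `pool.default.ssl.truststore.file` line points at and appends the three ssl settings to the profile. No conversion of the IPA CA is needed: `/etc/ipa/ca.crt` is PEM and `keytool -importcert` reads PEM as well as DER. The truststore file name is derived from the profile's `vars.server` value, because the property references it as `${global:vars.server}.jks`. The profile name `ldap1`, the server name `ipa.localdomain.local`, the CA path and the `changeit` store password are assumptions for illustration; override them through the environment variables at the top.

```shell
#!/bin/sh
# Added example (not from the thread or the oVirt project): enable StartTLS
# for an ovirt-engine-extension-aaa-ldap profile that talks to FreeIPA.
# Assumed values, adjust to your environment:
AAA_DIR="${AAA_DIR:-/etc/ovirt-engine/aaa}"          # where ldap1.properties lives
PROFILE="${PROFILE:-ldap1}"                          # profile name from the thread
IPA_SERVER="${IPA_SERVER:-ipa.localdomain.local}"    # must equal vars.server in the profile
IPA_CA="${IPA_CA:-/etc/ipa/ca.crt}"                  # IPA CA certificate, PEM format
STOREPASS="${STOREPASS:-changeit}"                   # truststore password

# Path the profile refers to as ${local:_basedir}/${global:vars.server}.jks:
# the basedir of the properties file plus "<vars.server>.jks".
truststore_path() {
    printf '%s/%s.jks\n' "$1" "$2"
}

# keytool accepts a PEM ("-----BEGIN CERTIFICATE-----") file directly, so the
# IPA ca.crt needs no conversion. -trustcacerts stores it as a trusted CA
# entry and -noprompt skips the interactive "Trust this certificate?" question.
import_ipa_ca() {
    store="$1"; cafile="$2"; pass="$3"
    keytool -importcert -noprompt -trustcacerts \
        -alias ipaca -file "$cafile" \
        -keystore "$store" -storepass "$pass"
}

# Append the three ssl settings, uncommented. The truststore.file line keeps
# the ${local:...}/${global:...} placeholders literally; the extension expands
# them, not the shell, which is why that string is single-quoted.
write_ssl_props() {
    props="$1"; pass="$2"
    printf '%s\n' \
        'pool.default.ssl.startTLS = true' \
        'pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks' \
        "pool.default.ssl.truststore.password = $pass" >> "$props"
}

# Return 0 when the profile has StartTLS switched on and a truststore set.
# Patterns tolerate spaces around '=' and anchor at line start, so the
# commented-out template lines ("#pool.default...") do not count.
ssl_configured() {
    grep -Eq '^pool\.default\.ssl\.startTLS *= *true' "$1" &&
    grep -Eq '^pool\.default\.ssl\.truststore\.file *= *' "$1"
}

# Independent check, outside the engine, that the server really offers
# StartTLS on 389 with a certificate chaining to the IPA CA. -ZZ makes
# ldapsearch fail hard if StartTLS cannot be negotiated, and LDAPTLS_CACERT
# pins the CA so a wrong certificate is rejected rather than accepted.
verify_starttls() {
    LDAPTLS_CACERT="$2" ldapsearch -x -ZZ -H "ldap://$1" \
        -b '' -s base '(objectClass=*)' namingContexts
}

# Only perform the real changes when explicitly asked (RUN_SETUP=1), so the
# functions above can be sourced or tested without touching the engine.
if [ "${RUN_SETUP:-0}" = "1" ]; then
    props="$AAA_DIR/$PROFILE.properties"
    store=$(truststore_path "$AAA_DIR" "$IPA_SERVER")
    [ -r "$IPA_CA" ] || { echo "IPA CA not readable: $IPA_CA" >&2; exit 1; }
    import_ipa_ca "$store" "$IPA_CA" "$STOREPASS"
    ssl_configured "$props" || write_ssl_props "$props" "$STOREPASS"
    verify_starttls "$IPA_SERVER" "$IPA_CA"
    echo "StartTLS configured in $props with truststore $store; restart the engine."
fi
```

Run it with `RUN_SETUP=1` on the engine host, then restart ovirt-engine; the `verify_starttls` step fails before the restart if the IPA server's certificate does not chain to the CA you imported, which is the failure mode worth catching here. The script sets only the StartTLS keys that appear in the commented template, which give an encrypted session on port 389; it does not try to switch the profile to ldaps on 636, since the page shows no settings for that.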