On Wed, Dec 10, 2014 at 9:25 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:


2014-12-10 19:03:16,554 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::ldap1-authn] Cannot initialize LDAP framework, deferring initialization. Error: no such object

This is interesting, I have never seen this error; can I ask you to enable debug?

Edit:
/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in

Add the following before the <root-logger> line:
       <logger category="org.ovirt.engineextensions.aaa.ldap">
         <level name="ALL"/>
       </logger>

Also, in 3.5.0 you need to modify the file-handler level to ALL instead of INFO:
      <file-handler name="ENGINE" autoflush="true">
        <level name="ALL"/>

Then restart the engine and we should see lots of messages in engine.log.

Thanks!
Alon


Hi,
if you want I can send it to you... but I have understood....
I didn't change the domain parameters, leaving inside the file /etc/ovirt-engine/aaa/ldap1.properties
dc=company,dc=com
and changing only the "uid=..." part ;-)

In fact inside IPA log files I see this:

[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32


After putting in the correct values
dc=localdomain,dc=local
and restarting the engine (without debug symbols)

all is ok and I can both search users and groups in ldap1 and connect to the engine webadmin portal with apparently correct privileges (only limited tests done).

Thanks and sorry for the misunderstanding...
two questions:
1) What about the legacy still working?

2) I see that the connection with LDAP is apparently through port 389 and so in unencrypted mode.
What should I configure to enable ldaps:// connection mode as this is sensitive information?

Possibly these lines in ldap1.properties?

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit

but how do I use these, and where should I eventually put the IPA certificate?
Do I have to convert IPA ca.crt into some other format?

Gianluca
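Added example for Gianluca's second question above (the connection going over port 389 in the clear, and the commented-out pool.default.ssl.* lines in ldap1.properties). This is editor-added code, not part of the thread and not code from ovirt-engine-extension-aaa-ldap: a small auditor that parses a profile in the extension's properties format and reports whether the LDAP session is encrypted and whether the server certificate can be verified. The keys pool.default.ssl.startTLS, pool.default.ssl.truststore.file and pool.default.ssl.truststore.password are the ones quoted on the page; pool.default.ssl.enable (LDAPS), pool.default.ssl.insecure and pool.default.serverset.single.port are assumed from the extension's example profiles and should be checked against the copies shipped with the package. Both sample profiles are constructed here, with a hypothetical server name.

```python
"""Audit an ovirt-engine-extension-aaa-ldap profile (e.g. ldap1.properties)
for plaintext LDAP.  Editor-added example for this thread; not code from the
extension.  ssl.startTLS / truststore.file / truststore.password are quoted
on the page; ssl.enable, ssl.insecure and serverset.single.port are assumed
from the extension's example profiles (verify against the shipped examples)."""
import re

# Constructed sample modelled on the profile discussed in the thread: the TLS
# template lines are still commented out, so the bind goes over plain LDAP/389.
PLAINTEXT_PROFILE = """\
vars.server = ipa.localdomain.local
vars.user = uid=vadmin,cn=users,cn=accounts,dc=localdomain,dc=local
vars.password = secret

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
"""

# Constructed hardened variant: LDAPS on 636 (assumed key ssl.enable), server
# certificate verified against a JKS truststore that holds the IPA CA.
LDAPS_PROFILE = """\
vars.server = ipa.localdomain.local
vars.user = uid=vadmin,cn=users,cn=accounts,dc=localdomain,dc=local
vars.password = secret

pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = 636
pool.default.ssl.enable = true
pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
pool.default.ssl.truststore.password = changeit
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
"""

PFX = "pool.default."
# "key = value", optionally commented out with a leading '#'.
_LINE = re.compile(r"^\s*(?P<comment>#?)\s*(?P<key>[A-Za-z0-9_.]+)\s*=\s*(?P<value>.*?)\s*$")


def parse_properties(text):
    """Return (active, commented): key->value for live lines, plus the keys that
    appear only in commented-out lines (the template ships TLS disabled that way)."""
    active, commented = {}, {}
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue  # blank line or free-text comment
        target = commented if m.group("comment") else active
        target[m.group("key")] = m.group("value")
    return active, commented


def expand(value, props):
    """Resolve ${global:KEY} references against the profile's own keys; ${local:...}
    variables such as _basedir are file-scoped and are left untouched here."""
    return re.sub(r"\$\{global:([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def _is_true(value):
    return value is not None and value.strip().lower() == "true"


def audit(text):
    """Return a list of findings about the LDAP transport; [] means the session
    is encrypted and the server certificate is verified against a truststore."""
    props, commented = parse_properties(text)
    starttls = _is_true(props.get(PFX + "ssl.startTLS"))
    ldaps = _is_true(props.get(PFX + "ssl.enable"))
    port = props.get(PFX + "serverset.single.port")
    if not (starttls or ldaps):
        msg = "plain LDAP: the bind password and all directory data cross the wire unencrypted"
        if PFX + "ssl.startTLS" in commented:
            msg += " (the ssl.startTLS template line is still commented out)"
        return [msg]
    findings = []
    if starttls and ldaps:
        findings.append("both ssl.startTLS and ssl.enable are set; use STARTTLS on 389 or LDAPS on 636, not both")
    if ldaps and port == "389":
        findings.append("ssl.enable=true with port 389: LDAPS is served on 636")
    if starttls and port == "636":
        findings.append("ssl.startTLS=true with port 636: STARTTLS upgrades a plain connection on 389")
    if _is_true(props.get(PFX + "ssl.insecure")):
        findings.append("ssl.insecure=true: the server certificate is not verified, so the session can be intercepted")
    if not props.get(PFX + "ssl.truststore.file"):
        findings.append("no truststore configured: the IPA CA is not in the JVM default truststore, "
                        "so the server certificate cannot be verified")
    return findings


if __name__ == "__main__":
    for name, profile in (("plaintext", PLAINTEXT_PROFILE), ("ldaps", LDAPS_PROFILE)):
        props, _ = parse_properties(profile)
        print(name, "->", expand(props[PFX + "serverset.single.server"], props),
              audit(profile) or ["ok"])
```

On the conversion question: the truststore named by pool.default.ssl.truststore.file is a Java keystore, and keytool imports the IPA CA in the PEM form it is already in, so no conversion is needed, e.g. `keytool -importcert -noprompt -trustcacerts -alias ipaca -file /etc/ipa/ca.crt -keystore <server>.jks -storepass changeit`, with the resulting .jks placed where the profile points and readable by the user the engine runs as.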