Re: [ovirt-users] active directory

8 Jun 2017

      If you are using Active Directory you most probably don't use Anonymous bind.
The question:

           Enter search user DN (for example
uid=username,dc=example,dc=com or leave empty for anonymous):

You should not leave empty but rather specify some user, which can
search in active directory,
you can enter it either in DN format(cn=user,dc=domain,dcom) or UPN
format (user@domain.com).

On Thu, Jun 8, 2017 at 5:32 AM, qinglong.dong@horebdata.cn
<qinglong.dong@horebdata.cn> wrote:
...
Thanks! I excuted "ovirt-engine-extension-aaa-ldap-setup", but I got an
error. Is there anything wrong?
[root@engine ~]# ovirt-engine-extension-aaa-ldap-setup
[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
          Configuration files:
['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
          Log file:
/tmp/ovirt-engine-extension-aaa-ldap-setup-20170608112535-jll8t2.log
          Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Available LDAP implementations:
           1 - 389ds
           2 - 389ds RFC-2307 Schema
           3 - Active Directory
           4 - IBM Security Directory Server
           5 - IBM Security Directory Server RFC-2307 Schema
           6 - IPA
           7 - Novell eDirectory RFC-2307 Schema
           8 - OpenLDAP RFC-2307 Schema
           9 - OpenLDAP Standard Schema
          10 - Oracle Unified Directory RFC-2307 Schema
          11 - RFC-2307 Schema (Generic)
          12 - RHDS
          13 - RHDS RFC-2307 Schema
          14 - iPlanet
          Please select: 3
          Please enter Active Directory Forest name: horebdata.com
[ INFO  ] Resolving Global Catalog SRV record for horebdata.com
[ INFO  ] Resolving LDAP SRV record for horebdata.com
          NOTE:
          It is highly recommended to use secure protocol to access the LDAP
server.
          Protocol startTLS is the standard recommended method to do so.
          Only in cases in which the startTLS is not supported, fallback to
non standard ldaps protocol.
          Use plain for test environments only.
          Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
plain
[ INFO  ] Resolving SRV record 'horebdata.com'
[ INFO  ] Connecting to LDAP using
'ldap://win-fvdsocg3abj.horebdata.com:389'
[ INFO  ] Connection succeeded
          Enter search user DN (for example uid=username,dc=example,dc=com
or leave empty for anonymous):
[ INFO  ] Attempting to bind using '[Anonymous]'
          Are you going to use Single Sign-On for Virtual Machines (Yes, No)
[No]: yes
          NOTE:
          Profile name has to match domain name, otherwise Single Sign-On
for Virtual Machines will not work.
          Please specify profile name that will be visible to users
[horebdata.com]:
[ INFO  ] Stage: Setup validation
          The following files are about to be overwritten:
              /etc/ovirt-engine/extensions.d/horebdata.com-authn.properties
              /etc/ovirt-engine/extensions.d/horebdata.com.properties
              /etc/ovirt-engine/aaa/horebdata.com.properties
          Continue and overwrite? (Yes, No) [No]: yes
          NOTE:
          It is highly recommended to test drive the configuration before
applying it into engine.
          Perform at least one Login sequence and one Search sequence.
          Select test sequence to execute (Done, Abort, Login, Search)
[Abort]: login
          Enter user name: horebdata
          Enter user password:
[ INFO  ] Executing login sequence...
          Login output:
          2017-06-08 11:26:09,446+08 INFO
========================================================================
          2017-06-08 11:26:09,463+08 INFO    ============================
Initialization ============================
          2017-06-08 11:26:09,463+08 INFO
========================================================================
          2017-06-08 11:26:09,475+08 INFO    Loading extension
'horebdata.com-authn'
          2017-06-08 11:26:09,517+08 INFO    Extension 'horebdata.com-authn'
loaded
          2017-06-08 11:26:09,522+08 INFO    Loading extension
'horebdata.com'
          2017-06-08 11:26:09,530+08 INFO    Extension 'horebdata.com'
loaded
          2017-06-08 11:26:09,531+08 INFO    Initializing extension
'horebdata.com-authn'
          2017-06-08 11:26:09,532+08 INFO
[ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Creating LDAP
pool 'authz'
          2017-06-08 11:26:09,620+08 INFO
[ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] LDAP pool
'authz' information: vendor='null' version='null'
          2017-06-08 11:26:09,621+08 INFO
[ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Creating LDAP
pool 'authn'
          2017-06-08 11:26:09,636+08 INFO
[ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] LDAP pool
'authn' information: vendor='null' version='null'
          2017-06-08 11:26:09,649+08 WARNING
[ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Cannot
initialize LDAP framework, deferring initialization. Error: Unexpected comma
or semicolon found at the end of the DN string.
          2017-06-08 11:26:09,650+08 INFO    Extension 'horebdata.com-authn'
initialized
          2017-06-08 11:26:09,650+08 INFO    Initializing extension
'horebdata.com'
          2017-06-08 11:26:09,651+08 INFO
[ovirt-engine-extension-aaa-ldap.authz::horebdata.com] Creating LDAP pool
'authz'
          2017-06-08 11:26:09,679+08 INFO
[ovirt-engine-extension-aaa-ldap.authz::horebdata.com] LDAP pool 'authz'
information: vendor='null' version='null'
          2017-06-08 11:26:09,679+08 INFO
[ovirt-engine-extension-aaa-ldap.authz::horebdata.com] Creating LDAP pool
'gc'
          2017-06-08 11:26:09,694+08 INFO
[ovirt-engine-extension-aaa-ldap.authz::horebdata.com] LDAP pool 'gc'
information: vendor='null' version='null'
          2017-06-08 11:26:09,697+08 WARNING
[ovirt-engine-extension-aaa-ldap.authz::horebdata.com] Cannot initialize
LDAP framework, deferring initialization. Error: Unexpected comma or
semicolon found at the end of the DN string.
          2017-06-08 11:26:09,697+08 INFO    Extension 'horebdata.com'
initialized
          2017-06-08 11:26:09,697+08 INFO    Start of enabled extensions
list
          2017-06-08 11:26:09,697+08 INFO    Instance name: 'horebdata.com',
Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.1',
Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.1-1.el7.centos',
License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt
Project', Build interface Version: '0',  File:
'/tmp/tmpHfBhQf/extensions.d/horebdata.com.properties', Initialized: 'true'
          2017-06-08 11:26:09,698+08 INFO    Instance name:
'horebdata.com-authn', Extension name:
'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.1', Notes: 'Display
name: ovirt-engine-extension-aaa-ldap-1.3.1-1.el7.centos', License: 'ASL
2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build
interface Version: '0',  File:
'/tmp/tmpHfBhQf/extensions.d/horebdata.com-authn.properties', Initialized:
'true'
          2017-06-08 11:26:09,698+08 INFO    End of enabled extensions list
          2017-06-08 11:26:09,698+08 INFO
========================================================================
          2017-06-08 11:26:09,698+08 INFO    ==============================
Execution ===============================
          2017-06-08 11:26:09,698+08 INFO
========================================================================
          2017-06-08 11:26:09,698+08 INFO    Iteration: 0
          2017-06-08 11:26:09,699+08 INFO    Profile='horebdata.com'
authn='horebdata.com-authn' authz='horebdata.com' mapping='null'
          2017-06-08 11:26:09,699+08 INFO    API:
-->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='horebdata.com'
user='horebdata'
          2017-06-08 11:26:09,702+08 WARNING
[ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Cannot
initialize LDAP framework, deferring initialization. Error: Unexpected comma
or semicolon found at the end of the DN string.
          2017-06-08 11:26:09,703+08 SEVERE  Unexpected comma or semicolon
found at the end of the DN string.
[ ERROR ] Login sequence failed
          Please investigate details of the failure (search for lines
containing SEVERE log level).
          Select test sequence to execute (Done, Abort, Login, Search)
[Abort]:
From: Ondra Machacek
Date: 2017-06-07 14:47
To: qinglong.dong@horebdata.cn
CC: users
Subject: Re: [ovirt-users] active directory
Or you can try the migration tool:
https://github.com/oVirt/ovirt-engine-kerbldap-migration
Check the README, there are instructions how to procceed.
On Wed, Jun 7, 2017 at 8:33 AM, Latchezar Filtchev <Latcho@aubg.bg> wrote:
...
This can help you:
http://lists.ovirt.org/pipermail/users/2016-September/042937.html
Best,
Latcho
From: users-bounces@ovirt.org [mailto:users-bounces@ovirt.org] On Behalf
Of
qinglong.dong@horebdata.cn
Sent: Wednesday, June 07, 2017 4:57 AM
To: users
Subject: [ovirt-users] active directory
Hi all,
I used "engine-manage-domains" to add AD to ovirt in earlier
version. What should I do in ovirt 4.1? Hope someone can help. Thanks!
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users