On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas@gmail.com> wrote:

On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim@redhat.com> wrote:

On 11/20/2012 09:56 AM, Cristian Falcas wrote:

On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs@redhat.com
<mailto:yzaslavs@redhat.com>> wrote:

On 11/20/2012 09:05 AM, Cristian Falcas wrote:

On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky
<yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>
<mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>>> wrote:

On 11/20/2012 12:39 AM, Cristian Falcas wrote:

On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim
<iheim@redhat.com <mailto:iheim@redhat.com>
<mailto:iheim@redhat.com <mailto:iheim@redhat.com>>
<mailto:iheim@redhat.com <mailto:iheim@redhat.com>
<mailto:iheim@redhat.com <mailto:iheim@redhat.com>>>> wrote:

On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:

On 11/19/2012 10:01 AM, Cristian Falcas wrote:

Hi,

I'm trying to add some users to ovirt
using an AD.

This is the configuration I used for a
mediawiki
site, which is
working correctly:
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = true;
$wgLDAPDomainNames = array( "a_domain");
$wgLDAPServerNames = array(
"a_domain"=>"site.example.com <http://site.example.com>
<http://site.example.com>
<http://site.example.com>
<http://site.example.com>");

$wgLDAPEncryptionType = array(
"a_domain"=>"clear");
$wgLDAPSearchStrings = array(
"a_domain"=>"rom_domain\\USER-______NAME");
$wgLDAPBaseDNs = array(
"a_domain"=>"dc=company,dc=______com");

Those are the commands I tried using:
engine-manage-domains -action=add
-domain=site.example.com <http://site.example.com>
<http://site.example.com>
<http://site.example.com>
<http://site.example.com>
-provider=ActiveDirectory
-user=user.name <http://user.name>
<http://user.name> <http://user.name>
<http://user.name> -interactive

engine-manage-domains -action=add
-domain=a_domain
-provider=ActiveDirectory
-user=user.name@company.com
<mailto:user.name@company.com> <mailto:user.name@company.com
<mailto:user.name@company.com>>
<mailto:user.name@company.com
<mailto:user.name@company.com>
<mailto:user.name@company.com
<mailto:user.name@company.com>>__>
<mailto:user.name@company.com
<mailto:user.name@company.com>
<mailto:user.name@company.com
<mailto:user.name@company.com>>

<mailto:user.name@company.com
<mailto:user.name@company.com>
<mailto:user.name@company.com
<mailto:user.name@company.com>>__>__> -interactive

engine-manage-domains -action=add
-domain=a_domain
-provider=ActiveDirectory
-user=user.name@site.example.______com

<mailto:user.name@site.
<mailto:user.name@site.>__examp__le.com <http://example.com>
<mailto:user.name@site.__example.com
<mailto:user.name@site.example.com>>>
<mailto:user.name@site
<mailto:user.name@site>.
<mailto:user.name@site
<mailto:user.name@site>.>__exam__p__le.com
<http://examp__le.com> <http://example.com>

<mailto:user.name@site.
<mailto:user.name@site.>__examp__le.com <http://example.com>
<mailto:user.name@site.__example.com
<mailto:user.name@site.example.com>>>> -interactive

You don't add an user this way. You add the
domain. You
have to
pass the
domain admin user and the domain admin password.

any domain user will do, doesn't have to be an admin.
what does the log say?

Then you can use the domain within the engine.
e.g. search
users, add
access rights for vms etc.
Even login to the engine and assigning rights
within
the engine
you can
handle from the engine itself.

Regards,

And the output on all tries:
Enter password:

Error: Authentication Failed. Please
verify the fully
qualified domain
name that is used for authentication is
correct..
Problematic domain
is: domain_used_in_command
Failure while applying Kerberos
configuration. Details:
Authentication
Failed. Please verify the fully qualified
domain
name that
is used for
authentication is correct.

Can someone help me with the correct
parameters?

Best regards,
Cristian Falcas

_____________________________________________________

Users mailing list
Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org

<mailto:Users@ovirt.org>> <mailto:Users@ovirt.org
<mailto:Users@ovirt.org>
<mailto:Users@ovirt.org <mailto:Users@ovirt.org>>>
http://lists.ovirt.org/______mailman/listinfo/users
<http://lists.ovirt.org/____mailman/listinfo/users>

<http://lists.ovirt.org/____mailman/listinfo/users
<http://lists.ovirt.org/__mailman/listinfo/users>>

<http://lists.ovirt.org/____mailman/listinfo/users
<http://lists.ovirt.org/__mailman/listinfo/users>
<http://lists.ovirt.org/__mailman/listinfo/users
<http://lists.ovirt.org/mailman/listinfo/users>>>

--
Regards,

Vinzenz Feenstra | Senior Software Engineer
RedHat Engineering Virtualization R & D
Phone: +420 532 294 625
<tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625>
<tel:%2B420%20532%20294%20625>

IRC: vfeenstr or evilissimo

Better technology. Faster innovation. Powered
by community
collaboration.
See how it works at redhat.com
<http://redhat.com> <http://redhat.com>
<http://redhat.com>

_____________________________________________________

Users mailing list
Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org

<mailto:Users@ovirt.org>> <mailto:Users@ovirt.org
<mailto:Users@ovirt.org>
<mailto:Users@ovirt.org <mailto:Users@ovirt.org>>>
http://lists.ovirt.org/______mailman/listinfo/users
<http://lists.ovirt.org/____mailman/listinfo/users>

<http://lists.ovirt.org/____mailman/listinfo/users
<http://lists.ovirt.org/__mailman/listinfo/users>>

<http://lists.ovirt.org/____mailman/listinfo/users
<http://lists.ovirt.org/__mailman/listinfo/users>
<http://lists.ovirt.org/__mailman/listinfo/users
<http://lists.ovirt.org/mailman/listinfo/users>>>

_____________________________________________________

Users mailing list
Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org

<mailto:Users@ovirt.org>> <mailto:Users@ovirt.org
<mailto:Users@ovirt.org>
<mailto:Users@ovirt.org <mailto:Users@ovirt.org>>>
http://lists.ovirt.org/______mailman/listinfo/users
<http://lists.ovirt.org/____mailman/listinfo/users>
<http://lists.ovirt.org/____mailman/listinfo/users
<http://lists.ovirt.org/__mailman/listinfo/users>>

<http://lists.ovirt.org/____mailman/listinfo/users
<http://lists.ovirt.org/__mailman/listinfo/users>
<http://lists.ovirt.org/__mailman/listinfo/users
<http://lists.ovirt.org/mailman/listinfo/users>>>

Hi,

This is the command I used (the same error is with
-interactive
parameter):

engine-manage-domains -action=add -domain=example.com
<http://example.com>
<http://example.com>
<http://example.com> -provider=ActiveDirectory
-user=user.name@a_domain

-passwordFile=/tmp/pass

[root@localhost ~]# cat /tmp/pass
qwerty[root@localhost ~]#

This is the log:

2012-11-20 00:30:40,443 INFO

[org.ovirt.engine.core.utils.____kerberos.ManageDomains] Creating

kerberos
configuration for domain(s): example.com
<http://example.com> <http://example.com>
<http://example.com>

2012-11-20 00:30:40,525 INFO

[org.ovirt.engine.core.utils.____kerberos.ManageDomains]

Successfully

created kerberos configuration for domain(s):
example.com <http://example.com>
<http://example.com>
<http://example.com>

2012-11-20 00:30:40,526 INFO

[org.ovirt.engine.core.utils.____kerberos.ManageDomains] Testing

kerberos
configuration for domain: example.com
<http://example.com> <http://example.com>
<http://example.com>

2012-11-20 00:30:40,830 ERROR

[org.ovirt.engine.core.utils.____kerberos.KerberosConfigCheck]

Error:

exception message: Cannot locate KDC
2012-11-20 00:30:40,851 ERROR

[org.ovirt.engine.core.utils.____kerberos.ManageDomains] Failure

while

testing domain example.com <http://example.com>
<http://example.com>
<http://example.com>. Details: Kerberos

error. Please check log for further details.

Hi, the error indicates you don't have kerberos configured.
manage-domains validates by default using GSSAPI/Kerberos (if I
understand correctly, this is equivalent to run ldapsearch
with -Y
gssapi option).
I wonder if -x (simple authentication) will work for you as
well (as
manage-domains contains code for simple authentication as
well).

This is the ldapsearch command that works (it retrieves
users)
from the
same machine:

ldapsearch -H ldap://example.com <http://example.com>
<http://example.com>
<http://example.com> -b

dc=example,dc=com -D user.name@a_domain -w qwerty

Best regards,
Cristian Falcas

___________________________________________________
Users mailing list
Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org
<mailto:Users@ovirt.org>>
http://lists.ovirt.org/____mailman/listinfo/users
<http://lists.ovirt.org/__mailman/listinfo/users>
<http://lists.ovirt.org/__mailman/listinfo/users
<http://lists.ovirt.org/mailman/listinfo/users>>

Hi,

I used "-x" for ldapsearch and the result is the same: list
retrieved.
Is there any equivalent for engine-manage-domains?

Cristian

Hi Christian, there is no code allowing to add simple-authentication
domains to Manage-Domains.
In the past we did have the ability to do that, but there are
several problematic issues.
What ldap server are you working against? Maybe I missed that

Hi,

The server is a Microfost AD 2003.

Best regards,
Cristian Falcas

this should work, is the AD also the DNS server for the ovirt engine machine?

yes