On 19. 06. 2015 12:44, Alon Bar-Lev wrote:
----- Original Message -----
> From: "Mitja Mihelič" <mitja.mihelic(a)arnes.si>
> To: "Ondra Machacek" <omachace(a)redhat.com>, users(a)ovirt.org
> Sent: Friday, June 19, 2015 1:39:14 PM
> Subject: Re: [ovirt-users] LDAP bind DN generation problem
>
> On 18/06/15 14:49, Ondra Machacek wrote:
>
>
> On 06/18/2015 02:07 PM, Mitja Mihelič wrote:
>
>
> Hi!
> Hi
>
> We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the LDAP
> domain on the login screen. Only internal is available.
> Our LDAP server is actually a 389DS instance and we are using it for
> authentication in oVirt without Kerberos. The existing setup has worked
> since the days of 3.2.
>
> When we try to validate the domain, we get
> [root@brda ~]# engine-manage-domains validate
> Error: Cannot authenticate user ovirt to domain guest.arnes.si, details:
> [LDAP: error code 32 - No Such Object]; nested exception is
> javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
> Failure while testing domain guest.arnes.si. Details: Cannot authenticate
> user to LDAP server.
>
> The LDAP log reports
> [18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND
> dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
> As you can see there is a comma missing before "dc=guest,dc=arnes,dc=si".
>
> Before the upgrade the bind DN was generated properly as
> [18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND
> dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3
>
> So what is your search user's DN?
> Is it:
> dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"
>
> or
>
> dn="uid=ovirt,ou=People,dc=arnes,dc=si"
>
> Is it possible for you to try whether a different user works fine?
> Because a user with a very similar DN works just fine for me.
> At the time of posting I did not notice the difference, thanks for the spot.
> The correct DN is dn="uid=ovirt,ou=People,dc=arnes,dc=si".
> Although that means that after upgrading to 3.5 the DN for the search user is
> formatted differently when issuing an LDAP bind request.
>
> In the end we noticed that the AAA part of oVirt was reworked in 3.5. We
> deleted the old LDAP domain, that we manually inserted into the database
> back in 3.2 days. Then we added LDAP as an authentication source as per AAA
> instructions, which we found a bit vague. The README on github for the AAA
> extension provided most of the information.
>
> We also found that the format of external_id in the users table had been
> changed from fdfc627c-d875-11e0-90f0-83df133b58cc to
> fdfc627c-d87511e0-90f083df-133b58cc. So naturally users could not log in.
> Instead additional users were created with this new format external_id, a
> namespace with "dc=arnes,dc=si" and a new user_id.
> We manually deleted the faux users, updated the external_id to the new format
> and added a namespace entry for existing users.
> That worked for us.
The conversion tool should have taken care of all of these. Have you tried to use it?
Sorry, no. We didn't know of its existence then. Can you provide a link
to its page?
> Kind regards, Mitja
>
> This looks like a bug.
> Is there a quick fix we can do to fix this typo?
>
> We are also interested in knowing what is the correct way in 3.5 to add a
> domain that uses an LDAP server for its authentication source without
> Kerberos.
>
> Please see the following links:
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b...
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b...
> * http://www.ovirt.org/Features/AAA
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=t...
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b...
> * https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>
> Kind regards, Mitja
> --
> Mitja Mihelič
> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
> tel: +386 1 479 8800, fax: +386 1 479 88 99
>
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
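Two post-upgrade checks that follow from this thread, written as an added example (not code from the thread, from oVirt, or from the aaa-ldap extension). The first scans 389DS access-log BIND lines of the shape quoted above and flags a bind DN in which an RDN is not a single attr=value pair, which is exactly how the dropped comma in "ou=Peopledc=guest" shows up. The second regroups an external_id from the old 8-4-4-4-12 form into the 8-8-8-8 form the thread reports; the one pair quoted in the thread is the only evidence for that rule here, so it is an assumption. The log lines are constructed samples copied in shape from the thread.

```python
import re

# Constructed sample lines, modelled on the 389DS access-log excerpts quoted in
# the thread. The second bind DN is missing the comma before "dc=guest".
SAMPLE_ACCESS_LOG = """\
[18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3
[18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
"""

BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')

# Heuristic shape of one RDN: attribute type, '=', value with no further '='.
# RFC 4514 does permit '=' inside a value, so this is a detection aid for the
# "two RDNs run together" symptom, not a full DN validator.
RDN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=[^=,]+$')


def split_rdns(dn):
    """Split a DN on unescaped commas (RFC 4514 allows '\\,' inside a value)."""
    return re.split(r'(?<!\\),', dn)


def dn_problems(dn):
    """Return the RDNs of dn that do not look like a single attr=value pair."""
    return [rdn for rdn in split_rdns(dn) if not RDN_RE.match(rdn.strip())]


def find_malformed_binds(log_text):
    """Return (conn, dn, bad_rdns) for every BIND line whose DN looks malformed."""
    results = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if not m:
            continue  # not a BIND line
        bad = dn_problems(m.group("dn"))
        if bad:
            results.append((int(m.group("conn")), m.group("dn"), bad))
    return results


def to_new_external_id(old_id):
    """Regroup a 32-hex-digit id from 8-4-4-4-12 into 8-8-8-8.

    Assumption: the regrouping is inferred from the single old/new pair quoted
    in the thread; verify against your own users table before bulk-updating.
    """
    hexdigits = old_id.replace("-", "").lower()
    if len(hexdigits) != 32 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError("not a 32-hex-digit id: %r" % old_id)
    return "-".join(hexdigits[i:i + 8] for i in range(0, 32, 8))


if __name__ == "__main__":
    for conn, dn, bad in find_malformed_binds(SAMPLE_ACCESS_LOG):
        print("conn=%d malformed bind DN %r: suspicious RDN(s) %s" % (conn, dn, bad))
    print(to_new_external_id("fdfc627c-d875-11e0-90f0-83df133b58cc"))
```

Running it over a real access log only flags BIND operations; a DN such as the thread's good one passes untouched, while the run-together RDN is reported with its connection id so it can be matched to the engine's validate attempt. Use the conversion function to compare, not overwrite: compute the new form for each existing external_id and check it against the rows the engine created on its own before deleting anything.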