
----- Original Message -----
From: "Nathan Stratton" <nathan@robotics.net>
To: "Itamar Heim" <iheim@redhat.com>
Cc: users@ovirt.org
Sent: Wednesday, February 22, 2012 1:03:33 AM
Subject: Re: [Users] LDAP
On Sun, 19 Feb 2012, Itamar Heim wrote:
On 02/19/2012 11:11 PM, Nathan Stratton wrote:
On Sun, 19 Feb 2012, Itamar Heim wrote:
The current code supports AD, FreeIPA/IPA and 389ds/RHDS. If Apache Directory Server is similar to any of them, you could try hacking the code to add support for it.
Ok, will go with 389 for now, it's in the family, though Gluster is in the family and you don't support it as a storage file system... : )
Please remember you need 389ds with Kerberos support.
Got it installed and set up. I am able to authenticate from Linux boxes with the new 389 LDAP, so I know that works. However, I am still running into issues getting ovirt-engine to work with it.
http://share.robotics.net/ldap.pcap
As you can see from the pcap, I see a DNS SRV query for _ldap._tcp.blinkmind.net and the box does talk to the LDAP box. I don't see anything on port 88, or an LDAP query for Kerberos; or does it just try to use the same IP as LDAP?
2012-02-21 16:59:48,411 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (http--0.0.0.0-8080-1) Failed ldap search server LDAP://ldap-master.hou.blinkmind.net:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
    at org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy.authenticateToKDC(GSSAPIDirContextAuthenticationStrategy.java:150) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy.explicitAuth(GSSAPIDirContextAuthenticationStrategy.java:119) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy.authenticate(GSSAPIDirContextAuthenticationStrategy.java:111) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.GSSAPILdapTemplateWrapper.useAuthenticationStrategy(GSSAPILdapTemplateWrapper.java:90) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.PrepareLdapConnectionTask.call(PrepareLdapConnectionTask.java:56) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.DirectorySearcher$1.call(DirectorySearcher.java:108) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.DirectorySearcher$1.call(DirectorySearcher.java:97) [engine-bll.jar:]
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) [:1.6.0_22]
    at java.util.concurrent.FutureTask.run(FutureTask.java:166) [:1.6.0_22]
    at org.ovirt.engine.core.utils.threadpool.ThreadPoolUtil$InternalWrapperRunnable.run(ThreadPoolUtil.java:57) [utils-3.0.0-0001.jar:]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [:1.6.0_22]
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) [:1.6.0_22]
    at java.util.concurrent.FutureTask.run(FutureTask.java:166) [:1.6.0_22]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [:1.6.0_22]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [:1.6.0_22]
    at java.lang.Thread.run(Thread.java:679) [:1.6.0_22]
2012-02-21 16:59:48,415 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Failed authenticating user: nathan to domain blinkmind.net. Ldap Query Type is getUserByName
2012-02-21 16:59:48,416 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND : nathan
2012-02-21 16:59:48,416 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND
Hey,

This error usually happens when there is no krb5.conf file, or there is one but your domain isn't in it. The krb5.conf file should be located in the $JBOSS_HOME/standalone/configuration directory.

How did you configure the new domain? Using the engine-manage-domains utility? Attaching the full server log and the krb5.conf file may help understand the problem.

We query for LDAP SRV records in the engine. In the utility we also query for Kerberos SRV records, and update the krb5.conf file accordingly. Then the Kerberos authentication uses the host updated in the krb5.conf file to perform the authentication.

Oved
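The SRV-to-krb5.conf flow Oved describes, and the check behind USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND, modelled offline as an added example. This is not oVirt's code and not what engine-manage-domains actually writes: the SRV answers are constructed inline (the kdc1/kdc2 hostnames are made up; only blinkmind.net and ldap-master.hou.blinkmind.net come from the thread), the realm is assumed to be the domain name upper-cased, and the krb5.conf layout is the generic MIT one. It shows which SRV names get looked up, how the answers would be ordered into kdc entries, and why a krb5.conf that lacks the domain's realm produces the "no KDCs found" condition.

```python
"""Added example (not oVirt code): offline model of the SRV -> krb5.conf flow Oved
describes, plus the check behind USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND.
DNS answers are constructed inline; realm = domain upper-cased is an assumption."""
import re
from typing import Dict, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)

# Constructed stand-in for real SRV answers; the kdc hostnames are made up.
SAMPLE_SRV: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.blinkmind.net": [(0, 100, 389, "ldap-master.hou.blinkmind.net")],
    "_kerberos._tcp.blinkmind.net": [
        (10, 50, 88, "kdc2.hou.blinkmind.net"),
        (0, 100, 88, "kdc1.hou.blinkmind.net"),
    ],
}

def srv_names(domain: str) -> List[str]:
    """Names looked up: the engine queries the LDAP one, the utility also the Kerberos ones."""
    return [f"_ldap._tcp.{domain}", f"_kerberos._tcp.{domain}", f"_kerberos._udp.{domain}"]

def kdcs_from_srv(records: List[SrvRecord]) -> List[str]:
    """Order answers as an SRV client does (lowest priority, then highest weight);
    render as krb5.conf kdc values, dropping the port when it is the default 88."""
    ordered = sorted(records, key=lambda r: (r[0], -r[1]))
    return [t if p == 88 else f"{t}:{p}" for _, _, p, t in ordered]

def build_krb5_conf(domain: str, srv: Dict[str, List[SrvRecord]] = SAMPLE_SRV) -> str:
    """What engine-manage-domains is described as doing: SRV lookup, then write the realm."""
    realm = domain.upper()
    kdcs = kdcs_from_srv(srv.get(f"_kerberos._tcp.{domain}", []))
    lines = ["[libdefaults]", f"  default_realm = {realm}", "", "[realms]", f"  {realm} = {{"]
    lines += [f"    kdc = {k}" for k in kdcs]
    lines += ["  }", "", "[domain_realm]", f"  .{domain} = {realm}", f"  {domain} = {realm}"]
    return "\n".join(lines) + "\n"

def parse_realms(krb5_text: str) -> Dict[str, List[str]]:
    """{REALM: [kdc, ...]} from the [realms] section; krb5.conf's brace stanzas
    are not INI, so configparser cannot be used here."""
    realms: Dict[str, List[str]] = {}
    section = current = None
    for raw in krb5_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section = m.group(1)
        elif section != "realms":
            continue
        elif m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
            current = m.group(1)
            realms[current] = []
        elif line == "}":
            current = None
        elif current and (m := re.match(r"kdc\s*=\s*(\S+)", line)):
            realms[current].append(m.group(1))
    return realms

def diagnose(domain: str, krb5_text: Optional[str]) -> str:
    """The two causes Oved names (no file, realm absent), plus an empty realm."""
    if krb5_text is None:
        return "krb5.conf missing"
    realm = domain.upper()
    kdcs = parse_realms(krb5_text).get(realm)
    if kdcs is None:
        return f"realm {realm} not in krb5.conf"
    if not kdcs:
        return f"realm {realm} has no kdc entries"
    return f"ok: {len(kdcs)} KDC(s) for {realm}"

# Constructed krb5.conf that only knows another realm: reproduces the failure.
STALE_KRB5_CONF = """[libdefaults]
  default_realm = EXAMPLE.COM
[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
  }
"""

if __name__ == "__main__":
    dom = "blinkmind.net"
    print(srv_names(dom))
    print(diagnose(dom, None))
    print(diagnose(dom, STALE_KRB5_CONF))
    fixed = build_krb5_conf(dom)
    print(fixed)
    print(diagnose(dom, fixed))
```

To use this against a real engine, point `diagnose()` at the contents of $JBOSS_HOME/standalone/configuration/krb5.conf and compare the realm it reports missing with the domain in the "Failed authenticating user ... to domain" log line; the pcap observation in the thread (an _ldap._tcp SRV query but nothing on port 88) is consistent with the engine never reaching a KDC because no realm entry told it where one is.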
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users