=20 ----- Original Message -----
=20 ----- Original Message -----
From: "Cameron Christensen" <cameron.christensen@uk2group.com> To: users@ovirt.org Sent: Friday, November 14, 2014 5:39:54 PM Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails = to IPA =20 Hello, =20 I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. Starting up ovrit-engine the extension manager fails to properly lo= ad the service that handles Kerberos/LDAP. =20 This is probably a bug, can you please execute the following and past= e result: =20 # PGPASSWORD=3D"@PASSWORD@" psql -U engine -d engine -c "select * fro= m vdc_options where option_name=3D'LDAPSecurityAuthentication'" =20 =20
From: "Cameron Christensen" <cameron.christensen@uk2group.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Monday, November 17, 2014 11:43:34 PM Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails = to IPA =20 =20 =20 On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote: option_id | option_name | option_value | version -----------+----------------------------+-------------------+--------- 165 | LDAPSecurityAuthentication | example.org:GSSAPI | general =20 I replaced my domain name with 'example.org' =20 =20 I thought it will be empty... and it contains valid value. Yair? =20 Looking through the vdc_options table I noticed that many of the LDAP* and Ad* settings use two different spellings for the Kerberos/LDAP domain. One in all upper case letters, EXAMPLE.ORG and one in all lower case, example.org. (I'm guessing this is to handle either spelling of
--=-ab3ttqn+JA1ntsEfrJq5 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Mon, 2014-11-17 at 16:48 -0500, Alon Bar-Lev wrote: the domain?) I updated LDAPSecurityAuthentication and set the option_value to use both the upper case and lower case domain name, 'EXAMPLE.ORG:GSSAPI,example.org:GSSAPI'. select * from vdc_options where option_name =3D 'LDAPSecurityAuthentication'; option_id | option_name | option_value | version=20 -----------+----------------------------+----------------------------------= ---+--------- 165 | LDAPSecurityAuthentication | EXAMPLE.ORG:GSSAPI,example.org:GSSAPI | general Using both domain names I am able to authenticate, authorize and pull account information from the IPA server once again. Thanks for pointing me at the right location. Cameron --=-ab3ttqn+JA1ntsEfrJq5 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAABAgAGBQJUa3H+AAoJEM1PCzopIAOthPgIAIIFVSXNKLlmHAwjqVd6qEh7 +ClBsBOhNgKAjFGX7ucV/GPsyOBGPHrMsR4S9zkHHNUy7Jm0GTMPtkR4qjAiboA/ H87Zdas2PMbAIRi7uo/T4s0A4ptxI3q9rnqsNB/SBraefOnPwBbdW2EmAWcPV0lp 8XCssnnXgd9DEW9s9Dsrx/bGP+q+a3g0gGFTtPmWN36Bj9Tt6oKQUpd59lspsaQE ez2LVGiLt9c3P/TBk0kIdlM9ZisCiNVmYfbdZev96CP9werA73brPRXweyOCSZok TatV9URortCNHRRR9r6pcQoj70u8RzgnfuJRRP0BMrb3DxLVdZMuynI25D9tIC8= =do9Z -----END PGP SIGNATURE----- --=-ab3ttqn+JA1ntsEfrJq5--