On Mon, 2014-11-17 at 16:48 -0500, Alon Bar-Lev wrote:

----- Original Message -----
> From: "Cameron Christensen" <cameron.christensen(a)uk2group.com>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> Cc: users(a)ovirt.org
> Sent: Monday, November 17, 2014 11:43:34 PM
> Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
>
>
>
> On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
> >
> > ----- Original Message -----
> > > From: "Cameron Christensen" <cameron.christensen(a)uk2group.com>
> > > To: users(a)ovirt.org
> > > Sent: Friday, November 14, 2014 5:39:54 PM
> > > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
> > >
> > > Hello,
> > >
> > > I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA.
> > > Starting up ovirt-engine the extension manager fails to properly load
> > > the service that handles Kerberos/LDAP.
> >
> > This is probably a bug, can you please execute the following and paste
> > result:
> >
> > # PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"
> >
>
>  option_id |        option_name         |    option_value    | version
> -----------+----------------------------+--------------------+---------
>        165 | LDAPSecurityAuthentication | example.org:GSSAPI | general
>
> I replaced my domain name with 'example.org'
>

I thought it will be empty... and it contains valid value. Yair?

Looking through the vdc_options table I noticed that many of the LDAP*
and Ad* settings use two different spellings for the Kerberos/LDAP
domain. One in all upper case letters, EXAMPLE.ORG and one in all lower
case, example.org. (I'm guessing this is to handle either spelling of
the domain?)

I updated LDAPSecurityAuthentication and set the option_value to use
both the upper case and lower case domain name,
'EXAMPLE.ORG:GSSAPI,example.org:GSSAPI'.

select * from vdc_options where option_name = 'LDAPSecurityAuthentication';

 option_id |        option_name         |             option_value              | version
-----------+----------------------------+---------------------------------------+---------
       165 | LDAPSecurityAuthentication | EXAMPLE.ORG:GSSAPI,example.org:GSSAPI | general

Using both domain names I am able to authenticate, authorize and pull
account information from the IPA server once again.

Thanks for pointing me at the right location.

Cameron
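
Added example, not part of the original message or of oVirt's code: a small audit for the inconsistency described above, flagging options that carry only one spelling of a domain while other options carry more. It assumes values are comma-separated "domain:value" entries as in the row shown; the option names other than LDAPSecurityAuthentication and all row values are constructed sample data.

```python
# Added example: audit domain-name spellings across domain-keyed option values.
# Assumption: each value is a comma-separated list of "domain:value" entries,
# as in the LDAPSecurityAuthentication row quoted in the thread.

def domain_keys(option_value):
    """Return the set of domain keys found in a 'dom:val,dom:val' string."""
    keys = set()
    for entry in option_value.split(","):
        # Split on the first colon only, so values containing ':' survive.
        domain, sep, _ = entry.strip().partition(":")
        if sep and domain:
            keys.add(domain)
    return keys


def missing_spellings(rows):
    """Map option_name -> sorted spellings that other options carry for a
    domain this option already lists, but which this option lacks.
    Comparison is exact (case-sensitive) on purpose."""
    per_option = {name: domain_keys(value) for name, value in rows}
    all_keys = set().union(*per_option.values())
    report = {}
    for name, keys in per_option.items():
        known = {k.lower() for k in keys}  # domains this option knows at all
        missing = sorted(k for k in all_keys - keys if k.lower() in known)
        if missing:
            report[name] = missing
    return report


# Constructed sample rows (option_name, option_value) for illustration only.
BEFORE = [
    ("LDAPSecurityAuthentication", "example.org:GSSAPI"),
    ("AdUserName", "EXAMPLE.ORG:admin,example.org:admin"),
    ("LDAPProviderTypes", "EXAMPLE.ORG:IPA,example.org:IPA"),
]
AFTER = [
    ("LDAPSecurityAuthentication", "EXAMPLE.ORG:GSSAPI,example.org:GSSAPI"),
] + BEFORE[1:]

if __name__ == "__main__":
    print("before:", missing_spellings(BEFORE))
    print("after: ", missing_spellings(AFTER))
```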