Hello Alon,

I have deleted the legacy domain with engine-manage-domains, and I have changed the configuration to an absolute file name, as you can see:

/etc/ovirt-engine/extensions.d/siee-local-authn.properties:

ovirt.engine.extension.name = siee-local-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = siee
ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties

/etc/ovirt-engine/extensions.d/siee-local-authz.properties:

ovirt.engine.extension.name = siee-local-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties

I had configured a relative file name because the example /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/extensions.d/domain1-authz.properties has a relative file name.

I have done the same: deleted engine.log, restarted ovirt-engine and tried to log in, and the same error is shown, "General command validation failure."

I attach the engine.log file.

Thanks,

Juanjo.
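
Added example, not part of the original messages: the load failure in this thread comes from a `config.profile.file.1` value that 3.5.0 only accepts as an absolute file name. The Python sketch below checks an extension file for a relative value or a missing target; the function names and the temporary sample tree are constructed for illustration and are not oVirt code.

```python
import os
import tempfile

def parse_properties(text):
    """Minimal 'key = value' reader; skips blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_extension(path):
    """Return (key, value, problem) for each bad config.profile.file.N entry."""
    with open(path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    findings = []
    for key, value in sorted(props.items()):
        if not key.startswith("config.profile.file."):
            continue
        if not os.path.isabs(value):
            # The 3.5.0 case from the thread: value must be absolute.
            findings.append((key, value, "relative path"))
        elif not os.path.isfile(value):
            findings.append((key, value, "file not found"))
    return findings

def demo():
    """Check three variants in a constructed tree (not real engine files)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        ext_dir = os.path.join(root, "extensions.d")
        os.makedirs(os.path.join(ext_dir, "aaa"))
        profile = os.path.join(ext_dir, "aaa", "siee.properties")
        with open(profile, "w", encoding="utf-8") as fh:
            fh.write("vars.domain = siee.local\n")
        variants = {"relative": "aaa/siee.properties", "absolute": profile,
                    "missing": os.path.join(ext_dir, "aaa", "absent.properties")}
        for name, target in variants.items():
            ext = os.path.join(ext_dir, name + "-authn.properties")
            with open(ext, "w", encoding="utf-8") as fh:
                fh.write("config.profile.file.1 = %s\n" % target)
            results[name] = [f[2] for f in check_extension(ext)]
    return results

if __name__ == "__main__":
    print(demo())
```

On a real engine host, `check_extension` would be pointed at each `*.properties` file under `/etc/ovirt-engine/extensions.d/` before restarting ovirt-engine.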


On Fri, Dec 5, 2014 at 9:52 AM, Alon Bar-Lev <alonbl@redhat.com> wrote:

Hi!

You have the following errors:

2014-12-05 09:32:31,778 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-5) Loading extension 'siee-local-authn'
2014-12-05 09:32:31,819 ERROR [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC service thread 1-5) Could not load extension based on configuration file '/etc/ovirt-engine/extensions.d/siee-local-authn.properties'. Please check the configuration file is valid. Exception message is: Error loading extension 'siee-local-authn': /aaa/siee.properties (No such file or directory)
2014-12-05 09:32:31,823 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-5) Loading extension 'siee-local-authz'
2014-12-05 09:32:31,824 ERROR [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC service thread 1-5) Could not load extension based on configuration file '/etc/ovirt-engine/extensions.d/siee-local-authz.properties'. Please check the configuration file is valid. Exception message is: Error loading extension 'siee-local-authz': /aaa/siee.properties (No such file or directory)

Per my last message, you should provide absolute file names if you use 3.5.0.
Please see inline comments below.

Also, you are trying to authenticate with the legacy provider:

2014-12-05 09:33:04,871 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server

Can you please use engine-manage-domains to remove the legacy (old) domain, so we reduce confusion?

Thanks!

----- Original Message -----
> From: "Juan Jose" <jj197005@gmail.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: "Ondra Machacek" <omachace@redhat.com>, "Yair Zaslavsky" <yzaslavs@redhat.com>, users@ovirt.org
> Sent: Friday, December 5, 2014 10:43:01 AM
> Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
>
> Hello Alon,
>
> I have done what you have said. My new configuration files are:
>
> /etc/ovirt-engine/extensions.d/siee-local-authn.properties:
>
> ovirt.engine.extension.name = siee-local-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = siee
> ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
> config.profile.file.1 = aaa/siee.properties

should be: /etc/ovirt-engine/extensions.d/aaa/siee.properties in 3.5.0 or can be ../aaa/siee.properties in 3.5.1.

>
> /etc/ovirt-engine/extensions.d/siee-local-authz.properties:
>
> ovirt.engine.extension.name = siee-local-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = aaa/siee.properties

should be: /etc/ovirt-engine/extensions.d/aaa/siee.properties in 3.5.0 or can be ../aaa/siee.properties in 3.5.1.


>
> /etc/ovirt-engine/extensions.d/aaa/siee.properties:
>
> include = <ad.properties>
>
> #
> # Active directory domain name.
> #
> vars.domain = siee.local
>
> #
> # Search user and its password.
> #
> vars.user = searcher@${global:vars.domain}
> vars.password = xxxxxxx
>
> #
> # Optional DNS servers, if enterprise
> # DNS server cannot resolve the domain srvrecord.
> #
> #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
>
> pool.default.serverset.type = srvrecord
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> # Uncomment if using custom DNS
> #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
> #pool.default.ssl.truststore.password = changeit
>
> After reconfiguring my files with ovirt-engine stopped, I have started
> ovirt-engine and I have tried to log in. The error persists,
> "General command validation failure." and after that I have stopped
> ovirt-engine again. I attach my engine.log file.
>
> Many thanks again,
>
> Juanjo.
>
>
> On Tue, Dec 2, 2014 at 3:46 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
>
> >
> >
> > ----- Original Message -----
> > > From: "Juan Jose" <jj197005@gmail.com>
> > > To: "Alon Bar-Lev" <alonbl@redhat.com>
> > > Cc: "Ondra Machacek" <omachace@redhat.com>, "Yair Zaslavsky" <yzaslavs@redhat.com>, users@ovirt.org
> > > Sent: Tuesday, December 2, 2014 3:48:54 PM
> > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > >
> > > Hello Alon and everybody,
> > >
> > > I have installed the package ovirt-engine-extension-aaa-ldap and configured my
> > > files as the documentation says. The files are:
> > >
> > > /etc/ovirt-engine/extensions.d/siee.local-authn.properties:
> > >
> > > ovirt.engine.extension.name = siee.local-authn
> > > ovirt.engine.extension.bindings.method = jbossmodule
> > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> > > ovirt.engine.aaa.authn.profile.name = siee.local
> > > ovirt.engine.aaa.authn.authz.plugin = siee.local-authz
> > > config.profile.file.1 = aaa/siee.local.properties
> >
> > please use an absolute file name for 3.5.0; relative will be available in 3.5.1
> >
> > >
> > > /etc/ovirt-engine/extensions.d/siee.local-authz.properties:
> > >
> > > ovirt.engine.extension.name = siee.local-authz
> > > ovirt.engine.extension.bindings.method = jbossmodule
> > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > > config.profile.file.1 = aaa/siee.local.properties
> >
> > please use an absolute file name for 3.5.0; relative will be available in 3.5.1
> >
> >
> > >
> > > /etc/ovirt-engine/extensions.d/aaa/siee.local.properties:
> > >
> > > include = <ad.properties>
> > >
> > > #
> > > # Active directory domain name.
> > > #
> > > vars.domain = siee.local
> > >
> > > #
> > > # Search user and its password.
> > > #
> > > vars.user = juanjo@${global:vars.domain}
> > > vars.password = xxxxxxxx
> >
> > this should be a dedicated user for search, not your private user.
> >
> > >
> > > #
> > > # Optional DNS servers, if enterprise
> > > # DNS server cannot resolve the domain srvrecord.
> > > #
> > > #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
> > >
> > > pool.default.serverset.type = srvrecord
> > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > pool.default.auth.simple.password = ${global:vars.password}
> > >
> > > # Uncomment if using custom DNS
> > > #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> > > #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> > >
> > > # Create keystore, import certificate chain and uncomment
> > > # if using ssl/tls.
> > > #pool.default.ssl.startTLS = true
> > > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
> > > #pool.default.ssl.truststore.password = changeit
> > >
> > > And after this configuration I restarted the ovirt-engine service. When I try to
> > > log in to the administrator portal I can see the error "The user name or
> > > password is incorrect.". In /var/log/ovirt-engine/engine.log I have the
> > > errors:
> > >
> > > 2014-12-02 14:02:21,983 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User juanjo cannot login, please verify the username and password.
> > > 2014-12-02 14:02:21,991 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User juanjo failed to log in.
> > >
> > > I'm using the correct user and password because I can log in on a Windows
> > > client machine which is inside the siee.local domain with this user and its
> > > correct password.
> > >
> > > What do you think the problem could be?
> > >
> > > If you need more information or I have to configure any other parameters,
> > > please tell me.
> >
> > please attach the full engine.log; more correctly, stop the engine, remove
> > engine.log, start the engine, try to log in and send the log.
> > please make sure you select the "siee.local" domain in the dropdown of the login
> > screen.
> >
> > when I get the engine.log I will be able to understand how to progress.
> >
> > thanks!
> >
> >
> > >
> > > Many thanks in advance,
> > >
> > > Juanjo.
> > >
> > >
> > >
> > > On Wed, Nov 26, 2014 at 3:19 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
> > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Juan Jose" <jj197005@gmail.com>
> > > > > To: "Alon Bar-Lev" <alonbl@redhat.com>
> > > > > Cc: "Ondra Machacek" <omachace@redhat.com>, "Yair Zaslavsky" <yzaslavs@redhat.com>, users@ovirt.org
> > > > > Sent: Wednesday, November 26, 2014 3:04:14 PM
> > > > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > > > >
> > > > > Hello Alon and everybody,
> > > > >
> > > > > I checked on my ovirt-engine machine for the ovirt-engine-aaa-ldap package
> > > > > and it is not available:
> > > > >
> > > > > yum list "ovirt-engine*"
> > > > > Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock
> > > > > Loading mirror speeds from cached hostfile
> > > > >  * base: ftp.udl.es
> > > > >  * epel: mirror.uv.es
> > > > >  * extras: ftp.udl.es
> > > > >  * ovirt-3.5: ftp.nluug.nl
> > > > >  * ovirt-3.5-epel: mirror.uv.es
> > > > >  * ovirt-3.5-jpackage-6.0-generic: mirror.ibcp.fr
> > > > >  * ovirt-epel: mirror.uv.es
> > > > >  * ovirt-jpackage-6.0-generic: mirror.ibcp.fr
> > > > >  * updates: ftp.udl.es
> > > > > Installed Packages
> > > > > ovirt-engine.noarch                                   3.5.0.1-1.el6   @ovirt-3.5
> > > > > ovirt-engine-backend.noarch                           3.5.0.1-1.el6   @ovirt-3.5
> > > > > ovirt-engine-cli.noarch                               3.3.0.6-1.el6   @ovirt-3.3.3
> > > > > ovirt-engine-dbscripts.noarch                         3.5.0.1-1.el6   @ovirt-3.5
> > > > > ovirt-engine-extensions-api-impl.noarch               3.5.0.1-1.el6   @ovirt-3.5
> > > > > ovirt-engine-jboss-as.x86_64                          7.1.1-1.el6     @ovirt-3.5
> > > > > ovirt-engine-lib.noarch                               3.5.0.1-1.el6   @ovirt-3.5
> > > > > ovirt-engine-restapi.noarch                           3.5.0.1-1.el6   @ovirt-3.5
> > > > > ovirt-engine-sdk-python.noarch                        3.5.0.8-1.el6   @ovirt-3.5
> > > > > ovirt-engine-setup.noarch                             3.5.0.1-1.el6   @ovirt-3.5
> > > > > ovirt-engine-setup-base.noarch                        3.5.0.1-1.el6   @ovirt-3.5
> > > > > ovirt-engine-setup-plugin-ovirt-engine.noarch         3.5.0.1-1.el6   @ovirt-3.5
> > > > > ovirt-engine-setup-plugin-ovirt-engine-common.noarch  3.5.0.1-1.el6   @ovirt-3.5
> > > > > ovirt-engine-setup-plugin-websocket-proxy.noarch      3.5.0.1-1.el6   @ovirt-3.5
> > > > > ovirt-engine-tools.noarch                             3.5.0.1-1.el6   @ovirt-3.5
> > > > > ovirt-engine-userportal.noarch                        3.5.0.1-1.el6   @ovirt-3.5
> > > > > ovirt-engine-webadmin-portal.noarch                   3.5.0.1-1.el6   @ovirt-3.5
> > > > > ovirt-engine-websocket-proxy.noarch                   3.5.0.1-1.el6   @ovirt-3.5
> > > > > Available Packages
> > > > > ovirt-engine-cli.noarch                               3.5.0.5-1.el6   ovirt-3.5
> > > > > ovirt-engine-dwh.noarch                               3.5.0-1.el6     ovirt-3.5
> > > > > ovirt-engine-dwh-setup.noarch                         3.5.0-1.el6     ovirt-3.5
> > > > > ovirt-engine-extensions-api-impl-javadoc.noarch       3.5.0.1-1.el6   ovirt-3.5
> > > > > ovirt-engine-reports.noarch                           3.5.1-0.1.el6   ovirt-3.5
> > > > > ovirt-engine-reports-setup.noarch                     3.5.1-0.1.el6   ovirt-3.5
> > > > > ovirt-engine-sdk-java.noarch                          3.5.0.5-1.el6   ovirt-3.5
> > > > > ovirt-engine-sdk-java-javadoc.noarch                  3.5.0.5-1.el6   ovirt-3.5
> > > > > ovirt-engine-setup-plugin-allinone.noarch
> > > > >
> > > > > How can I get this package?
> > > >
> > > >
> > > > Thanks for trying!
> > > >
> > > > Package is available at ovirt-3.5-snapshot[1].
> > > >
> > > > [1] http://resources.ovirt.org/pub/ovirt-3.5-snapshot/
> > > >
> > >
> >
>