This is a multi-part message in MIME format. --------------070103020009070604040701 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit On 06/18/2015 02:07 PM, Mitja Mihelič wrote:
Hi! Hi
We just upgaded oVirt from 3.4 to 3.5 and now users cannot select the LDAP domain on the login screen. Only internal is available. Our LDAP server is actually a 389DS instance and we are using for authentication in oVirt without Kerberos. The existing setup has worked since the days of 3.2.
When we try to validate the domain, we get [root@brda ~]# engine-manage-domains validate Error: Cannot authenticate user ovirt to domain guest.arnes.si, details: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object] Failure while testing domain guest.arnes.si. Details: Cannot authenticate user to LDAP server.
The LDAP log reports [18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3 As you can see there is a comma missing before "dc=guest,dc=arnes,dc=si".
Before the upgrade the bind DN was generated properly as [18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3
So what is your search user's DN ? Is it: dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si" or dn="uid=ovirt,ou=People,dc=arnes,dc=si" Is it possible for you to try if different user works fine? Because user with very similar DN works for me just OK.
This looks like a bug. Is there a quick fix we can do to fix this typo?
We are also interested in knowing what is the correct way in 3.5 to add a domain that uses an LDAP server for its authentication source without Kerberos.
Please see following links: *https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob... *https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob... *http://www.ovirt.org/Features/AAA *https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree... *https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob... *https://github.com/machacekondra/ovirt-engine-kerbldap-migration
Kind regards, Mitja -- -- Mitja Mihelič ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia tel: +386 1 479 8800, fax: +386 1 479 88 99
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
--------------070103020009070604040701 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit <html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> On 06/18/2015 02:07 PM, Mitja Mihelič wrote:<br> <blockquote cite="mid:5582B49B.6000803@arnes.si" type="cite"> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <font size="-1">Hi!<br> </font></blockquote> <font size="-1">Hi</font><br> <blockquote cite="mid:5582B49B.6000803@arnes.si" type="cite"><font size="-1"> <br> We just upgaded oVirt from 3.4 to 3.5 and now users cannot select the LDAP domain on the login screen. Only internal is available.<br> Our LDAP server is actually a 389DS instance and we are using for authentication in oVirt without Kerberos. The existing setup has worked since the days of 3.2.<br> <br> When we try to validate the domain, we get<br> [root@brda ~]# engine-manage-domains validate<br> Error: Cannot authenticate user ovirt to domain guest.arnes.si, details: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]<br> Failure while testing domain guest.arnes.si. Details: Cannot authenticate user to LDAP server.<br> <br> The LDAP log reports<br> [18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3<br> As you can see there is a comma missing before "dc=guest,dc=arnes,dc=si".<br> <br> Before the upgrade the bind DN was generated properly as<br> [18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3<br> </font></blockquote> <br> So what is your search user's DN ?<br> Is it:<br> <font size="-1">dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"<br> <br> </font>or<br> <br> <font size="-1">dn="uid=ovirt,ou=People,dc=arnes,dc=si"<br> </font><br> Is it possible for you to try if different user works fine?<br> Because user with very similar DN works for me just OK.<br> <br> <blockquote cite="mid:5582B49B.6000803@arnes.si" type="cite"><font size="-1"> <br> This looks like a bug.<br> Is there a quick fix we can do to fix this typo?<br> <br> We are also interested in knowing what is the correct way in 3.5 to add a domain that uses an LDAP server for its authentication source without Kerberos.<br> </font></blockquote> <br> Please see following links:<br> <pre wrap="">* <a class="moz-txt-link-freetext" href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD</a> * <a class="moz-txt-link-freetext" href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD</a> * <a class="moz-txt-link-freetext" href="http://www.ovirt.org/Features/AAA">http://www.ovirt.org/Features/AAA</a> * <a class="moz-txt-link-freetext" href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD</a> * <a class="moz-txt-link-freetext" href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6</a> * <a class="moz-txt-link-freetext" href="https://github.com/machacekondra/ovirt-engine-kerbldap-migration">https://github.com/machacekondra/ovirt-engine-kerbldap-migration</a> </pre> <br> <blockquote cite="mid:5582B49B.6000803@arnes.si" type="cite"><font size="-1"> <br> Kind regards, Mitja<br> </font> <pre class="moz-signature" cols="72">-- -- Mitja Mihelič ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia tel: +386 1 479 8800, fax: +386 1 479 88 99</pre> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Users@ovirt.org">Users@ovirt.org</a> <a class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/users">http://lists.ovirt.org/mailman/listinfo/users</a> </pre> </blockquote> <br> </body> </html> --------------070103020009070604040701--