On 06/18/2015 02:07 PM, Mitja Mihelič wrote:
> Hi!

Hi

> We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the
> LDAP domain on the login screen. Only internal is available.
> Our LDAP server is actually a 389DS instance and we are using it for
> authentication in oVirt without Kerberos. The existing setup has
> worked since the days of 3.2.
>
> When we try to validate the domain, we get
> [root@brda ~]# engine-manage-domains validate
> Error: Cannot authenticate user ovirt to domain guest.arnes.si,
> details: [LDAP: error code 32 - No Such Object]; nested exception is
> javax.naming.AuthenticationException: [LDAP: error code 32 - No Such
> Object]
> Failure while testing domain guest.arnes.si. Details: Cannot
> authenticate user to LDAP server.
>
> The LDAP log reports
> [18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
> As you can see there is a comma missing before "dc=guest,dc=arnes,dc=si".
>
> Before the upgrade the bind DN was generated properly as
> [18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3

So what is your search user's DN?
Is it:

dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"

or

dn="uid=ovirt,ou=People,dc=arnes,dc=si"

Is it possible for you to try whether a different user works fine?
Because a user with a very similar DN works just fine for me.

> This looks like a bug.
> Is there a quick fix we can do to fix this typo?
>
> We are also interested in knowing what is the correct way in 3.5 to
> add a domain that uses an LDAP server for its authentication source
> without Kerberos.

Please see the following links:

* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
* http://www.ovirt.org/Features/AAA
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
* https://github.com/machacekondra/ovirt-engine-kerbldap-migration

> Kind regards, Mitja
> --
> Mitja Mihelič
> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
> tel: +386 1 479 8800, fax: +386 1 479 88 99
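
Added example, not part of the original thread and not oVirt or 389DS code: a small Python scan of 389DS access-log BIND lines that flags bind DNs shaped like the one quoted above, where an RDN value contains an unescaped "=" (as in `ou=Peopledc=guest`). Such a DN is still syntactically valid under RFC 4514, which is consistent with the server answering error 32 (No Such Object) rather than rejecting the syntax, so the check is a heuristic. The function names are assumptions, and the sample log is constructed from the two entries in the thread, one per line.

```python
import re

# Constructed sample: the two BIND entries quoted in the thread, one per line.
SAMPLE_LOG = '''\
[18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
[18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3
'''
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')

def split_unescaped(text, sep):
    """Split on sep, skipping backslash-escaped characters (RFC 4514 escaping)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts

def dn_problems(dn):
    """Return heuristic findings for one DN; an empty DN (anonymous bind) is skipped."""
    # An unescaped '=' inside a value is legal, but it is the typical trace of
    # two DN fragments concatenated without the ',' separator.
    problems = []
    for rdn in (split_unescaped(dn, ",") if dn else []):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDNs use '+'
            pieces = split_unescaped(ava.strip(), "=")
            if len(pieces) < 2 or not pieces[0]:
                problems.append(f"'{ava.strip()}': no attribute=value pair")
            elif len(pieces) > 2:
                problems.append(f"'{ava.strip()}': unescaped '=' in value, separator likely missing")
    return problems

def suspicious_binds(log_text):
    """Return (conn, dn, problems) for every BIND line whose DN looks malformed."""
    hits = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        probs = dn_problems(m.group(3)) if m else []
        if probs:
            hits.append((int(m.group(1)), m.group(3), probs))
    return hits
```
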