
----- Original Message -----
From: "Gianluca Cecchi" <gianluca.cecchi@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "Ondra Machacek" <omachace@redhat.com>, "users" <users@ovirt.org>
Sent: Wednesday, December 10, 2014 11:22:27 PM
Subject: Re: [ovirt-users] Info on changing IPA server hostname in oVirt
On Wed, Dec 10, 2014 at 9:25 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
2014-12-10 19:03:16,554 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::ldap1-authn] Cannot initialize LDAP framework, deferring initialization. Error: no such object
This is interesting I never saw this error, can I ask you to enable debug?
Edit: /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in

Add the following before the <root-logger> line:

    <logger category="org.ovirt.engineextensions.aaa.ldap">
        <level name="ALL"/>
    </logger>

Also in 3.5.0 you need to modify the file-handler level to ALL instead of INFO:

    <file-handler name="ENGINE" autoflush="true">
        <level name="ALL"/>
Then restart engine and we should see lots of messages within engine.log.
Thanks! Alon
Hi, if you want I can send it to you... but I have understood.... I didn't change the domain parameters, leaving dc=company,dc=com inside the file /etc/ovirt-engine/aaa/ldap1.properties and changing only the "uid=..." part ;-)
In fact inside IPA log files I see this:
[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
After putting the correct values dc=localdomain,dc=local and restarting the engine (without debug symbols), all is OK and I can both search users and groups in ldap1 and connect to the engine webadmin portal with apparently correct privileges (only limited tests done).
Good!
Thanks and sorry for the misunderstanding... two questions:

1) What about the legacy, is it still working?
Yes, it should work, but it won't be improved or fixed apart from regression issues.
2) I see that the connection with LDAP apparently goes through port 389 and so in unencrypted mode. What should I configure to enable ldaps:// connection mode, as this is sensitive information?
Possibly these lines in ldap1.properties?
    # Create keystore, import certificate chain and uncomment
    # if using ssl/tls.
    #pool.default.ssl.startTLS = true
    #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
    #pool.default.ssl.truststore.password = changeit
but how do I use them, and where do I eventually put the IPA certificate? Do I have to convert the IPA ca.crt into some other format?
Better to use startTLS over ldaps. So yes, the above is the right setting. You should import the CA certificate, see instructions here [1].

Alon

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...
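As an added example (not part of the thread and not from the ovirt-engine-extension-aaa-ldap project), the steps the last two messages describe: import the IPA CA (PEM) into a JKS truststore with keytool, render the three uncommented ssl lines for the profile, and check a profile for leftover commented ssl settings. The CA path /etc/ipa/ca.crt, the server name ipa.localdomain.local and the password changeit are assumptions matching the template in the thread.

```shell
#!/bin/sh
# Added example: JKS truststore + startTLS settings for an ovirt aaa-ldap profile.
# Assumed: IPA CA at /etc/ipa/ca.crt, keystore named after the profile's server
# variable, store password "changeit" as in the commented template.

# Import the IPA CA chain (PEM, no conversion needed) into a JKS truststore,
# then confirm the alias is really present before pointing the engine at it.
build_truststore() {
    ca_pem=$1; jks=$2; storepass=$3
    keytool -importcert -noprompt -trustcacerts -alias ipa-ca \
        -file "$ca_pem" -keystore "$jks" -storepass "$storepass" >/dev/null 2>&1 || return 1
    keytool -list -keystore "$jks" -storepass "$storepass" -alias ipa-ca >/dev/null 2>&1
}

# Render the three ssl lines, uncommented, that ldap1.properties needs.
# $1 = server hostname (keystore base name), $2 = truststore password.
ssl_properties() {
    printf 'pool.default.ssl.startTLS = true\n'
    printf 'pool.default.ssl.truststore.file = ${local:_basedir}/%s.jks\n' "$1"
    printf 'pool.default.ssl.truststore.password = %s\n' "$2"
}

# A profile passes only if startTLS is on, a truststore is set and no
# commented-out ssl line was left behind (the state the thread started from).
check_profile() {
    grep -q '^pool\.default\.ssl\.startTLS = true' "$1" &&
    grep -q '^pool\.default\.ssl\.truststore\.file' "$1" &&
    ! grep -q '^#pool\.default\.ssl' "$1"
}

# Usage on an IPA client (assumed paths), keystore placed next to the profile:
#   build_truststore /etc/ipa/ca.crt /etc/ovirt-engine/aaa/ipa.localdomain.local.jks changeit
#   ssl_properties ipa.localdomain.local changeit >> /etc/ovirt-engine/aaa/ldap1.properties
#   check_profile /etc/ovirt-engine/aaa/ldap1.properties && echo "profile ok"
```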