----- Original Message -----
From: "Gianluca Cecchi" <gianluca.cecchi(a)gmail.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: "Ondra Machacek" <omachace(a)redhat.com>, "users" <users(a)ovirt.org>
Sent: Wednesday, December 10, 2014 11:22:27 PM
Subject: Re: [ovirt-users] Info on changing IPA server hostname in oVirt
On Wed, Dec 10, 2014 at 9:25 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>
>
> 2014-12-10 19:03:16,554 ERROR
> [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread
> 1-1) [ovirt-engine-extension-aaa-ldap.authn::ldap1-authn] Cannot initialize
> LDAP framework, deferring initialization. Error: no such object
>
> This is interesting, I never saw this error; can I ask you to enable debug?
>
> Edit:
> /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
>
> Add the following before the <root-logger> line:
> <logger category="org.ovirt.engineextensions.aaa.ldap">
> <level name="ALL"/>
> </logger>
>
> Also in 3.5.0 you need to modify file-handler level to ALL instead of INFO
> <file-handler name="ENGINE" autoflush="true">
> <level name="ALL"/>
>
> Then restart engine and we should see lots of messages within engine.log.
>
> Thanks!
> Alon
>
Hi,
if you want I'll send it to you... but I have understood....
I didn't change the domain parameters, leaving inside the file /etc/ovirt-engine/aaa/ldap1.properties
dc=company,dc=com
and changing only the "uid=..." part ;-)
In fact inside the IPA log files I see this:
[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
After putting the correct values
dc=localdomain,dc=local
and restarting the engine (without debug symbols), all is ok and I can both search users and groups in ldap1 and connect to the engine webadmin portal with apparently correct privileges (only limited tests done).
Good!
Thanks and sorry for the misunderstanding...
Two questions:
1) What about the legacy still working?
Yes, it should work, but it won't be improved or fixed apart from regression issues.
2) I see that the connection with LDAP apparently is through port 389 and so in unencrypted mode.
What should I configure to enable ldaps:// connection mode, as this is sensitive information?
Possibly these lines in ldap1.properties?
# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
but how do I use it, and where do I put the IPA certificate?
Do I have to convert the IPA ca.crt into some other format?
Better to use startTLS over ldaps.
So yes, the above is the right setting.
You should import the CA certificate; see the instructions here [1].
Alon
[1]
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
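The thread stops at "import the CA certificate". The script below is an added example (mine, not code from the thread or from the oVirt project) that does the two remaining steps: build the JKS truststore that the commented `pool.default.ssl.*` lines point at, and switch those lines on in the profile. It assumes `keytool` from the engine's JDK is on PATH, that the IPA CA certificate is the PEM file `/etc/ipa/ca.crt` (where IPA-enrolled hosts keep it; keytool reads PEM directly, so no conversion is needed), and that the truststore path `/etc/ovirt-engine/aaa/ipa.jks` and the password are placeholders you choose.

```shell
#!/bin/sh
# Added example, not code from the thread or from the oVirt project.
# Assumptions: keytool from the engine's JDK is on PATH; the IPA CA
# certificate is the PEM file /etc/ipa/ca.crt; truststore path and
# password are placeholders of your choosing.

# Import a PEM CA certificate into a JKS truststore, creating the store
# if it does not exist yet. keytool accepts PEM input directly, so the
# IPA ca.crt needs no format conversion.
# Usage: ipa_ca_to_jks /etc/ipa/ca.crt /etc/ovirt-engine/aaa/ipa.jks changeit
ipa_ca_to_jks() {
    ca="$1"; jks="$2"; pass="$3"
    [ -r "$ca" ] || { echo "CA certificate not readable: $ca" >&2; return 1; }
    keytool -importcert -noprompt -trustcacerts -storetype JKS \
        -alias ipa-ca -file "$ca" -keystore "$jks" -storepass "$pass" || return 1
    # Only public CA material is stored, so world-readable is fine; the
    # engine's service user must be able to read it but not rewrite it.
    chmod 0644 "$jks"
}

# Replace the commented-out pool.default.ssl.* lines of an aaa-ldap
# profile with active values: StartTLS on, truststore pointed at the JKS.
# Path and password must not contain '|' or '&' (used by the sed
# expressions). Rewrites via a temp file so GNU and BSD sed both work.
# Usage: enable_starttls_props /etc/ovirt-engine/aaa/ldap1.properties \
#            /etc/ovirt-engine/aaa/ipa.jks changeit
enable_starttls_props() {
    props="$1"; jks="$2"; pass="$3"
    [ -w "$props" ] || { echo "properties file not writable: $props" >&2; return 1; }
    sed \
        -e "s|^#*pool\.default\.ssl\.startTLS *=.*|pool.default.ssl.startTLS = true|" \
        -e "s|^#*pool\.default\.ssl\.truststore\.file *=.*|pool.default.ssl.truststore.file = $jks|" \
        -e "s|^#*pool\.default\.ssl\.truststore\.password *=.*|pool.default.ssl.truststore.password = $pass|" \
        "$props" > "$props.tmp" && mv "$props.tmp" "$props"
}

# Report whether a profile has StartTLS switched on and points at a
# truststore file that actually exists; exit status 0 means yes.
# Usage: starttls_configured /etc/ovirt-engine/aaa/ldap1.properties
starttls_configured() {
    props="$1"
    grep -q '^pool\.default\.ssl\.startTLS *= *true *$' "$props" || return 1
    store=$(sed -n 's|^pool\.default\.ssl\.truststore\.file *= *||p' "$props")
    [ -n "$store" ] && [ -r "$store" ]
}
```

Run `ipa_ca_to_jks` first, then `enable_starttls_props` against `ldap1.properties`, restart the engine, and use `starttls_configured` as a quick post-change check. Note that with StartTLS the client still connects to port 389 and then upgrades the connection to TLS before binding, so seeing port 389 in `netstat` after the change is expected; what should disappear is the bind password on the wire. If your OpenSSL supports it, `openssl s_client -connect <ipa-server>:389 -starttls ldap` confirms the server offers the upgrade and shows which CA signed its certificate.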