Yes, I found out my original problem stemmed from the fact that I had not created a normal user account after my initial 389 DS setup. Once I created the normal user account I logged into the engine as the internal admin user. I assigned the normal user account the super user role. I logged out as internal admin and logged in as the new user / super user using the newly created profile. So at least for the AAA setup everything seems to work ok. I created some additional users in 389 DS and I can view them from the engine. Thank you for your help! ________________________________ From: Ondra Machacek <omachace@redhat.com> Sent: Wednesday, November 14, 2018 8:54 AM To: Jeremy Tourville; users@ovirt.org Subject: Re: [ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed You need to create some users in 'dc=cyber-range,dc=lan', you can switch to it in 389ds GUI console and there create some users, and use those users in aaa-ldap-setup and also in oVirt engine gui. On 11/9/18 10:24 AM, Jeremy Tourville wrote:
An update, I was able to complete the setup. It says it was successful but I still can't login using the engine web interface. I selected the newly created profile using the dropdown arrow and entered my admin user and password. I get an error "Unable to login. Verify your login information or contact the system administrator."
I attached my log showing the setup completion.
________________________________ From: Jeremy Tourville <jeremy_tourville@hotmail.com> Sent: Monday, November 5, 2018 2:58 PM To: Ondra Machacek Cc: users@ovirt.org Subject: Re: [ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed
Can you try to run that on command line[1], or can you double check that such user exists?
Here is the result of the command: [root@ldap ~]# ldapsearch -x -H ldap://ldap.cyber-range.lan -b 'dc=cyber-range,dc=lan' -D 'uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot' -W uid=admin Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=cyber-range,dc=lan> with scope subtree # filter: uid=admin # requesting: ALL #
# search result search: 2 result: 0 Success
# numResponses: 1
Basically, I did not create any users except for the ones that were "created" during the setup-ds-admin.pl script run. https://www.unixmen.com/install-and-configure-ldap-server-in-centos-7/ I ran the script just like the article did to include names, I did however change the server and domain names to match mine. I didn't create any users using the GUI or ldapmodify after the initial setup. Do I need to create a user with the needed bind privileges or is my problem somewhere else?
________________________________ From: Ondra Machacek <omachace@redhat.com> Sent: Monday, November 5, 2018 4:15 AM To: Jeremy Tourville; Donny Davis Cc: users@ovirt.org Subject: Re: [ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed
Looking at logs you may see:
2018-10-31 16:48:09,331-05 FINE Performing SearchRequest 'SearchRequest(baseDN='dc=cyber-range,dc=lan', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectClass=organizationalPerson)(uid=*)(uid=admin)', attrs={nsuniqueid, uid, cn, displayName, department, givenName, sn, title, mail})' request on server 'ldap.cyber-range.lan' 2018-10-31 16:48:09,333-05 FINE SearchResult: SearchResult(resultCode=0 (success), messageID=3, entriesReturned=0, referencesReturned=0)
So the AAA is trying to search user uid=admin in namespace dc=cyber-range,dc=lan. But the 389ds return nothing. Can you try to run that on command line[1], or can you double check that such user exists?
Seems like admin which you use in vars.user, from namespace o=NetscapeRoot, can't search in namespace dc=cyber-range,dc=lan.
Try to use as vars.use user from namespace dc=cyber-range,dc=lan.
[1] ldapsearch -x -H ldap://ldap.cyber-range.lan -b 'dc=cyber-range,dc=lan' -D 'uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot' -W uid=admin
On 11/2/18 2:01 PM, Jeremy Tourville wrote:
I have been trying to find the setting to confirm that.
On Nov 2, 2018 7:43 AM, Donny Davis <donny@fortnebula.com> wrote: Is binding allowed in your 389ds instance?
On Fri, Nov 2, 2018, 8:11 AM Jeremy Tourville <jeremy_tourville@hotmail.com<mailto:jeremy_tourville@hotmail.com> wrote: The backend is 389 DS, no this is not Govt related. This will be used as a training platform for my local ISSA chapter. This is a new 389 DS server. I followed the instructions at https://www.unixmen.com/install-and-configure-ldap-server-in-centos-7/ The server is "stock" with the exceptions of the settings for startTLS and adding certificates, etc (basically, whatever is needed to integrate with the Ovirt Engine.) I am using my Admin account to perform the bind. What I don't understand is why everything else in the aaa setup script works except the login sequence. It would seem like my certificates are correct, correct use of the admin DN, etc. The funny part is I can login to the server using the admin account and password yet the same admin account and password fail when using the aaa setup script. But, that is why I am using the expert knowledge on the list! Maybe I have overlooked a simple prerequisite setting needed for setup somewhere?
I'll wait for someone to chime in on possible reasons to get this message: SEVERE Authn.Result code is: CREDENTIALS_INVALID [ ERROR ] Login sequence failed
______________________________________________ Users mailing list -- users@ovirt.org<mailto:users@ovirt.org> To unsubscribe send an email to users-leave@ovirt.org<mailto:users-leave@ovirt.org> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/TGT7ASCWSUTU6T...
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/JN4AMQUNTFGL2N...