Yes, I found out my original problem stemmed from the fact that I had not created a normal
user account after my initial 389 DS setup. Once I created the normal user account I
logged into the engine as the internal admin user. I assigned the normal user account the
super user role. I logged out as internal admin and logged in as the new user / super
user using the newly created profile. So at least for the AAA setup everything seems to
work ok. I created some additional users in 389 DS and I can view them from the engine.
Thank you for your help!
________________________________
From: Ondra Machacek <omachace(a)redhat.com>
Sent: Wednesday, November 14, 2018 8:54 AM
To: Jeremy Tourville; users(a)ovirt.org
Subject: Re: [ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed
You need to create some users in 'dc=cyber-range,dc=lan'; you can switch
to it in the 389ds GUI console and create some users there, then use those
users in aaa-ldap-setup and also in the oVirt engine GUI.
On 11/9/18 10:24 AM, Jeremy Tourville wrote:
An update: I was able to complete the setup. It says it was
successful, but I still can't log in using the engine web interface. I selected the
newly created profile using the dropdown arrow and entered my admin user and password. I
get the error "Unable to login. Verify your login information or contact the system
administrator."
I attached my log showing the setup completion.
________________________________
From: Jeremy Tourville <jeremy_tourville(a)hotmail.com>
Sent: Monday, November 5, 2018 2:58 PM
To: Ondra Machacek
Cc: users(a)ovirt.org
Subject: Re: [ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed
>>> Can you try to run that on command line[1], or can you double check that such
>>> user exists?
Here is the result of the command:
[root@ldap ~]# ldapsearch -x -H ldap://ldap.cyber-range.lan -b
'dc=cyber-range,dc=lan' -D
'uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot' -W uid=admin
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=cyber-range,dc=lan> with scope subtree
# filter: uid=admin
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
Basically, I did not create any users except for the ones that were "created"
during the setup-ds-admin.pl script run.
https://www.unixmen.com/install-and-configure-ldap-server-in-centos-7/
I ran the script just like the article did, including the names; I did, however, change the
server and domain names to match mine. I didn't create any users using the GUI or
ldapmodify after the initial setup. Do I need to create a user with the needed bind
privileges, or is my problem somewhere else?
________________________________
From: Ondra Machacek <omachace(a)redhat.com>
Sent: Monday, November 5, 2018 4:15 AM
To: Jeremy Tourville; Donny Davis
Cc: users(a)ovirt.org
Subject: Re: [ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed
Looking at logs you may see:
2018-10-31 16:48:09,331-05 FINE Performing SearchRequest
'SearchRequest(baseDN='dc=cyber-range,dc=lan', scope=SUB, deref=NEVER,
sizeLimit=0, timeLimit=0,
filter='&(objectClass=organizationalPerson)(uid=*)(uid=admin)',
attrs={nsuniqueid, uid, cn, displayName, department, givenName, sn,
title, mail})' request on server 'ldap.cyber-range.lan'
2018-10-31 16:48:09,333-05 FINE SearchResult:
SearchResult(resultCode=0 (success), messageID=3, entriesReturned=0,
referencesReturned=0)
So the AAA is trying to search for user uid=admin in the namespace
dc=cyber-range,dc=lan, but 389ds returns nothing. Can you try to run
that on the command line[1], or can you double check that such a user exists?
It seems like the admin which you use in vars.user, from the namespace
o=NetscapeRoot, can't search in the namespace dc=cyber-range,dc=lan.
Try to use as vars.user a user from the namespace dc=cyber-range,dc=lan.
[1] ldapsearch -x -H ldap://ldap.cyber-range.lan -b
'dc=cyber-range,dc=lan' -D
'uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot' -W
uid=admin
On 11/2/18 2:01 PM, Jeremy Tourville wrote:
> I have been trying to find the setting to confirm that.
>
> On Nov 2, 2018 7:43 AM, Donny Davis <donny(a)fortnebula.com> wrote:
> Is binding allowed in your 389ds instance?
>
>
> On Fri, Nov 2, 2018, 8:11 AM Jeremy Tourville
> <jeremy_tourville@hotmail.com> wrote:
> The backend is 389 DS; no, this is not Govt related. This will be used as a training
> platform for my local ISSA chapter. This is a new 389 DS server. I followed the
> instructions at
> https://www.unixmen.com/install-and-configure-ldap-server-in-centos-7/
> The server is "stock" with the exception of the settings for startTLS and
> adding certificates, etc. (basically, whatever is needed to integrate with the oVirt
> Engine.)
> I am using my Admin account to perform the bind. What I don't understand is why
> everything else in the aaa setup script works except the login sequence. It would seem
> like my certificates are correct, correct use of the admin DN, etc. The funny part is I
> can log in to the server using the admin account and password, yet the same admin account
> and password fail when using the aaa setup script. But that is why I am using the expert
> knowledge on the list! Maybe I have overlooked a simple prerequisite setting needed for
> setup somewhere?
>
> I'll wait for someone to chime in on possible reasons to get this message:
> SEVERE Authn.Result code is: CREDENTIALS_INVALID
> [ ERROR ] Login sequence failed
>
> ______________________________________________
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-leave@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/TGT7ASCWSUT...
>
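Added example, not part of the thread: a POSIX shell script that replays the search from Ondra's log excerpt as whatever bind DN you pass in, classifies the outcome so that "bind accepted, zero entries" (the thread's case) is told apart from "bind rejected", and prints LDIF for a user under the suffix as Ondra suggested. It assumes the OpenLDAP ldapsearch client, the default ou=People container that setup-ds-admin.pl creates, and a placeholder password.

```shell
# Added example (not from the thread): replay the AAA's search, classify the
# result, and emit LDIF for a user under the suffix. Names come from the thread.
BASE='dc=cyber-range,dc=lan'
HOST='ldap://ldap.cyber-range.lan'
AAA_FILTER='(&(objectClass=organizationalPerson)(uid=*)(uid=admin))'  # from the AAA log
# classify_search: ldapsearch output (stdout+stderr) on stdin -> one word:
#   BIND_FAILED   bind rejected, nothing was searched
#   NO_RESULT     no 'result:' line (connection or TLS problem)
#   NO_SUCH_BASE  result 32: the base DN does not exist on this server
#   EMPTY_RESULT  result 0 but no entries: the thread's case
#   OK            at least one entry matched; LDAP_ERROR otherwise
classify_search() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q '^ldap_bind:'; then echo BIND_FAILED; return; fi
  code=$(printf '%s\n' "$out" | sed -n 's/^result: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
  entries=$(printf '%s\n' "$out" | grep -c '^dn:' || true)
  case "$code" in
    '') echo NO_RESULT ;;
    0)  [ "$entries" -gt 0 ] && echo OK || echo EMPTY_RESULT ;;
    32) echo NO_SUCH_BASE ;;
    *)  echo LDAP_ERROR ;;
  esac
}
# aaa_probe BIND_DN: run the AAA's exact search as the bind DN given to aaa-ldap-setup.
aaa_probe() {
  ldapsearch -x -H "$HOST" -b "$BASE" -D "$1" -W "$AAA_FILTER" uid 2>&1 | classify_search
}

# user_ldif UID CN SN: inetOrgPerson under ou=People,$BASE (default 389 DS layout, an
# assumption). inetOrgPerson derives from organizationalPerson, so the entry matches
# the AAA filter above. Replace the placeholder password, then pipe into ldapadd.
user_ldif() {
  cat <<EOF
dn: uid=$1,ou=People,$BASE
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: $1
cn: $2
sn: $3
userPassword: CHANGE_ME
EOF
}
# Constructed sample with the shape of Jeremy's output: result 0, no dn: lines.
SAMPLE_EMPTY='search: 2
result: 0 Success
# numResponses: 1'
classify_sample() { printf '%s\n' "$SAMPLE_EMPTY" | classify_search; }
```

Run `aaa_probe 'uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot'` against the live server to reproduce the thread's EMPTY_RESULT, then `user_ldif jtourville 'Jeremy Tourville' Tourville | ldapadd -x -H "$HOST" -D "$BIND_DN" -W` to add a user the AAA filter can find.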