
I got a little further. When testing after the setup, I got a Credential Invalid error until I added what Edward previously suggested, except I had to use "Person" instead of "inetOrgPerson" because my LDAP server doesn't provide uidObject as well.

Line added to /etc/ovirt-engine/aaa/MYDOMAIN.com.properties:

sequence.openldap-init-vars.040.var-set.value = (objectClass=Person)

Once I did that and restarted the service, ovirt-engine-extensions-tool gives me the following. Not sure why it won't pull the principal record.

2019-09-06 10:50:15,032-04 INFO ========================================================================
2019-09-06 10:50:15,032-04 INFO ============================== Execution ===============================
2019-09-06 10:50:15,032-04 INFO ========================================================================
2019-09-06 10:50:15,033-04 INFO Iteration: 0
2019-09-06 10:50:15,033-04 INFO Profile='MYDOMAIN.com' authn='MYDOMAIN.com-authn' authz='MYDOMAIN.com' mapping='null'
2019-09-06 10:50:15,034-04 INFO API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='MYDOMAIN.com' user='MYUSERNAME'
Password:
2019-09-06 10:50:18,822-04 INFO API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='MYDOMAIN.com' result=SUCCESS
2019-09-06 10:50:18,824-04 INFO --- Begin AuthRecord ---
2019-09-06 10:50:18,824-04 INFO --- End AuthRecord ---
2019-09-06 10:50:18,825-04 INFO API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='null'
2019-09-06 10:50:18,837-04 SEVERE Cannot locate principal 'null'