Re: [ovirt-users] Extension aaa: No search for principal

----- Original Message ----- I am unsure what actually happens... Something in global catalog is out of sync. Usually - you do not add domain administrator to external application... there is no need to expose it. By default Administrator does not have "login from network" and "user principal suffix". Also in my environment I do not get result for administrator, but I do get one for regular user that has upn suffix in user record, you can see these fields in user and domain manager. So please use regular unprivileged users which belongs to "Domain Users" from now on. To test if user has userPrincipalName use the following command (assuming we search for user(a)int.corp.de): $ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'bind(a)int.corp.de' -w PASSWORD -b '' '(userPrincipalName=user(a)int.corp.de)' cn userPrincipalName This should find the user (return one result), if not, please checkout user in Users and Domains manager for the domain suffix, maybe it is empty. To find user without userPrincipalName such as Administrator use the following command: $ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'bind(a)int.corp.de' -w PASSWORD -b '' '(sAMAccountName=user)' cn userPrincipalName For example, the above will work for Administrator, but for kerberos to work properly user principal name must be defined, so these users will not work. You can dump entire GC and send me a user record if no result so I can determine what is different from expectations: $ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'bind(a)int.corp.de' -w PASSWORD -b '' > /tmp/dump.out Regards, Alon