On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:


On 11/20/2012 09:05 AM, Cristian Falcas wrote:



On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:



    On 11/20/2012 12:39 AM, Cristian Falcas wrote:



        On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim@redhat.com> wrote:

             On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:

                 On 11/19/2012 10:01 AM, Cristian Falcas wrote:

                     Hi,

                     I'm trying to add some users to ovirt using an AD.

                     This is the configuration I used for a mediawiki
                     site, which is working correctly:
                     $wgAuth = new LdapAuthenticationPlugin();
                     $wgLDAPUseLocal = true;
                     $wgLDAPDomainNames = array( "a_domain");
                     $wgLDAPServerNames = array( "a_domain"=>"site.example.com");
                     $wgLDAPEncryptionType = array( "a_domain"=>"clear");
                     $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME");
                     $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");



                     Those are the commands I tried using:
                     engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive

                     engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com -interactive

                     engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example.com -interactive


                 You don't add a user this way. You add the domain. You
                 have to pass the domain admin user and the domain admin password.


             any domain user will do, doesn't have to be an admin.
             what does the log say?


                 Then you can use the domain within the engine, e.g. search
                 users, add access rights for vms etc.
                 Even logging in to the engine and assigning rights within
                 the engine you can handle from the engine itself.

                 Regards,

                     And the output on all tries:
                     Enter password:

                     Error: Authentication Failed. Please verify the fully
                     qualified domain name that is used for authentication is correct..
                     Problematic domain is: domain_used_in_command
                     Failure while applying Kerberos configuration. Details:
                     Authentication Failed. Please verify the fully qualified domain
                     name that is used for authentication is correct.

                     Can someone help me with the correct parameters?


                     Best regards,
                     Cristian Falcas


                     _______________________________________________
                     Users mailing list
                     Users@ovirt.org
                     http://lists.ovirt.org/mailman/listinfo/users



                 --
                 Regards,

                 Vinzenz Feenstra | Senior Software Engineer
                 RedHat Engineering Virtualization R & D
                 Phone: +420 532 294 625

                 IRC: vfeenstr or evilissimo

                 Better technology. Faster innovation. Powered by community
                 collaboration.
                 See how it works at redhat.com










        Hi,

        This is the command I used (the same error is with -interactive
        parameter):

        engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass

        [root@localhost ~]# cat /tmp/pass
        qwerty[root@localhost ~]#

        This is the log:

        2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
        2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
        2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
        2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
        2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.


    Hi, the error indicates you don't have kerberos configured.
    manage-domains validates by default using GSSAPI/Kerberos (if I
    understand correctly, this is equivalent to running ldapsearch with the -Y
    gssapi option).
    I wonder if -x (simple authentication) will work for you as well (as
    manage-domains contains code for simple authentication as well).



        This is the ldapsearch command that works (it retrieves users)
        from the same machine:

        ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty


        Best regards,
        Cristian Falcas







Hi,

I used "-x" for ldapsearch and the result is the same: list retrieved.
Is there any equivalent for engine-manage-domains?

Cristian

Hi Cristian, there is no code that allows adding simple-authentication domains to Manage-Domains.
In the past we did have the ability to do that, but there are several problematic issues.
What ldap server are you working against? Maybe I missed that.




Hi,

The server is a Microsoft AD 2003.

Best regards,
Cristian Falcas
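The "Cannot locate KDC" error in the log above, which Yair's reply attributes to Kerberos not being configured, is raised when the Kerberos library has no way to find a KDC for the realm: no kdc entries in the realm's [realms] block and no DNS SRV lookup of _kerberos._tcp.<domain>. The following added example (not from this thread or from engine-manage-domains) parses a constructed krb5.conf and reports, per realm, which locators exist; it assumes dns_lookup_kdc defaults to true as in MIT krb5.

```python
# Added example, not from this thread or from engine-manage-domains: parse a
# krb5.conf and list how a KDC for a realm can be located. An empty list is
# the situation behind the "Cannot locate KDC" error in the log above.
import re

# Constructed sample: EXAMPLE.COM names its KDCs, A_DOMAIN names none, and
# DNS SRV lookup is disabled, so A_DOMAIN has no way to locate a KDC.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    dns_lookup_kdc = false
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
        kdc = dc2.example.com:88
    }
    A_DOMAIN = {
    }
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'NAME = { ... }' block becomes
    {key: [values]} because keys such as kdc may repeat inside it."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if re.fullmatch(r"\[\w+\]", line):         # section header
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif re.fullmatch(r"\S+\s*=\s*\{", line):  # block opener
            block = line.split("=")[0].strip()
            conf[section].setdefault(block, {})
        elif line == "}":                          # block close
            block = None
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if block is None:
                conf[section][key] = value
            else:
                conf[section][block].setdefault(key, []).append(value)
    return conf

def kdc_locators(conf, realm):
    """List the ways a KDC for `realm` can be found; [] means none."""
    realm_cfg = conf.get("realms", {}).get(realm, {})
    ways = [f"kdc entry {k}" for k in realm_cfg.get("kdc", [])]
    # Assumption: dns_lookup_kdc defaults to true, as it does in MIT krb5.
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", "true")
    if dns.lower() in ("true", "yes", "1"):
        ways.append(f"DNS SRV _kerberos._tcp.{realm.lower()}")
    return ways
```

Running kdc_locators over the realm manage-domains wrote into its krb5.conf shows whether the library even has a KDC address to try before the GSSAPI test runs.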