
----- Original Message -----
From: "Cameron Christensen" <cameron.christensen@uk2group.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "Yair Zaslavsky" <yzaslavs@redhat.com>, users@ovirt.org
Sent: Tuesday, November 18, 2014 6:21:18 PM
Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
On Mon, 2014-11-17 at 16:48 -0500, Alon Bar-Lev wrote:
----- Original Message -----
From: "Cameron Christensen" <cameron.christensen@uk2group.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Monday, November 17, 2014 11:43:34 PM
Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
----- Original Message -----
From: "Cameron Christensen" <cameron.christensen@uk2group.com>
To: users@ovirt.org
Sent: Friday, November 14, 2014 5:39:54 PM
Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
Hello,
I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. When starting up ovirt-engine, the extension manager fails to properly load the service that handles Kerberos/LDAP.
This is probably a bug, can you please execute the following and paste result:
# PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"
 option_id |        option_name         |    option_value    | version
-----------+----------------------------+--------------------+---------
       165 | LDAPSecurityAuthentication | example.org:GSSAPI | general
I replaced my domain name with 'example.org'
I thought it would be empty... and it contains a valid value. Yair?
Looking through the vdc_options table I noticed that many of the LDAP* and Ad* settings use two different spellings for the Kerberos/LDAP domain. One in all upper case letters, EXAMPLE.ORG and one in all lower case, example.org. (I'm guessing this is to handle either spelling of the domain?)
I updated LDAPSecurityAuthentication and set the option_value to use both the upper case and lower case domain name, 'EXAMPLE.ORG:GSSAPI,example.org:GSSAPI'.
select * from vdc_options where option_name = 'LDAPSecurityAuthentication';
 option_id |        option_name         |             option_value              | version
-----------+----------------------------+---------------------------------------+---------
       165 | LDAPSecurityAuthentication | EXAMPLE.ORG:GSSAPI,example.org:GSSAPI | general
Just so we can continue to investigate - if you would like to get your LDAP and Kerberos SRV records, to which domain will you send them in your setup? dig SRV _ldap._tcp.EXAMPLE.ORG or dig SRV _ldap._tcp.example.org? The same goes for _kerberos._tcp.example.org and _kerberos._tcp.EXAMPLE.ORG.
Cheers,
Yair
Using both domain names I am able to authenticate, authorize and pull account information from the IPA server once again.
Thanks for pointing me at the right location.
Cameron
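As an added illustration of the case issue discussed in this thread (example code written for this edit, not oVirt's own; the "domain:method" list format is taken from the vdc_options rows above, while the parser, the two lookup functions and the SRV name helper are assumptions about how such a value might be consumed): a Kerberos realm is conventionally written in upper case (EXAMPLE.ORG) and the DNS domain in lower case (example.org), so an exact-match lookup against a single-spelling option value fails for one of the two, which is why listing both spellings worked. DNS itself is case-insensitive (RFC 4343), so both dig commands in Yair's question query the same SRV record.

```python
"""Parse an oVirt-3.x style LDAPSecurityAuthentication value and show why a
case-sensitive domain lookup breaks when the Kerberos realm and the DNS
domain spell the same directory differently. Example code, not oVirt's."""

from typing import Dict, Optional

# Constructed sample values, matching the shape of the vdc_options rows in the thread.
ORIGINAL_VALUE = "example.org:GSSAPI"
FIXED_VALUE = "EXAMPLE.ORG:GSSAPI,example.org:GSSAPI"


def parse_security_authentication(value: str) -> Dict[str, str]:
    """Split 'domain:method,domain:method' into {domain: METHOD}.

    The entry format is inferred from the rows shown in the thread; the
    engine's real parser is not shown there, so this is an assumption.
    """
    table: Dict[str, str] = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if ":" not in entry:
            raise ValueError(f"malformed entry, expected domain:method: {entry!r}")
        domain, method = entry.rsplit(":", 1)
        table[domain.strip()] = method.strip().upper()
    return table


def lookup_exact(table: Dict[str, str], domain: str) -> Optional[str]:
    """Case-sensitive lookup: the behaviour that made one spelling fail."""
    return table.get(domain)


def lookup_casefold(table: Dict[str, str], domain: str) -> Optional[str]:
    """Case-insensitive lookup: treats EXAMPLE.ORG and example.org as one domain."""
    wanted = domain.casefold()
    for configured, method in table.items():
        if configured.casefold() == wanted:
            return method
    return None


def srv_query_name(service: str, proto: str, domain: str) -> str:
    """Build the SRV owner name (e.g. _ldap._tcp.example.org).

    DNS names are case-insensitive (RFC 4343), so the domain is lower-cased
    purely to make logging and deduplication consistent; the resolver would
    return the same record for either spelling.
    """
    return f"_{service}._{proto}.{domain.lower()}"


if __name__ == "__main__":
    realm = "EXAMPLE.ORG"  # Kerberos realm, upper case by convention
    before = parse_security_authentication(ORIGINAL_VALUE)
    after = parse_security_authentication(FIXED_VALUE)
    print("exact lookup, original value :", lookup_exact(before, realm))
    print("casefold lookup, original    :", lookup_casefold(before, realm))
    print("exact lookup, fixed value    :", lookup_exact(after, realm))
    for d in ("EXAMPLE.ORG", "example.org"):
        print(srv_query_name("ldap", "tcp", d), srv_query_name("kerberos", "tcp", d))
```

Running it prints None for the exact lookup of the realm against the original single-spelling value and GSSAPI for the other two lookups, and the same two SRV names regardless of which spelling of the domain is passed in.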