On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:


On 11/20/2012 12:39 AM, Cristian Falcas wrote:


On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim@redhat.com> wrote:

    On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:

        On 11/19/2012 10:01 AM, Cristian Falcas wrote:

            Hi,

            I'm trying to add some users to ovirt using an AD.

            This is the configuration I used for a mediawiki site, which is
            working correctly:
            $wgAuth = new LdapAuthenticationPlugin();
            $wgLDAPUseLocal = true;
            $wgLDAPDomainNames = array( "a_domain");
            $wgLDAPServerNames = array( "a_domain"=>"site.example.com");
            $wgLDAPEncryptionType = array( "a_domain"=>"clear");
            $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME");
            $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");


            Those are the commands I tried using:
            engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive

            engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com -interactive

            engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example.com -interactive


        You don't add a user this way. You add the domain. You have to
        pass the domain admin user and the domain admin password.


    Any domain user will do; it doesn't have to be an admin.
    What does the log say?


        Then you can use the domain within the engine, e.g. search
        users, add access rights for VMs etc.
        Even logging in to the engine and assigning rights within the engine
        you can handle from the engine itself.

        Regards,

            And the output on all tries:
            Enter password:

            Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command
            Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.

            Can someone help me with the correct parameters?


            Best regards,
            Cristian Falcas


            _______________________________________________
            Users mailing list
            Users@ovirt.org
            http://lists.ovirt.org/mailman/listinfo/users



        --
        Regards,

        Vinzenz Feenstra | Senior Software Engineer
        RedHat Engineering Virtualization R & D
        Phone: +420 532 294 625

        IRC: vfeenstr or evilissimo

        Better technology. Faster innovation. Powered by community collaboration.
        See how it works at redhat.com










Hi,

This is the command I used (the same error occurs with the -interactive parameter):

engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass

[root@localhost ~]# cat /tmp/pass
qwerty[root@localhost ~]#

This is the log:

2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.


Hi, the error indicates you don't have Kerberos configured.
manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to running ldapsearch with the -Y gssapi option).
I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well).



This is the ldapsearch command that works (it retrieves users) from the
same machine:

ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty


Best regards,
Cristian Falcas







Hi,

I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains?

Cristian.
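Added example, not code from oVirt or from anyone in the thread: a small Python diagnostic that parses the wrapped ManageDomains log format quoted above and applies two checks the thread points at. It assumes (a heuristic, not a documented rule) that the realm in user@realm should be the FQDN passed to -domain, and it flags "Cannot locate KDC" as a KDC-discovery failure (DNS SRV or krb5.conf), which Kerberos raises before any password is checked. The log sample is constructed from the lines quoted above.

```python
import re

# Constructed sample, modelled on the wrapped log lines quoted in the thread.
SAMPLE_LOG = """\
2012-11-20 00:30:40,443 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos
configuration for domain(s): example.com
2012-11-20 00:30:40,830 ERROR
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
exception message: Cannot locate KDC
"""

START = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+ (INFO|WARN|ERROR)\b\s*(.*)$")
LOGGER = re.compile(r"^\[([^\]]+)\]\s*")

def parse_log(text):
    """Return (level, logger, message); lines without a timestamp continue the previous entry."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = START.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries:
            entries[-1][1] = (entries[-1][1] + " " + line).strip()
    out = []
    for level, body in entries:
        lm = LOGGER.match(body)
        out.append((level, lm.group(1) if lm else "", body[lm.end():] if lm else body))
    return out

def check_principal(domain, user):
    """Heuristic (assumption): the realm in user@realm should be the -domain FQDN."""
    if "@" not in user:
        return f"user '{user}' has no @realm suffix; try user@{domain}"
    realm = user.rsplit("@", 1)[1]
    if realm.lower() != domain.lower():
        return f"realm '{realm}' is not the FQDN '{domain}'; try {user.split('@')[0]}@{domain}"
    return None

def diagnose(domain, user, log_text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = [f for f in [check_principal(domain, user)] if f]
    for level, logger, msg in parse_log(log_text):
        if level == "ERROR" and "Cannot locate KDC" in msg:
            # Kerberos never reached the password check: no KDC was found for the
            # realm (DNS SRV _kerberos._tcp.<realm> records or krb5.conf).
            findings.append(f"{logger.rsplit('.', 1)[-1]}: no KDC located for "
                            f"'{domain}'; check SRV records or krb5.conf, not the password")
    return findings
```

Running diagnose("example.com", "user.name@a_domain", SAMPLE_LOG) yields both findings; a simple-bind ldapsearch succeeding while this fails is consistent with a working LDAP server but no reachable KDC.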