Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
Hi, just tried it too. I was not successfull to reproduce, but the problem is that the domain part of LDAPSecurityAuthentication is uppercase as Cameron wrote. In 3.4 it is OK when it's upper case - everything works OK, but in 3.5 it's not. I checked differences and something like this would be enough, Yair? diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExte index f5ab28d..ccaf04a 100644 --- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java +++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java @@ -240,7 +240,7 @@ public class EngineExtensionsManager extends ExtensionsManager { ) ); } - if (nameValue[0].equals(domain)) { + if (nameValue[0].equalsIgnoreCase(domain)) { result = nameValue[1]; break; } Ondra ----- Original Message -----
From: "Alon Bar-Lev" <alonbl at redhat.com> To: "Cameron Christensen" <cameron.christensen at uk2group.com>, "Yair Zaslavsky" <yzaslavs at redhat.com> Cc: users at ovirt.org Sent: Monday, November 17, 2014 11:48:15 PM Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
----- Original Message -----
From: "Cameron Christensen" <cameron.christensen at uk2group.com> To: "Alon Bar-Lev" <alonbl at redhat.com> Cc: users at ovirt.org Sent: Monday, November 17, 2014 11:43:34 PM Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
----- Original Message -----
From: "Cameron Christensen" <cameron.christensen at uk2group.com> To: users at ovirt.org Sent: Friday, November 14, 2014 5:39:54 PM Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
Hello,
I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. Starting up ovrit-engine the extension manager fails to properly load the service that handles Kerberos/LDAP.
This is probably a bug, can you please execute the following and paste result:
# PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"
option_id | option_name | option_value | version -----------+----------------------------+-------------------+--------- 165 | LDAPSecurityAuthentication | example.org:GSSAPI | general
I replaced my domain name with 'example.org'
I thought it will be empty... and it contains valid value. Yair?
No, this is fine actually.
Any I truly suggest you try out the new provider... Much easier to resolve any issue, current and future, including easier to debug.
Alon
----- Original Message -----
From: "Ondra Machacek" <omachace@redhat.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: "cameron christensen" <cameron.christensen@uk2group.com>, "Alon Bar-Lev" <alonbl@redhat.com>, users@ovirt.org Sent: Thursday, November 20, 2014 6:09:53 PM Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
Hi,
just tried it too. I was not successfull to reproduce, but the problem is that the domain part of LDAPSecurityAuthentication is uppercase as Cameron wrote.
In 3.4 it is OK when it's upper case - everything works OK, but in 3.5 it's not.
I checked differences and something like this would be enough, Yair?
diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExte index f5ab28d..ccaf04a 100644 --- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java +++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java @@ -240,7 +240,7 @@ public class EngineExtensionsManager extends ExtensionsManager { ) ); } - if (nameValue[0].equals(domain)) { + if (nameValue[0].equalsIgnoreCase(domain)) { result = nameValue[1]; break; }
Ondra
Looks fine, but please email me in private a testing environment where I can check that. Thanks! P.S: Another option worth trying is simply remove and add the domain, but hey, if you're already in 3.5, and removed the domain, why not use he generic ldap provider?
----- Original Message -----
From: "Alon Bar-Lev" <alonbl at redhat.com> To: "Cameron Christensen" <cameron.christensen at uk2group.com>, "Yair Zaslavsky" <yzaslavs at redhat.com> Cc: users at ovirt.org Sent: Monday, November 17, 2014 11:48:15 PM Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
----- Original Message -----
From: "Cameron Christensen" <cameron.christensen at uk2group.com> To: "Alon Bar-Lev" <alonbl at redhat.com> Cc: users at ovirt.org Sent: Monday, November 17, 2014 11:43:34 PM Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
----- Original Message -----
From: "Cameron Christensen" <cameron.christensen at uk2group.com> To: users at ovirt.org Sent: Friday, November 14, 2014 5:39:54 PM Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
Hello,
I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. Starting up ovrit-engine the extension manager fails to properly load the service that handles Kerberos/LDAP.
This is probably a bug, can you please execute the following and paste result:
# PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"
option_id | option_name | option_value | version -----------+----------------------------+-------------------+--------- 165 | LDAPSecurityAuthentication | example.org:GSSAPI | general
I replaced my domain name with 'example.org'
I thought it will be empty... and it contains valid value. Yair?
No, this is fine actually.
Any I truly suggest you try out the new provider... Much easier to resolve any issue, current and future, including easier to debug.
Alon
participants (2)
-
Ondra Machacek -
Yair Zaslavsky