LDAP auth error "server_error: Cannot locate principal"

I am trying to configure LDAP auth on the engine. After adding a user from LDAP I cannot log in; I get this error: "server_error: Cannot locate principal".

Errors from engine.log:

2021-06-30 17:24:23,830+05 ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-5) [686f77b] Internal Server Error: Cannot locate principal 'Domain Reader'
2021-06-30 17:24:23,830+05 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-5) [686f77b] Cannot locate principal 'Domain Reader'
2021-06-30 17:24:23,851+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-5) [686f77b] server_error: Cannot locate principal 'Domain Reader'

How can I fix this error?

ovirt 4.3.10

Config /etc/ovirt-engine/aaa/openldap_rfc.properties:

include = <rfc2307-openldap.properties>
vars.server = LDAP.testdom.local
vars.user = CN=Domain Reader,OU=AD,OU=SERVICE,DC=testdom,DC=local
vars.password = password
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true
attrmap.map-principal-record.attr.PrincipalRecord_ID.map = uid
attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = cn
#LDAP value changes
sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn, givenName, sn, Email
sequence.openldap-init-vars.040.var-set.value = (objectClass=posixAccount)(uid=*)
sequence.openldap-init-vars.050.var-set.value = entryUUID, uid
sequence.openldap-init-vars.060.var-set.value = (objectClass=posixGroup)
sequence.openldap-init-vars.070.var-set.value = memberUid

User attributes:

ovirt-engine-extensions-tool aaa search --extension-name=openldap_rfc-authz --entity=principal --entity-name=domreader

2021-07-21 17:14:33,805+05 INFO ========================================================================
2021-07-21 17:14:33,833+05 INFO ============================ Initialization ============================
2021-07-21 17:14:33,833+05 INFO ========================================================================
2021-07-21 17:14:33,878+05 INFO Loading extension 'internal-authz'
2021-07-21 17:14:33,885+05 INFO Extension 'internal-authz' loaded
------
2021-07-21 17:14:35,885+05 INFO ========================================================================
2021-07-21 17:14:35,886+05 INFO ============================== Execution ===============================
2021-07-21 17:14:35,886+05 INFO ========================================================================
2021-07-21 17:14:35,886+05 INFO Iteration: 0
2021-07-21 17:14:35,891+05 INFO --- Begin QueryFilterRecord ---
2021-07-21 17:14:35,892+05 INFO AAA_AUTHZ_QUERY_FILTER_OPERATOR: 102
2021-07-21 17:14:35,892+05 INFO AAA_AUTHZ_QUERY_ENTITY: AAA_AUTHZ_QUERY_ENTITY_PRINCIPAL[1695cd36-4656-474f-b7bc-4466e12634e4]
2021-07-21 17:14:35,893+05 INFO --- Begin QueryFilterRecord ---
2021-07-21 17:14:35,893+05 INFO AAA_AUTHZ_QUERY_FILTER_OPERATOR: 0
2021-07-21 17:14:35,894+05 INFO AAA_AUTHZ_QUERY_FILTER_KEY: Extkey[name=AAA_AUTHZ_PRINCIPAL_NAME;type=class java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL_NAME[a0df5bcc-6ead-40a2-8565-2f5cc8773bdd];]
2021-07-21 17:14:35,894+05 INFO AAA_AUTHZ_PRINCIPAL_NAME: domreader
2021-07-21 17:14:35,894+05 INFO --- End QueryFilterRecord ---
2021-07-21 17:14:35,895+05 INFO --- End QueryFilterRecord ---
2021-07-21 17:14:35,895+05 INFO API: -->Authz.InvokeCommands.QUERY_OPEN namespace='dc=testdom,dc=local'
2021-07-21 17:14:35,904+05 INFO API: <--Authz.InvokeCommands.QUERY_OPEN
2021-07-21 17:14:35,904+05 INFO API: -->Authz.InvokeCommands.QUERY_EXECUTE
2021-07-21 17:16:04,079+05 INFO API: <--Authz.InvokeCommands.QUERY_EXECUTE count=1
2021-07-21 17:16:04,080+05 INFO --- Begin PrincipalRecord ---
2021-07-21 17:16:04,081+05 INFO AAA_AUTHZ_PRINCIPAL_PRINCIPAL: Domain Reader
2021-07-21 17:16:04,081+05 INFO AAA_AUTHZ_PRINCIPAL_LAST_NAME: Reader
2021-07-21 17:16:04,081+05 INFO AAA_LDAP_UNBOUNDID_DN: cn=Domain Reader,ou=AD,ou=SERVICE,dc=testdom,dc=local
2021-07-21 17:16:04,082+05 INFO AAA_AUTHZ_PRINCIPAL_NAMESPACE: dc=testdom,dc=local
2021-07-21 17:16:04,082+05 INFO AAA_AUTHZ_PRINCIPAL_ID: domreader
2021-07-21 17:16:04,082+05 INFO AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: Domain Reader
2021-07-21 17:16:04,083+05 INFO AAA_AUTHZ_PRINCIPAL_NAME: domreader
2021-07-21 17:16:04,083+05 INFO AAA_AUTHZ_PRINCIPAL_FIRST_NAME: Domain
2021-07-21 17:16:04,083+05 INFO --- End PrincipalRecord ---
2021-07-21 17:16:04,084+05 INFO API: -->Authz.InvokeCommands.QUERY_EXECUTE
2021-07-21 17:16:04,084+05 INFO API: <--Authz.InvokeCommands.QUERY_EXECUTE count=END
2021-07-21 17:16:04,084+05 INFO API: -->Authz.InvokeCommands.QUERY_CLOSE
2021-07-21 17:16:04,084+05 INFO API: <--Authz.InvokeCommands.QUERY_CLOSE

Trying to authenticate using ovirt-engine-extensions-tool:

ovirt-engine-extensions-tool aaa login-user --profile=openldap_rfc --user-name=domreader

2021-07-21 17:40:47,318+05 INFO ========================================================================
2021-07-21 17:40:47,350+05 INFO ============================ Initialization ============================
2021-07-21 17:40:47,351+05 INFO ========================================================================
2021-07-21 17:40:47,401+05 INFO Loading extension 'internal-authz'
2021-07-21 17:40:47,407+05 INFO Extension 'internal-authz' loaded
2021-07-21 17:40:47,409+05 INFO Loading extension 'internal-authn'
2021-07-21 17:40:47,410+05 INFO Extension 'internal-authn' loaded
2021-07-21 17:40:47,426+05 INFO Loading extension 'test_ldap'
2021-07-21 17:40:47,508+05 INFO Extension 'test_ldap' loaded
2021-07-21 17:40:47,509+05 INFO Loading extension 'test_ldap-authn'
2021-07-21 17:40:47,523+05 INFO Extension 'test_ldap-authn' loaded
2021-07-21 17:40:47,525+05 INFO Loading extension 'openldap_rfc-authz'
2021-07-21 17:40:47,538+05 INFO Extension 'openldap_rfc-authz' loaded
2021-07-21 17:40:47,540+05 INFO Loading extension 'openldap_rfc-authn'
2021-07-21 17:40:47,551+05 INFO Extension 'openldap_rfc-authn' loaded
2021-07-21 17:40:47,552+05 INFO Initializing extension 'internal-authz'
2021-07-21 17:40:47,671+05 INFO Extension 'internal-authz' initialized
2021-07-21 17:40:47,672+05 INFO Initializing extension 'internal-authn'
2021-07-21 17:40:47,685+05 INFO Extension 'internal-authn' initialized
2021-07-21 17:40:47,685+05 INFO Initializing extension 'test_ldap'
2021-07-21 17:40:47,686+05 INFO [ovirt-engine-extension-aaa-ldap.authz::test_ldap] Creating LDAP pool 'authz'
2021-07-21 17:40:47,787+05 INFO [ovirt-engine-extension-aaa-ldap.authz::test_ldap] LDAP pool 'authz' information: vendor='null' version='null'
2021-07-21 17:40:47,788+05 INFO [ovirt-engine-extension-aaa-ldap.authz::test_ldap] Available Namespaces: [dc=field,dc=example,dc=com]
2021-07-21 17:40:47,789+05 INFO Extension 'test_ldap' initialized
2021-07-21 17:40:47,789+05 INFO Initializing extension 'test_ldap-authn'
2021-07-21 17:40:47,790+05 INFO [ovirt-engine-extension-aaa-ldap.authn::test_ldap-authn] Creating LDAP pool 'authz'
2021-07-21 17:40:47,837+05 INFO [ovirt-engine-extension-aaa-ldap.authn::test_ldap-authn] LDAP pool 'authz' information: vendor='null' version='null'
2021-07-21 17:40:47,838+05 INFO [ovirt-engine-extension-aaa-ldap.authn::test_ldap-authn] Creating LDAP pool 'authn'
2021-07-21 17:40:47,849+05 INFO [ovirt-engine-extension-aaa-ldap.authn::test_ldap-authn] LDAP pool 'authn' information: vendor='null' version='null'
2021-07-21 17:40:47,849+05 INFO Extension 'test_ldap-authn' initialized
2021-07-21 17:40:47,850+05 INFO Initializing extension 'openldap_rfc-authz'
2021-07-21 17:40:47,850+05 INFO [ovirt-engine-extension-aaa-ldap.authz::openldap_rfc-authz] Creating LDAP pool 'authz'
2021-07-21 17:40:47,851+05 WARNING [ovirt-engine-extension-aaa-ldap.authz::openldap_rfc-authz] TLS/SSL insecure mode
2021-07-21 17:40:48,575+05 INFO [ovirt-engine-extension-aaa-ldap.authz::openldap_rfc-authz] LDAP pool 'authz' information: vendor='null' version='null'
2021-07-21 17:40:48,576+05 INFO [ovirt-engine-extension-aaa-ldap.authz::openldap_rfc-authz] Available Namespaces: [dc=testdom,dc=local]
2021-07-21 17:40:48,576+05 INFO Extension 'openldap_rfc-authz' initialized
2021-07-21 17:40:48,576+05 INFO Initializing extension 'openldap_rfc-authn'
2021-07-21 17:40:48,577+05 INFO [ovirt-engine-extension-aaa-ldap.authn::openldap_rfc-authn] Creating LDAP pool 'authz'
2021-07-21 17:40:48,577+05 WARNING [ovirt-engine-extension-aaa-ldap.authn::openldap_rfc-authn] TLS/SSL insecure mode
2021-07-21 17:40:49,174+05 INFO [ovirt-engine-extension-aaa-ldap.authn::openldap_rfc-authn] LDAP pool 'authz' information: vendor='null' version='null'
2021-07-21 17:40:49,175+05 INFO [ovirt-engine-extension-aaa-ldap.authn::openldap_rfc-authn] Creating LDAP pool 'authn'
2021-07-21 17:40:49,175+05 WARNING [ovirt-engine-extension-aaa-ldap.authn::openldap_rfc-authn] TLS/SSL insecure mode
2021-07-21 17:40:49,427+05 INFO [ovirt-engine-extension-aaa-ldap.authn::openldap_rfc-authn] LDAP pool 'authn' information: vendor='null' version='null'
2021-07-21 17:40:49,428+05 INFO Extension 'openldap_rfc-authn' initialized
2021-07-21 17:40:49,428+05 INFO Start of enabled extensions list
2021-07-21 17:40:49,429+05 INFO Instance name: 'openldap_rfc-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.10', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.10-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/openldap_rfc-authz.properties', Initialized: 'true'
2021-07-21 17:40:49,429+05 INFO Instance name: 'test_ldap', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.10', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.10-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/test_ldap.properties', Initialized: 'true'
2021-07-21 17:40:49,429+05 INFO Instance name: 'internal-authn', Extension name: '"ovirt-engine-extension-aaa-jdbc".authn', Version: '"1.1.10"', Notes: 'Display name: "ovirt-engine-extension-aaa-jdbc"', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/internal-authn.properties', Initialized: 'true'
2021-07-21 17:40:49,430+05 INFO Instance name: 'internal-authz', Extension name: '"ovirt-engine-extension-aaa-jdbc".authz', Version: '"1.1.10"', Notes: 'Display name: "ovirt-engine-extension-aaa-jdbc"', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/internal-authz.properties', Initialized: 'true'
2021-07-21 17:40:49,430+05 INFO Instance name: 'openldap_rfc-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.10', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.10-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/openldap_rfc-authn.properties', Initialized: 'true'
2021-07-21 17:40:49,430+05 INFO Instance name: 'test_ldap-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.10', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.10-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/test_ldap-authn.properties', Initialized: 'true'
2021-07-21 17:40:49,430+05 INFO End of enabled extensions list
2021-07-21 17:40:49,431+05 INFO ========================================================================
2021-07-21 17:40:49,431+05 INFO ============================== Execution ===============================
2021-07-21 17:40:49,431+05 INFO ========================================================================
2021-07-21 17:40:49,432+05 INFO Iteration: 0
2021-07-21 17:40:49,433+05 INFO Profile='openldap_rfc' authn='openldap_rfc-authn' authz='openldap_rfc-authz' mapping='null'
2021-07-21 17:40:49,433+05 INFO API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='openldap_rfc' user='domreader'
Password:
2021-07-21 17:42:28,572+05 INFO API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='openldap_rfc' result=SUCCESS
2021-07-21 17:42:28,576+05 INFO --- Begin AuthRecord ---
2021-07-21 17:42:28,577+05 INFO AAA_AUTHN_AUTH_RECORD_PRINCIPAL: Domain Reader
2021-07-21 17:42:28,577+05 INFO --- End AuthRecord ---
2021-07-21 17:42:28,578+05 INFO API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='Domain Reader'
2021-07-21 17:43:28,582+05 SEVERE Cannot locate principal 'Domain Reader'

The LDAP server works as a proxy to AD. slapd.conf listing:

### Schema includes ###########################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ad.schema

## Module paths ##############################################################
modulepath /usr/lib64/openldap/
moduleload back_ldap
moduleload rwm

### Logging ###################################################################
logfile /var/log/slapd/slapd.log
loglevel 256

# Main settings ###############################################################
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH:!NULL
TLSCACertificateFile /etc/pki/tls/certs/cacert.pem
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
TLSVerifyClient never

# Disallow non-encrypted binds - this will refuse any connection that isn't
# secured with at least 128-bit encryption
security ssf=128

# Allow v2 binding for legacy clients #########################################
allow bind_v2

### Database definition (Proxy to AD) #########################################
database ldap
readonly yes
protocol-version 3
rebind-as-user yes
uri "ldap://testdom.local:389"
suffix "dc=testdom,dc=local"
idassert-bind bindmethod=simple
  mode=none
  binddn="CN=Domain Reader,OU=AD,OU=SERVICE,DC=testdom,DC=local"
  credentials=eOv5rgrNv3eq
  starttls=yes
  tls_cacertdir=/etc/pki/tls/certs
  tls_reqcert=never
idassert-authzFrom "*"
overlay rwm
participants (1)
-
tbural@gmail.com
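The tool output in the post shows the two halves of the login disagreeing about what a "principal" is: authn hands back the cn value ("Domain Reader") because PrincipalRecord_PRINCIPAL was remapped to cn, while the search that does find the account matches it on uid ("domreader"). The script below is an added example, not code from the oVirt project or from the poster. It parses a constructed copy of the posted openldap_rfc.properties (bind password replaced by a placeholder), resolves the ${global:vars.*} references, flags the two settings a reviewer would raise (ssl.insecure=true and the PRINCIPAL/NAME attribute mismatch), and replays the authn -> authz handoff against a constructed directory entry copied from the PrincipalRecord in the post. The lookup filter (uid=<principal>) and the default PrincipalRecord_NAME = uid are assumptions about the upstream rfc2307 profile, not facts taken from the post; the property keys themselves are the ones the poster used.

```python
"""Audit an oVirt aaa-ldap profile for principal-mapping and TLS settings.

Added example, not oVirt project code or the poster's code. The lookup filter
(uid=<principal>) and the default PrincipalRecord_NAME = uid are ASSUMPTIONS
about the upstream rfc2307 profile.
"""
import re

# Constructed copy of the posted profile; bind password is a placeholder.
POSTED_PROPERTIES = """\
include = <rfc2307-openldap.properties>
vars.server = LDAP.testdom.local
vars.user = CN=Domain Reader,OU=AD,OU=SERVICE,DC=testdom,DC=local
vars.password = password
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true
attrmap.map-principal-record.attr.PrincipalRecord_ID.map = uid
attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = cn
"""

# Constructed directory entry mirroring the PrincipalRecord the tool printed.
DOMREADER_ENTRY = {
    "dn": "cn=Domain Reader,ou=AD,ou=SERVICE,dc=testdom,dc=local",
    "uid": "domreader",
    "cn": "Domain Reader",
    "givenName": "Domain",
    "sn": "Reader",
}

PRINCIPAL_KEY = "attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map"
NAME_KEY = "attrmap.map-principal-record.attr.PrincipalRecord_NAME.map"
VAR_REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text):
    """Parse 'key = value' lines, then expand ${global:key} references."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        props[key.strip()] = value.strip()
    for key, value in props.items():
        props[key] = VAR_REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return props


def audit(props):
    """Return the findings a reviewer would raise on this profile."""
    findings = []
    if props.get("pool.default.ssl.insecure", "false").lower() == "true":
        findings.append("ssl.insecure=true: the server certificate is not verified, "
                        "so whoever intercepts the StartTLS handshake can read the "
                        "bind DN and password")
    principal_attr = props.get(PRINCIPAL_KEY, "uid")
    name_attr = props.get(NAME_KEY, "uid")  # assumed rfc2307 profile default
    if principal_attr != name_attr:
        findings.append("PrincipalRecord_PRINCIPAL=%s but the principal lookup is "
                        "keyed on %s" % (principal_attr, name_attr))
    return findings


def login(props, entry):
    """Replay authn -> authz: authn returns the PRINCIPAL attribute value,
    authz must then find an entry whose NAME attribute equals it."""
    principal = entry[props.get(PRINCIPAL_KEY, "uid")]
    lookup_attr = props.get(NAME_KEY, "uid")
    # Simulated search (<lookup_attr>=<principal>) over a one-entry directory.
    if entry.get(lookup_attr) == principal:
        return ("SUCCESS", principal)
    return ("server_error: Cannot locate principal '%s'" % principal, principal)


def corrected(props):
    """Same profile with the two flagged settings changed."""
    fixed = dict(props)
    fixed["pool.default.ssl.insecure"] = "false"
    fixed[PRINCIPAL_KEY] = props.get(NAME_KEY, "uid")
    return fixed


if __name__ == "__main__":
    posted = parse_properties(POSTED_PROPERTIES)
    for finding in audit(posted):
        print("FINDING:", finding)
    print(login(posted, DOMREADER_ENTRY))             # Cannot locate 'Domain Reader'
    print(login(corrected(posted), DOMREADER_ENTRY))  # ('SUCCESS', 'domreader')
```

Running it reproduces the failure from the post with the posted mapping and a successful lookup once PRINCIPAL points at the same attribute the lookup is keyed on; turning ssl.insecure off is independent of the login failure but is what makes the bind credentials safe against a spoofed proxy.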