Selecting login profile with LDAP integration

I am trying to get LDAP integration working with FreeIPA. It would seem that the instructions to do so are the same across the RHEV and oVirt administration guides and other sites that have replicated that information, and are based on oVirt 4.4 (I am running 4.5.2).

I have it configured as per the oVirt admin guide with:
- the test as part of the setup tool returned success
- I have created an ovirt-admins LDAP group, which was successfully found by oVirt, and I have created a new group within oVirt for that.

But how do I actually log in with LDAP user credentials? Documentation refers to selecting the Profile that was configured with the LDAP setup, but that doesn't seem to be provided since 4.5 on the login screen?

Keycloak is reporting that it is trying to validate the login against the Internal profile, so I assume it isn't able to try multiple authentication sources?

2022-08-19 14:46:55,112+10 WARN [org.keycloak.events] (default task-12) [] type=LOGIN_ERROR, realmId=2429db03-71ca-4500-a8ee-e25e01c7a5e3, clientId=ovirt-engine-internal, userId=null, ipAddress=192.168.0.70, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://sr-utl04.ovirt.lennoxconsulting.com.au/ovirt-engine/callback, code_id=d9f6400a-4d2f-4d9f-8407-e40db360a56b, username=david@lennoxconsulting.com.au, authSessionParentId=d9f6400a-4d2f-4d9f-8407-e40db360a56b, authSessionTabId=He1IhSgIZP8

So how do I set up the engine to allow me to select the Profile to use on the login screen?

- David.

I have tried using LDAP email addresses,

If you followed an older guide, what you've probably done is set up the deprecated aaa plugin. New installations use keycloak by default, which has its own setup method for integrating an LDAP authentication source. It is possible to use the older plugin system, but it won't be supported moving forward and is liable to be removed entirely. I can't recommend its use.

There is a link to a guide on configuring keycloak integration on the mailing list: https://lists.ovirt.org/archives/list/users@ovirt.org/message/UMG3BB5I4T5AGP...

That being said, it's probably possible to enable the deprecated interface on a new installation, but I'm not sure how to do it. You might get an idea or two from the link above however. (The external keycloak guide.)

As for the other interfaces, there was a comment a while ago about how email addresses can wind up looking weird with keycloak integration. Specifically, if a user's email address is used (bob@example.com) it can require having the auth source appended (bob@example.com@example-authz) during login for it to work. You might want to give that a try first.

-Patrick Hibbs

On Fri, 2022-08-19 at 05:34 +0000, Dave Lennox wrote:
> trying to validate the login against the Internal profile so I assume it isn't able to try multiple authentication sources?
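An added example, not code from this thread or from the oVirt or Keycloak projects: a small parser for the `org.keycloak.events` log lines quoted above (Keycloak writes each event as comma-separated `key=value` pairs when its logging event listener is enabled), a triage helper that groups `LOGIN_ERROR` events by client, error and username, and a helper that produces the two login forms Patrick describes (the bare email and the email with the authentication-source name appended after a second `@`). Note that `clientId` in these lines names the OIDC client that started the login (`ovirt-engine-internal`), not the user storage provider Keycloak consulted, so the line alone does not say which authentication source was tried. The sample log lines, the `bob@example.com` user and the `example-authz` source name are constructed for the example.

```python
"""Parse Keycloak event log lines and triage LOGIN_ERROR events.

Added example; the log lines below are constructed, not taken from a real
server, and the auth-source name "example-authz" is an assumption.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# A Keycloak event line carries its fields after the logger name, starting
# with "type=". The "\b" keeps "auth_type=" from matching as the start.
_EVENT_RE = re.compile(r"\[org\.keycloak\.events\].*?\b(?P<body>type=.*)$")

# Constructed sample lines in the format Keycloak's logging listener emits.
SAMPLE_LINES = [
    "2022-08-19 14:46:55,112+10 WARN [org.keycloak.events] (default task-12) [] "
    "type=LOGIN_ERROR, realmId=2429db03-71ca-4500-a8ee-e25e01c7a5e3, "
    "clientId=ovirt-engine-internal, userId=null, ipAddress=192.168.0.70, "
    "error=user_not_found, auth_method=openid-connect, auth_type=code, "
    "redirect_uri=https://engine.example.com/ovirt-engine/callback, "
    "code_id=d9f6400a-4d2f-4d9f-8407-e40db360a56b, username=bob@example.com, "
    "authSessionParentId=d9f6400a-4d2f-4d9f-8407-e40db360a56b, authSessionTabId=He1IhSgIZP8",
    "2022-08-19 14:47:10,004+10 WARN [org.keycloak.events] (default task-13) [] "
    "type=LOGIN_ERROR, realmId=2429db03-71ca-4500-a8ee-e25e01c7a5e3, "
    "clientId=ovirt-engine-internal, userId=null, ipAddress=192.168.0.70, "
    "error=user_not_found, auth_method=openid-connect, auth_type=code, "
    "redirect_uri=https://engine.example.com/ovirt-engine/callback, "
    "code_id=0b3c7b2e-1c4e-4c0e-9d3a-6f1f2a4b5c6d, username=bob@example.com, "
    "authSessionParentId=0b3c7b2e-1c4e-4c0e-9d3a-6f1f2a4b5c6d, authSessionTabId=Qz9kLm2pRt1",
    "2022-08-19 14:48:02,771+10 DEBUG [org.keycloak.events] (default task-14) [] "
    "type=LOGIN, realmId=2429db03-71ca-4500-a8ee-e25e01c7a5e3, "
    "clientId=ovirt-engine-internal, userId=7c1f0a9e-2d3b-4e5f-8a6b-9c0d1e2f3a4b, "
    "ipAddress=192.168.0.70, auth_method=openid-connect, auth_type=code, "
    "redirect_uri=https://engine.example.com/ovirt-engine/callback, username=admin",
    "2022-08-19 14:48:03,000+10 INFO [org.jboss.as] (Controller Boot Thread) unrelated line",
]


def parse_keycloak_event(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of a Keycloak event line, or None.

    Fields are separated by ", " and each is split on its first "=", so a
    redirect_uri containing "=" in a query string stays intact. A value
    containing ", " itself would be split wrongly; Keycloak's own fields
    do not contain that sequence.
    """
    match = _EVENT_RE.search(line)
    if not match:
        return None
    fields: Dict[str, str] = {}
    for part in match.group("body").split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def triage_login_errors(lines: List[str]) -> Counter:
    """Count LOGIN_ERROR events keyed by (clientId, error, username)."""
    counts: Counter = Counter()
    for line in lines:
        event = parse_keycloak_event(line)
        if event and event.get("type") == "LOGIN_ERROR":
            counts[(event.get("clientId"), event.get("error"), event.get("username"))] += 1
    return counts


def candidate_logins(username: str, auth_source: str) -> List[str]:
    """Login names to try for a federated user: the bare name and the form
    with the authentication-source name appended after a second "@"."""
    return [username, f"{username}@{auth_source}"]


if __name__ == "__main__":
    for (client, error, user), n in triage_login_errors(SAMPLE_LINES).items():
        print(f"{n}x {error} for {user!r} via client {client}")
        for name in candidate_logins(user, "example-authz"):
            print("  try logging in as:", name)
```

Run against a real `/var/log/ovirt-engine/server.log` (where the engine-bundled Keycloak logs by default on 4.5 installs; path assumed here), the triage output tells you which usernames Keycloak failed to resolve and how often, which is the first thing to check before changing federation settings.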

Patrick, thank you for that. I was missing that link in my understanding of the platform; a lot more makes sense now that I understand the current online documentation isn't up to the oVirt 4.5.2 implementation. I have removed the AAA solution and am now working through setting it up with Keycloak using native documentation from that project.

- Dave.