From: Vrgotic, Marko
Sent: Tuesday, June 4, 2019 4:44:08 PM
To: users(a)ovirt.org
Cc: Stojchev, Darko
Subject: Issue with aaa-ldap connector on fresh install of 4.3.3
Dear oVirt,
We are running 4.3.3 latest with SHE.
We tried to connect our domain users using the provided aaa-ldap extension tool.
We tried multiple different accounts, with multiple dn search tree syntaxes and verified
the passwords.
The error is always the same:
`2019-06-04 14:03:30,763+0000 ERROR
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:835
Cannot authenticate using 'uid=**FILTERED**,ou=ABC Users,dc=example,dc=com':
{'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext
error, data 52e, v1db1', 'desc': 'Invalid credentials'}`
The log file is showing the following:
2019-06-04 14:02:31,666+0000 DEBUG
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._getURLs:283 URLs:
[u'ldap://hqdc2.example.com:389', u'ldap://eudc1.example.com:389',
u'ldap://eudc2.example.com:389', u'ldap://hqdc1.example.com:389']
2019-06-04 14:02:31,666+0000 INFO
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:393
Connecting to LDAP using 'ldap://hqdc2.example.com:389'
2019-06-04 14:02:31,675+0000 INFO
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:444
Executing startTLS
2019-06-04 14:02:32,420+0000 DEBUG
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:447 Perform
search
2019-06-04 14:02:32,567+0000 DEBUG
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:455 Result:
[('', {'supportedLDAPVersion': ['3', '2']})]
2019-06-04 14:02:32,568+0000 INFO
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:457
Connection succeeded
2019-06-04 14:02:32,568+0000 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159
query OVAAALDAP_LDAP_USER
2019-06-04 14:02:32,568+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204
DIALOG:SEND Enter search user DN (for example
uid=username,dc=example,dc=com or leave empty for anonymous):
2019-06-04 14:02:57,540+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204
DIALOG:RECEIVE uid=da-dstojchev,ou=Users,dc=example,dc=com
2019-06-04 14:02:57,541+0000 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159
query OVAAALDAP_LDAP_PASSWORD
2019-06-04 14:02:57,541+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204
DIALOG:SEND Enter search user password:
2019-06-04 14:03:00,713+0000 INFO
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._bindLDAP:478 Attempting
to bind using 'uid=da-dstojchev,ou=Users,dc=example,dc=com'
2019-06-04 14:03:00,862+0000 ERROR
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:835
Cannot authenticate using 'uid=da-dstojchev,ou=Users,dc=example,dc=com':
{'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext
error, data 52e, v1db1', 'desc': 'Invalid credentials'}
2019-06-04 14:03:00,863+0000 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159
query OVAAALDAP_LDAP_USER
2019-06-04 14:03:00,863+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204
DIALOG:SEND Enter search user DN (for example
uid=username,dc=example,dc=com or leave empty for anonymous):
2019-06-04 14:03:27,376+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204
DIALOG:RECEIVE uid=openstack-test,ou=ABC Users,dc=example,dc=com
2019-06-04 14:03:27,376+0000 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159
query OVAAALDAP_LDAP_PASSWORD
2019-06-04 14:03:27,377+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204
DIALOG:SEND Enter search user password:
2019-06-04 14:03:30,616+0000 INFO
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._bindLDAP:478 Attempting
to bind using 'uid=**FILTERED**,ou=ABC Users,dc=example,dc=com'
2019-06-04 14:03:30,763+0000 ERROR
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:835
Cannot authenticate using 'uid=**FILTERED**,ou=ABC Users,dc=example,dc=com':
{'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext
error, data 52e, v1db1', 'desc': 'Invalid credentials'}
2019-06-04 14:03:30,764+0000 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159
query OVAAALDAP_LDAP_USER
2019-06-04 14:03:30,764+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204
DIALOG:SEND Enter search user DN (for example
uid=username,dc=example,dc=com or leave empty for anonymous):
2019-06-04 14:03:41,055+0000 DEBUG otopi.context context._executeMethod:145 method
exception
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/otopi/context.py", line 132, in
_executeMethod
method['method']()
File
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
line 812, in _customization_late
default='',
File "/usr/share/otopi/plugins/otopi/dialog/human.py", line 211, in
queryString
value = self._readline(hidden=hidden)
File "/usr/lib/python2.7/site-packages/otopi/dialog.py", line 246, in
_readline
value = self.__input.readline()
File "/usr/lib/python2.7/site-packages/otopi/main.py", line 53, in _signal
raise RuntimeError("SIG%s" % signum)
RuntimeError: SIG2
2019-06-04 14:03:41,057+0000 ERROR otopi.context context._executeMethod:154 Failed to
execute stage 'Environment customization': SIG2
2019-06-04 14:03:41,057+0000 DEBUG otopi.context context.dumpEnvironment:731 ENVIRONMENT
DUMP – BEGIN
This is a fresh install of oVirt 4.3.3 latest, assigned for our prod env.
Kindly awaiting your reply,
Marko Vrgotic
ActiveVideo
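
Added example, not part of the original message and not oVirt or otopi code: a small Python triage helper that re-joins the mail-wrapped setup log records and decodes the Active Directory sub-code in the `data NNN` field of each failed bind. The function and table names are hypothetical; the sample records are copied from the log above.

```python
import re

# AD sub-codes in the "data NNN" field of a failed bind (hex Win32 error numbers).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "logon failure: user name or password is incorrect",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4} ")
FAIL = re.compile(r"Cannot authenticate using '([^']*)':.*?data ([0-9a-fA-F]+),")

def join_records(text):
    """Re-join mail-wrapped log lines; a new record starts at a timestamp."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def bind_failures(text):
    """Return (timestamp, bind DN, sub-code, Win32 error, meaning) per failed bind."""
    out = []
    for rec in join_records(text):
        m = FAIL.search(rec)
        if m:
            code = m.group(2).lower()
            out.append((rec[:28], m.group(1), code, int(code, 16),
                        AD_BIND_SUBCODES.get(code, "unknown sub-code")))
    return out

# Two records copied from the log in the message, wrapped as they appear there.
SAMPLE = """\
2019-06-04 14:03:00,713+0000 INFO
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._bindLDAP:478 Attempting
to bind using 'uid=da-dstojchev,ou=Users,dc=example,dc=com'
2019-06-04 14:03:00,862+0000 ERROR
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:835
Cannot authenticate using 'uid=da-dstojchev,ou=Users,dc=example,dc=com':
{'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext
error, data 52e, v1db1', 'desc': 'Invalid credentials'}
"""
print(bind_failures(SAMPLE))
```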