Info on changing IPA server hostname in oVirt

Hello,
in one of my test environments I upgraded my IPA server from 3.0 on CentOS 6.6 to 3.3 on CentOS 7.0. This was mainly due to testing IPA integration with vSphere (see here for a draft doc on how I managed it http://www.freeipa.org/page/HowTo/vsphere5_integration ).
The workflow was as detailed in Chapter 6 here, creating a replica and decommissioning the old one:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
So I now have a new IPA server for the same domain with another hostname/ip. In the mean time I reinstall in version 7 the old IPA server; how can I inform/update oVirt about the domain changes?

[root@ovirtmgr ~]# engine-manage-domains edit --domain=localdomain.local --provider=ipa --ldap-servers=c7server.localdomain.local
Enter password:
Failure while testing domain localdomain.local. Details: An internal error has ocurred in the Kerberos implementation of the Java virtual machine. This usually means that the LDAP server is configured with a minimum security strength factor (minssf) of 0. Change it to 1 and try again.

Any file I can eventually manually edit?
Thanks in advance,
Gianluca

Hi,
please take a look here[1].

[1] - https://bugzilla.redhat.com/show_bug.cgi?id=1156577
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

On Wed, Dec 10, 2014 at 4:20 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
please take a look here[1].
Tried this but with same result

[root@ovirtmgr ~]# rpm -q ovirt-engine
ovirt-engine-3.5.0.1-1.el6.noarch
[root@ovirtmgr ~]# engine-config -g SASL_QOP
SASL_QOP: auth-conf version: general
[root@ovirtmgr ~]# engine-config -s SASL_QOP=auth
[root@ovirtmgr ~]# service ovirt-engine stop
Stopping oVirt Engine: [ OK ]
[root@ovirtmgr ~]# service ovirt-engine start
Starting oVirt Engine: [ OK ]
[root@ovirtmgr ~]# engine-config -g SASL_QOP
SASL_QOP: auth version: general
[root@ovirtmgr ~]# engine-manage-domains edit --domain=localdomain.local --provider=ipa --ldap-servers=c7server.localdomain.local
Enter password:
Failure while testing domain localdomain.local. Details: An internal error has ocurred in the Kerberos implementation of the Java virtual machine. This usually means that the LDAP server is configured with a minimum security strength factor (minssf) of 0. Change it to 1 and try again.

Fix is not included in ovirt-engine-3.5.0.1-1.el6.noarch.
It's fixed since org.ovirt.engine-root-3.5.0-18.
You can find newer version here[1].

[1] - http://resources.ovirt.org/pub/ovirt-3.5-snapshot/

On Wed, Dec 10, 2014 at 5:18 PM, Ondra Machacek <omachace@redhat.com> wrote:
Fix is not included in ovirt-engine-3.5.0.1-1.el6.noarch.
It's fixed since org.ovirt.engine-root-3.5.0-18.
You can find newer version here[1].
Any smaller single patch I can apply instead of updating whole engine to a snapshot release?

Gianluca

Alon, can you advise, please?

I suggest to install the new provider, which does not require Kerberos and is much easier to customize / for problem determination.
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...

On Wed, Dec 10, 2014 at 5:43 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
I suggest to install the new provider which does not require kerberos and much easier to customize / problem determination.
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...
From what I read in your link it seems far from intuitive from an oVirt admin point of view, who probably doesn't know ldap/IPA so in depth... authn and authz concepts overlap with related files and I have not understood how many files I have to add and if @AUTHZ_NAME@ and @AUTHN_NAME@ are the same string for a fixed IPA server or not... also reading http://www.ovirt.org/Features/AAA doesn't clarify, at least based on my knowledge of ldap in general and IPA in particular (that is not so much...)

Previously I "only" had to run
engine-manage-domains add --domain=localdomain.local --provider=ipa --user=admin
and my configured IPA 3.0 worked without any problem...

Can you detail what would be the structure of files under /etc/ovirt-engine/extensions.d/ ? Or anyone already configured with IPA and has a working example of files?

Gianluca

----- Original Message -----
From: "Gianluca Cecchi" <gianluca.cecchi@gmail.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Ondra Machacek" <omachace@redhat.com>, "users" <users@ovirt.org> Sent: Wednesday, December 10, 2014 7:29:58 PM Subject: Re: [ovirt-users] Info on changing IPA server hostname in oVirt
On Wed, Dec 10, 2014 at 5:43 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
I suggest to install the new provider which does not require kerberos and much easier to customize / problem determination.
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...
From what I read in your link it seems far from intuitive from an oVirt admin point of view, who probably doesn't know ldap/IPA so in depth... authn and authz concepts overlap with related files and I have not understood how many files I have to add and if @AUTHZ_NAME@ and @AUTHN_NAME@ are the same string for a fixed IPA server or not... also reading http://www.ovirt.org/Features/AAA doesn't clarify, at least based on my knowledge of ldap in general and IPA in particular (that is not so much...)
We may provide a wrapper tool in future; for now we focused on making it work, as there were too many issues within the existing implementation. Configuration is one time while problems are within the runtime.
Previously I "only" had to run engine-manage-domains add --domain=localdomain.local --provider=ipa --user=admin
and my configured IPA 3.0 worked without any problem...
Can you detail what would be the structure of files under /etc/ovirt-engine/extensions.d/ ? Or anyone already configured with IPA and has a working example of files?
it should be even simpler... :)

1. copy recursive /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple to /etc/ovirt-engine
2. edit /etc/ovirt-engine/aaa/ldap1.properties, set vars.server, vars.user, vars.password to meet your setup, uncomment ipa on top and comment out the openldap.
3. until 3.5.1 you should also edit /etc/ovirt-engine/extensions.d/*.properties and replace ../aaa with /etc/ovirt-engine/aaa

Alon

On Wed, Dec 10, 2014 at 6:36 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
it should be even simpler... :)
1. copy recursive /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple to /etc/ovirt-engine
2. edit /etc/ovirt-engine/aaa/ldap1.properties, set vars.server, vars.user, vars.password to meet your setup, uncomment ipa on top and comment out the openldap.
3. until 3.5.1 you should also edit /etc/ovirt-engine/extensions.d/*.properties and replace ../aaa with /etc/ovirt-engine/aaa
Alon
OK. Done and restarted the engine.
Now in webadmin I see ldap1 as a new profile. But if from admin in configure I try to give a system permission I have this window with "GO" greyed out...
https://drive.google.com/file/d/0BwoPbcrMv8mvaGVvVmJpazFwTFk/view?usp=sharin...

BTW: I tried my IPA lookup just for trying.... and I'm able to find all the users and also new users defined after migration to the new c7server.... ???
https://drive.google.com/file/d/0BwoPbcrMv8mvbks2cmlhSmJjdnc/view?usp=sharin...

Gianluca

----- Original Message -----
From: "Gianluca Cecchi" <gianluca.cecchi@gmail.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Ondra Machacek" <omachace@redhat.com>, "users" <users@ovirt.org> Sent: Wednesday, December 10, 2014 8:12:16 PM Subject: Re: [ovirt-users] Info on changing IPA server hostname in oVirt
OK. Done and restarted the engine.
Now in webadmin I see ldap1 as a new profile. But if from admin in configure I try to give a system permission I have this window with "GO " greyed out... https://drive.google.com/file/d/0BwoPbcrMv8mvaGVvVmJpazFwTFk/view?usp=sharin...
probably there is some startup error in engine.log, can you please send me engine.log so I can see what's wrong?
BTW: I tried my IPA lookup just for trying.... and I'm able to find all the users and also new users defined after migration to the new c7server.... ??? https://drive.google.com/file/d/0BwoPbcrMv8mvbks2cmlhSmJjdnc/view?usp=sharin...
so legacy is working now, right?
Gianluca

On Wed, Dec 10, 2014 at 7:16 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
probably there is some startup error in engine.log, can you please send me engine.log so I can see what's wrong?

ok. done. Here it is
https://drive.google.com/file/d/0BwoPbcrMv8mvQWZ0R3lwX2RXTEU/view?usp=sharin...

BTW: I tried my IPA lookup just for trying.... and I'm able to find all the users and also new users defined after migration to the new c7server.... ???
https://drive.google.com/file/d/0BwoPbcrMv8mvbks2cmlhSmJjdnc/view?usp=sharin...

so legacy is working now, right?
Yes, I can browse the IPA users and I can also login again with an IPA user with the same permissions he had before, connected with "localdomain.local" profile that is the legacy one.
This afternoon when I posted the first question of this thread it didn't work. I don't know if oVirt makes a sort of broadcast related to the domain and so can find now the new IPA server transparently, or the engine-config commands produced anything despite the errors they gave....

In relation with the ldap instance see this in engine.log just after engine last start after adding the aaa extension:

2014-12-10 19:03:16,591 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::ldap1-authz] Cannot initialize LDAP framework, deferring initialization. Error: no such object
2014-12-10 19:03:16,592 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-1) Extension 'ldap1-authz' initialized
2014-12-10 19:03:16,596 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-1) Initializing extension 'internal'
2014-12-10 19:03:16,598 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-1) Extension 'internal' initialized
2014-12-10 19:03:16,598 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-1) Initializing extension 'localdomain.local'
2014-12-10 19:03:16,599 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-1) Extension 'localdomain.local' initialized
2014-12-10 19:03:16,599 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-1) Start of enabled extensions list
2014-12-10 19:03:16,599 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-1) Instance name: 'builtin-authn-localdomain.local', Extension name: 'Kerberos/Ldap Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-12-10 19:03:16,603 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-1) Instance name: 'ldap1-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.0', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/domain1-authn.properties', Initialized: 'true'
2014-12-10 19:03:16,604 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-1) Instance name: 'builtin-authn-internal', Extension name: 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-12-10 19:03:16,604 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-1) Instance name: 'ldap1-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.0', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/domain1-authz.properties', Initialized: 'true'
2014-12-10 19:03:16,605 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-1) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-12-10 19:03:16,606 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-1) Instance name: 'localdomain.local', Extension name: 'Kerberos/Ldap Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-12-10 19:03:16,609 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-1) End of enabled extensions list

and then no other ERROR messages, but you can check the whole log.

Gianluca

----- Original Message -----
From: "Gianluca Cecchi" <gianluca.cecchi@gmail.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Ondra Machacek" <omachace@redhat.com>, "users" <users@ovirt.org> Sent: Wednesday, December 10, 2014 10:14:09 PM Subject: Re: [ovirt-users] Info on changing IPA server hostname in oVirt
2014-12-10 19:03:16,554 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::ldap1-authn] Cannot initialize LDAP framework, deferring initialization. Error: no such object

This is interesting, I never saw this error; can I ask you to enable debug?

Edit: /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in

Add the following before the <root-logger> line:

    <logger category="org.ovirt.engineextensions.aaa.ldap">
      <level name="ALL"/>
    </logger>

Also in 3.5.0 you need to modify file-handler level to ALL instead of INFO:

    <file-handler name="ENGINE" autoflush="true">
      <level name="ALL"/>

Then restart engine and we should see lots of messages within engine.log.

Thanks!
Alon

On Wed, Dec 10, 2014 at 9:25 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
2014-12-10 19:03:16,554 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::ldap1-authn] Cannot initialize LDAP framework, deferring initialization. Error: no such object
This is interesting I never saw this error, can I ask you to enable debug?
Hi,
if you want I send it to you... but I have understood.... I didn't change the domain parameters, leaving inside the file /etc/ovirt-engine/aaa/ldap1.properties dc=company,dc=com and changing only the "uid=..." part ;-)

In fact inside IPA log files I see this:

[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32

After putting correct values dc=localdomain,dc=local and restarting the engine (without debug symbols) all is ok and I can both search users and groups in ldap1 and connect to the engine webadmin portal with apparently correct privileges (only limited tests done).

Thanks and sorry for the misunderstanding... two questions:

1) What about the legacy still working?

2) I see that the connection with ldap apparently is through 389 port and so in unencrypted mode. What should I configure to enable ldaps:// connection mode as this is sensitive information?
Possibly these lines in ldap1.properties?

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit

but how to use and where to put eventually the IPA certificate? Do I have to convert IPA ca.crt into some other format?

Gianluca
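The root cause in the message above (bind DN still carrying the template suffix dc=company,dc=com, so IPA answers LDAP result 32 noSuchObject and the extension logs "Cannot initialize LDAP framework ... Error: no such object") is easy to spot mechanically. The following is an added example, not code from the thread, oVirt or the aaa-ldap extension: it parses the two 389-ds error-log line shapes quoted above (the sample lines are constructed copies of them) and checks each failing DN against the base DN you expect the server to serve, which here is dc=localdomain,dc=local.

```python
"""Check 389-ds/IPA error-log lines for failing BIND DNs against the expected
base DN. Added example; the sample log lines are constructed from the ones
quoted in the thread, the expected base DN is the one the poster ended up
using (dc=localdomain,dc=local)."""
import re

# Constructed sample: the two line shapes from the IPA errors log above.
SAMPLE_LOG = """\
[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
"""

BIND_RE = re.compile(r"could not search for BIND dn (?P<dn>.+?) - error (?P<code>\d+)")
ENTRY_RE = re.compile(r'Failed to retrieve entry "(?P<dn>[^"]+)": (?P<code>\d+)')
TS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<plugin>\S+)")


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around RDN separators, so that
    'DC=Company, DC=Com' and 'dc=company,dc=com' compare equal."""
    return ",".join(part.strip() for part in dn.strip().lower().split(","))


def parse_bind_failures(lines):
    """Return one dict per line that names a DN and an LDAP result code."""
    found = []
    for line in lines:
        m = BIND_RE.search(line) or ENTRY_RE.search(line)
        if not m:
            continue
        head = TS_RE.match(line)
        found.append({
            "ts": head.group("ts") if head else None,
            "plugin": head.group("plugin") if head else None,
            "dn": normalize_dn(m.group("dn")),
            "code": int(m.group("code")),
        })
    return found


def dn_under_base(dn, base_dn):
    """True if dn is base_dn itself or lives below it."""
    dn, base_dn = normalize_dn(dn), normalize_dn(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)


def diagnose(lines, expected_base_dn):
    """Map each distinct failing DN to a verdict. Result code 32 (noSuchObject)
    on a BIND means the server found no entry at all; when the DN's suffix is
    not the server's base DN, the properties file still carries the template
    suffix rather than the real one."""
    verdicts = {}
    for rec in parse_bind_failures(lines):
        if rec["code"] != 32 or rec["dn"] in verdicts:
            continue
        if dn_under_base(rec["dn"], expected_base_dn):
            verdicts[rec["dn"]] = "noSuchObject: suffix is right, check the RDN (uid=...)"
        else:
            verdicts[rec["dn"]] = ("noSuchObject: suffix does not match base DN %s"
                                   % normalize_dn(expected_base_dn))
    return verdicts


if __name__ == "__main__":
    for dn, verdict in diagnose(SAMPLE_LOG.splitlines(), "dc=localdomain,dc=local").items():
        print(dn, "->", verdict)
```

Run against the real /var/log/dirsrv/slapd-*/errors on the IPA server with the suffix from `ipa config-show` (or the DN you wrote into vars.user) as the expected base; a verdict of "suffix does not match" is exactly the mistake in this thread, while "suffix is right" points at a wrong uid or a bind account that does not exist yet.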

----- Original Message -----
From: "Gianluca Cecchi" <gianluca.cecchi@gmail.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Ondra Machacek" <omachace@redhat.com>, "users" <users@ovirt.org> Sent: Wednesday, December 10, 2014 11:22:27 PM Subject: Re: [ovirt-users] Info on changing IPA server hostname in oVirt
Hi, if you want I send it to you... but I have understood.... I didn't change the domain parameters, leaving inside the file /etc/ovirt-engine/aaa/ldap1.properties dc=company,dc=com and changing only the "uid=..." part ;-)
In fact inside IPA log files I see this:
[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
After putting correct values dc=localdomain,dc=local and restarting the engine (without debug symbols)
all is ok and I can both search users and groups in ldap1 and connect to the engine webadmin portal with apparently correct privileges (only limited tests done).
Good!
Thanks and sorry for the misunderstanding... two questions:
1) What about the legacy still working?
yes it should work, but it won't be improved nor fixed apart from regression issues.
2) I see that the connection with ldap apparently is through 389 port and so in unencrypted mode. What should I configure to enable ldaps:// connection mode as this is sensitive information?
Possibly these lines in ldap1.properties?
# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
but how to use and where to put eventually the IPA certificate? Do I have to convert IPA ca.crt into some other format?
better to use startTLS over ldaps. so yes, the above is the right setting. you should import the ca certificate, see instructions here[1]

Alon

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...

On Wed, Dec 10, 2014 at 10:30 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
better to use startTLS over ldaps. so yes, the above is the right setting. you should import the ca certificate, see instructions here[1]
Alon
[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...
I've done it this way:

copied /etc/ipa/ca.crt on engine server renaming it ipa_ca.crt

keytool -importcert -noprompt -trustcacerts -alias iparootca -file /root/ipa_ca.crt -keystore ipaca.jks -storepass mysecret

put ipaca.jks in /etc/ovirt-engine/aaa/

ldap1.properties now has

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
pool.default.ssl.truststore.file = /etc/ovirt-engine/aaa/ipaca.jks
pool.default.ssl.truststore.password = mysecret

and restarted ovirt engine but it seems all connections are still through 389 port....

java 1586 ovirt 300u IPv4 395136 0t0 TCP ovirtmgr.localdomain.local:34263->c7server.localdomain.local:389 (ESTABLISHED)
java 1586 ovirt 301u IPv4 395137 0t0 TCP ovirtmgr.localdomain.local:34264->c7server.localdomain.local:389 (ESTABLISHED)
java 1586 ovirt 302u IPv4 395138 0t0 TCP ovirtmgr.localdomain.local:34265->c7server.localdomain.local:389 (ESTABLISHED)
java 1586 ovirt 303u IPv4 395139 0t0 TCP ovirtmgr.localdomain.local:34266->c7server.localdomain.local:389 (ESTABLISHED)
java 1586 ovirt 304u IPv4 395140 0t0 UDP *:55673
java 1586 ovirt 305u IPv4 395141 0t0 TCP ovirtmgr.localdomain.local:34267->c7server.localdomain.local:389 (ESTABLISHED)
java 1586 ovirt 306u IPv4 395142 0t0 TCP ovirtmgr.localdomain.local:34268->c7server.localdomain.local:389 (ESTABLISHED)
java 1586 ovirt 307u IPv4 395143 0t0 TCP ovirtmgr.localdomain.local:34269->c7server.localdomain.local:389 (ESTABLISHED)
java 1586 ovirt 308u IPv4 395144 0t0 TCP ovirtmgr.localdomain.local:34270->c7server.localdomain.local:389 (ESTABLISHED)
java 1586 ovirt 309u IPv4 395145 0t0 UDP *:49690
java 1586 ovirt 310u IPv4 395146 0t0 TCP ovirtmgr.localdomain.local:34271->c7server.localdomain.local:389 (ESTABLISHED)
java 1586 ovirt 311u IPv4 395147 0t0 TCP ovirtmgr.localdomain.local:34272->c7server.localdomain.local:389 (ESTABLISHED)
java 1586 ovirt 312u IPv4 395148 0t0 TCP ovirtmgr.localdomain.local:34273->c7server.localdomain.local:389 (ESTABLISHED)
java 1586 ovirt 313u IPv4 395149 0t0 TCP ovirtmgr.localdomain.local:34274->c7server.localdomain.local:389 (ESTABLISHED)
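Putting Alon's three steps (copy examples/simple, edit vars.* and the include line, fix the ../aaa path) together with the StartTLS settings from this message, here is what a complete /etc/ovirt-engine/aaa/ldap1.properties for this IPA setup looks like. This is an added example, not a file posted in the thread and not the template shipped by ovirt-engine-extension-aaa-ldap: the vars.*, pool.default.ssl.* keys and the commented-out ssl lines are the ones quoted in the thread; the include lines and the pool.default.serverset.single.server / pool.default.auth.simple.* lines are assumed to be what the package's examples/simple template already contains (check your copy); host, suffix and bind user are this thread's values and the passwords are placeholders.

```properties
# /etc/ovirt-engine/aaa/ldap1.properties  (added example, not the shipped template)

# Step 2: profile selection. Exactly one include is active: the openldap one
# from the template is commented out, the ipa one is enabled.
#include = <openldap.properties>
include = <ipa.properties>

# Step 2: server and bind account. The bind DN must live under the real IPA
# suffix (dc=localdomain,dc=local here), not the template's dc=company,dc=com;
# otherwise the server answers noSuchObject (32) on the bind and the engine
# logs "Cannot initialize LDAP framework, deferring initialization. Error: no such object".
vars.server = c7server.localdomain.local
vars.user = uid=vadmin,cn=users,cn=accounts,dc=localdomain,dc=local
vars.password = ChangeMe-bind-password

# Assumed to be present unchanged in the template; they wire vars.* into the pool.
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# StartTLS on port 389: the session opens in clear on 389 and is upgraded in
# place, so lsof/netstat keep showing :389 even when it is encrypted.
# The truststore holds only the IPA CA (/etc/ipa/ca.crt imported with keytool);
# the bind password and the truststore password live in this file, so keep it
# readable by the ovirt user only.
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/aaa/ipaca.jks
pool.default.ssl.truststore.password = mysecret
```

On 3.5.0 the two files copied into /etc/ovirt-engine/extensions.d in step 1 (domain1-authn.properties and domain1-authz.properties, as the engine.log earlier in the thread lists them) still point at the profile through the relative path ../aaa/ldap1.properties; per step 3 that has to be changed to /etc/ovirt-engine/aaa/ldap1.properties until 3.5.1. After the restart, grep engine.log for "Cannot initialize LDAP framework": both ldap1-authn and ldap1-authz should initialize without it, and in this thread the greyed-out GO button in the permissions dialog disappeared once that error did.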

----- Original Message -----
From: "Gianluca Cecchi" <gianluca.cecchi@gmail.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Ondra Machacek" <omachace@redhat.com>, "users" <users@ovirt.org> Sent: Thursday, December 11, 2014 12:10:43 AM Subject: Re: [ovirt-users] Info on changing IPA server hostname in oVirt
and restarted ovirt engine but it seems all connections are still through 389 port....
that's ok.

there are two methods of secure communications.

1. a protocol over TLS/SSL, in which you negotiate secure stream and communicate over it.
2. startTLS (and similar), in which you connect using plain protocol and instruct remote to start secure stream within the same connection.

the startTLS is more flexible and has some advantages over the secure stream, for example: you do not need two separate tcp ports, you can also fallback within same connection to plain if ssl is not supported.

you can verify that you are using secure connection using wireshark, or you can use a store without the correct ca certificate.

Alon
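A way to confirm the port-389 session really is upgraded, without Wireshark: the following added example (not from the thread, oVirt or the aaa-ldap extension; standard library only) speaks just enough LDAP to send the StartTLS extended operation on 389 from the engine host, checks the server's resultCode, and then wraps the same socket in TLS verified against the IPA CA, so a wrong CA or a hostname mismatch fails loudly instead of carrying on in clear. The host and CA path are this thread's values; the sample response bytes at the bottom are constructed.

```python
"""LDAP StartTLS by hand: send the extended operation on port 389, check the
result, then upgrade the same socket to TLS against the IPA CA.
Added example; encoding per RFC 4511 (LDAPMessage, ExtendedRequest/Response)
and RFC 4513 (StartTLS OID). Host and CA path are this thread's values."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80       # [0] inside ExtendedRequest
TAG_RESPONSE_NAME = 0x8A      # [10] inside ExtendedResponse


def ber_length(n):
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def starttls_request(message_id=1):
    """LDAPMessage { messageID, extendedReq { requestName = StartTLS OID } }."""
    ext = tlv(TAG_EXTENDED_REQUEST, tlv(TAG_REQUEST_NAME, STARTTLS_OID))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([message_id])) + ext)


def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data):
    """Extract messageID, resultCode, diagnosticMessage and responseName from
    an LDAPMessage carrying an ExtendedResponse (RFC 4511 section 4.12)."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, body, _ = read_tlv(msg, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("protocolOp is not ExtendedResponse: 0x%02x" % tag)
    # LDAPResult first (resultCode, matchedDN, diagnosticMessage), then the
    # optional [10] responseName / [11] responseValue trailers.
    _, code, pos = read_tlv(body, 0)
    _, _matched_dn, pos = read_tlv(body, pos)
    _, diag, pos = read_tlv(body, pos)
    name = None
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == TAG_RESPONSE_NAME:
            name = val.decode("ascii")
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace"),
            "response_name": name}


def starttls_connect(host, port=389, cafile="/etc/ipa/ca.crt", timeout=5.0):
    """Connect in clear on 389, send StartTLS, and on success wrap the same
    socket in TLS with chain and hostname verification against cafile.
    Any non-zero resultCode aborts: never continue in clear text."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(starttls_request(1))
    resp = parse_extended_response(sock.recv(4096))  # short reply, one recv suffices
    if resp["result_code"] != 0:
        sock.close()
        raise RuntimeError("StartTLS refused: %d %s" % (resp["result_code"], resp["diagnostic"]))
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    return ctx.wrap_socket(sock, server_hostname=host)


# Constructed: a success reply, resultCode 0 with empty matchedDN and
# diagnosticMessage; echoing the OID as responseName is optional per RFC 4511.
SAMPLE_OK_RESPONSE = tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x01") + tlv(
    TAG_EXTENDED_RESPONSE,
    tlv(TAG_ENUMERATED, b"\x00") + tlv(TAG_OCTET_STRING, b"")
    + tlv(TAG_OCTET_STRING, b"") + tlv(TAG_RESPONSE_NAME, STARTTLS_OID)))

if __name__ == "__main__":
    tls = starttls_connect("c7server.localdomain.local")
    print("upgraded to", tls.version(), "peer", tls.getpeercert()["subject"])
    tls.close()
```

Run it once with /etc/ipa/ca.crt and once with an unrelated CA file: the first prints the negotiated TLS version and the server's subject, the second must fail in wrap_socket with a certificate verify error, which is the same negative check Alon suggests with a truststore that lacks the right CA. The example deliberately refuses to proceed when the server declines the upgrade rather than falling back to plain LDAP, because the bind password from ldap1.properties is what travels on this connection next.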

otherwise what to do if I want to pass from this to ovirt-engine-extension-aaa-ldap? Will the users configuration be preserved?
Or what to do with the previous domain configuration? Do I "only" run a sort of force-delete command for the IPA domain configuration and then oVirt would take care of removing the already configured permissions associated to this domain?

Gianluca

On Wed, Dec 10, 2014 at 5:25 PM, Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
On Wed, Dec 10, 2014 at 5:18 PM, Ondra Machacek <omachace@redhat.com> wrote:
Fix is not included in ovirt-engine-3.5.0.1-1.el6.noarch.
It's fixed since org.ovirt.engine-root-3.5.0-18.
You can find newer version here[1].
Any smaller single patch I can apply instead of updating whole engine to a snapshot release?
Gianluca

----- Original Message -----
From: "Gianluca Cecchi" <gianluca.cecchi@gmail.com> To: "Ondra Machacek" <omachace@redhat.com> Cc: "users" <users@ovirt.org> Sent: Wednesday, December 10, 2014 6:41:34 PM Subject: Re: [ovirt-users] Info on changing IPA server hostname in oVirt
otherwise what to do if I want to pass from this to ovirt-engine-extension-aaa-ldap? Will the users configuration be preserved?
unfortunately no. you add a new profile and assign permissions from the new profile, remove the previous using manage domains when done.
Or what to do with the previous domain configuration? Do I "only" run a sort of force-delete command for the IPA domain configuration and then oVirt would take care of removing the already configured permissions associated to this domain?
as far as I know when you remove the legacy domain using engine-manage-domain the permissions are invalidated. I am adding yair that can probably help more in the legacy provider, but please consider upgrading to the new provider as the legacy will not be supported but for regressions.
participants (3): Alon Bar-Lev, Gianluca Cecchi, Ondra Machacek