[Users] LDAP

Nathan Stratton nathan at robotics.net
Tue Feb 21 23:03:33 UTC 2012


On Sun, 19 Feb 2012, Itamar Heim wrote:

> On 02/19/2012 11:11 PM, Nathan Stratton wrote:
>> On Sun, 19 Feb 2012, Itamar Heim wrote:
>> 
>>> The current code supports AD, FreeIPA/IPA and 389ds/RHDS.
>>> If Apache Directory Server is similar to any of them, you could try
>>> hacking the code to add support for it.
>> 
>> Ok, will go with 389 for now, it's in the family, though Gluster is in the
>> family and you don't support it as a storage file system... : )
>
> Please remember you need 389ds with Kerberos support.

Got it installed and set up. I am able to authenticate from Linux boxes 
with the new 389 LDAP, so I know that works. However, I am still running into 
issues getting ovirt-engine to work with it.

http://share.robotics.net/ldap.pcap

As you can see from the pcap, I see a DNS SRV query for 
_ldap._tcp.blinkmind.net and the box does talk to the LDAP box. I don't 
see anything on port 88, or an LDAP query for the Kerberos, or does it try to 
just use the same IP as LDAP?

2012-02-21 16:59:48,411 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (http--0.0.0.0-8080-1) Failed ldap search server LDAP://ldap-master.hou.blinkmind.net:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
	at org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy.authenticateToKDC(GSSAPIDirContextAuthenticationStrategy.java:150) [engine-bll.jar:]
	at org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy.explicitAuth(GSSAPIDirContextAuthenticationStrategy.java:119) [engine-bll.jar:]
	at org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy.authenticate(GSSAPIDirContextAuthenticationStrategy.java:111) [engine-bll.jar:]
	at org.ovirt.engine.core.bll.adbroker.GSSAPILdapTemplateWrapper.useAuthenticationStrategy(GSSAPILdapTemplateWrapper.java:90) [engine-bll.jar:]
	at org.ovirt.engine.core.bll.adbroker.PrepareLdapConnectionTask.call(PrepareLdapConnectionTask.java:56) [engine-bll.jar:]
	at org.ovirt.engine.core.bll.adbroker.DirectorySearcher$1.call(DirectorySearcher.java:108) [engine-bll.jar:]
	at org.ovirt.engine.core.bll.adbroker.DirectorySearcher$1.call(DirectorySearcher.java:97) [engine-bll.jar:]
	at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) [:1.6.0_22]
	at java.util.concurrent.FutureTask.run(FutureTask.java:166) [:1.6.0_22]
	at org.ovirt.engine.core.utils.threadpool.ThreadPoolUtil$InternalWrapperRunnable.run(ThreadPoolUtil.java:57) [utils-3.0.0-0001.jar:]
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [:1.6.0_22]
	at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) [:1.6.0_22]
	at java.util.concurrent.FutureTask.run(FutureTask.java:166) [:1.6.0_22]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [:1.6.0_22]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [:1.6.0_22]
	at java.lang.Thread.run(Thread.java:679) [:1.6.0_22]

2012-02-21 16:59:48,415 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Failed authenticating user: nathan to domain blinkmind.net. Ldap Query Type is getUserByName
2012-02-21 16:59:48,416 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND : nathan
2012-02-21 16:59:48,416 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND
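
Added example, not part of the original message and not oVirt code: a small triage script for engine.log excerpts like the one above. It rejoins records that were wrapped across lines, skips stack frames, and reports which LDAP server failed and which USER_FAILED_TO_AUTHENTICATE reason was returned per user. The function names and the sample text are constructed for illustration, and the record layout is assumed from the lines quoted in the message.

```python
import re
from collections import Counter

# Constructed sample: wrapped engine.log records modelled on the lines quoted
# in the message above (shortened; only one stack frame is kept).
SAMPLE = """\
2012-02-21 16:59:48,411 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
(http--0.0.0.0-8080-1) Failed ldap search server LDAP://ldap-master.hou.blinkmind.net:389
due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException.
 at
org.ovirt.engine.core.bll.adbroker.DirectorySearcher$1.call(DirectorySearcher.java:108)
[engine-bll.jar:]
2012-02-21 16:59:48,416 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand]
(http--0.0.0.0-8080-1) USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND : nathan
2012-02-21 16:59:48,416 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand]
(http--0.0.0.0-8080-1) CanDoAction of action LoginAdminUser failed.
Reasons:USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
HEADER = re.compile(r"^\S+ \S+ (\w+) \[([\w.$]+)\] \(([^)]*)\) (.*)$")
REASON = re.compile(r"\b(USER_FAILED_TO_AUTHENTICATE\w*) : (\S+)")
SERVER = re.compile(r"Failed ldap search server (\S+)")

def records(text):
    """Rejoin wrapped lines into one string per timestamped record, dropping stack frames."""
    out, in_trace = [], False
    for line in text.splitlines():
        s = line.strip()
        if RECORD_START.match(s):
            out.append([s])
            in_trace = False
        elif s == "at" or s.startswith("at "):
            in_trace = True  # everything up to the next timestamp is stack trace
        elif s and out and not in_trace:
            out[-1].append(s)
    return [" ".join(parts) for parts in out]

def auth_failures(text):
    """Return (LDAP servers that failed, Counter of (user, reason)) for the log text."""
    servers, reasons = [], Counter()
    for rec in records(text):
        m = HEADER.match(rec)
        msg = m.group(4) if m else ""
        servers += SERVER.findall(msg)
        # Only the "REASON : user" form is counted, so the WARN echo is not double counted.
        reasons.update((user, reason) for reason, user in REASON.findall(msg))
    return servers, reasons
```
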
