[Users] I don't know how to add AD users
Cristian Falcas
cristi.falcas at gmail.com
Tue Nov 20 07:05:23 UTC 2012
On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:
>
>
> On 11/20/2012 12:39 AM, Cristian Falcas wrote:
>
>>
>>
>> On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim at redhat.com
>> <mailto:iheim at redhat.com>> wrote:
>>
>> On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
>>
>> On 11/19/2012 10:01 AM, Cristian Falcas wrote:
>>
>> Hi,
>>
>> I'm trying to add some users to ovirt using an AD.
>>
>> This is the configuration I used for a mediawiki site, which
>> is
>> working correctly:
>> $wgAuth = new LdapAuthenticationPlugin();
>> $wgLDAPUseLocal = true;
>> $wgLDAPDomainNames = array( "a_domain");
>> $wgLDAPServerNames = array( "a_domain"=>"site.example.com
>> <http://site.example.com>
>> <http://site.example.com>");
>>
>> $wgLDAPEncryptionType = array( "a_domain"=>"clear");
>> $wgLDAPSearchStrings = array(
>> "a_domain"=>"rom_domain\\USER-**__NAME");
>> $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=__**com");
>>
>>
>> Those are the commands I tried using:
>> engine-manage-domains -action=add -domain=site.example.com
>> <http://site.example.com>
>> <http://site.example.com> -provider=ActiveDirectory
>> -user=user.name <http://user.name>
>> <http://user.name> -interactive
>>
>>
>> engine-manage-domains -action=add -domain=a_domain
>> -provider=ActiveDirectory -user=user.name at company.com
>> <mailto:user.name at company.com>
>> <mailto:user.name at company.com
>>
>> <mailto:user.name at company.com>**> -interactive
>>
>>
>> engine-manage-domains -action=add -domain=a_domain
>> -provider=ActiveDirectory -user=user.name at site.example._**
>> _com
>> <mailto:user.name at site.**example.com<user.name at site.example.com>
>> >
>> <mailto:user.name at site.__examp**le.com <http://example.com>
>>
>> <mailto:user.name at site.**example.com<user.name at site.example.com>>>
>> -interactive
>>
>>
>> You don't add an user this way. You add the domain. You have to
>> pass the
>> domain admin user and the domain admin password.
>>
>>
>> any domain user will do, doesn't have to be an admin.
>> what does the log say?
>>
>>
>> Then you can use the domain within the engine. e.g. search
>> users, add
>> access rights for vms etc.
>> Even login to the engine and assigning rights within the engine
>> you can
>> handle from the engine itself.
>>
>> Regards,
>>
>> And the output on all tries:
>> Enter password:
>>
>> Error: Authentication Failed. Please verify the fully
>> qualified domain
>> name that is used for authentication is correct..
>> Problematic domain
>> is: domain_used_in_command
>> Failure while applying Kerberos configuration. Details:
>> Authentication
>> Failed. Please verify the fully qualified domain name that
>> is used for
>> authentication is correct.
>>
>> Can someone help me with the correct parameters?
>>
>>
>> Best regards,
>> Cristian Falcas
>>
>>
>> ______________________________**___________________
>> Users mailing list
>> Users at ovirt.org <mailto:Users at ovirt.org>
>> http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.org/__mailman/listinfo/users>
>>
>> <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org/mailman/listinfo/users>
>> >
>>
>>
>>
>> --
>> Regards,
>>
>> Vinzenz Feenstra | Senior Software Engineer
>> RedHat Engineering Virtualization R & D
>> Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625>
>>
>> IRC: vfeenstr or evilissimo
>>
>> Better technology. Faster innovation. Powered by community
>> collaboration.
>> See how it works at redhat.com <http://redhat.com>
>>
>>
>>
>> ______________________________**___________________
>> Users mailing list
>> Users at ovirt.org <mailto:Users at ovirt.org>
>> http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.org/__mailman/listinfo/users>
>> <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org/mailman/listinfo/users>
>> >
>>
>>
>>
>> ______________________________**___________________
>> Users mailing list
>> Users at ovirt.org <mailto:Users at ovirt.org>
>> http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.org/__mailman/listinfo/users>
>>
>> <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org/mailman/listinfo/users>
>> >
>>
>>
>>
>>
>> Hi,
>>
>> This is the command I used (the same error is with -interactive
>> parameter):
>>
>> engine-manage-domains -action=add -domain=example.com
>> <http://example.com> -provider=ActiveDirectory -user=user.name at a_domain
>>
>> -passwordFile=/tmp/pass
>>
>> [root at localhost ~]# cat /tmp/pass
>> qwerty[root at localhost ~]#
>>
>> This is the log:
>>
>> 2012-11-20 00:30:40,443 INFO
>> [org.ovirt.engine.core.utils.**kerberos.ManageDomains] Creating kerberos
>> configuration for domain(s): example.com <http://example.com>
>>
>> 2012-11-20 00:30:40,525 INFO
>> [org.ovirt.engine.core.utils.**kerberos.ManageDomains] Successfully
>> created kerberos configuration for domain(s): example.com
>> <http://example.com>
>>
>> 2012-11-20 00:30:40,526 INFO
>> [org.ovirt.engine.core.utils.**kerberos.ManageDomains] Testing kerberos
>> configuration for domain: example.com <http://example.com>
>>
>> 2012-11-20 00:30:40,830 ERROR
>> [org.ovirt.engine.core.utils.**kerberos.KerberosConfigCheck] Error:
>> exception message: Cannot locate KDC
>> 2012-11-20 00:30:40,851 ERROR
>> [org.ovirt.engine.core.utils.**kerberos.ManageDomains] Failure while
>> testing domain example.com <http://example.com>. Details: Kerberos
>>
>> error. Please check log for further details.
>>
>>
> Hi, the error indicates you don't have kerberos configured.
> manage-domains validates by default using GSSAPI/Kerberos (if I understand
> correctly, this is equivalent to run ldapsearch with -Y gssapi option).
> I wonder if -x (simple authentication) will work for you as well (as
> manage-domains contains code for simple authentication as well).
>
>
>
> This is the ldapsearch command that works (it retrieves users) from the
>> same machine:
>>
>
>
>> ldapsearch -H ldap://example.com <http://example.com> -b
>>
>> dc=example,dc=com -D user.name at a_domain -w qwerty
>>
>>
>> Best regards,
>> Cristian Falcas
>>
>>
>>
>> ______________________________**_________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org/mailman/listinfo/users>
>>
>>
Hi,
I used "-x" for ldapsearch and the result is the same: list retrieved. Is
there any equivalent for engine-manage-domains?
Cristian.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20121120/7fcce500/attachment-0001.html>
More information about the Users
mailing list