[ovirt-users] Info on changing IPA server hostname in oVirt

Alon Bar-Lev alonbl at redhat.com
Wed Dec 10 21:30:27 UTC 2014



----- Original Message -----
> From: "Gianluca Cecchi" <gianluca.cecchi at gmail.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "Ondra Machacek" <omachace at redhat.com>, "users" <users at ovirt.org>
> Sent: Wednesday, December 10, 2014 11:22:27 PM
> Subject: Re: [ovirt-users] Info on changing IPA server hostname in oVirt
> 
> On Wed, Dec 10, 2014 at 9:25 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
> 
> >
> >
> > 2014-12-10 19:03:16,554 ERROR
> > [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread
> > 1-1) [ovirt-engine-extension-aaa-ldap.authn::ldap1-authn] Cannot initialize
> > LDAP framework, deferring initialization. Error: no such object
> >
> > This is interesting I never saw this error, can I ask you to enable debug?
> >
> > Edit:
> > /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
> >
> > Add the following before the <root-logger> line:
> >        <logger category="org.ovirt.engineextensions.aaa.ldap">
> >          <level name="ALL"/>
> >        </logger>
> >
> > Also in 3.5.0 you need to modify file-handler level to ALL instead of INFO
> >       <file-handler name="ENGINE" autoflush="true">
> >         <level name="ALL"/>
> >
> > Then restart engine and we should see lots of messages within engine.log.
> >
> > Thanks!
> > Alon
> >
> 
> 
> Hi,
> if you want I send it to you... but I have understood....
> I didn't change the domain parameters, leaving inside the
> file /etc/ovirt-engine/aaa/ldap1.properties
> dc=company,dc=com
> and changing only the "uid=..." part ;-)
> 
> In fact inside IPA log files I see this:
> 
> [10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line
> 1296]: Not handled (could not search for BIND dn
> uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such
> object)
> [10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line
> 503]: Failed to retrieve entry
> "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
> [10/Dec/2014:22:01:54 +0100] ipalockout_preop - [file ipa_lockout.c, line
> 749]: Failed to retrieve entry
> "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
> [10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line
> 1296]: Not handled (could not search for BIND dn
> uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such
> object)
> [10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line
> 503]: Failed to retrieve entry
> "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
> 
> 
> After putting correct values
> dc=localdomain,dc=local
> and restarting the engine (without debug symbols)
> 
> all is ok and I can both search users and groups in ldap1 and connect to
> the engine webadmin portal with apparently correct privileges (only limited
> tests done).

Good!
 
> Thanks and sorry for misunderstanding...
> two questions:
> 1) What about the legacy still working?

yes it should work, but it won't be improved nor fixed apart from regression issues.

> 2) I see that the connection with ldap apparently is through 389 port and
> so in unencrypted mode.
> What should I configure to enable ldaps:// connection mode as this is
> sensitive information?
> 
> Possibly these lines in ldap1.properties?
> 
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file =
> ${local:_basedir}/${global:vars.server}.jks
> #pool.default.ssl.truststore.password = changeit
> 
> but how to use and where to put eventually the IPA certificate?
> Do I have to convert IPA ca.crt into some other format?

better to use startTLS over ldaps.
so yes, the above is the right setting.
you should import the ca certificate, see instructions here[1]

Alon

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l141
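As an added example for the startTLS question above (this is my own script, not part of the thread, the oVirt README it links, or the extension's code): it builds the JKS truststore that the commented `pool.default.ssl.*` lines expect and prints the three properties to uncomment. Assumptions: `keytool` from the JDK the engine runs on is on PATH, the IPA CA is the PEM file `/etc/ipa/ca.crt` (keytool's `-importcert` accepts PEM or DER, so no conversion is needed), the properties file lives in `/etc/ovirt-engine/aaa`, and the truststore password stays at the `changeit` default shown in the quoted properties. The alias `ipa-ca` and the `AAA_DIR`/`STOREPASS` variables are mine.

```shell
#!/bin/sh
# Added example (not from the oVirt README or the thread): create the truststore
# ${local:_basedir}/${global:vars.server}.jks for the aaa-ldap startTLS settings.
# Assumed defaults; override with environment variables if your layout differs.
AAA_DIR="${AAA_DIR:-/etc/ovirt-engine/aaa}"   # assumed directory of ldap1.properties
STOREPASS="${STOREPASS:-changeit}"             # default from the commented properties

# Return 0 if the file contains a PEM certificate block. keytool also accepts DER,
# so IPA's ca.crt needs no conversion; this only guards against handing it a key,
# a CSR or an empty file by mistake.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Same path the properties file resolves: ${local:_basedir}/${global:vars.server}.jks
# $1 is the value of vars.server (the IPA server hostname).
truststore_path() {
    printf '%s/%s.jks\n' "$AAA_DIR" "$1"
}

# The three properties to set (uncomment) in ldap1.properties for startTLS over 389.
starttls_properties() {
    cat <<EOF
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = \${local:_basedir}/\${global:vars.server}.jks
pool.default.ssl.truststore.password = $STOREPASS
EOF
}

# Import the IPA CA certificate into the truststore (keytool creates it if absent).
# $1 = CA certificate file, $2 = vars.server hostname.
import_ca() {
    ca_file="$1"
    server="$2"
    is_pem_cert "$ca_file" || { echo "not a PEM certificate: $ca_file" >&2; return 1; }
    keytool -importcert -noprompt -trustcacerts \
        -alias ipa-ca -file "$ca_file" \
        -keystore "$(truststore_path "$server")" -storepass "$STOREPASS"
}

# Usage: sh make_truststore.sh /etc/ipa/ca.crt ipa.localdomain.local
if [ "$#" -eq 2 ] && command -v keytool >/dev/null 2>&1; then
    import_ca "$1" "$2" && starttls_properties
fi
```

Before importing, compare the CA file's fingerprint with what the IPA server reports (`openssl x509 -noout -fingerprint -in /etc/ipa/ca.crt` on the IPA host) so the truststore only ever trusts the CA you intended; after editing ldap1.properties, restart the engine and re-run the user and group searches from the thread to confirm the bind now succeeds over the upgraded connection.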


