[ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
Yair Zaslavsky
yzaslavs at redhat.com
Wed Nov 19 08:20:29 UTC 2014
----- Original Message -----
> From: "Cameron Christensen" <cameron.christensen at uk2group.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "Yair Zaslavsky" <yzaslavs at redhat.com>, users at ovirt.org
> Sent: Tuesday, November 18, 2014 6:21:18 PM
> Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
>
> On Mon, 2014-11-17 at 16:48 -0500, Alon Bar-Lev wrote:
> >
> > ----- Original Message -----
> > > From: "Cameron Christensen" <cameron.christensen at uk2group.com>
> > > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > > Cc: users at ovirt.org
> > > Sent: Monday, November 17, 2014 11:43:34 PM
> > > Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > > IPA
> > >
> > >
> > >
> > > On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
> > > >
> > > > ----- Original Message -----
> > > > > From: "Cameron Christensen" <cameron.christensen at uk2group.com>
> > > > > To: users at ovirt.org
> > > > > Sent: Friday, November 14, 2014 5:39:54 PM
> > > > > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > > > > IPA
> > > > >
> > > > > Hello,
> > > > >
> > > > > I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA.
> > > > > Starting up ovrit-engine the extension manager fails to properly load
> > > > > the service that handles Kerberos/LDAP.
> > > >
> > > > This is probably a bug, can you please execute the following and paste
> > > > result:
> > > >
> > > > # PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from
> > > > vdc_options where option_name='LDAPSecurityAuthentication'"
> > > >
> > >
> > > option_id | option_name | option_value | version
> > > -----------+----------------------------+-------------------+---------
> > > 165 | LDAPSecurityAuthentication | example.org:GSSAPI | general
> > >
> > > I replaced my domain name with 'example.org'
> > >
> >
> > I thought it will be empty... and it contains valid value. Yair?
> >
> Looking through the vdc_options table I noticed that many of the LDAP*
> and Ad* settings use two different spellings for the Kerberos/LDAP
> domain. One in all upper case letters, EXAMPLE.ORG and one in all lower
> case, example.org. (I'm guessing this is to handle either spelling of
> the domain?)
>
> I updated LDAPSecurityAuthentication and set the option_value to use
> both the upper case and lower case domain name,
> 'EXAMPLE.ORG:GSSAPI,example.org:GSSAPI'.
>
> select * from vdc_options where option_name =
> 'LDAPSecurityAuthentication';
> option_id | option_name | option_value
> | version
> -----------+----------------------------+-------------------------------------+---------
> 165 | LDAPSecurityAuthentication |
> EXAMPLE.ORG:GSSAPI,example.org:GSSAPI | general
Just so we can continue to investigate -
if u would like to get your ldap and kerberos SRV records , to which domain will you send them in your setup?
dig SRV _ldap._tcp.EXAMPLE.ORG
or
dig SRV _ldap._tcp.example.org?
same goes to
_kerberos._tcp.example.org and _kerberos._tcp.EXAMPLE.ORG
Cheers,
Yair
>
> Using both domain names I am able to authenticate, authorize and pull
> account information from the IPA server once again.
>
> Thanks for pointing me at the right location.
>
> Cameron
>
More information about the Users
mailing list