[ovirt-users] [ATN] LDAP Users please read
Alon Bar-Lev
alonbl at redhat.com
Fri Aug 7 09:27:16 EDT 2015
----- Original Message -----
> From: "Jason Keltz" <jas at cse.yorku.ca>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: users at ovirt.org
> Sent: Friday, August 7, 2015 4:12:40 PM
> Subject: Re: [ovirt-users] [ATN] LDAP Users please read
>
> Hi Alon.
>
> Thanks for your detailed response.
>
> I decided to give the new system a try. Rather than migrate, I prefer
> to re-add from scratch, so I did:
>
> # engine-manage-domains delete --domain=EECS.YORKU.CA
> # systemctl restart ovirt-engine
Good, but you could have first added the new one and deleted the legacy one only after you had everything working :)
Not important right now.
> # yum install ovirt-engine-extension-aaa-ldap
> ... but I ran into my first trouble when I tried the following as per
> your AAA-LDAP documentation:
>
> > QUICK START
> > -----------
> >
> > USING INSTALLER
> >
> > Install ovirt-engine-extension-aaa-ldap-setup and execute:
> >
> > # ovirt-engine-extension-aaa-ldap-setup
> >
> > The setup will guide you throughout the process of most common use cases.
>
> There's no command ovirt-engine-extension-aaa-ldap-setup. I checked the
> repository, and I can't find any package that includes that command. I
> guess that's something in 3.6 only. I don't want to use the manual
> installation method. The method that I use should match the simplicity
> of "engine-manage-domains".
Correct, this is new in 3.6; in 3.5 you should follow the documentation of 1.0 [1].
[1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
> I re-added my existing domain so that I can "migrate" it. So...
>
> # engine-manage-domains add --domain=EECS.YORKU.CA --provider=ipa
> --user=ovirtadmin
> Enter password:
>
> I downloaded the ovirt-engine-kerbldap-migration-1.0.2-1.el7ev.noarch.rpm
> from
> https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases and
> installed it:
>
> # rpm -i ovirt-engine-kerbldap-migration-1.0.2-1.el7ev.noarch.rpm
>
> I need to provide the tool with the domain and the cacert. It's too bad
> about having to provide the cacert -- the previous method of specifying
> a provider, username, password, and auto-downloading the cert seemed
> more user friendly. The documentation doesn't tell me where I might
> find the cacert. Without much experience using the Red Hat IPA product,
> it's buried. Is it the /root/cacert.p12 file? I copied that file to
> /tmp on my engine server, and then:
There is no standard method to get the CA certificate. We provided some information at [1] under:
"3. [Optional] Obtaining LDAP CA certificate."
"""
FreeIPA
Copy /etc/ipa/ca.crt to your oVirt machine into /tmp.
"""
[1] https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>
> # ovirt-engine-kerbldap-migration-tool --domain EECS.YORKU.CA --cacert
> /tmp/cacert.p12
PKCS#12 file should never leave your IPA machine :)
> sh-4.2# ovirt-engine-kerbldap-migration-tool --domain EECS.YORKU.CA
> --cacert /home/jas/cacert.p12
> [INFO ] tool: ovirt-engine-kerbldap-migration-1.0.2
> (ovirt-engine-kerbldap-migration-1.0.2-1.el7ev)
> [INFO ] Connecting to database
> [INFO ] Sanity checks
> [INFO ] Loading options
> [ERROR ] Conversion failed: Domain EECS.YORKU.CA not exists in
> configuration.
>
> (minor correction in that last line: "does not exist" instead of "not
> exists").
Thanks! Will fix.
Can you please add --debug and --log=/tmp/debug.log and send us the debug.log? Probably we cannot resolve the DNS SRV record correctly.
$ dig +noall +answer srv _ldap._tcp.EECS.YORKU.CA
This should return a set of LDAP servers for your domain. If you do not have an SRV record we can work around this by specifying a specific LDAP server using the --ldapserver parameter.
> Of course the domain does actually exist. I can log in to engine with my
> domain login.
Yes, true, the question is what is wrong in our conversion program :)
>
> Jason.
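The SRV lookup suggested above is the first thing to check when the migration tool reports that a domain does not exist in the configuration. As an added example (not code from the thread or from ovirt-engine-kerbldap-migration), this parses the output of `dig +noall +answer srv _ldap._tcp.<domain>`, orders the LDAP servers the way an SRV-aware client tries them (RFC 2782), and falls back to an explicit server the way `--ldapserver` would; the dig output and host names are constructed.

```python
"""Parse dig SRV answers for _ldap._tcp.<domain> and order the LDAP servers."""
import random
import re
from typing import List, Optional, Tuple

# Constructed sample of `dig +noall +answer srv _ldap._tcp.EECS.YORKU.CA` output
# (host names and TTLs are made up for the example).
SAMPLE_DIG_OUTPUT = """\
_ldap._tcp.EECS.YORKU.CA. 3600 IN SRV 0 100 389 ipa1.eecs.yorku.ca.
_ldap._tcp.EECS.YORKU.CA. 3600 IN SRV 0 50 389 ipa2.eecs.yorku.ca.
_ldap._tcp.EECS.YORKU.CA. 3600 IN SRV 10 100 389 ipa-backup.eecs.yorku.ca.
"""

# name TTL IN SRV priority weight port target
SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")


def parse_srv(dig_output: str) -> List[Tuple[int, int, int, str]]:
    """Return (priority, weight, port, target) tuples; non-SRV lines are ignored."""
    records = []
    for line in dig_output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target))
    return records


def order_servers(records, rng=random.Random(0)) -> List[str]:
    """RFC 2782 selection: lowest priority first, weighted random within a priority."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in group:
                running += r[1]
                if running >= pick:
                    ordered.append(f"{r[3]}:{r[2]}")
                    group.remove(r)
                    break
    return ordered


def ldap_servers(dig_output: str, fallback: Optional[str] = None) -> List[str]:
    """Servers from SRV records, or the explicit fallback (like --ldapserver) if none."""
    records = parse_srv(dig_output)
    if not records:
        if fallback is None:
            raise RuntimeError("no _ldap._tcp SRV records; pass --ldapserver explicitly")
        return [fallback]
    return order_servers(records)
```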