[ovirt-users] [ATN] LDAP Users please read

Alon Bar-Lev alonbl at redhat.com
Fri Aug 7 09:27:16 EDT 2015



----- Original Message -----
> From: "Jason Keltz" <jas at cse.yorku.ca>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: users at ovirt.org
> Sent: Friday, August 7, 2015 4:12:40 PM
> Subject: Re: [ovirt-users] [ATN] LDAP Users please read
> 
> Hi Alon.
> 
> Thanks for your detailed response.
> 
> I decided to give the new system a try.  Rather than migrate, I prefer
> to re-add from scratch, so I did:
> 
> # engine-manage-domains delete --domain=EECS.YORKU.CA
> # systemctl restart ovirt-engine

Good, but you could have first added the new one and only after you have all working delete the legacy one :)
Not important right now.

> # yum install ovirt-engine-extension-aaa-ldap
> ... but I ran into my first trouble when I tried the following as per
> your AAA-LDAP documentation:
> 
> > QUICK START
> > -----------
> >
> > USING INSTALLER
> >
> > Install ovirt-engine-extension-aaa-ldap-setup and execute:
> >
> >   # ovirt-engine-extension-aaa-ldap-setup
> >
> > The setup will guide you throughout the process of most common use cases.
> 
> There's no command ovirt-engine-extension-aaa-ldap-setup.  I checked the
> repository, and I can't find any package that includes that command.  I
> guess that's something in 3.6 only.    I don't want to use the manual
> installation method.  The method that I use should match the simplicity
> of "engine-manage-domains".

Correct this is new in 3.6, in 3.5 you should follow the documentation of 1.0[1]

[1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0

> I re-add back my existing domain so that I can "migrate" it. So..
> 
> # engine-manage-domains  add --domain=EECS.YORKU.CA --provider=ipa
> --user=ovirtadmin
> Enter password:
> 
> I downloaded the ovirt-engine-kerlab-migration-1.0.2-1.el7ev.noarch.rpm
> from
> https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases and
> installed it:
> 
> # rpm -i ovirt-engine-kerbldap-migration-1.0.2-1.el7ev.noarch.rpm
> 
> I need to provide to the tool the domain, and the cacert.  It's too bad
> about having to provide the cacert -- the previous method of specifying
> a provider, username, password, and auto-downloading the cert seemed
> more user friendly.  The documentation doesn't tell me where I might
> find the cacert.  Without much experience using the Red Hat IPA product,
> it's buried.  Is it the /root/cacert.p12 file?   I copied that file to
> /tmp on my engine server, and then:

there is no standard method to get CA certificate. we provided some information at[1] under:
 "3. [Optional] Obtaining LDAP CA certificate."

"""
FreeIPA

Copy /etc/ipa/ca.crt to your oVirt machine into /tmp.
"""

[1] https://github.com/machacekondra/ovirt-engine-kerbldap-migration

> 
> # ovirt-engine-kerbldap-migration-tool --domain EECS.YORKU.CA --cacert
> /tmp/cacert.p12

PKCS#12 file should never leave your IPA machine :)

> sh-4.2# ovirt-engine-kerbldap-migration-tool --domain EECS.YORKU.CA
> --cacert /home/jas/cacert.p12
> [INFO   ] tool: ovirt-engine-kerbldap-migration-1.0.2
> (ovirt-engine-kerbldap-migration-1.0.2-1.el7ev)
> [INFO   ] Connecting to database
> [INFO   ] Sanity checks
> [INFO   ] Loading options
> [ERROR  ] Conversion failed: Domain EECS.YORKU.CA not exists in
> configuration.
> 
> (minor correction in that last line: "does not exist" instead of "not
> exists").

thanks! will fix.

can you please add --debug and --log=/tmp/debug.log and send os the debug.log? probably we cannot resolve dns srvrecord correctly.

$ dig +noall +answer srv _ldap._tcp.EECS.YORKU.CA

should return a set of LDAP servers for your domain, if you do not have srvrecord we can workaround this by specifying a specific ldap server using --ldapserver parameter.

> Of course the domain does actually exist.  I can login to engine with my
> domain login.

yes, true, the question is what wrong in our conversion program :)

> 
> Jason.
> 
> 
> 
> 


More information about the Users mailing list