[ovirt-users] LDAP bind DN generation problem

Ondra Machacek omachace at redhat.com
Thu Jun 18 12:49:57 UTC 2015


On 06/18/2015 02:07 PM, Mitja Mihelič wrote:
> Hi!
Hi
>
> We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the 
> LDAP domain on the login screen. Only internal is available.
> Our LDAP server is actually a 389DS instance and we are using it for 
> authentication in oVirt without Kerberos. The existing setup has 
> worked since the days of 3.2.
>
> When we try to validate the domain, we get
> [root at brda ~]# engine-manage-domains validate
> Error: Cannot authenticate user ovirt to domain guest.arnes.si, 
> details: [LDAP: error code 32 - No Such Object]; nested exception is 
> javax.naming.AuthenticationException: [LDAP: error code 32 - No Such 
> Object]
> Failure while testing domain guest.arnes.si. Details: Cannot 
> authenticate user to LDAP server.
>
> The LDAP log reports
> [18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND 
> dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
> As you can see there is a comma missing before "dc=guest,dc=arnes,dc=si".
>
> Before the upgrade the bind DN was generated properly as
> [18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND 
> dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3

So what is your search user's DN?
Is it:
dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"

or

dn="uid=ovirt,ou=People,dc=arnes,dc=si"

Is it possible for you to try whether a different user works fine?
Because a user with a very similar DN works for me just OK.

>
> This looks like a bug.
> Is there a quick fix we can do to fix this typo?
>
> We are also interested in knowing what is the correct way in 3.5 to 
> add a domain that uses an LDAP server for its authentication source 
> without Kerberos.

Please see following links:

* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
* http://www.ovirt.org/Features/AAA
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
* https://github.com/machacekondra/ovirt-engine-kerbldap-migration


>
> Kind regards, Mitja
> -- 
> --
> Mitja Mihelič
> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
> tel: +386 1 479 8800, fax: +386 1 479 88 99
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
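
Added example, not part of the original message and not oVirt or 389DS code: a small scanner for 389DS access-log BIND lines that flags bind DNs like the one reported above, where two components are fused because a comma is missing. The base DN list and the function names are assumptions made for this illustration; the sample lines are the two BIND entries quoted in the message, rejoined onto one line each.

```python
import re

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')  # 389DS access-log BIND entry

def split_unescaped(s, sep):
    """Split s on sep, skipping backslash-escaped characters (RFC 4514)."""
    parts, start, i = [], 0, 0
    while i < len(s):
        if s[i] == "\\":
            i += 1          # skip the escaped character
        elif s[i] == sep:
            parts.append(s[start:i])
            start = i + 1
        i += 1
    parts.append(s[start:])
    return parts

def dn_problems(dn, base_dns):
    """Return reasons a bind DN looks wrong; an empty list means it looks fine."""
    problems = []
    rdns = [r.strip() for r in split_unescaped(dn, ",")]
    for rdn in rdns:
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDNs
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip():
                problems.append(f"not attr=value: {ava!r}")
            elif len(split_unescaped(value, "=")) > 1:  # legal in RFC 4514, so only a heuristic
                problems.append(f"'=' inside value, components may be fused: {ava!r}")
    norm = ",".join(rdns).lower()
    if not any(norm == b.lower() or norm.endswith("," + b.lower()) for b in base_dns):
        problems.append("DN is not under any configured base DN")
    return problems

def scan(lines, base_dns):
    """Return (conn, op, dn, problems) for each non-anonymous BIND with problems."""
    findings = []
    for m in filter(None, map(BIND_RE.search, lines)):
        conn, op, dn = m.groups()
        problems = dn_problems(dn, base_dns) if dn else []  # dn="" is an anonymous bind
        if problems:
            findings.append((conn, op, dn, problems))
    return findings

# The two BIND lines from the message above, rejoined onto one line each.
SAMPLE_LOG = [
    '[18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3',
    '[18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3',
]
BASE_DNS = ["dc=arnes,dc=si"]  # assumed directory suffix for this illustration
```

Because an unescaped "=" is allowed inside an attribute value, the fused DN is still syntactically valid, which fits the server answering with error 32 (No Such Object) rather than rejecting the DN outright.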
