[ovirt-users] Can't perform search after setting up an Active Directory
Ondra Machacek
omachace at redhat.com
Wed May 25 10:57:06 UTC 2016
On 05/25/2016 12:20 PM, Alexis HAUSER wrote:
> Hi,
>
> I added an Active Directory server to RHEV, but I can't perform any search and I don't see any namespace in the interface.
>
> I'm able to perform search using with the same search user DN / passwd and certificate :
>
> LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -H ldaps://myserver.com -x -D 'CN=Something,DC=myserver,DC=come' -w 'mypaswd' -b 'CN=users,DC=something,DC=com'
>
> in the engine.log, if I grep warn, I can see the following messages :
>
> 2016-05-25 05:54:55,840 WARN [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-3) [] Illegal search: ADUSER at AD-authz:undefined: allnames=*: null
> 2016-05-25 05:54:55,843 WARN [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-3) [] Illegal search: ADGROUP at AD-authz:undefined: name=*: null
> 2016-05-25 05:54:58,160 WARN [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-9) [] Illegal search: ADUSER at AD-authz:undefined: allnames=*: null
> 2016-05-25 05:54:58,162 WARN [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-9) [] Illegal search: ADGROUP at AD-authz:undefined: name=*: null
Can you please send what's happening during initialization of engine?
(logs right after ovirt-engine is restarted).
Or run this command and send output of file 'login.log':
$ ovirt-engine-extensions-tool --log-level=FINEST --log-file=login.log
aaa login-user --profile=ad --user-name=some_user
--password=pass:some_user_password
>
> I also tried adding the following configuration but it didn't solve my problem :
>
> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
> sequence.my-basedn-init-vars.010.description = set baseDN
> sequence.my-basedn-init-vars.010.type = var-set
> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
> sequence.my-basedn-init-vars.010.var-set.value = CN=Users,DC=something,DC=com
>
> Any ideas ?
>
>
>
>
> By the way, if I didn't rename my .profile and auth* files from my LDAP configuration, I had the LDAP namespace suggested by the web interface in my AD domain when trying to perform a search. Is that a bug ?
Not sure I understand. The name of the profile could be whatever, so it
doesn't matter what is the name.
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
More information about the Users
mailing list