[ovirt-users] Can't perform search after setting up an Active Directory

Ondra Machacek omachace at redhat.com
Wed May 25 10:57:06 UTC 2016


On 05/25/2016 12:20 PM, Alexis HAUSER wrote:
> Hi,
>
> I added an Active Directory server to RHEV, but I can't perform any search and I don't see any namespace in the interface.
>
> I'm able to perform a search using the same search user DN / passwd and certificate:
>
> LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -H ldaps://myserver.com -x -D 'CN=Something,DC=myserver,DC=come' -w 'mypaswd' -b 'CN=users,DC=something,DC=com'
>
> In the engine.log, if I grep warn, I can see the following messages:
>
> 2016-05-25 05:54:55,840 WARN  [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-3) [] Illegal search: ADUSER at AD-authz:undefined: allnames=*: null
> 2016-05-25 05:54:55,843 WARN  [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-3) [] Illegal search: ADGROUP at AD-authz:undefined: name=*: null
> 2016-05-25 05:54:58,160 WARN  [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-9) [] Illegal search: ADUSER at AD-authz:undefined: allnames=*: null
> 2016-05-25 05:54:58,162 WARN  [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-9) [] Illegal search: ADGROUP at AD-authz:undefined: name=*: null

Can you please send what's happening during initialization of the engine?
(logs right after ovirt-engine is restarted).

Or run this command and send output of file 'login.log':

  $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=login.log aaa login-user --profile=ad --user-name=some_user --password=pass:some_user_password

>
> I also tried adding the following configuration but it didn't solve my problem :
>
> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
> sequence.my-basedn-init-vars.010.description = set baseDN
> sequence.my-basedn-init-vars.010.type = var-set
> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
> sequence.my-basedn-init-vars.010.var-set.value = CN=Users,DC=something,DC=com
>
> Any ideas ?
>
> By the way, if I didn't rename my .profile and auth* files from my LDAP configuration, I had the LDAP namespace suggested by the web interface in my AD domain when trying to perform a search. Is that a bug ?

Not sure I understand. The name of the profile could be whatever, so it
doesn't matter what the name is.
