[ovirt-users] active directory

Ondra Machacek omachace at redhat.com
Thu Jun 8 06:45:08 UTC 2017


If you are using Active Directory you most probably don't use Anonymous bind.
The question:

           Enter search user DN (for example
uid=username,dc=example,dc=com or leave empty for anonymous):

You should not leave it empty, but rather specify a user which can
search in Active Directory.
You can enter it either in DN format (cn=user,dc=domain,dc=com) or UPN
format (user@domain.com).

On Thu, Jun 8, 2017 at 5:32 AM, qinglong.dong at horebdata.cn
<qinglong.dong at horebdata.cn> wrote:
> Thanks! I executed "ovirt-engine-extension-aaa-ldap-setup", but I got an
> error. Is there anything wrong?
>
> [root at engine ~]# ovirt-engine-extension-aaa-ldap-setup
> [ INFO  ] Stage: Initializing
> [ INFO  ] Stage: Environment setup
>           Configuration files:
> ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
>           Log file:
> /tmp/ovirt-engine-extension-aaa-ldap-setup-20170608112535-jll8t2.log
>           Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
> [ INFO  ] Stage: Environment packages setup
> [ INFO  ] Stage: Programs detection
> [ INFO  ] Stage: Environment customization
>           Welcome to LDAP extension configuration program
>           Available LDAP implementations:
>            1 - 389ds
>            2 - 389ds RFC-2307 Schema
>            3 - Active Directory
>            4 - IBM Security Directory Server
>            5 - IBM Security Directory Server RFC-2307 Schema
>            6 - IPA
>            7 - Novell eDirectory RFC-2307 Schema
>            8 - OpenLDAP RFC-2307 Schema
>            9 - OpenLDAP Standard Schema
>           10 - Oracle Unified Directory RFC-2307 Schema
>           11 - RFC-2307 Schema (Generic)
>           12 - RHDS
>           13 - RHDS RFC-2307 Schema
>           14 - iPlanet
>           Please select: 3
>           Please enter Active Directory Forest name: horebdata.com
> [ INFO  ] Resolving Global Catalog SRV record for horebdata.com
> [ INFO  ] Resolving LDAP SRV record for horebdata.com
>           NOTE:
>           It is highly recommended to use secure protocol to access the LDAP
> server.
>           Protocol startTLS is the standard recommended method to do so.
>           Only in cases in which the startTLS is not supported, fallback to
> non standard ldaps protocol.
>           Use plain for test environments only.
>           Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
> plain
> [ INFO  ] Resolving SRV record 'horebdata.com'
> [ INFO  ] Connecting to LDAP using
> 'ldap://win-fvdsocg3abj.horebdata.com:389'
> [ INFO  ] Connection succeeded
>           Enter search user DN (for example uid=username,dc=example,dc=com
> or leave empty for anonymous):
> [ INFO  ] Attempting to bind using '[Anonymous]'
>           Are you going to use Single Sign-On for Virtual Machines (Yes, No)
> [No]: yes
>           NOTE:
>           Profile name has to match domain name, otherwise Single Sign-On
> for Virtual Machines will not work.
>           Please specify profile name that will be visible to users
> [horebdata.com]:
> [ INFO  ] Stage: Setup validation
>           The following files are about to be overwritten:
>               /etc/ovirt-engine/extensions.d/horebdata.com-authn.properties
>               /etc/ovirt-engine/extensions.d/horebdata.com.properties
>               /etc/ovirt-engine/aaa/horebdata.com.properties
>           Continue and overwrite? (Yes, No) [No]: yes
>           NOTE:
>           It is highly recommended to test drive the configuration before
> applying it into engine.
>           Perform at least one Login sequence and one Search sequence.
>           Select test sequence to execute (Done, Abort, Login, Search)
> [Abort]: login
>           Enter user name: horebdata
>           Enter user password:
> [ INFO  ] Executing login sequence...
>           Login output:
>           2017-06-08 11:26:09,446+08 INFO
> ========================================================================
>           2017-06-08 11:26:09,463+08 INFO    ============================
> Initialization ============================
>           2017-06-08 11:26:09,463+08 INFO
> ========================================================================
>           2017-06-08 11:26:09,475+08 INFO    Loading extension
> 'horebdata.com-authn'
>           2017-06-08 11:26:09,517+08 INFO    Extension 'horebdata.com-authn'
> loaded
>           2017-06-08 11:26:09,522+08 INFO    Loading extension
> 'horebdata.com'
>           2017-06-08 11:26:09,530+08 INFO    Extension 'horebdata.com'
> loaded
>           2017-06-08 11:26:09,531+08 INFO    Initializing extension
> 'horebdata.com-authn'
>           2017-06-08 11:26:09,532+08 INFO
> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Creating LDAP
> pool 'authz'
>           2017-06-08 11:26:09,620+08 INFO
> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] LDAP pool
> 'authz' information: vendor='null' version='null'
>           2017-06-08 11:26:09,621+08 INFO
> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Creating LDAP
> pool 'authn'
>           2017-06-08 11:26:09,636+08 INFO
> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] LDAP pool
> 'authn' information: vendor='null' version='null'
>           2017-06-08 11:26:09,649+08 WARNING
> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Cannot
> initialize LDAP framework, deferring initialization. Error: Unexpected comma
> or semicolon found at the end of the DN string.
>           2017-06-08 11:26:09,650+08 INFO    Extension 'horebdata.com-authn'
> initialized
>           2017-06-08 11:26:09,650+08 INFO    Initializing extension
> 'horebdata.com'
>           2017-06-08 11:26:09,651+08 INFO
> [ovirt-engine-extension-aaa-ldap.authz::horebdata.com] Creating LDAP pool
> 'authz'
>           2017-06-08 11:26:09,679+08 INFO
> [ovirt-engine-extension-aaa-ldap.authz::horebdata.com] LDAP pool 'authz'
> information: vendor='null' version='null'
>           2017-06-08 11:26:09,679+08 INFO
> [ovirt-engine-extension-aaa-ldap.authz::horebdata.com] Creating LDAP pool
> 'gc'
>           2017-06-08 11:26:09,694+08 INFO
> [ovirt-engine-extension-aaa-ldap.authz::horebdata.com] LDAP pool 'gc'
> information: vendor='null' version='null'
>           2017-06-08 11:26:09,697+08 WARNING
> [ovirt-engine-extension-aaa-ldap.authz::horebdata.com] Cannot initialize
> LDAP framework, deferring initialization. Error: Unexpected comma or
> semicolon found at the end of the DN string.
>           2017-06-08 11:26:09,697+08 INFO    Extension 'horebdata.com'
> initialized
>           2017-06-08 11:26:09,697+08 INFO    Start of enabled extensions
> list
>           2017-06-08 11:26:09,697+08 INFO    Instance name: 'horebdata.com',
> Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.1',
> Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.1-1.el7.centos',
> License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt
> Project', Build interface Version: '0',  File:
> '/tmp/tmpHfBhQf/extensions.d/horebdata.com.properties', Initialized: 'true'
>           2017-06-08 11:26:09,698+08 INFO    Instance name:
> 'horebdata.com-authn', Extension name:
> 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.1', Notes: 'Display
> name: ovirt-engine-extension-aaa-ldap-1.3.1-1.el7.centos', License: 'ASL
> 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build
> interface Version: '0',  File:
> '/tmp/tmpHfBhQf/extensions.d/horebdata.com-authn.properties', Initialized:
> 'true'
>           2017-06-08 11:26:09,698+08 INFO    End of enabled extensions list
>           2017-06-08 11:26:09,698+08 INFO
> ========================================================================
>           2017-06-08 11:26:09,698+08 INFO    ==============================
> Execution ===============================
>           2017-06-08 11:26:09,698+08 INFO
> ========================================================================
>           2017-06-08 11:26:09,698+08 INFO    Iteration: 0
>           2017-06-08 11:26:09,699+08 INFO    Profile='horebdata.com'
> authn='horebdata.com-authn' authz='horebdata.com' mapping='null'
>           2017-06-08 11:26:09,699+08 INFO    API:
> -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='horebdata.com'
> user='horebdata'
>           2017-06-08 11:26:09,702+08 WARNING
> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Cannot
> initialize LDAP framework, deferring initialization. Error: Unexpected comma
> or semicolon found at the end of the DN string.
>           2017-06-08 11:26:09,703+08 SEVERE  Unexpected comma or semicolon
> found at the end of the DN string.
> [ ERROR ] Login sequence failed
>           Please investigate details of the failure (search for lines
> containing SEVERE log level).
>           Select test sequence to execute (Done, Abort, Login, Search)
> [Abort]:
>
> From: Ondra Machacek
> Date: 2017-06-07 14:47
> To: qinglong.dong at horebdata.cn
> CC: users
> Subject: Re: [ovirt-users] active directory
> Or you can try the migration tool:
>
> https://github.com/oVirt/ovirt-engine-kerbldap-migration
>
> Check the README, there are instructions on how to proceed.
>
> On Wed, Jun 7, 2017 at 8:33 AM, Latchezar Filtchev <Latcho at aubg.bg> wrote:
>> This can help you:
>>
>>
>>
>> http://lists.ovirt.org/pipermail/users/2016-September/042937.html
>>
>>
>>
>> Best,
>>
>> Latcho
>>
>>
>>
>>
>>
>> From: users-bounces at ovirt.org [mailto:users-bounces at ovirt.org] On Behalf
>> Of
>> qinglong.dong at horebdata.cn
>> Sent: Wednesday, June 07, 2017 4:57 AM
>> To: users
>> Subject: [ovirt-users] active directory
>>
>>
>>
>> Hi all,
>>
>>         I used "engine-manage-domains" to add AD to ovirt in earlier
>> version. What should I do in ovirt 4.1? Hope someone can help. Thanks!
>>
>>
>>
>
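An added check (example code, not part of the setup tool, the engine, or anyone's message in the thread) that classifies the "search user DN" answer the way the reply above describes: it rejects an empty answer for Active Directory, accepts either a DN or a UPN, and reports the trailing-separator condition that the engine logged as SEVERE. The helper names `split_dn` and `classify_search_user` are this example's own.

```python
import re

# Assumed helper names and patterns (this example's own, not the extension's).
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")              # attribute=value
UPN = re.compile(r"^[^@\s,;=]+@[^@\s,;=]+\.[^@\s,;=]+$")     # user@domain.tld


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings on unescaped ',' or ';' (RFC 4514 style)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch in ",;":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def classify_search_user(value: str, implementation: str = "Active Directory") -> tuple:
    """Classify the setup answer as ('anonymous'|'dn'|'upn'|'error', detail)."""
    value = value.strip()
    if not value:
        # The setup tool treats an empty answer as anonymous bind, which an
        # Active Directory forest will not normally allow for searches.
        if implementation == "Active Directory":
            return ("error", "Active Directory needs a search user; do not leave this empty")
        return ("anonymous", "")
    if value[-1] in ",;":
        # Same message the engine logged as SEVERE in the thread above.
        return ("error", "Unexpected comma or semicolon found at the end of the DN string")
    if UPN.match(value):
        return ("upn", value)
    rdns = split_dn(value)
    bad = [r for r in rdns if not RDN.match(r)]
    if bad:
        return ("error", "not a DN or UPN: %r" % bad[0])
    return ("dn", rdns)
```

Run it against the value you intend to type at the prompt before running the setup tool, so a typo or an empty answer is caught before the extension is written and tested.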

