[ovirt-users] 4.2 aaa LDAP setup issue
Jamie Lawrence
jlawrence at squaretrade.com
Tue Feb 20 23:24:13 UTC 2018
I missed this when you sent it; apologies for the delay.
> On Feb 13, 2018, at 12:11 AM, Ondra Machacek <omachace at redhat.com> wrote:
>
> Hello,
>
> On 02/09/2018 08:17 PM, Jamie Lawrence wrote:
>> Hello,
>> I'm bringing up a new 4.2 cluster and would like to use LDAP auth. Our LDAP servers are fine and function normally for a number of other services, but I can't get this working.
>> Our LDAP setup requires startTLS and a login. That last bit seems to be where the trouble is. After ovirt-engine-extension-aaa-ldap-setup asks for the cert and I pass it the path to the same cert used via nslcd/PAM for logging in to the host, it replies:
>> [ INFO ] Connecting to LDAP using 'ldap://x.squaretrade.com:389'
>> [ INFO ] Executing startTLS
>> [WARNING] Cannot connect using 'ldap://x.squaretrade.com:389': {'info': 'authentication required', 'desc': 'Server is unwilling to perform'}
>> [ ERROR ] Cannot connect using any of available options
>> "Unwilling to perform" makes me think -aaa-ldap-setup is trying something the backend doesn't support, but I'm having trouble guessing what that could be since the tool hasn't gathered sufficient information to connect yet - it asks for a DN/pass later in the script. And the log isn't much more forthcoming.
>> I double-checked the cert with openssl; it is a valid, PEM-encoded cert.
>> Before I head in to the code, has anyone seen this?
>
> Looks like you have disallowed anonymous bind on your LDAP.
> We are trying to estabilish anonymous bind to test the connection.
Ah, I think I forgot that anonymous bind was a thing.
> I would recommend to try to do a manual configuration, the documentation
> is here:
>
> https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README#L17
>
> Then in your /etc/ovirt-engine/aaa/profile1.properties add following
> line:
>
> pool.default.auth.type = simple
Awesome, thanks so much. I really appreciate the pointer.
-j
More information about the Users
mailing list