[ovirt-users] 4.2 aaa LDAP setup issue

Jamie Lawrence jlawrence at squaretrade.com
Tue Feb 20 23:24:13 UTC 2018


I missed this when you sent it; apologies for the delay.

> On Feb 13, 2018, at 12:11 AM, Ondra Machacek <omachace at redhat.com> wrote:
> 
> Hello,
> 
> On 02/09/2018 08:17 PM, Jamie Lawrence wrote:
>> Hello,
>> I'm bringing up a new 4.2 cluster and would like to use LDAP auth. Our LDAP servers are fine and function normally for a number of other services, but I can't get this working.
>> Our LDAP setup requires startTLS and a login. That last bit seems to be where the trouble is. After ovirt-engine-extension-aaa-ldap-setup asks for the cert and I pass it the path to the same cert used via nslcd/PAM for logging in to the host, it replies:
>> [ INFO  ] Connecting to LDAP using 'ldap://x.squaretrade.com:389'
>> [ INFO  ] Executing startTLS
>> [WARNING] Cannot connect using 'ldap://x.squaretrade.com:389': {'info': 'authentication required', 'desc': 'Server is unwilling to perform'}
>> [ ERROR ] Cannot connect using any of available options
>> "Unwilling to perform" makes me think -aaa-ldap-setup is trying something the backend doesn't support, but I'm having trouble guessing what that could be since the tool hasn't gathered sufficient information to connect yet - it asks for a DN/pass later in the script. And the log isn't much more forthcoming.
>> I double-checked the cert with openssl; it is a valid, PEM-encoded cert.
>> Before I head into the code, has anyone seen this?
> 
> Looks like you have disallowed anonymous bind on your LDAP.
> We are trying to establish anonymous bind to test the connection.

Ah, I think I forgot that anonymous bind was a thing. 

> I would recommend to try to do a manual configuration, the documentation
> is here:
> 
> https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README#L17
> 
> Then in your /etc/ovirt-engine/aaa/profile1.properties add following
> line:
> 
> pool.default.auth.type = simple

Awesome, thanks so much. I really appreciate the pointer.

-j
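As an added example (not part of the thread, and not code from ovirt-engine-extension-aaa-ldap), the two bind styles discussed above shown on the wire: a minimal BER encoder for an LDAPv3 BindRequest, where an empty DN and password is exactly the anonymous probe the setup tool sends, and a decoder for the BindResponse, fed a constructed reply that carries the same unwillingToPerform / "authentication required" result Jamie saw. Function names and the sample bytes are my own.

```python
from typing import Dict, Tuple

RESULT_NAMES = {0: "success", 49: "invalidCredentials", 53: "unwillingToPerform"}

def _tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value; long-form length when the body exceeds 127 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nbytes)]) + nbytes + body

def bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage{BindRequest}; empty dn and password is an anonymous bind."""
    body = (_tlv(0x02, bytes([3]))             # version INTEGER 3
            + _tlv(0x04, dn.encode())          # name LDAPDN
            + _tlv(0x80, password.encode()))   # authentication: simple [0]
    # 0x60 = [APPLICATION 0] BindRequest, wrapped in the LDAPMessage SEQUENCE
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, body))

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg: bytes) -> Dict[str, object]:
    """Decode LDAPMessage{BindResponse} into its LDAPResult fields."""
    tag, seq, _ = _read_tlv(msg, 0)
    _, msg_id, pos = _read_tlv(seq, 0)
    op, resp, _ = _read_tlv(seq, pos)
    if tag != 0x30 or op != 0x61:              # SEQUENCE, [APPLICATION 1] BindResponse
        raise ValueError("not an LDAPMessage{BindResponse}")
    _, code, pos = _read_tlv(resp, 0)          # resultCode ENUMERATED
    _, matched, pos = _read_tlv(resp, pos)     # matchedDN
    _, diag, _ = _read_tlv(resp, pos)          # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"messageID": int.from_bytes(msg_id, "big"), "resultCode": rc, "result": RESULT_NAMES.get(rc, "other"),
            "matchedDN": matched.decode(), "diagnosticMessage": diag.decode()}

def anonymous_bind_refused(resp: Dict[str, object]) -> bool:
    """The thread's symptom: unwillingToPerform(53) plus 'authentication required'."""
    return resp["resultCode"] == 53 and "authentication required" in str(resp["diagnosticMessage"])

# Constructed BindResponse mirroring the server reply quoted in the thread (not a capture).
SAMPLE_RESPONSE = bytes.fromhex(
    "30 23 02 01 01 61 1e 0a 01 35 04 00 04 17 61 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 20 72 65 71 75 69 72 65 64")
```

Compare `bind_request(1)` with `bind_request(1, "cn=svc,dc=example,dc=com", "secret")` to see the only difference between the failing anonymous probe and the simple bind that `pool.default.auth.type = simple` configures: the DN and password octet strings.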

