<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><style>body { line-height: 1.5; }blockquote { margin-top: 0px; margin-bottom: 0px; margin-left: 0.5em; }body { font-size: 10.5pt; font-family: 微软雅黑; color: rgb(0, 0, 0); line-height: 1.5; }</style></head><body>
<div>It worked. Thanks!<span></span></div>
<blockquote style="margin-top: 0px; margin-bottom: 0px; margin-left: 0.5em;"><div> </div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div style="PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-SIZE: 12px;FONT-FAMILY:tahoma;COLOR:#000000; BACKGROUND: #efefef; PADDING-BOTTOM: 8px; PADDING-TOP: 8px"><div><b>From:</b> <a href="mailto:omachace@redhat.com">Ondra Machacek</a></div><div><b>Date:</b> 2017-06-08 14:45</div><div><b>To:</b> <a href="mailto:qinglong.dong@horebdata.cn">qinglong.dong@horebdata.cn</a></div><div><b>CC:</b> <a href="mailto:Latcho@aubg.bg">Latcho</a>; <a href="mailto:users@ovirt.org">users</a></div><div><b>Subject:</b> Re: Re: [ovirt-users] active directory</div></div></div><div><div>If you are using Active Directory you most probably don't use Anonymous bind.</div>
<div>The question:</div>
<div> </div>
<div> Enter search user DN (for example</div>
<div>uid=username,dc=example,dc=com or leave empty for anonymous):</div>
<div> </div>
<div>You should not leave it empty but rather specify some user who can</div>
<div>search in Active Directory.</div>
<div>You can enter it either in DN format (cn=user,dc=domain,dc=com) or UPN</div>
<div>format (user@domain.com).</div>
<div> </div>
<div>On Thu, Jun 8, 2017 at 5:32 AM, qinglong.dong@horebdata.cn</div>
<div>&lt;qinglong.dong@horebdata.cn&gt; wrote:</div>
<div>> Thanks! I executed "ovirt-engine-extension-aaa-ldap-setup", but I got an</div>
<div>> error. Is there anything wrong?</div>
<div>></div>
<div>> [root@engine ~]# ovirt-engine-extension-aaa-ldap-setup</div>
<div>> [ INFO ] Stage: Initializing</div>
<div>> [ INFO ] Stage: Environment setup</div>
<div>> Configuration files:</div>
<div>> ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']</div>
<div>> Log file:</div>
<div>> /tmp/ovirt-engine-extension-aaa-ldap-setup-20170608112535-jll8t2.log</div>
<div>> Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)</div>
<div>> [ INFO ] Stage: Environment packages setup</div>
<div>> [ INFO ] Stage: Programs detection</div>
<div>> [ INFO ] Stage: Environment customization</div>
<div>> Welcome to LDAP extension configuration program</div>
<div>> Available LDAP implementations:</div>
<div>> 1 - 389ds</div>
<div>> 2 - 389ds RFC-2307 Schema</div>
<div>> 3 - Active Directory</div>
<div>> 4 - IBM Security Directory Server</div>
<div>> 5 - IBM Security Directory Server RFC-2307 Schema</div>
<div>> 6 - IPA</div>
<div>> 7 - Novell eDirectory RFC-2307 Schema</div>
<div>> 8 - OpenLDAP RFC-2307 Schema</div>
<div>> 9 - OpenLDAP Standard Schema</div>
<div>> 10 - Oracle Unified Directory RFC-2307 Schema</div>
<div>> 11 - RFC-2307 Schema (Generic)</div>
<div>> 12 - RHDS</div>
<div>> 13 - RHDS RFC-2307 Schema</div>
<div>> 14 - iPlanet</div>
<div>> Please select: 3</div>
<div>> Please enter Active Directory Forest name: horebdata.com</div>
<div>> [ INFO ] Resolving Global Catalog SRV record for horebdata.com</div>
<div>> [ INFO ] Resolving LDAP SRV record for horebdata.com</div>
<div>> NOTE:</div>
<div>> It is highly recommended to use secure protocol to access the LDAP</div>
<div>> server.</div>
<div>> Protocol startTLS is the standard recommended method to do so.</div>
<div>> Only in cases in which the startTLS is not supported, fallback to</div>
<div>> non standard ldaps protocol.</div>
<div>> Use plain for test environments only.</div>
<div>> Please select protocol to use (startTLS, ldaps, plain) [startTLS]:</div>
<div>> plain</div>
<div>> [ INFO ] Resolving SRV record 'horebdata.com'</div>
<div>> [ INFO ] Connecting to LDAP using</div>
<div>> 'ldap://win-fvdsocg3abj.horebdata.com:389'</div>
<div>> [ INFO ] Connection succeeded</div>
<div>> Enter search user DN (for example uid=username,dc=example,dc=com</div>
<div>> or leave empty for anonymous):</div>
<div>> [ INFO ] Attempting to bind using '[Anonymous]'</div>
<div>> Are you going to use Single Sign-On for Virtual Machines (Yes, No)</div>
<div>> [No]: yes</div>
<div>> NOTE:</div>
<div>> Profile name has to match domain name, otherwise Single Sign-On</div>
<div>> for Virtual Machines will not work.</div>
<div>> Please specify profile name that will be visible to users</div>
<div>> [horebdata.com]:</div>
<div>> [ INFO ] Stage: Setup validation</div>
<div>> The following files are about to be overwritten:</div>
<div>> /etc/ovirt-engine/extensions.d/horebdata.com-authn.properties</div>
<div>> /etc/ovirt-engine/extensions.d/horebdata.com.properties</div>
<div>> /etc/ovirt-engine/aaa/horebdata.com.properties</div>
<div>> Continue and overwrite? (Yes, No) [No]: yes</div>
<div>> NOTE:</div>
<div>> It is highly recommended to test drive the configuration before</div>
<div>> applying it into engine.</div>
<div>> Perform at least one Login sequence and one Search sequence.</div>
<div>> Select test sequence to execute (Done, Abort, Login, Search)</div>
<div>> [Abort]: login</div>
<div>> Enter user name: horebdata</div>
<div>> Enter user password:</div>
<div>> [ INFO ] Executing login sequence...</div>
<div>> Login output:</div>
<div>> 2017-06-08 11:26:09,446+08 INFO</div>
<div>> ========================================================================</div>
<div>> 2017-06-08 11:26:09,463+08 INFO ============================</div>
<div>> Initialization ============================</div>
<div>> 2017-06-08 11:26:09,463+08 INFO</div>
<div>> ========================================================================</div>
<div>> 2017-06-08 11:26:09,475+08 INFO Loading extension</div>
<div>> 'horebdata.com-authn'</div>
<div>> 2017-06-08 11:26:09,517+08 INFO Extension 'horebdata.com-authn'</div>
<div>> loaded</div>
<div>> 2017-06-08 11:26:09,522+08 INFO Loading extension</div>
<div>> 'horebdata.com'</div>
<div>> 2017-06-08 11:26:09,530+08 INFO Extension 'horebdata.com'</div>
<div>> loaded</div>
<div>> 2017-06-08 11:26:09,531+08 INFO Initializing extension</div>
<div>> 'horebdata.com-authn'</div>
<div>> 2017-06-08 11:26:09,532+08 INFO</div>
<div>> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Creating LDAP</div>
<div>> pool 'authz'</div>
<div>> 2017-06-08 11:26:09,620+08 INFO</div>
<div>> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] LDAP pool</div>
<div>> 'authz' information: vendor='null' version='null'</div>
<div>> 2017-06-08 11:26:09,621+08 INFO</div>
<div>> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Creating LDAP</div>
<div>> pool 'authn'</div>
<div>> 2017-06-08 11:26:09,636+08 INFO</div>
<div>> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] LDAP pool</div>
<div>> 'authn' information: vendor='null' version='null'</div>
<div>> 2017-06-08 11:26:09,649+08 WARNING</div>
<div>> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Cannot</div>
<div>> initialize LDAP framework, deferring initialization. Error: Unexpected comma</div>
<div>> or semicolon found at the end of the DN string.</div>
<div>> 2017-06-08 11:26:09,650+08 INFO Extension 'horebdata.com-authn'</div>
<div>> initialized</div>
<div>> 2017-06-08 11:26:09,650+08 INFO Initializing extension</div>
<div>> 'horebdata.com'</div>
<div>> 2017-06-08 11:26:09,651+08 INFO</div>
<div>> [ovirt-engine-extension-aaa-ldap.authz::horebdata.com] Creating LDAP pool</div>
<div>> 'authz'</div>
<div>> 2017-06-08 11:26:09,679+08 INFO</div>
<div>> [ovirt-engine-extension-aaa-ldap.authz::horebdata.com] LDAP pool 'authz'</div>
<div>> information: vendor='null' version='null'</div>
<div>> 2017-06-08 11:26:09,679+08 INFO</div>
<div>> [ovirt-engine-extension-aaa-ldap.authz::horebdata.com] Creating LDAP pool</div>
<div>> 'gc'</div>
<div>> 2017-06-08 11:26:09,694+08 INFO</div>
<div>> [ovirt-engine-extension-aaa-ldap.authz::horebdata.com] LDAP pool 'gc'</div>
<div>> information: vendor='null' version='null'</div>
<div>> 2017-06-08 11:26:09,697+08 WARNING</div>
<div>> [ovirt-engine-extension-aaa-ldap.authz::horebdata.com] Cannot initialize</div>
<div>> LDAP framework, deferring initialization. Error: Unexpected comma or</div>
<div>> semicolon found at the end of the DN string.</div>
<div>> 2017-06-08 11:26:09,697+08 INFO Extension 'horebdata.com'</div>
<div>> initialized</div>
<div>> 2017-06-08 11:26:09,697+08 INFO Start of enabled extensions</div>
<div>> list</div>
<div>> 2017-06-08 11:26:09,697+08 INFO Instance name: 'horebdata.com',</div>
<div>> Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.1',</div>
<div>> Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.1-1.el7.centos',</div>
<div>> License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt</div>
<div>> Project', Build interface Version: '0', File:</div>
<div>> '/tmp/tmpHfBhQf/extensions.d/horebdata.com.properties', Initialized: 'true'</div>
<div>> 2017-06-08 11:26:09,698+08 INFO Instance name:</div>
<div>> 'horebdata.com-authn', Extension name:</div>
<div>> 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.1', Notes: 'Display</div>
<div>> name: ovirt-engine-extension-aaa-ldap-1.3.1-1.el7.centos', License: 'ASL</div>
<div>> 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build</div>
<div>> interface Version: '0', File:</div>
<div>> '/tmp/tmpHfBhQf/extensions.d/horebdata.com-authn.properties', Initialized:</div>
<div>> 'true'</div>
<div>> 2017-06-08 11:26:09,698+08 INFO End of enabled extensions list</div>
<div>> 2017-06-08 11:26:09,698+08 INFO</div>
<div>> ========================================================================</div>
<div>> 2017-06-08 11:26:09,698+08 INFO ==============================</div>
<div>> Execution ===============================</div>
<div>> 2017-06-08 11:26:09,698+08 INFO</div>
<div>> ========================================================================</div>
<div>> 2017-06-08 11:26:09,698+08 INFO Iteration: 0</div>
<div>> 2017-06-08 11:26:09,699+08 INFO Profile='horebdata.com'</div>
<div>> authn='horebdata.com-authn' authz='horebdata.com' mapping='null'</div>
<div>> 2017-06-08 11:26:09,699+08 INFO API:</div>
<div>> -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='horebdata.com'</div>
<div>> user='horebdata'</div>
<div>> 2017-06-08 11:26:09,702+08 WARNING</div>
<div>> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Cannot</div>
<div>> initialize LDAP framework, deferring initialization. Error: Unexpected comma</div>
<div>> or semicolon found at the end of the DN string.</div>
<div>> 2017-06-08 11:26:09,703+08 SEVERE Unexpected comma or semicolon</div>
<div>> found at the end of the DN string.</div>
<div>> [ ERROR ] Login sequence failed</div>
<div>> Please investigate details of the failure (search for lines</div>
<div>> containing SEVERE log level).</div>
<div>> Select test sequence to execute (Done, Abort, Login, Search)</div>
<div>> [Abort]:</div>
<div>></div>
<div>> From: Ondra Machacek</div>
<div>> Date: 2017-06-07 14:47</div>
<div>> To: qinglong.dong@horebdata.cn</div>
<div>> CC: users</div>
<div>> Subject: Re: [ovirt-users] active directory</div>
<div>> Or you can try the migration tool:</div>
<div>></div>
<div>> https://github.com/oVirt/ovirt-engine-kerbldap-migration</div>
<div>></div>
<div>> Check the README, there are instructions on how to proceed.</div>
<div>></div>
<div>> On Wed, Jun 7, 2017 at 8:33 AM, Latchezar Filtchev &lt;Latcho@aubg.bg&gt; wrote:</div>
<div>>> This can help you:</div>
<div>>></div>
<div>>></div>
<div>>></div>
<div>>> http://lists.ovirt.org/pipermail/users/2016-September/042937.html</div>
<div>>></div>
<div>>></div>
<div>>></div>
<div>>> Best,</div>
<div>>></div>
<div>>> Latcho</div>
<div>>></div>
<div>>></div>
<div>>></div>
<div>>></div>
<div>>></div>
<div>>> From: users-bounces@ovirt.org [mailto:users-bounces@ovirt.org] On Behalf</div>
<div>>> Of</div>
<div>>> qinglong.dong@horebdata.cn</div>
<div>>> Sent: Wednesday, June 07, 2017 4:57 AM</div>
<div>>> To: users</div>
<div>>> Subject: [ovirt-users] active directory</div>
<div>>></div>
<div>>></div>
<div>>></div>
<div>>> Hi all,</div>
<div>>></div>
<div>>> I used "engine-manage-domains" to add AD to ovirt in earlier</div>
<div>>> version. What should I do in ovirt 4.1? Hope someone can help. Thanks!</div>
<div>>></div>
<div>>></div>
<div>>></div>
<div>></div>
<div> </div>
</div></blockquote>
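<div>An added example, not part of the original thread and not code from the oVirt setup tool: a small Python pre-check for the answer typed at the "Enter search user DN" prompt. It reports an empty answer as an anonymous bind and accepts the two formats named in the reply above, DN or UPN. The function names and the simplified DN check are assumptions for illustration; this is not a full RFC 4514 parser.</div>

```python
import re

# Simplified patterns (assumption): enough to catch an empty answer, a missing
# "attribute=value" pair, or a stray separator. Multi-valued RDNs are not handled.
_UPN = re.compile(r"^[^@\s=,]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
_ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$|^\d+(\.\d+)*$")

def split_rdns(dn):
    """Split a DN on ',' or ';' separators, honouring backslash escapes."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            cur, esc = cur + ch, True
        elif ch in ",;":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts

def classify_search_user(answer):
    """Return (kind, problem); kind is 'anonymous', 'upn', 'dn' or 'invalid'."""
    value = answer.strip()
    if not value:
        return "anonymous", "empty answer means the setup binds anonymously"
    if _UPN.match(value):
        return "upn", None
    for rdn in split_rdns(value):
        if not rdn.strip():
            return "invalid", "empty RDN (stray or trailing comma/semicolon)"
        attr, sep, val = rdn.partition("=")
        if not sep or not _ATTR.match(attr.strip()) or not val.strip():
            return "invalid", "RDN %r is not attribute=value" % rdn.strip()
    return "dn", None

if __name__ == "__main__":
    # Constructed sample answers; only the prompt's own example DN is from the thread.
    for sample in ["", "user@domain.com", "uid=username,dc=example,dc=com",
                   "cn=user,dc=domain,dc=com,", "cn=user,dc=domain,dcom"]:
        print(repr(sample), "->", classify_search_user(sample))
```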
</body></html>