----- Original Message -----
> From: "Cameron Christensen" <[email protected]>
> To: "Alon Bar-Lev" <[email protected]>
> Cc: "Yair Zaslavsky" <[email protected]>, [email protected]
> Sent: Tuesday, November 18, 2014 6:21:18 PM
> Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
>
> On Mon, 2014-11-17 at 16:48 -0500, Alon Bar-Lev wrote:
> >
> > ----- Original Message -----
> > > From: "Cameron Christensen" <[email protected]>
> > > To: "Alon Bar-Lev" <[email protected]>
> > > Cc: [email protected]
> > > Sent: Monday, November 17, 2014 11:43:34 PM
> > > Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > > IPA
> > >
> > > On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
> > > >
> > > > ----- Original Message -----
> > > > > From: "Cameron Christensen" <[email protected]>
> > > > > To: [email protected]
> > > > > Sent: Friday, November 14, 2014 5:39:54 PM
> > > > > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > > > > IPA
> > > > >
> > > > > Hello,
> > > > >
> > > > > I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA.
> > > > > Starting up ovirt-engine the extension manager fails to properly load
> > > > > the service that handles Kerberos/LDAP.
> > > >
> > > > This is probably a bug, can you please execute the following and paste
> > > > result:
> > > >
> > > > # PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from
> > > > vdc_options where option_name='LDAPSecurityAuthentication'"
> > > >
> > >
> > >  option_id |        option_name         |    option_value    | version
> > > -----------+----------------------------+-------------------+---------
> > >        165 | LDAPSecurityAuthentication | example.org:GSSAPI | general
> > >
> > > I replaced my domain name with 'example.org'
> > >
> >
> > I thought it will be empty... and it contains valid value. Yair?
> >
> Looking through the vdc_options table I noticed that many of the LDAP*
> and Ad* settings use two different spellings for the Kerberos/LDAP
> domain. One in all upper case letters, EXAMPLE.ORG and one in all lower
> case, example.org. (I'm guessing this is to handle either spelling of
> the domain?)
>
> I updated LDAPSecurityAuthentication and set the option_value to use
> both the upper case and lower case domain name,
> 'EXAMPLE.ORG:GSSAPI,example.org:GSSAPI'.
>
> select * from vdc_options where option_name =
> 'LDAPSecurityAuthentication';
>  option_id |        option_name         |             option_value              | version
> -----------+----------------------------+-------------------------------------+---------
>        165 | LDAPSecurityAuthentication | EXAMPLE.ORG:GSSAPI,example.org:GSSAPI | general

Just so we can continue to investigate - if you would like to get your LDAP and Kerberos SRV records, to which domain will you send them in your setup?
dig SRV _ldap._tcp.EXAMPLE.ORG or dig SRV _ldap._tcp.example.org?
Same goes for _kerberos._tcp.example.org and _kerberos._tcp.EXAMPLE.ORG

Cheers,
Yair

>
> Using both domain names I am able to authenticate, authorize and pull
> account information from the IPA server once again.
>
> Thanks for pointing me at the right location.
>
> Cameron
>
_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users

