----- Original Message -----
> From: "Jason Keltz" <[email protected]>
> To: "Alon Bar-Lev" <[email protected]>
> Cc: [email protected]
> Sent: Friday, August 7, 2015 4:12:40 PM
> Subject: Re: [ovirt-users] [ATN] LDAP Users please read
>
> Hi Alon.
>
> Thanks for your detailed response.
>
> I decided to give the new system a try. Rather than migrate, I prefer
> to re-add from scratch, so I did:
>
> # engine-manage-domains delete --domain=EECS.YORKU.CA
> # systemctl restart ovirt-engine
Good, but you could have first added the new one and only after you have it all working deleted the legacy one :) Not important right now.

> # yum install ovirt-engine-extension-aaa-ldap
> ... but I ran into my first trouble when I tried the following as per
> your AAA-LDAP documentation:
>
> > QUICK START
> > -----------
> >
> > USING INSTALLER
> >
> > Install ovirt-engine-extension-aaa-ldap-setup and execute:
> >
> > # ovirt-engine-extension-aaa-ldap-setup
> >
> > The setup will guide you throughout the process of most common use cases.
>
> There's no command ovirt-engine-extension-aaa-ldap-setup. I checked the
> repository, and I can't find any package that includes that command. I
> guess that's something in 3.6 only. I don't want to use the manual
> installation method. The method that I use should match the simplicity
> of "engine-manage-domains".

Correct, this is new in 3.6; in 3.5 you should follow the documentation of 1.0 [1].

[1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0

> I re-added my existing domain so that I can "migrate" it. So..
>
> # engine-manage-domains add --domain=EECS.YORKU.CA --provider=ipa
> --user=ovirtadmin
> Enter password:
>
> I downloaded the ovirt-engine-kerbldap-migration-1.0.2-1.el7ev.noarch.rpm
> from
> https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases and
> installed it:
>
> # rpm -i ovirt-engine-kerbldap-migration-1.0.2-1.el7ev.noarch.rpm
>
> I need to provide to the tool the domain, and the cacert. It's too bad
> about having to provide the cacert -- the previous method of specifying
> a provider, username, password, and auto-downloading the cert seemed
> more user friendly. The documentation doesn't tell me where I might
> find the cacert. Without much experience using the Red Hat IPA product,
> it's buried. Is it the /root/cacert.p12 file?
> I copied that file to
> /tmp on my engine server, and then:

There is no standard method to get the CA certificate.
We provided some information at [1] under:
"3. [Optional] Obtaining LDAP CA certificate."
"""
FreeIPA
Copy /etc/ipa/ca.crt to your oVirt machine into /tmp.
"""

[1] https://github.com/machacekondra/ovirt-engine-kerbldap-migration

>
> # ovirt-engine-kerbldap-migration-tool --domain EECS.YORKU.CA --cacert
> /tmp/cacert.p12

The PKCS#12 file should never leave your IPA machine :)

> sh-4.2# ovirt-engine-kerbldap-migration-tool --domain EECS.YORKU.CA
> --cacert /home/jas/cacert.p12
> [INFO ] tool: ovirt-engine-kerbldap-migration-1.0.2
> (ovirt-engine-kerbldap-migration-1.0.2-1.el7ev)
> [INFO ] Connecting to database
> [INFO ] Sanity checks
> [INFO ] Loading options
> [ERROR ] Conversion failed: Domain EECS.YORKU.CA not exists in
> configuration.
>
> (minor correction in that last line: "does not exist" instead of "not
> exists").

Thanks! Will fix.

Can you please add --debug and --log=/tmp/debug.log and send us the debug.log?

Probably we cannot resolve the DNS SRV record correctly.

$ dig +noall +answer srv _ldap._tcp.EECS.YORKU.CA

should return a set of LDAP servers for your domain. If you do not have an SRV record, we can work around this by specifying a specific LDAP server using the --ldapserver parameter.

> Of course the domain does actually exist. I can login to engine with my
> domain login.

Yes, true, the question is what is wrong in our conversion program :)

>
> Jason.
>
>
>
> _______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users
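The two pre-flight checks Alon's reply points at can be scripted before the migration tool is run. The Python below is an added example, not code from ovirt-engine-kerbldap-migration, oVirt or FreeIPA: it refuses a PKCS#12 bundle (or any file carrying a private key) as the --cacert argument, and it parses a captured `dig +noall +answer srv _ldap._tcp.<domain>` answer to decide whether --ldapserver is needed. The example.com hostnames, the dig output and the certificate bytes are constructed samples; ordering servers by priority and then descending weight is this script's own simplification, not how the tool selects a server.

```python
#!/usr/bin/env python3
"""Pre-flight checks before running ovirt-engine-kerbldap-migration-tool.

Added example; it is NOT part of the migration tool, oVirt, or FreeIPA.
It checks the two things that came up in the thread:

  1. the file given to --cacert is a PEM CA certificate (what
     /etc/ipa/ca.crt is), not a PKCS#12 bundle such as /root/cacert.p12,
     which also carries private keys and must stay on the IPA server;
  2. the domain has _ldap._tcp SRV records, or an --ldapserver value was
     supplied instead.

The SRV check parses the output of `dig +noall +answer srv _ldap._tcp.<domain>`
so a captured answer can be checked offline; nothing here touches the network.
"""
import re
import sys
from typing import List, Optional, Tuple

PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def classify_cacert(data: bytes) -> str:
    """Classify a candidate --cacert file by its PEM armor or leading byte.

    Returns "pem-cert" only when every PEM block is a CERTIFICATE.  A PKCS#12
    (or any DER) file has no PEM armor and starts with the ASN.1 SEQUENCE
    tag 0x30; it is reported so it can be rejected before it leaves the IPA host.
    """
    labels = PEM_HEADER.findall(data)
    if labels:
        if any(b"PRIVATE KEY" in label for label in labels):
            return "pem-with-private-key"
        if all(label == b"CERTIFICATE" for label in labels):
            return "pem-cert"
        return "pem-other"
    if data[:1] == b"\x30":
        return "pkcs12-or-der"
    return "unknown"


def parse_srv_answer(text: str) -> List[Tuple[int, int, int, str]]:
    """Parse `dig +noall +answer srv` lines into (priority, weight, port, target).

    Each answer line looks like
      _ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipa1.example.com.
    Records are ordered by ascending priority, then descending weight (a
    deterministic stand-in for RFC 2782 weighted selection).  A target of "."
    means "service not offered" and is dropped.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[3].upper() != "SRV":
            continue
        priority, weight, port = int(parts[4]), int(parts[5]), int(parts[6])
        target = parts[7].rstrip(".")
        if target:
            records.append((priority, weight, port, target))
    return sorted(records, key=lambda r: (r[0], -r[1]))


def ldap_servers(srv_answer: str) -> List[str]:
    """host:port strings in the order this script would try them."""
    return [f"{target}:{port}" for _, _, port, target in parse_srv_answer(srv_answer)]


def preflight(cacert: bytes, srv_answer: str, ldapserver: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means it is safe to run the tool."""
    issues = []
    kind = classify_cacert(cacert)
    if kind != "pem-cert":
        issues.append(
            f"--cacert file is {kind}; use the PEM CA certificate "
            "(/etc/ipa/ca.crt on FreeIPA), never a .p12 bundle"
        )
    if not ldapserver and not ldap_servers(srv_answer):
        issues.append("no usable _ldap._tcp SRV records; pass --ldapserver <host>")
    return issues


# Constructed sample inputs (not a real certificate, not real DNS data).
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIBplaceholderBodyNotARealCertificate\n"
    b"-----END CERTIFICATE-----\n"
)
SAMPLE_P12 = b"\x30\x82\x0b\x1d\x02\x01\x03\x30\x82"  # DER SEQUENCE, PKCS#12 version 3
SAMPLE_DIG = """\
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipa1.example.com.
_ldap._tcp.example.com. 86400 IN SRV 10 50 389 ipa2.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 20 389 ipa3.example.com.
"""

if __name__ == "__main__":
    # Usage: preflight.py /etc/ipa/ca.crt dig-output.txt [ldapserver]
    if len(sys.argv) >= 3:
        with open(sys.argv[1], "rb") as f:
            cert = f.read()
        with open(sys.argv[2]) as f:
            dig_out = f.read()
        server = sys.argv[3] if len(sys.argv) > 3 else None
    else:
        cert, dig_out, server = SAMPLE_P12, "", None
    for problem in preflight(cert, dig_out, server) or ["ok"]:
        print(problem)
```

Run with no arguments it checks the constructed samples and reports both problems Jason hit (a .p12 handed to --cacert, no SRV answer); with a real ca.crt and a saved `dig` answer it reports nothing when the tool's inputs are sane.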

