I missed this when you sent it; apologies for the delay.

> On Feb 13, 2018, at 12:11 AM, Ondra Machacek <[email protected]> wrote:
>
> Hello,
>
> On 02/09/2018 08:17 PM, Jamie Lawrence wrote:
>> Hello,
>>
>> I'm bringing up a new 4.2 cluster and would like to use LDAP auth. Our LDAP
>> servers are fine and function normally for a number of other services, but I
>> can't get this working.
>>
>> Our LDAP setup requires startTLS and a login. That last bit seems to be
>> where the trouble is. After ovirt-engine-extension-aaa-ldap-setup asks for
>> the cert and I pass it the path to the same cert used via nslcd/PAM for
>> logging in to the host, it replies:
>>
>> [ INFO ] Connecting to LDAP using 'ldap://x.squaretrade.com:389'
>> [ INFO ] Executing startTLS
>> [WARNING] Cannot connect using 'ldap://x.squaretrade.com:389': {'info':
>> 'authentication required', 'desc': 'Server is unwilling to perform'}
>> [ ERROR ] Cannot connect using any of available options
>>
>> "Unwilling to perform" makes me think -aaa-ldap-setup is trying something
>> the backend doesn't support, but I'm having trouble guessing what that could
>> be since the tool hasn't gathered sufficient information to connect yet - it
>> asks for a DN/pass later in the script. And the log isn't much more
>> forthcoming.
>>
>> I double-checked the cert with openssl; it is a valid, PEM-encoded cert.
>>
>> Before I head in to the code, has anyone seen this?
>
> Looks like you have disallowed anonymous bind on your LDAP.
> We are trying to establish an anonymous bind to test the connection.

Ah, I think I forgot that anonymous bind was a thing.

> I would recommend trying a manual configuration; the documentation
> is here:
>
> https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README#L17
>
> Then in your /etc/ovirt-engine/aaa/profile1.properties add the following
> line:
>
> pool.default.auth.type = simple

Awesome, thanks so much. I really appreciate the pointer.

-j

_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users
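For readers landing on this thread with the same "Server is unwilling to perform / authentication required" result: the setup tool's probe uses an anonymous bind, and a directory that refuses anonymous binds (a sound policy worth keeping) rejects it before any credentials are asked for. The profile below is an added example, not text from the thread and not the project's own documentation; it shows how the `pool.default.auth.type = simple` line from the reply fits with a bind account and startTLS in the `/etc/ovirt-engine/aaa/profile1.properties` file the reply names. All host names, DNs, passwords and the truststore path are placeholders; the key names other than `pool.default.auth.type` follow the extension's README as I understand it and should be checked against it.

```properties
# Added example profile for ovirt-engine-extension-aaa-ldap; not from the thread
# or the project's docs. Every value is a placeholder, and the key names apart
# from pool.default.auth.type are taken from the extension's README as I
# understand it; verify them against the README linked in the thread.
include = <rfc2307-openldap.properties>

# Placeholder directory server and a dedicated, read-only search account.
vars.server = ldap.example.com
vars.user = uid=ovirt-search,ou=service,dc=example,dc=com
vars.password = REPLACE_WITH_SEARCH_ACCOUNT_PASSWORD

pool.default.serverset.single.server = ${global:vars.server}

# The line suggested in the thread: authenticate the pool's connections
# with a simple bind instead of relying on an anonymous bind.
pool.default.auth.type = simple
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# startTLS on port 389; the truststore holds the CA that issued the
# server certificate (placeholder path, assumed to be a JKS file).
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/aaa/profile1.jks
pool.default.ssl.truststore.password = changeit
```

Two defender's notes on this layout: the file now holds a directory password, so keep it readable only by root and the engine's service account, and give the search account no more than read access to the users and groups subtree. Before touching the engine at all, `ldapwhoami -x -ZZ -H ldap://ldap.example.com` (anonymous) versus the same command with `-D <bindDN> -W` reproduces the thread's diagnosis: the first is refused with "unwilling to perform" on a server that forbids anonymous binds, the second succeeds, which confirms that the failure is the server's bind policy rather than the certificate.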

