>>> Can you try to run that on command line[1], or can you double check that such user exists?
Here is the result of the command:

[root@ldap ~]# ldapsearch -x -H ldap://ldap.cyber-range.lan -b 'dc=cyber-range,dc=lan' -D 'uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot' -W uid=admin
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=cyber-range,dc=lan> with scope subtree
# filter: uid=admin
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Basically, I did not create any users except for the ones that were "created" during the setup-ds-admin.pl script run.
https://www.unixmen.com/install-and-configure-ldap-server-in-centos-7/
I ran the script just like the article did to include names; I did, however, change the server and domain names to match mine. I didn't create any users using the GUI or ldapmodify after the initial setup. Do I need to create a user with the needed bind privileges or is my problem somewhere else?

________________________________
From: Ondra Machacek <[email protected]>
Sent: Monday, November 5, 2018 4:15 AM
To: Jeremy Tourville; Donny Davis
Cc: [email protected]
Subject: Re: [ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed

Looking at logs you may see:

2018-10-31 16:48:09,331-05 FINE Performing SearchRequest 'SearchRequest(baseDN='dc=cyber-range,dc=lan', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectClass=organizationalPerson)(uid=*)(uid=admin)', attrs={nsuniqueid, uid, cn, displayName, department, givenName, sn, title, mail})' request on server 'ldap.cyber-range.lan'
2018-10-31 16:48:09,333-05 FINE SearchResult: SearchResult(resultCode=0 (success), messageID=3, entriesReturned=0, referencesReturned=0)

So the AAA is trying to search user uid=admin in namespace dc=cyber-range,dc=lan. But the 389ds returns nothing. Can you try to run that on command line[1], or can you double check that such user exists?

Seems like admin which you use in vars.user, from namespace o=NetscapeRoot, can't search in namespace dc=cyber-range,dc=lan.
Try to use as vars.user a user from namespace dc=cyber-range,dc=lan.

[1] ldapsearch -x -H ldap://ldap.cyber-range.lan -b 'dc=cyber-range,dc=lan' -D 'uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot' -W uid=admin

On 11/2/18 2:01 PM, Jeremy Tourville wrote:
> I have been trying to find the setting to confirm that.
>
> On Nov 2, 2018 7:43 AM, Donny Davis <[email protected]> wrote:
> Is binding allowed in your 389ds instance?
>
> On Fri, Nov 2, 2018, 8:11 AM Jeremy Tourville <[email protected]> wrote:
> The backend is 389 DS, no this is not Govt related. This will be used as a
> training platform for my local ISSA chapter. This is a new 389 DS server. I
> followed the instructions at
> https://www.unixmen.com/install-and-configure-ldap-server-in-centos-7/
> The server is "stock" with the exceptions of the settings for startTLS and
> adding certificates, etc (basically, whatever is needed to integrate with the
> oVirt Engine.)
> I am using my Admin account to perform the bind. What I don't understand is
> why everything else in the aaa setup script works except the login sequence.
> It would seem like my certificates are correct, correct use of the admin DN,
> etc. The funny part is I can log in to the server using the admin account and
> password yet the same admin account and password fail when using the aaa
> setup script. But, that is why I am using the expert knowledge on the list!
> Maybe I have overlooked a simple prerequisite setting needed for setup
> somewhere?
>
> I'll wait for someone to chime in on possible reasons to get this message:
> SEVERE Authn.Result code is: CREDENTIALS_INVALID
> [ ERROR ] Login sequence failed
>
> ______________________________________________
> Users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/TGT7ASCWSUTU6TDT2HIBLBCRL2CEF3G6/
>
> _______________________________________________
> Users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/JN4AMQUNTFGL2NDUWNDG2AZTF7YIQPN6/
>
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/ZMNZS6IGHG3QFOO4RUVUFQH5AAVLKGOT/
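
Added example, not part of the original thread and not oVirt code: a small log check for the two conditions discussed above, a search that succeeds (resultCode=0) but returns no entries, and a bind DN that lies outside the search base. The function names are hypothetical, and the DN comparison is a simplification that assumes no escaped commas in the DNs.

```python
import re

# Log lines copied from the thread above.
SAMPLE_LOG = """\
2018-10-31 16:48:09,331-05 FINE Performing SearchRequest 'SearchRequest(baseDN='dc=cyber-range,dc=lan', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectClass=organizationalPerson)(uid=*)(uid=admin)', attrs={nsuniqueid, uid, cn, displayName, department, givenName, sn, title, mail})' request on server 'ldap.cyber-range.lan'
2018-10-31 16:48:09,333-05 FINE SearchResult: SearchResult(resultCode=0 (success), messageID=3, entriesReturned=0, referencesReturned=0)
"""

REQ = re.compile(r"SearchRequest\(baseDN='(?P<base>[^']*)'.*?filter='(?P<filter>[^']*)'")
RES = re.compile(r"SearchResult\(resultCode=(?P<code>\d+) .*?entriesReturned=(?P<n>\d+)")


def find_empty_searches(log_text):
    """Pair each SearchRequest with the next SearchResult and return the
    requests that succeeded (resultCode=0) but returned zero entries."""
    findings, pending = [], None
    for line in log_text.splitlines():
        req = REQ.search(line)
        if req:
            pending = req.groupdict()
            continue
        res = RES.search(line)
        if res and pending is not None:
            if int(res["code"]) == 0 and int(res["n"]) == 0:
                findings.append(pending)
            pending = None
    return findings


def dn_under(dn, base):
    """True if dn sits at or below base (case-insensitive RDN suffix match).
    Simplification: splits on ',' and does not handle escaped commas."""
    d = [p.strip().lower() for p in dn.split(",")]
    b = [p.strip().lower() for p in base.split(",")]
    return len(d) >= len(b) and d[-len(b):] == b


def diagnose(log_text, bind_dn):
    """For each empty-but-successful search, note whether the bind DN is in the base."""
    return [dict(f, bind_dn_under_base=dn_under(bind_dn, f["base"]))
            for f in find_empty_searches(log_text)]


if __name__ == "__main__":
    bind = "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
    for finding in diagnose(SAMPLE_LOG, bind):
        print(finding)
```
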

