Yes, I found out my original problem stemmed from the fact that I had not created a normal user account after my initial 389 DS setup. Once I created the normal user account, I logged into the engine as the internal admin user. I assigned the normal user account the super user role. I logged out as internal admin and logged in as the new user / super user using the newly created profile. So at least for the AAA setup everything seems to work OK. I created some additional users in 389 DS and I can view them from the engine.
Thank you for your help!

________________________________
From: Ondra Machacek <[email protected]>
Sent: Wednesday, November 14, 2018 8:54 AM
To: Jeremy Tourville; [email protected]
Subject: Re: [ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed

You need to create some users in 'dc=cyber-range,dc=lan'; you can switch to it in the 389ds GUI console and create some users there, then use those users in aaa-ldap-setup and also in the oVirt engine GUI.

On 11/9/18 10:24 AM, Jeremy Tourville wrote:
> An update: I was able to complete the setup. It says it was successful, but I still can't log in using the engine web interface. I selected the newly created profile using the dropdown arrow and entered my admin user and password. I get an error "Unable to login. Verify your login information or contact the system administrator."
>
> I attached my log showing the setup completion.
>
> ________________________________
> From: Jeremy Tourville <[email protected]>
> Sent: Monday, November 5, 2018 2:58 PM
> To: Ondra Machacek
> Cc: [email protected]
> Subject: Re: [ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed
>
>>>> Can you try to run that on command line[1], or can you double check that
>>>> such user exists?
>
> Here is the result of the command:
> [root@ldap ~]# ldapsearch -x -H ldap://ldap.cyber-range.lan -b 'dc=cyber-range,dc=lan' -D 'uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot' -W uid=admin
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=cyber-range,dc=lan> with scope subtree
> # filter: uid=admin
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> Basically, I did not create any users except for the ones that were "created" during the setup-ds-admin.pl script run.
> https://www.unixmen.com/install-and-configure-ldap-server-in-centos-7/
> I ran the script just like the article did, including the names; I did, however, change the server and domain names to match mine. I didn't create any users using the GUI or ldapmodify after the initial setup. Do I need to create a user with the needed bind privileges, or is my problem somewhere else?
>
> ________________________________
> From: Ondra Machacek <[email protected]>
> Sent: Monday, November 5, 2018 4:15 AM
> To: Jeremy Tourville; Donny Davis
> Cc: [email protected]
> Subject: Re: [ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed
>
> Looking at the logs you may see:
>
> 2018-10-31 16:48:09,331-05 FINE Performing SearchRequest 'SearchRequest(baseDN='dc=cyber-range,dc=lan', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectClass=organizationalPerson)(uid=*)(uid=admin)', attrs={nsuniqueid, uid, cn, displayName, department, givenName, sn, title, mail})' request on server 'ldap.cyber-range.lan'
> 2018-10-31 16:48:09,333-05 FINE SearchResult: SearchResult(resultCode=0 (success), messageID=3, entriesReturned=0, referencesReturned=0)
>
> So the AAA is trying to search for user uid=admin in namespace dc=cyber-range,dc=lan, but 389ds returns nothing. Can you try to run that on the command line[1], or can you double check that such a user exists?
>
> It seems like the admin which you use in vars.user, from namespace o=NetscapeRoot, can't search in namespace dc=cyber-range,dc=lan.
>
> Try to use as vars.user a user from namespace dc=cyber-range,dc=lan.
>
> [1] ldapsearch -x -H ldap://ldap.cyber-range.lan -b 'dc=cyber-range,dc=lan' -D 'uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot' -W uid=admin
>
> On 11/2/18 2:01 PM, Jeremy Tourville wrote:
>> I have been trying to find the setting to confirm that.
>>
>> On Nov 2, 2018 7:43 AM, Donny Davis <[email protected]> wrote:
>> Is binding allowed in your 389ds instance?
>>
>>
>> On Fri, Nov 2, 2018, 8:11 AM Jeremy Tourville <[email protected]> wrote:
>> The backend is 389 DS; no, this is not Govt related. This will be used as a training platform for my local ISSA chapter. This is a new 389 DS server. I followed the instructions at https://www.unixmen.com/install-and-configure-ldap-server-in-centos-7/
>> The server is "stock" with the exception of the settings for startTLS and adding certificates, etc. (basically, whatever is needed to integrate with the oVirt Engine).
>> I am using my Admin account to perform the bind. What I don't understand is why everything else in the aaa setup script works except the login sequence. It would seem like my certificates are correct, correct use of the admin DN, etc. The funny part is I can log in to the server using the admin account and password, yet the same admin account and password fail when using the aaa setup script. But that is why I am using the expert knowledge on the list! Maybe I have overlooked a simple prerequisite setting needed for setup somewhere?
>>
>> I'll wait for someone to chime in on possible reasons to get this message:
>> SEVERE Authn.Result code is: CREDENTIALS_INVALID
>> [ ERROR ] Login sequence failed
>>
>> ______________________________________________
>> Users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
>> List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/TGT7ASCWSUTU6TDT2HIBLBCRL2CEF3G6/
>>
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/IE3QEJLMI3P43XFH62FMDZHYS5NQ5AAY/
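The thread above was resolved by hand in three steps: noticing that the bind account (uid=admin under o=NetscapeRoot) lives in a different suffix from the one the engine searches (dc=cyber-range,dc=lan), reading the aaa-ldap FINE log to see a successful search that returned zero entries, and finally creating a user in the searched suffix. The script below is an added example, not code from the thread, from oVirt or from 389 DS; it automates those three checks as a preflight before running ovirt-engine-extension-aaa-ldap-setup. The sample log lines are constructed from the two lines Ondra quoted plus one invented successful lookup; the user uid, the ou=People container and the mail address are assumptions, so substitute whatever exists in your suffix. The suffix check is a heuristic that mirrors the advice given in the thread: what actually decides whether a bind DN can read the users is the 389 DS ACIs, and cn=Directory Manager bypasses them entirely, so the script treats it as an exception.

```python
"""Preflight checks before pointing oVirt's aaa-ldap extension at a 389 DS suffix.

Added example (not oVirt or 389 DS code). Assumptions: ou=People as the user
container, a made-up test uid and mail address, and constructed sample log lines.
"""
import re


def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas.

    Values are lower-cased for comparison; dc/cn/uid are caseIgnore attributes
    in the default 389 DS schema, so this is a safe simplification here.
    """
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return [r for r in rdns if r]


def dn_under_base(dn, base):
    """True if dn is the base itself or an entry somewhere below it."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def bind_dn_warning(bind_dn, search_base):
    """Heuristic from the thread: a bind account outside the searched suffix
    (the console admin under o=NetscapeRoot) may have no ACI granting it read
    access there. cn=Directory Manager bypasses ACIs, so it is exempted; in
    general the ACIs, not DN placement, are what decide."""
    if split_dn(bind_dn) == ["cn=directory manager"]:
        return None
    if dn_under_base(bind_dn, search_base):
        return None
    return (f"bind DN {bind_dn} is outside search base {search_base}; "
            "check its ACIs or bind as a user from that suffix")


# Patterns for the two FINE log lines the aaa-ldap extension writes per lookup.
SEARCH_RE = re.compile(r"SearchRequest\(baseDN='(?P<base>[^']*)'.*?filter='(?P<filter>[^']*)'")
RESULT_RE = re.compile(r"SearchResult\(resultCode=(?P<code>\d+) \([^)]*\), messageID=\d+, "
                       r"entriesReturned=(?P<n>\d+)")


def audit_aaa_log(lines):
    """Pair each SearchRequest with the SearchResult that follows it and report
    searches that succeeded (resultCode 0) yet matched nothing: the symptom in
    the thread, where 'Success' hid the fact that the user was never found."""
    findings, pending = [], None
    for line in lines:
        m = SEARCH_RE.search(line)
        if m:
            pending = m.groupdict()
            continue
        m = RESULT_RE.search(line)
        if m and pending is not None:
            if m.group("code") == "0" and int(m.group("n")) == 0:
                findings.append(f"filter {pending['filter']} under {pending['base']} returned 0 entries")
            pending = None
    return findings


def user_ldif(uid, base, given_name, sn, mail, ou="People"):
    """LDIF for a user that the engine's filter
    &(objectClass=organizationalPerson)(uid=*)(uid=<name>) can match.
    inetOrgPerson is a subclass of organizationalPerson and adds uid and mail.
    ou=People is an assumption; use the container that exists in your suffix."""
    return "\n".join([
        f"dn: uid={uid},ou={ou},{base}",
        "objectClass: inetOrgPerson",
        f"uid: {uid}",
        f"cn: {given_name} {sn}",
        f"givenName: {given_name}",
        f"sn: {sn}",
        f"mail: {mail}",
        "",
    ])


# Constructed sample: the two FINE lines quoted in the thread plus an invented successful lookup.
SAMPLE_LOG = [
    "2018-10-31 16:48:09,331-05 FINE Performing SearchRequest 'SearchRequest(baseDN='dc=cyber-range,dc=lan', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectClass=organizationalPerson)(uid=*)(uid=admin)', attrs={nsuniqueid, uid, cn, displayName, department, givenName, sn, title, mail})' request on server 'ldap.cyber-range.lan'",
    "2018-10-31 16:48:09,333-05 FINE SearchResult: SearchResult(resultCode=0 (success), messageID=3, entriesReturned=0, referencesReturned=0)",
    "2018-10-31 16:50:01,100-05 FINE Performing SearchRequest 'SearchRequest(baseDN='dc=cyber-range,dc=lan', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectClass=organizationalPerson)(uid=*)(uid=jtourville)', attrs={uid, cn})' request on server 'ldap.cyber-range.lan'",
    "2018-10-31 16:50:01,102-05 FINE SearchResult: SearchResult(resultCode=0 (success), messageID=5, entriesReturned=1, referencesReturned=0)",
]

if __name__ == "__main__":
    base = "dc=cyber-range,dc=lan"
    print(bind_dn_warning("uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot", base))
    for finding in audit_aaa_log(SAMPLE_LOG):
        print(finding)
    # Hypothetical user; feed the output to: ldapadd -x -H ldap://ldap.cyber-range.lan -D <bind dn> -W
    print(user_ldif("jtourville", base, "Jeremy", "Tourville", "jtourville@cyber-range.lan"))
```

Run it against the aaa-ldap setup log and the bind DN you intend to put in vars.user. A warning from bind_dn_warning or a zero-entry finding from audit_aaa_log tells you to fix the directory side (bind account or ACIs, and the user entry itself) before rerunning the setup tool; the same ldapsearch quoted in the thread, with the candidate bind DN and -b set to the search base, confirms the fix from the command line.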

