Bug 1472254

Summary: [downstream clone - 4.1.6] [RFE] - AD domain configuration is not supported in ovirt-engine-extension-aaa-ldap-setup, provide examples how to configure AD domain
Product: Red Hat Enterprise Virtualization Manager Reporter: rhev-integ
Component: ovirt-engine-extension-aaa-ldapAssignee: Ondra Machacek <omachace>
Status: CLOSED ERRATA QA Contact: Gonza <grafuls>
Severity: high Docs Contact:
Priority: urgent    
Version: 4.1.0CC: bazulay, eheftman, lsurette, mgoldboi, mperina, omachace, oourfali, pstehlik, Rhev-m-bugs, ykaul
Target Milestone: ovirt-4.1.6Keywords: FutureFeature, Rebase, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovirt-engine-extension-aaa-ldap-1.3.4 Doc Type: Enhancement
Doc Text:
When configuring Active Directory (AD) with the ovirt-engine-extension-aaa-ldap-setup tool, regardless of whether you are defining a multiple or single domain forest, you can only configure the name of the forest - you cannot define the name of a specific domain or a specific server. This release provides examples for common advanced AD configuration which users can copy to their local environment and adapt as required. These examples are bundled within the ovirt-engine-extension-aaa-ldap package and after installing the package, a description of these examples can be found in /usr/share/ovirt-engine-extension-aaa-ldap/examples/README.md In addition, the following improvements have been made to the ovirt-engine-extension-aaa-ldap-setup tool: 1. A more detailed error reporting for various AD forest configuration steps. 2. A mandatory login test that checks the configuration (previously this test was optional).
 Story Points: ---
Clone Of: 1462294 Environment:
Last Closed: 2017-09-19 07:16:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1462294    
Bug Blocks: 1464498    

Description rhev-integ 2017-07-18 10:10:58 UTC 
+++ This bug is a downstream clone. The original bug is: +++
+++   bug 1462294 +++
======================================================================

Description of problem:

At present, the setup script prompts the user to enter the forest name for AD configuration.

If the user does not want to use the Forest name and wants just the domain name, there is no such option at present for the user.

Seems like Forest name is made mandatory for AD setup.

Also, if the user enters a wrong Forest name, the script exits with an error and does not offer a chance to specify the domain name instead.

Need the script to provide the flexibility to use either one by the user.

Thanks,
Anitha

(Originally by Anitha Udgiri)
Comment 2 rhev-integ 2017-07-18 10:11:08 UTC 
Notes:
1. ovirt-engine-extension-aaa-ldap-setup tool is created to help with default and/or simple LDAP configurations. Unfortunately configuring AD domain is not default nor simple unlike forrest. To configure forrest every information about LDAP servers can be found in DNS, but to configure domain user needs to know which server(s) to use, type of destination server selection algorithme in case of multiple servers, type of protocol to connect to destination server(s)

2. If user knows required information about AD domain, he can configure it manually without the tool

Solution:
We will provide AD domain configuration within setup tool using set of questions:

1. Do you want to configured AD domain or forrest?
2. If forrest selected, use the same automatic method as currently provided
3. If domain select continue.
4. Which type of servers set do you want to use (single server, failober, round robin)?
5. Which LDAP servers do you want to use (space separated list of FQDNs or IPs)
6. Which protocol do you want to use to connect to above servers (plain, SSL, StartTLS)
7. Which port should be used for connection to above servers?
8. Continue with with authentication questions (same as for forrest)

(Originally by Martin Perina)
Comment 3 Martin Perina 2017-08-03 12:31:49 UTC 
Inside ovirt-engine-extension-aaa-ldap-setup tool it's possible to configure AD Forrest with multi-domain trust or AD Forrest with single domain (aka single domain), but it's not possible to configure using only a single domain from multi-domain AD forest. This is advanced configuration which is very hard to achieve to be performed automatically (unlike configuring AD forest which is quite easy for automatic configuration).

So we will provide examples for common advanced AD configuration which users can copy and adapt to their local environment
Comment 4 Martin Perina 2017-08-03 12:45:44 UTC 
To improve ovirt-engine-extension-aaa-ldap-setup tool user experience will also do following changes:

1. Add more detailed error reporting for verious AD forest configuration steps
2. Make Login test mandatory to test provided configuration (until now invoking Login or Search tests was optional and most users just skipped those tests and they were surprised later)
Comment 5 Martin Perina 2017-08-08 08:05:13 UTC 
Fix is included in ovirt-engine-extension-aaa-ldap-1.3.3
Comment 7 Gonza 2017-08-18 13:11:59 UTC 
Verified with:
ovirt-engine-extension-aaa-ldap-setup-1.3.4-0.0.master.git2db902e.el7.centos.noarch
Comment 8 Martin Perina 2017-08-18 15:04:07 UTC 
Retargeting to 4.1.6, as we need to withdraw release of ovirt-engine-extension-aaa-ldap-1.3.3 due to critical bug contained in it
Comment 9 Martin Perina 2017-08-28 10:41:30 UTC 
Fix is included in ovirt-engine-extension-aaa-ldap-1.3.4
Comment 11 Gonza 2017-09-04 11:54:19 UTC 
Verified with:
ovirt-engine-extension-aaa-ldap-setup-1.3.5-0.0.master.git7230cd9.el7.centos.noarch
Comment 13 errata-xmlrpc 2017-09-19 07:16:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2743