Created attachment 916534 [details]
engine.log

Description of problem:

Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-0.0.0-0.0.master.el6_5.noarch
unboundid-ldapsdk-2.3.7-0.0.snap.r530.el6_5.noarch
ovirt-engine-3.5.0-0.0.master.20140629172257.git0b16ed7.el6.noarch

How reproducible: always

Steps to Reproduce:
1. engine-manage-domains add --domain=ad-w2k12r2.rhev.lab.eng.brq.redhat.com --user=vdcadmin --provider=activedirectory
2. GET https://engine/ovirt-engine/api/domains/6d756c74-695a-6d75-6c74-695a6d756c74/users

Actual results:
<fault><reason>Operation Failed</reason><detail/></fault>

Expected results:
list of users

Additional info:

Created attachment 916544 [details]
multi.properties

I specified the wrong steps to reproduce. The correct ones are:
1) install:
   * ovirt-engine-extension-aaa-ldap-0.0.0-0.0.master.el6_5.noarch
   * unboundid-ldapsdk-2.3.7-0.0.snap.r530.el6_5.noarch
2) add files from attachment to /etc/ovirt-engine/extensions.d/
3) service ovirt-engine restart
4) GET https://engine/ovirt-engine/api/domains/6d756c74-695a-6d75-6c74-695a6d756c74/users

Created attachment 916546 [details] multiZ.properties
2014-07-10 15:17:17,627 ERROR [org.ovirt.engine.core.bll.SearchQuery] (http--0.0.0.0-8080-3) Query SearchQuery failed. Exception message is null : java.lang.NullPointerException: java.lang.NullPointerException
    at org.ovirt.engine.core.bll.SearchQuery.searchDirectoryUsers(SearchQuery.java:180) [bll.jar:]
    at org.ovirt.engine.core.bll.SearchQuery.executeQueryCommand(SearchQuery.java:69) [bll.jar:]
    at org.ovirt.engine.core.bll.QueriesCommandBase.executeCommand(QueriesCommandBase.java:73) [bll.jar:]
    at org.ovirt.engine.core.dal.VdcCommandBase.execute(VdcCommandBase.java:31) [dal.jar:]

Known issue[1]

ExtensionProxy authz = AuthenticationProfileRepository.getInstance().getProfile(data.getDomain()).getAuthz();

[1] http://gerrit.ovirt.org/#/c/28722/

Has to be merged to ovirt-3.5 branch.
Created attachment 922100 [details]
engine.log

Now getting NPE on 3 lines below.

2014-07-29 12:19:55,702 ERROR [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-1) Query SearchQuery failed. Exception message is null : java.lang.NullPointerException: java.lang.NullPointerException
    at org.ovirt.engine.core.bll.SearchQuery.searchDirectoryUsers(SearchQuery.java:183) [bll.jar:]
    at org.ovirt.engine.core.bll.SearchQuery.executeQueryCommand(SearchQuery.java:70) [bll.jar:]
    at org.ovirt.engine.core.bll.QueriesCommandBase.executeCommand(QueriesCommandBase.java:73) [bll.jar:]
    at org.ovirt.engine.core.dal.VdcCommandBase.execute(VdcCommandBase.java:31) [dal.jar:]

What version do you use? There was a mess in moving to on qa. Please use latest nightly to check aaa.
I tried:
* ovirt-engine-backend-3.5.0-0.0.master.20140726172544.git8e1babc.el6.noarch.rpm from http://ovirt-mirror.eng.lab.tlv.redhat.com/pub/ovirt-3.5-snapshot
and
* ovirt-engine-backend-3.5.0-0.0.master.20140722232058.git8e1babc.el6.noarch.rpm from http://ovirt-mirror.eng.lab.tlv.redhat.com/pub/ovirt-3.5-pre/

Neither of them worked; the same NPE is printed.

Please state exact environment and configuration to allow reproduction, comment#0 is confusing, either you use legacy or new provider...
If you tested this using the legacy provider, please also try to test using the new provider. I have this working correctly with this domain and new provider, so maybe this is a bug in the legacy provider and this one is resolved.
ovirt-engine-extension-aaa-ldap-0.0.0-0.0.1.master.el6_5.noarch
ovirt-engine-backend-3.5.0-0.0.master.20140726172544.git8e1babc.el6.noarch

Using new provider. Just specify you want to use SSL/TLS. Set insecure = false, and don't provide a truststore.
In general, when a wrong configuration is specified and the provider is added (not ignored on startup), it causes this NPE when searching for users in this LDAP.

Steps:

$ cat > /etc/ovirt-engine/extensions.d/ldap-authn-ipa1.properties << "EOT"
ovirt.engine.extension.enabled = true
ovirt.engine.extension.name = ldap-authn-ipa1
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
config.profile.file.1 = /tmp/brq-ipa.rhev.lab.eng.brq.redhat.com.properties
ovirt.engine.aaa.authn.profile.name = ldap-ipa1
ovirt.engine.aaa.authn.authz.plugin = ldap-authz-ipa1
EOT

$ cat > /etc/ovirt-engine/extensions.d/ldap-authz-ipa1.properties << "EOT"
ovirt.engine.extension.enabled = true
ovirt.engine.extension.name = ldap-authz-ipa1
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /tmp/brq-ipa.rhev.lab.eng.brq.redhat.com.properties
EOT

$ cat > /tmp/brq-ipa.rhev.lab.eng.brq.redhat.com.properties << "EOT"
include = <ipa.properties>
vars.user = uid=vdcadmin,cn=users,cn=accounts,dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
vars.password = 123456
vars.domain = rhev.lab.eng.brq.redhat.com
vars.server = brq-ipa.${global:vars.domain}
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = 636
pool.default.ssl.enable = true
pool.default.ssl.insecure = false
#pool.default.ssl.truststore.file = /tmp/ipa.ts
#pool.default.ssl.truststore.password = 123456
EOT

$ service ovirt-engine restart

Go to API/webadmin and search for users in this domain.

> In general when wrong configuration is specified, and provider is added(not ignored on startup), then it causes this NPE when searching for users in this LDAP.

So if the provider is valid there is no issue? If so, this is a different bug... please close this one... and open a new one...

BTW: I applied the configuration of comment#11 and I get:

<fault><reason>Operation Failed</reason><detail>trust store must be provided</detail></fault>

using ovirt-engine-3.5 branch commit e7700b8b from Thu Jun 19 09:35:23 2014

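Added example, not part of the bug report or of oVirt's code: a preflight check that reads a profile like the one in comment#11 and reports the TLS misconfiguration before the engine is restarted, using the same message the fixed branch returns. The function names are hypothetical, and the check assumes that an absent ssl key means false, that ${global:...} refers to keys in the same file, and that insecure = true turns off certificate verification.

```python
import re

# Constructed sample: TLS-related lines of the profile from comment#11.
SAMPLE = """\
vars.domain = rhev.lab.eng.brq.redhat.com
vars.server = brq-ipa.${global:vars.domain}
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = 636
pool.default.ssl.enable = true
pool.default.ssl.insecure = false
#pool.default.ssl.truststore.file = /tmp/ipa.ts
"""

def parse_properties(text):
    """Parse 'key = value' lines; a commented-out key counts as absent."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def resolve(props, key, depth=0):
    """Expand ${global:name}; assumed to refer to keys of the same file."""
    value = props.get(key, "")
    if depth > 10:  # stop on self-referencing values
        return value
    return re.sub(r"\$\{global:([^}]+)\}",
                  lambda m: resolve(props, m.group(1), depth + 1), value)

def check_tls(props, pool="default"):
    """Return findings for one pool's ssl.* keys (absent key assumed false)."""
    prefix = f"pool.{pool}.ssl."
    flag = lambda name: props.get(prefix + name, "false").lower() == "true"
    if not flag("enable"):
        return ["ssl.enable is not true: pool does not use LDAPS"]
    if flag("insecure"):
        return ["ssl.insecure = true: server certificate is not verified"]
    if not props.get(prefix + "truststore.file"):
        return ["trust store must be provided"]
    return []

def audit(text):
    """Resolve the target server and attach the TLS findings to it."""
    props = parse_properties(text)
    server = resolve(props, "pool.default.serverset.single.server")
    return {"server": server, "findings": check_tls(props)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```
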
Verified. With correctly configured ldap provider, users can be searched.
*** Bug 1118251 has been marked as a duplicate of this bug. ***
oVirt 3.5 has been released and should include the fix for this issue.