Created attachment 965413 [details] engine.log Description of problem: Ovirt-engine can't get user list from freeipa 4.1.2 domain. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. Install ovirt 3.5 (centos 6.6) 2. Install freeipa 4.1.2 (centos 7, minssf set to 1) 3. Add domain via engine-manage-domains 4. Restart ovirt-engine Actual results: Can't login to webadmin portal (user has been added) Can't get list users from domain via WebAdmin -> Configure -> Add System Permission to User Expected results: Additional info:
Created attachment 965415 [details] Wireshark dump 192.168.100.225 (ovirt.example.com) 192.168.100.244 (ipa.example.com)
Created attachment 965584 [details] engine.log The first engine.log is incorrect. Before that I tested ovirt-engine-expansions-aaa-ldap and deleted it correctly (the extension works). This log is obtained after a clean install ovirt.
Created attachment 965587 [details] ovirt.pcapng
Created attachment 965599 [details] engine.log After engine-config -s SASL_QOP=auth service ovirt-engine restart engine-manage-domains delete --domain=example.com service ovirt-engine restart engine-manage-domains add --domain=example.com --provider=ipa --user=admin --add-permissions service ovirt-engine restart
Created attachment 965600 [details] ovirt.pcapng
I think the problem is that for the ipa, ovirt takes first namingContext in root dse: $ ldapsearch -LLL -x -h brq-ipa7.rhev.lab.eng.brq.redhat.com -p 389 -b '' -s base dn: objectClass: top namingContexts: cn=changelog namingContexts: dc=brq-ipa7,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com namingContexts: o=ipaca defaultnamingcontext: dc=brq-ipa7,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=co m $ ldapsearch -LLL -x -h brq-ipa.rhev.lab.eng.brq.redhat.com -p 389 -b '' -s base dn: objectClass: top namingContexts: dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com defaultnamingcontext: dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com which is for ipa 4.1.2 "cn=changelog", it was not in ipa 3. it should look for defaultnamingcontext not namingContexts.
(In reply to Ondra Machacek from comment #6) > it should look for defaultnamingcontext not namingContexts. yes, sounds reasonable.
I installed http://resources.ovirt.org/pub/yum-repo/ovirt-release35-snapshot.rpm as of tonight I still can add a domain but don't see users. Timestamp from the rpps indicates that the patch is in the binary but I did not verify.
(In reply to Moritz Baumann from comment #8) > I installed > http://resources.ovirt.org/pub/yum-repo/ovirt-release35-snapshot.rpm > > as of tonight I still can add a domain but don't see users. > > Timestamp from the rpps indicates that the patch is in the binary but I did > not verify. was not merged yet. please track this bug until it is at least at MODIFIED state.
This is an automated message: This bug should be fixed in oVirt 3.5.1 RC1, moving to QA
oVirt 3.5.1 has been released. If problems still persist, please make note of it in this bug report.
this ovirt bug was fixed during 3.5.1 cycle and is included in the build, and therefore should be verified.
Can list uses and login as user from freeipa 4.1.2.
This is an automated message. oVirt 3.5.4 has been released on September 3rd 2015 and should include the fix for this BZ. Moving to closed current release.