this is known problem, partially dup of bug#798075 and other issues caused by the fact that the implementation is accessing upn while sending the first component as sam account. this and many other issues[1] should be resolved when using new ldap provider in 3.5[2][3]. this issue will not be resolved when using the legacy provider even in future, so migration should be done in 3.5. [1] https://bugzilla.redhat.com/showdependencytree.cgi?id=1063095&hide_resolved=0 [2] http://www.ovirt.org/Features/AAA [3] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
$ ldapsearch .. dn: CN=diff diff,CN=Users,DC=ad2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com .. sAMAccountName: diff_ sAMAccountType: 805306368 userPrincipalName: diffferent.lab.eng.brq.redhat.com With new ldap provider I can connect with user using diffferent.lab.eng.brq.redhat.com.
migration can be done in stages. 1. add the same ldap using the new provider. 2. user can login either to old or new profile (select in domain drop down at login dialog). 3. assign permissions to the users/groups of new provider to all resources. 4. wait for all user to migrate / announce 5. remove the old provider. depend on migration time, we may have experimental tool to perform 1-3.