Description of problem: At present, the setup script prompts the user to enter the forest name for AD configuration. If the user does not want to use the Forest name and wants just the domain name, there is no such option at present for the user. Seems like Forest name is made mandatory for AD setup. Also, if the user enters a wrong Forest name, the script exits with an error and does not offer a chance to specify the domain name instead. Need the script to provide the flexibility to use either one by the user. Thanks, Anitha
Notes: 1. ovirt-engine-extension-aaa-ldap-setup tool is created to help with default and/or simple LDAP configurations. Unfortunately configuring AD domain is not default nor simple unlike forrest. To configure forrest every information about LDAP servers can be found in DNS, but to configure domain user needs to know which server(s) to use, type of destination server selection algorithme in case of multiple servers, type of protocol to connect to destination server(s) 2. If user knows required information about AD domain, he can configure it manually without the tool Solution: We will provide AD domain configuration within setup tool using set of questions: 1. Do you want to configured AD domain or forrest? 2. If forrest selected, use the same automatic method as currently provided 3. If domain select continue. 4. Which type of servers set do you want to use (single server, failober, round robin)? 5. Which LDAP servers do you want to use (space separated list of FQDNs or IPs) 6. Which protocol do you want to use to connect to above servers (plain, SSL, StartTLS) 7. Which port should be used for connection to above servers? 8. Continue with with authentication questions (same as for forrest)
Inside ovirt-engine-extension-aaa-ldap-setup tool it's possible to configure AD Forrest with multi-domain trust or AD Forrest with single domain (aka single domain), but it's not possible to configure using only a single domain from multi-domain AD forest. This is advanced configuration which is very hard to achieve to be performed automatically (unlike configuring AD forest which is quite easy for automatic configuration). So we will provide examples for common advanced AD configuration which users can copy and adapt to their local environment
To improve ovirt-engine-extension-aaa-ldap-setup tool user experience will also do following changes: 1. Add more detailed error reporting for verious AD forest configuration steps 2. Make Login test mandatory to test provided configuration (until now invoking Login or Search tests was optional and most users just skipped those tests and they were surprised later)
Fix is included in ovirt-engine-extension-aaa-ldap-1.3.3
Verified with: ovirt-engine-extension-aaa-ldap-1.3.6-1.el7ev.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:1485
BZ<2>Jira Resync