Bug 1462294 - [RFE] AD domain configuration is not supported in ovirt-engine-extension-aaa-ldap-setup, provide examples how to configure AD domain
[RFE] AD domain configuration is not supported in ovirt-engine-extension-aaa-...
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap (Show other bugs)
Platform: Unspecified  OS: Unspecified
Priority: urgent  Severity: high
Target Milestone: ovirt-4.2.0
Target Release: ---
Assigned To: Ondra Machacek
Keywords: FutureFeature, ZStream
Depends On:
Blocks: 1464498 1472254 1507715
Reported: 2017-06-16 11:58 EDT by Anitha Udgiri
Modified: 2018-03-05 10:07 EST (History)

See Also:
Fixed In Version: ovirt-engine-extension-aaa-ldap-1.3.3
Doc Type: Enhancement
Doc Text:
Using the ovirt-engine-extension-aaa-ldap-setup tool it is possible to configure an Active Directory forest with multi-domain trust, or an Active Directory forest with a single domain. However, it is currently not possible to configure a single domain taken from a multi-domain Active Directory forest, because this is an advanced configuration that is difficult to perform automatically. This update provides common advanced Active Directory configuration examples that users can copy and adapt to their local environment. These examples are bundled within the ovirt-engine-extension-aaa-ldap package and can be found at /usr/share/ovirt-engine-extension-aaa-ldap/examples/README.md. The ovirt-engine-extension-aaa-ldap-setup tool user experience has also been improved with the following changes:
- More detailed error reporting for the various Active Directory forest configuration steps.
- The login test is now mandatory, so the provided configuration is always tested.
Story Points: ---
Clone Of:
Clones: 1472254
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
grafuls: testing_plan_complete-


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 80049 None None None 2017-08-03 08:46 EDT
oVirt gerrit 80078 None None None 2017-08-03 08:47 EDT
oVirt gerrit 80088 None None None 2017-08-03 08:47 EDT

Description Anitha Udgiri 2017-06-16 11:58:55 EDT
Description of problem:

At present, the setup script prompts the user to enter the forest name for AD configuration.

If the user does not want to use the Forest name and wants just the domain name, there is no such option at present for the user.

Seems like Forest name is made mandatory for AD setup.

Also, if the user enters a wrong Forest name, the script exits with an error and does not offer a chance to specify the domain name instead.

Need the script to provide the flexibility to use either one by the user.

Comment 2 Martin Perina 2017-06-25 18:59:53 EDT
1. The ovirt-engine-extension-aaa-ldap-setup tool is created to help with default and/or simple LDAP configurations. Unfortunately, configuring an AD domain is neither default nor simple, unlike a forest. To configure a forest, every piece of information about the LDAP servers can be found in DNS, but to configure a domain the user needs to know which server(s) to use, the type of destination server selection algorithm in case of multiple servers, and the type of protocol to connect to the destination server(s).

2. If the user knows the required information about the AD domain, he can configure it manually without the tool.

We will provide AD domain configuration within the setup tool using the following set of questions:

1. Do you want to configure an AD domain or a forest?
2. If forest is selected, use the same automatic method as currently provided.
3. If domain is selected, continue.
4. Which type of server set do you want to use (single server, failover, round robin)?
5. Which LDAP servers do you want to use (space-separated list of FQDNs or IPs)?
6. Which protocol do you want to use to connect to the above servers (plain, SSL, StartTLS)?
7. Which port should be used for the connection to the above servers?
8. Continue with the authentication questions (same as for forest).
Comment 4 Martin Perina 2017-08-03 08:31:06 EDT
Inside the ovirt-engine-extension-aaa-ldap-setup tool it's possible to configure an AD forest with multi-domain trust or an AD forest with a single domain (aka single domain), but it's not possible to configure using only a single domain from a multi-domain AD forest. This is an advanced configuration which is very hard to perform automatically (unlike configuring an AD forest, which is quite easy for automatic configuration).

So we will provide examples for common advanced AD configurations which users can copy and adapt to their local environment.
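The following profile is an added illustration, not code from this bug or from the examples the package ships, of what the manual single-domain setup described in Comment 2 (explicit server list, server-set type, protocol and port) and the copy-and-adapt examples announced in Comment 4 look like in ovirt-engine-extension-aaa-ldap's properties format. It configures one AD domain with two explicitly listed domain controllers in failover order and StartTLS. The profile path, the hostnames ad1/ad2.example.com, the bind account, the truststore path and the per-server `port` keys are assumptions; the single-domain examples in /usr/share/ovirt-engine-extension-aaa-ldap/examples/README.md may add further keys (for example to disable forest-based DC resolution), so compare against the README of the installed package before use.

```properties
# /etc/ovirt-engine/aaa/example.properties   (assumed path; profile name "example")
# Added illustrative configuration; not the package's shipped example.

# Pull in the Active Directory attribute/schema defaults shipped with the extension.
include = <ad.properties>

# Bind account used for searches (placeholder values; use a dedicated low-privilege
# service account and keep this file readable by the engine only).
vars.user = CN=svc-ovirt,CN=Users,DC=example,DC=com
vars.password = change-me

# Server set for a single domain: no DNS SRV lookup, so domain controllers are
# listed explicitly. "failover" tries ad1 first and falls back to ad2 when it is
# unreachable; the other choices are "single" (one server) and "roundrobin".
pool.default.serverset.type = failover
pool.default.serverset.failover.1.server = ad1.example.com
pool.default.serverset.failover.1.port = 389
pool.default.serverset.failover.2.server = ad2.example.com
pool.default.serverset.failover.2.port = 389

# Transport: StartTLS on 389. Plain LDAP would send the bind password in clear,
# and "ssl.insecure = true" would disable certificate validation; avoid both
# outside a lab. The truststore holds the AD CA certificate (assumed path).
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/aaa/example-ca.jks
pool.default.ssl.truststore.password = changeit

# Simple bind with the credentials defined above.
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
```

After writing such a profile by hand, run the same login test the setup tool performs (Comment 5 makes it mandatory in the tool for exactly this reason): a profile that parses but points at the wrong server, port or CA only fails when a real user tries to log in.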
Comment 5 Martin Perina 2017-08-03 08:45:59 EDT
To improve the ovirt-engine-extension-aaa-ldap-setup tool user experience, we will also make the following changes:

1. Add more detailed error reporting for the various AD forest configuration steps.
2. Make the Login test mandatory to test the provided configuration (until now, invoking the Login or Search tests was optional, and most users just skipped those tests and were surprised later).
Comment 6 Martin Perina 2017-08-08 04:04:06 EDT
The fix is included in ovirt-engine-extension-aaa-ldap-1.3.3.
Comment 8 Gonza 2018-01-17 11:26:43 EST
Verified with:
