FreeIPA integration problem


I've integrated FreeIPA 2.1.4-2.fc16 with RHEV and integration works fine.

But I've got problems with fresh installation of RHEV and FreeIPA


No user in Directory was found for admin@RHEV.IIC.MSK.IBM.COM. Trying next LDAP server in list         
Failure while testing domain rhev.iic.msk.ibm.com. Details: No user information was found for user


Responses

As agreed in Jabber, I post the results of my investigation of the issue.


The roots of the problem are in the way how RHEV handles directory identification (as described in class JndiAction.java).


  1. RHEV initially considers the directory to be AD (this.isIPA = false; at line 39).
  2. Discovery happens in getDomainDN() (line 188 and below).
  3. First it checks for DefaultNamingContext attribute (line 200).
  4. If defaultNamingContext was found - it is returned (lines 202-203). In this case the directory is still considered to be AD.
  5. If defaultNamingContext was not found - it looks for NamingContext (line 205).
  6. If NamingContext was found - it is returned and directory is marked as IPA (lines 207-209).
  7. Directory type is used to prepare the query in prepareQuery() (line 158 and below).


If IPA contains BOTH defaultNamingContext and NamingContext - the directory is considered to be AD, wrong query is prepared and the issue described by Pavel happens.


Possible fixes:

- Change directory discovery method 

- Allow to set directory type manually


And LDAP update ticket:

https://fedorahosted.org/389/ticket/26
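The discovery order described in the post above, reproduced here as an added example (not code from the thread, from RHEV/oVirt, or from 389-ds) so the misclassification can be seen on sample data. The rootDSE dicts are constructed; the vendor-based alternative assumes that 389-DS publishes an RFC 3045 vendorName containing "389 Project" and that Active Directory publishes rootDomainNamingContext/dnsHostName in its rootDSE, which is typical but is an assumption of this example, not something the thread states.

```python
"""Directory-type discovery from rootDSE attributes.

Added example, not RHEV/oVirt code. Two classifiers are shown:
  * classify_by_naming_context_only: the order the thread describes
    (defaultNamingContext first => AD, namingContexts fallback => IPA),
    which misclassifies an IPA server that publishes both attributes.
  * classify_by_vendor: an assumed alternative that decides the server
    type from vendor/AD-specific rootDSE attributes first and only then
    picks the base DN.
"""

AD = "ActiveDirectory"
IPA = "IPA"


def classify_by_naming_context_only(root_dse):
    """Mirror the discovery order described in the thread.

    Returns (directory_type, base_dn). Presence of defaultNamingContext
    alone is taken as proof of AD, so an IPA server that publishes it
    is reported as AD and gets the wrong query prepared later.
    """
    if root_dse.get("defaultNamingContext"):
        return AD, root_dse["defaultNamingContext"][0]
    if root_dse.get("namingContexts"):
        return IPA, root_dse["namingContexts"][0]
    return None, None


def classify_by_vendor(root_dse):
    """Assumed alternative: identify the vendor before choosing the base DN.

    vendorName (RFC 3045) is assumed to contain "389 Project" on IPA/389-DS;
    rootDomainNamingContext / dnsHostName are assumed to be AD-only. If
    neither signal is present, fall back to the old heuristic.
    """
    vendor = " ".join(root_dse.get("vendorName", [])).lower()
    if "389" in vendor or "red hat" in vendor or "fedora" in vendor:
        base = (root_dse.get("defaultNamingContext")
                or root_dse.get("namingContexts")
                or [None])[0]
        return IPA, base
    if "rootDomainNamingContext" in root_dse or "dnsHostName" in root_dse:
        return AD, root_dse.get("defaultNamingContext", [None])[0]
    return classify_by_naming_context_only(root_dse)


# Constructed sample rootDSEs (not captured from any real server).
IPA_WITH_DEFAULT_NC = {                     # 389-ds after the ticket-26 change
    "vendorName": ["389 Project"],
    "vendorVersion": ["389-Directory/1.2.10"],
    "defaultNamingContext": ["dc=example,dc=com"],
    "namingContexts": ["dc=example,dc=com", "o=ipaca"],
}
IPA_WITHOUT_DEFAULT_NC = {                  # older 389-ds, no defaultNamingContext
    "vendorName": ["389 Project"],
    "namingContexts": ["dc=example,dc=com", "o=ipaca"],
}
AD_ROOT_DSE = {
    "defaultNamingContext": ["DC=corp,DC=example,DC=com"],
    "rootDomainNamingContext": ["DC=corp,DC=example,DC=com"],
    "dnsHostName": ["dc1.corp.example.com"],
    "namingContexts": ["DC=corp,DC=example,DC=com",
                       "CN=Configuration,DC=corp,DC=example,DC=com"],
}


def compare(root_dse):
    """Return both classifications side by side for one rootDSE."""
    return {
        "naming_context_only": classify_by_naming_context_only(root_dse),
        "vendor_first": classify_by_vendor(root_dse),
    }


if __name__ == "__main__":
    for name, dse in (("IPA with defaultNamingContext", IPA_WITH_DEFAULT_NC),
                      ("IPA without defaultNamingContext", IPA_WITHOUT_DEFAULT_NC),
                      ("Active Directory", AD_ROOT_DSE)):
        print(name, compare(dse))
```

Running it shows the failure mode from the thread: the naming-context-only check labels the first IPA sample as ActiveDirectory while the vendor-first check labels all three correctly, and it still picks the same base DN as before for the AD and old-IPA cases.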

Yes, RHEV will not work with IPA after exactly this patch. However, it is not an IPA issue. Having the defaultNamingContext attribute is reasonable, because many other DSes use it. So, the issue is on the RHEV side.

I've rebuilt 389-base with the patch


--- a/ldap/servers/slapd/slap.h    2012-02-25 12:41:03.698255639 +0400
+++ b/ldap/servers/slapd/slap.h    2012-02-25 12:41:17.968259266 +0400
@@ -1972,7 +1972,7 @@
 #define CONFIG_ENTRYUSN_GLOBAL    "nsslapd-entryusn-global"
 #define CONFIG_ENTRYUSN_IMPORT_INITVAL    "nsslapd-entryusn-import-initval"
 #define CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE    "nsslapd-allowed-to-delete-attrs"
-#define CONFIG_DEFAULT_NAMING_CONTEXT "nsslapd-defaultnamingcontext"
+#define CONFIG_DEFAULT_NAMING_CONTEXT ""
 
 #ifdef MEMPOOL_EXPERIMENTAL
 #define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"
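Review bot: replacing the attribute name with an empty string in the `-#define CONFIG_DEFAULT_NAMING_CONTEXT "nsslapd-defaultnamingcontext"` / `+#define CONFIG_DEFAULT_NAMING_CONTEXT ""` lines does not remove the feature, it leaves every site that still references CONFIG_DEFAULT_NAMING_CONTEXT compiled against an attribute called "", so the config attribute is registered and looked up under an empty name rather than disabled. That is acceptable for a one-off local rebuild to confirm that RHEV's discovery trips on defaultNamingContext, but it should not be carried into a packaged build; as the thread concludes, the discovery order in RHEV/oVirt is what needs fixing, not the 389-ds header.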


Now rhevm-manage-domains works. We should patch ovirt (rhev), not LDAP.

Thanks for pointing this out, guys. I have taken this up to engineering and the issue will receive attention. It hadn't had any so far because RHEV is normally tested against IPA, not freeIPA (RHEV actually is not supported with the upstream freeIPA, especially because its stability is not as reliable as the downstream version).

I heard that RH IPA has the attribute as well.


My temporary workaround (rebuild FreeIPA - add domain - rebuild again) has an issue - I have to rebuild FreeIPA again because the admin (RHEV user for users discovery) password expired.

Yes, IDM has this attribute too now:


USAGE:
        engine-manage-domains -action=ACTION [-domain=DOMAIN -provider=PROVIDER -user=USER -passwordFile=PASSWORD_FILE -interactive -configFile=PATH -addPermissions] -report
Where:
        ACTION             action to perform (add/edit/delete/validate/list). See details below.
        DOMAIN                  (mandatory for add, edit and delete) the domain you wish to perform the action on.
        PROVIDER                (mandatory for add, optional for edit) the LDAP provider type of server used for the domain. Among the supported providers IPA,RHDS and ActiveDirectory.