FreeIPA integration problem

Latest response

I've integrated FreeIPA 2.1.4-2.fc16 with RHEV and integration works fine.

But I've got problems with fresh installation of RHEV and FreeIPA

 

 

No user in Directory was found for admin@RHEV.IIC.MSK.IBM.COM. Trying next LDAP server in list         
Failure while testing domain rhev.iic.msk.ibm.com. Details: No user information was found for user

 

  

        
        

                            

                
            ii          
          

                        
        


        


              



        


      
      Log in to join the conversation           
  

        

          

 
  

              Responses          

  
  




      



        

      

        
                  

                
            a.          
                                                                                                Active Contributor
                                      140 points
          

                
        

                    
            24 February 2012 2:41 PM          
       

        
        
      

      
      

        

        

          



        
As agreed in Jabber, I post the results of my investigation of the issue.


 


The roots of the problem are in the way how RHEV handles directory identification (as described in class JndiAction.java).


 


    

  1. RHEV initially consideres directory to be AD (this.isIPA = false; at line 39).
    2. 

  2. Discovery happens in getDomainDN() (line 188 and below).
    3. 

  3. First it checks for DefaultNamingContext attribute (line 200).
    4. 

  4. If defaultNamingContext was found - it is returned (lines 202-203). In this case the directory is still considered to be AD.
    5. 

  5. If defaultNamingContext was not found - it looks for NamingContext (line 205).
    6. 

  6. If NamingContext was found - it is returned and directory is marked as IPA (lines 207-209).
    7. 

  7. Directory type is used to prepare the query in prepareQuery() (line 158 and below).
    8. 



 


If IPA contains BOTH defaultNamingContext and NamingContext - the directory is considered to be AD, wrong query is prepared and the issue described by Pavel happens.


 


Possible fixes:


- Change directory discovery method 


- Allow to set directory type manually

  


  • 

  • 

  • 

        

      

   

  





        

      

        
                  

                
            ii          
                                                                                                Active Contributor
                                      175 points
          

                
        

                    
            24 February 2012 2:44 PM          
       

        
        
      

      
      

        

        

          



        
 


And LDAP update ticket:


https://fedorahosted.org/389/ticket/26

  


  • 

  • 

  • 

        

      

   

  





        

      

        
                  

                
            a.          
                                                                                                Active Contributor
                                      140 points
          

                
        

                    
            24 February 2012 2:51 PM          
       

        
        
      

      
      

        

        

          



        
Yes, RHEV will not work with IPA after exactly this patch. However, it is not IPA issue. Having defaultNamingContext attribute is reasonable, because many other DSes use it. So, the issue is on RHEV side.

  


  • 

  • 

  • 

        

      

   

  





        

      

        
                  

                
            ii          
                                                                                                Active Contributor
                                      175 points
          

                
        

                    
            25 February 2012 5:35 AM          
       

        
        
      

      
      

        

        

          



        
I've rebuild 389-base with patch


 


--- a/ldap/servers/slapd/slap.h    2012-02-25 12:41:03.698255639 +0400
+++ b/ldap/servers/slapd/slap.h    2012-02-25 12:41:17.968259266 +0400
@@ -1972,7 +1972,7 @@
 #define CONFIG_ENTRYUSN_GLOBAL    "nsslapd-entryusn-global"
 #define CONFIG_ENTRYUSN_IMPORT_INITVAL    "nsslapd-entryusn-import-initval"
 #define CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE    "nsslapd-allowed-to-delete-attrs"
-#define CONFIG_DEFAULT_NAMING_CONTEXT "nsslapd-defaultnamingcontext"
+#define CONFIG_DEFAULT_NAMING_CONTEXT ""
 
 #ifdef MEMPOOL_EXPERIMENTAL
 #define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"
 


Now rhevm-manage-domains works . We should patch ovirt (rhev) not LDAP

  


  • 

  • 

  • 

        

      

   

  





        

      

        
                  

                
            DY          
                                                                                                Guru
                                      5340 points
          

                
        

                    
            27 February 2012 7:38 AM          
       

        
        
      

      
      

        

        

          



        
Thanks for pointing this out guys, I ahve taken this up to engineering and the issue will receive attention. It hadn't had any so far because RHEV is normally tested against IPA, not freeIPA (RHEV actually is not supported with the upstream freeIPA, especially because its stability is not as reliable as the downstream version). 

  


  • 

  • 

  • 

        

      

   

  





        

      

        
                  

                
            ii          
                                                                                                Active Contributor
                                      175 points
          

                
        

                    
            24 August 2012 6:41 AM          
       

        
        
      

      
      

        

        

          



        
I heard that RH IPA has the attribute as well.


 


My temporary workaround (rebuild FreeIPA - add domain - rebuild again) has an issue - I have to rebuild FreeIPA again because admin (RHEV user for users discovery) password expired. 

  


  • 

  • 

  • 

        

      

   

  





        

      

        
                  

                
            DY          
                                                                                                Guru
                                      5340 points
          

                
        

                    
            24 August 2012 9:34 AM          
       

        
        
      

      
      

        

        

          



        
Yes, IDM has this attribute too now:


 


 


USAGE:


        engine-manage-domains -action=ACTION [-domain=DOMAIN -provider=PROVIDER -user=USER -passwordFile=PASSWORD_FILE -interactive -configFile=PATH -addPermissions] -report


Where:


        ACTION             action to perform (add/edit/delete/validate/list). See details below.


        DOMAIN                  (mandatory for add, edit and delete) the domain you wish to perform the action on.


        PROVIDER                (mandatory for add, optional for edit) the LDAP provider type of server used for the domain. Among the supported providers IPA,RHDS and ActiveDirectory.


 



  


  • 

  • 

  • 

        

      

   

  



    



        


      

    

  



          
    
        


      
  



  
  Close

  

    

      

        Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.