<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: times new roman,new york,times,serif; font-size: 12pt; color: #000000'>Why openldap server?<div>We do not support openldap at the moment.</div><div><br></div><div><br><hr id="zwchr"><blockquote style="border-left:2px solid rgb(16, 16, 255);margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Jure Kranjc" <jure.kranjc@arnes.si><br><b>To: </b>users@ovirt.org<br><b>Sent: </b>Tuesday, March 19, 2013 3:50:49 PM<br><b>Subject: </b>Re: [Users] ldap simple<br><br>
Hi.<br>
<br>
Further testing...<br>
- Setup: one ldap server with added user to match ovirt searches
(while adding user in webadmin),<br>
- Fedora 18, engine 3.2.1, openldap-server, simple authentication,
no firewalls,<br>
- with packet inspection we can see ldap responding with requested
attributes<br>
- still, there are errors in logs, see below, and no users are
listed in webadmin, engine fails to parse given attributes<br>
- engine-manage-domains -action=validate returns "Invalid
credentials" even though binding is ok and ldap is replying with
data.<br>
<br>
Can anyone point us to some documentation on this topic?<br>
Is really AD the only good solution for user management?<br>
<br>
engine.log<br>
2013-03-19 15:16:53,042 ERROR
[org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper]
(ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is ,
filter is (&(&(objectClass=person))
(|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message
is: null<br>
2013-03-19 15:16:53,043 ERROR
[org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
(ajp--127.0.0.1-8702-3) Failed ldap search server
<a class="moz-txt-link-freetext">ldap://ldaphost.domain.si:389</a> due to null. We should try the next
server<br>
<br>
server.log<br>
2013-03-19 15:17:24,113 ERROR
[org.springframework.ldap.control.AbstractRequestControlDirContextProcessor]
(ajp--127.0.0.1-8702-6) No matching response control found for paged
results - looking for 'class
javax.naming.ldap.PagedResultsResponseControl<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 03/18/2013 09:09 AM, Yair Zaslavsky
wrote:<br>
</div>
<blockquote cite="mid:357546066.8850428.1363594171898.JavaMail.root@redhat.com">
<style>p { margin: 0; }</style>
<div style="font-family: times new roman,new york,times,serif;
font-size: 12pt; color: #000000">Hi,
<div>We're issuing a RootDSE query (once per LDAP domain
configured).</div>
<div>We try to obtain from it the "defaultNamingContext"
attribute.</div>
<div>If does not exist - we try to obtain ""NamingContexts"</div>
<div>We store the result at a "domainDn" (we have a data
structure which maps domains to information objects, one of
the fields at the information object is the DN of the domain)
field, and we use it to compose the full ldap URL we send the
queries to.</div>
<div><br>
<br>
<hr id="zwchr">
<blockquote style="border-left:2px solid rgb(16, 16,
255);margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From:
</b>"Andrej Bagon" <a class="moz-txt-link-rfc2396E" href="mailto:andrej.bagon@arnes.si" target="_blank"><andrej.bagon@arnes.si></a><br>
<b>To: </b>"Itamar Heim" <a class="moz-txt-link-rfc2396E" href="mailto:iheim@redhat.com" target="_blank"><iheim@redhat.com></a><br>
<b>Cc: </b><a class="moz-txt-link-abbreviated" href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a>, "Yair Zaslavsky"
<a class="moz-txt-link-rfc2396E" href="mailto:yzaslavs@redhat.com" target="_blank"><yzaslavs@redhat.com></a>, "Oved Ourfalli"
<a class="moz-txt-link-rfc2396E" href="mailto:oourfali@redhat.com" target="_blank"><oourfali@redhat.com></a><br>
<b>Sent: </b>Monday, March 18, 2013 9:07:06 AM<br>
<b>Subject: </b>Re: [Users] ldap simple<br>
<br>
Hi,<br>
<br>
the system is trying to bind to ldap as:<br>
bind request:
uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si<br>
<br>
I dont know how it knows dc=ourdomain,dc=si<br>
It should be<br>
bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b
"dc=arnes,dc=si<br>
<br>
The same with the search: we have users in form as:<br>
<a href="mailto:edupersonprincipalname=abagon@guest.arnes.si" target="_blank">edupersonprincipalname=username@users.ourdomain.si</a>,dc=users,dc=ourdomain,dc=si<br>
<br>
values in database:<br>
select * from vdc_options where option_name in
('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword')
order by option_id;<br>
option_id | option_name |
option_value | version <br>
-----------+----------------------------+--------------------------------+---------<br>
10 | AdUserName |
users.ourdomain.si:ovirt | general<br>
11 | AdUserPassword
|users.ourdomain.si:adminpassword | general<br>
69 | DomainName | users.ourdomain.si
| general<br>
130 | LDAPSecurityAuthentication|
users.ourdomain.si:SIMPLE | general<br>
132 | LdapServers |
users.ourdomain.si:server.ourdomain.si | general<br>
133 | LDAPProviderTypes |
users.ourdomain.si:rhds | general<br>
(6 rows)<br>
<br>
Best Regards,<br>
Andrej Bagon<br>
<br>
<br>
On 03/15/2013 12:09 PM, Itamar Heim wrote:
<blockquote cite="mid:51430171.2010904@redhat.com">On
03/14/2013 01:58 PM, Andrej Bagon wrote: <br>
<blockquote>Hi, <br>
<br>
is it possible to change the bind request that is sent
to the ldap <br>
server? The default
uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is <br>
not suitable. <br>
</blockquote>
<br>
can you please explain why / what you would like to change
it to? <br>
(not sure possible now, but there is work to make it more
configurable/pluggable) <br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre>_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a>
<a class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
<br>_______________________________________________<br>Users mailing list<br>Users@ovirt.org<br>http://lists.ovirt.org/mailman/listinfo/users<br></blockquote><br></div></div></body></html>