<div dir="ltr">Hi Alon, <div><br></div><div>Thanks for the quick reply.</div><div>openldap works fine; I use it with testlink (as shown in the example config). We're not using active directory; Just LDAP. The example config I provided is fully inclusive of all configuration required for "testlink" to use LDAP, I also have jenkins and mantis configured using the same parameters (although their terminology on where to enter the parameters is varied, they use all the same information)</div><div><br></div><div>The rootDSE is being determined automatically; however for my use it's wrong and needs to be provided manually. Again, I have no control over this. It's a company-wide configuration that won't be changed just for me.</div><div><br></div><div>How would I be able to specify the organization filter line if I added some other include directive of whatever driver? I don't even understand what you're saying, exactly. Not all ovirt users/managers are programming experts.</div><div><br></div><div>I use LDAPS because thats what my company supports. StartTLS is NOT supported (as I stated). Silly on their part, right?</div><div><br></div><div>Thanks,</div><div>David</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 5, 2015 at 1:18 PM, Alon Bar-Lev <span dir="ltr"><<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
Resources includes sysadmin documentation[1], integrator documentation[2], overview[3], examples[4].<br>
<br>
You did not specify what LDAP vendor it is.<br>
<br>
I can guess your directory is Active Directory, hence all you need to do is follow the "QUICK START"[5].<br>
<br>
The rootDSE is determined automatically, all you need is to provide a valid user and password.<br>
<br>
What you are missing in your configuration is the include directive of the proper driver.<br>
Not sure why you use LDAPS and not LDAP with startTLS, startTLS is more flexible and should be used unless there is an issue.<br>
<br>
Alon<br>
<br>
[1] <a href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD" target="_blank">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD</a><br>
[2] <a href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD" target="_blank">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD</a><br>
[3] <a href="http://www.ovirt.org/Features/AAA" target="_blank">http://www.ovirt.org/Features/AAA</a><br>
[4] <a href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD" target="_blank">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD</a><br>
[5] <a href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6" target="_blank">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6</a><br>
<div><div class="h5"><br>
----- Original Message -----<br>
> From: "David Smith" <<a href="mailto:dsmith@mypchelp.com">dsmith@mypchelp.com</a>><br>
> To: "users" <<a href="mailto:users@ovirt.org">users@ovirt.org</a>><br>
> Sent: Tuesday, May 5, 2015 11:09:25 PM<br>
> Subject: [ovirt-users] AAA LDAP Authentication<br>
><br>
> I'm trying to set up the new 3.5 AAA LDAP Auth, but it's lacking some serious<br>
> detail in documentation, the rest is java-programmer-oriented docs only that<br>
> I can find;<br>
><br>
> <a href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git" target="_blank">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git</a><br>
><br>
> Here's a sample config (sanitized) that I need to adapt to ovirt; *I HAVE NO<br>
> control over the LDAP server.<br>
><br>
> So far I've managed to figure out through search after search to use LDAPS<br>
> (TLS isn't an option, thanks!)<br>
> Two parts I can't figure out; setting rootDN and setting the organization<br>
> filter-- members of that particular organization should have access to<br>
> ovirt, and none others.<br>
><br>
> vars.server = <a href="http://directory.ft.com" target="_blank">directory.ft.com</a><br>
><br>
> #<br>
> # Search user and its password.<br>
> #<br>
> vars.user = uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com<br>
> vars.urootdn = cn=users,cn=accounts,dc=corp,dc=ft,dc=com<br>
> vars.password = Ft######<br>
><br>
> pool.default.serverset.single.server = ${global:vars.server}<br>
> pool.default.serverset.single.port = 636<br>
> pool.default.auth.simple.bindDN = ${global:vars.user}<br>
> pool.default.auth.simple.rootDN = ${global:vars.urootdn}<br>
> pool.default.auth.simple.password = ${global:vars.password}<br>
><br>
> # enable SSL<br>
> pool.default.ssl.enable = true<br>
> #pool.default.ssl.insecure = false<br>
><br>
> # Create keystore, import certificate chain and uncomment<br>
> # if using ssl/tls.<br>
> #pool.default.ssl.startTLS = true<br>
> pool.default.ssl.truststore.file =<br>
> ${local:_basedir}/${global:vars.server}.jks<br>
> pool.default.ssl.truststore.password = changeit<br>
><br>
><br>
> example config from testlink<br>
> $tlCfg->authentication['method'] = 'LDAP';<br>
><br>
> /** LDAP authentication credentials */<br>
> $tlCfg->authentication['ldap_server'] = 'ldaps:// <a href="http://directory.ft.com" target="_blank">directory.ft.com</a> ';<br>
> $tlCfg->authentication['ldap_port'] = '636';<br>
> $tlCfg->authentication['ldap_version'] = '3';<br>
> $tlCfg->authentication['ldap_root_dn'] =<br>
> 'cn=users,cn=accounts,dc=corp,dc=ft,dc=com';<br>
> $tlCfg->authentication['ldap_bind_dn'] =<br>
> 'uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com';<br>
> $tlCfg->authentication['ldap_bind_passwd'] = 'Ft######';<br>
> $tlCfg->authentication['ldap_tls'] = false; // true -> use tls<br>
> $tlCfg->authentication['ldap_organization'] =<br>
> '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; // e.g.<br>
> '(organizationname=*Traffic)'<br>
> $tlCfg->authentication['ldap_uid_field'] = 'uid'; // Use 'sAMAccountName' for<br>
> Active Directory<br>
><br>
</div></div>> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
> <a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
><br>
</blockquote></div><br></div>