<div dir="ltr">I added that to the end, since there wasn't any reference on it as to where to put it;<div>I restarted the engine and didn't notice any changes, the namespace still reads the same as before, and no users show up</div><div>Note that in the field to the right of namespace it's blank, whereby with "internal" or our other pre-aaa ldap config it shows "*" and can be changed to a username as a filter, in this case it doesn't allow me to enter anything</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 5, 2015 at 2:34 PM, Alon Bar-Lev <span dir="ltr"><<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
I beginning to understand... although I cannot figure out how login works while search not.<br>
<br>
Anyway, try to add this to your profile:<br>
<br>
sequence-init.init.900-local-init-vars = local-init-vars<br>
sequence.local-init-vars.010.description = override name space<br>
sequence.local-init-vars.010.type = var-set<br>
sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault<br>
sequence.local-init-vars.010.var-set.value = cn=users,cn=accounts,dc=corp,dc=ft,dc=com<br>
sequence.local-init-vars.020.description = apply filter to users<br>
sequence.local-init-vars.020.type = var-set<br>
sequence.local-init-vars.020.var-set.variable = simple_filterUserObject<br>
sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)<br>
sequence.local-init-vars.030.description = apply filter to groups<br>
sequence.local-init-vars.030.type = var-set<br>
sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject<br>
sequence.local-init-vars.030.var-set.value = ${seq:simple_filterGroupObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)<br>
<span class="im HOEnZb"><br>
<br>
----- Original Message -----<br>
> From: "David Smith" <<a href="mailto:dsmith@mypchelp.com">dsmith@mypchelp.com</a>><br>
> To: "Alon Bar-Lev" <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>><br>
> Cc: "users" <<a href="mailto:users@ovirt.org">users@ovirt.org</a>><br>
</span><div class="HOEnZb"><div class="h5">> Sent: Wednesday, May 6, 2015 12:17:59 AM<br>
> Subject: Re: [ovirt-users] AAA LDAP Authentication<br>
><br>
> I can log into ovirt, I can see the profile, it doesn't throw any errors.<br>
> However, it doesn't display any users. This is because the automatic rootDN<br>
> is wrong.<br>
> oVirt shows "Namespace: dc=corp, dc=ft, dc=com" if this is the search base<br>
> it actually needs to be cn=users, cn=accounts, dc=corp, dc=ft, dc=com<br>
> Hence my desire to configure rootDN<br>
><br>
> Then, I also want to filter based on the above (sorry the traffic part was<br>
> a comment from testlink, the line should be)<br>
> '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)';<br>
> That filter is was makes sure the results only show users in the specific<br>
> group I want to give access to.<br>
><br>
> Thanks,<br>
> David<br>
><br>
> On Tue, May 5, 2015 at 2:08 PM, Alon Bar-Lev <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>> wrote:<br>
><br>
> > Hi,<br>
> ><br>
> > So your configuration is working, just you want to filter users?<br>
> ><br>
> > I do not follow what organization filter is.<br>
> ><br>
> > > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; // e.g.<br>
> > > '(organizationname=*Traffic)'<br>
> ><br>
> > It looks to me that you want to narrow the results based on specific<br>
> > attribute value.<br>
> ><br>
> > But first you should confirm that all is working for you, only then we can<br>
> > start customize the provider to meet your special needs.<br>
> ><br>
> > Thanks,<br>
> > Alon.<br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "David Smith" <<a href="mailto:dsmith@mypchelp.com">dsmith@mypchelp.com</a>><br>
> > > To: "Alon Bar-Lev" <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>><br>
> > > Cc: "users" <<a href="mailto:users@ovirt.org">users@ovirt.org</a>><br>
> > > Sent: Wednesday, May 6, 2015 12:01:28 AM<br>
> > > Subject: Re: [ovirt-users] AAA LDAP Authentication<br>
> > ><br>
> > > Hi Alon,<br>
> > ><br>
> > > Thanks for the quick reply.<br>
> > > openldap works fine; I use it with testlink (as shown in the example<br>
> > > config). We're not using active directory; Just LDAP. The example config<br>
> > I<br>
> > > provided is fully inclusive of all configuration required for "testlink"<br>
> > to<br>
> > > use LDAP, I also have jenkins and mantis configured using the same<br>
> > > parameters (although their terminology on where to enter the parameters<br>
> > is<br>
> > > varied, they use all the same information)<br>
> > ><br>
> > > The rootDSE is being determined automatically; however for my use it's<br>
> > > wrong and needs to be provided manually. Again, I have no control over<br>
> > > this. It's a company-wide configuration that won't be changed just for<br>
> > me.<br>
> > ><br>
> > > How would I be able to specify the organization filter line if I added<br>
> > some<br>
> > > other include directive of whatever driver? I don't even understand what<br>
> > > you're saying, exactly. Not all ovirt users/managers are programming<br>
> > > experts.<br>
> > ><br>
> > > I use LDAPS because thats what my company supports. StartTLS is NOT<br>
> > > supported (as I stated). Silly on their part, right?<br>
> > ><br>
> > > Thanks,<br>
> > > David<br>
> > ><br>
> > > On Tue, May 5, 2015 at 1:18 PM, Alon Bar-Lev <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>> wrote:<br>
> > ><br>
> > > > Hello,<br>
> > > ><br>
> > > > Resources includes sysadmin documentation[1], integrator<br>
> > documentation[2],<br>
> > > > overview[3], examples[4].<br>
> > > ><br>
> > > > You did not specify what LDAP vendor it is.<br>
> > > ><br>
> > > > I can guess your directory is Active Directory, hence all you need to<br>
> > do<br>
> > > > is follow the "QUICK START"[5].<br>
> > > ><br>
> > > > The rootDSE is determined automatically, all you need is to provide a<br>
> > > > valid user and password.<br>
> > > ><br>
> > > > What you are missing in your configuration is the include directive of<br>
> > the<br>
> > > > proper driver.<br>
> > > > Not sure why you use LDAPS and not LDAP with startTLS, startTLS is more<br>
> > > > flexible and should be used unless there is an issue.<br>
> > > ><br>
> > > > Alon<br>
> > > ><br>
> > > > [1]<br>
> > > ><br>
> > <a href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD" target="_blank">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD</a><br>
> > > > [2]<br>
> > > ><br>
> > <a href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD" target="_blank">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD</a><br>
> > > > [3] <a href="http://www.ovirt.org/Features/AAA" target="_blank">http://www.ovirt.org/Features/AAA</a><br>
> > > > [4]<br>
> > > ><br>
> > <a href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD" target="_blank">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD</a><br>
> > > > [5]<br>
> > > ><br>
> > <a href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6" target="_blank">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6</a><br>
> > > ><br>
> > > > ----- Original Message -----<br>
> > > > > From: "David Smith" <<a href="mailto:dsmith@mypchelp.com">dsmith@mypchelp.com</a>><br>
> > > > > To: "users" <<a href="mailto:users@ovirt.org">users@ovirt.org</a>><br>
> > > > > Sent: Tuesday, May 5, 2015 11:09:25 PM<br>
> > > > > Subject: [ovirt-users] AAA LDAP Authentication<br>
> > > > ><br>
> > > > > I'm trying to set up the new 3.5 AAA LDAP Auth, but it's lacking some<br>
> > > > serious<br>
> > > > > detail in documentation, the rest is java-programmer-oriented docs<br>
> > only<br>
> > > > that<br>
> > > > > I can find;<br>
> > > > ><br>
> > > > ><br>
> > <a href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git" target="_blank">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git</a><br>
> > > > ><br>
> > > > > Here's a sample config (sanitized) that I need to adapt to ovirt; *I<br>
> > > > HAVE NO<br>
> > > > > control over the LDAP server.<br>
> > > > ><br>
> > > > > So far I've managed to figure out through search after search to use<br>
> > > > LDAPS<br>
> > > > > (TLS isn't an option, thanks!)<br>
> > > > > Two parts I can't figure out; setting rootDN and setting the<br>
> > organization<br>
> > > > > filter-- members of that particular organization should have access<br>
> > to<br>
> > > > > ovirt, and none others.<br>
> > > > ><br>
> > > > > vars.server = <a href="http://directory.ft.com" target="_blank">directory.ft.com</a><br>
> > > > ><br>
> > > > > #<br>
> > > > > # Search user and its password.<br>
> > > > > #<br>
> > > > > vars.user =<br>
> > uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com<br>
> > > > > vars.urootdn = cn=users,cn=accounts,dc=corp,dc=ft,dc=com<br>
> > > > > vars.password = Ft######<br>
> > > > ><br>
> > > > > pool.default.serverset.single.server = ${global:vars.server}<br>
> > > > > pool.default.serverset.single.port = 636<br>
> > > > > pool.default.auth.simple.bindDN = ${global:vars.user}<br>
> > > > > pool.default.auth.simple.rootDN = ${global:vars.urootdn}<br>
> > > > > pool.default.auth.simple.password = ${global:vars.password}<br>
> > > > ><br>
> > > > > # enable SSL<br>
> > > > > pool.default.ssl.enable = true<br>
> > > > > #pool.default.ssl.insecure = false<br>
> > > > ><br>
> > > > > # Create keystore, import certificate chain and uncomment<br>
> > > > > # if using ssl/tls.<br>
> > > > > #pool.default.ssl.startTLS = true<br>
> > > > > pool.default.ssl.truststore.file =<br>
> > > > > ${local:_basedir}/${global:vars.server}.jks<br>
> > > > > pool.default.ssl.truststore.password = changeit<br>
> > > > ><br>
> > > > ><br>
> > > > > example config from testlink<br>
> > > > > $tlCfg->authentication['method'] = 'LDAP';<br>
> > > > ><br>
> > > > > /** LDAP authentication credentials */<br>
> > > > > $tlCfg->authentication['ldap_server'] = 'ldaps:// <a href="http://directory.ft.com" target="_blank">directory.ft.com</a><br>
> > ';<br>
> > > > > $tlCfg->authentication['ldap_port'] = '636';<br>
> > > > > $tlCfg->authentication['ldap_version'] = '3';<br>
> > > > > $tlCfg->authentication['ldap_root_dn'] =<br>
> > > > > 'cn=users,cn=accounts,dc=corp,dc=ft,dc=com';<br>
> > > > > $tlCfg->authentication['ldap_bind_dn'] =<br>
> > > > > 'uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com';<br>
> > > > > $tlCfg->authentication['ldap_bind_passwd'] = 'Ft######';<br>
> > > > > $tlCfg->authentication['ldap_tls'] = false; // true -> use tls<br>
> > > > > $tlCfg->authentication['ldap_organization'] =<br>
> > > > > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; //<br>
> > e.g.<br>
> > > > > '(organizationname=*Traffic)'<br>
> > > > > $tlCfg->authentication['ldap_uid_field'] = 'uid'; // Use<br>
> > > > 'sAMAccountName' for<br>
> > > > > Active Directory<br>
> > > > ><br>
> > > > > _______________________________________________<br>
> > > > > Users mailing list<br>
> > > > > <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
> > > > > <a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
> > > > ><br>
> > > ><br>
> > ><br>
> ><br>
><br>
</div></div></blockquote></div><br></div>