<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 18, 2016 at 9:48 AM, Alexis HAUSER <span dir="ltr">&lt;<a href="mailto:alexis.hauser@telecom-bretagne.eu" target="_blank">alexis.hauser@telecom-bretagne.eu</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">>> Is there a way to search for attributes in the ovirt web interface, for<br>
>> example "memberof" ?<br>
>><br>
>> I can't imagine adding hundreds or thousands of users one by one... What<br>
>> would be the solutions ?<br>
>><br>
<br>
>You can assign specific permission to the group that relevant users are<br>
>member of (we support also nested groups if needed)<br>
>and of course you can select multiple users/groups when you assign<br>
>permissions.<br>
<br>
>If the above is not an option for you, could you try to describe what exactly<br>
>you are trying to achieve?<br>
<br>
>Thanks<br>
<br>
>Martin Perina<br>
<br>
As I explained, my groups are not in the same dn path as my users. As it is not possible to add multiple dn paths, my only solution is to use users. </blockquote><div><br><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Well, that's the 1st time I've heard about an LDAP setup where users and groups of one domain are not under the same baseDN. Usually all LDAP setups have some baseDN (for example 'dc=company,dc=com') and somewhere under this baseDN (not necessarily directly under it) we could find users and groups. The only exception to this is ActiveDirectory with multi-domain trust inside a single forest (which we currently support and a user of domainA can be a member of a group from domainB) and multi-forest trust (which we don't support).<br></div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Those users have attributes like "member of" which still keep the information about what group they belong to. I didn't find any way using the interface to filter by attribute, for example to show all users who are members of group "foo".<br></blockquote><div><br><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">We don't support LDAP searches in the webadmin UI, because we don't distinguish between LDAP (ovirt-engine-extension-aaa-ldap) and database (ovirt-engine-extension-aaa-jdbc) providers; both of them provide users and groups for oVirt using the same AAA interface.<br><br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I could do that with ldapsearch, but then how would I inject the result to ovirt configuration to add those users to specific ovirt roles ("ovirt permission groups") ?<br>
</blockquote></div><br><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">So the only way that comes to my mind is to use one of our SDKs (Python, Java, Ruby). You would need to implement the LDAP query yourself and then add the wanted permission to those users using our SDKs.<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Martin Perina<br></div><br></div></div>
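<div>The first half of the approach suggested above (run the LDAP query yourself, then hand the matching users to an SDK), as an added example that is not part of the original thread or of the oVirt project: it parses ldapsearch LDIF output and selects the users whose memberOf attribute names a given group, handling folded lines and base64-encoded values. The sample entries, the group DNs and all function names are constructed for illustration; the SDK call that assigns the permission is not shown.</div>

```python
import base64

# Constructed `ldapsearch -LLL` output (LDIF); users and groups sit under different base DNs.
FOO = "cn=foo,ou=groups,dc=example,dc=org"
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=company,dc=com
memberOf: cn=foo,ou=groups,dc=example,dc=org
memberOf: cn=bar,ou=groups,dc=example,dc=org

dn: uid=bob,ou=people,dc=company,dc=com
memberOf: cn=bar,ou=groups,dc=example,dc=org

dn: uid=carol,ou=people,dc=company,dc=com
memberOf: CN=Foo, OU=Groups,
 DC=example,DC=org

dn: uid=dave,ou=people,dc=company,dc=com
memberOf:: """ + base64.b64encode(FOO.encode()).decode() + "\n"

def unfold(ldif):
    # LDIF folds long lines: a line starting with one space continues the previous one.
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_entries(ldif):
    # One {attribute: [values]} dict per entry; entries are separated by blank lines.
    entries, current = [], {}
    for line in unfold(ldif) + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" marks an encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(name.lower(), []).append(value.strip())
    return entries

def norm_dn(dn):
    # Simplified DN comparison key: ignores case and spaces around commas, not escaped commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def members_of(ldif, group_dn):
    want = norm_dn(group_dn)
    return [e["dn"][0] for e in parse_entries(ldif)
            if "dn" in e and want in {norm_dn(g) for g in e.get("memberof", [])}]
```

<div>Each DN returned by members_of() identifies one user to add and grant a role to through the SDK; reviewing that list before assigning permissions keeps access limited to the intended group members.</div>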