<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 23, 2016 at 11:31 AM, Alexis HAUSER <span dir="ltr"><<a href="mailto:alexis.hauser@telecom-bretagne.eu" target="_blank">alexis.hauser@telecom-bretagne.eu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
> As I explained, my groups are not in the same dn path as my users. As it<br>
> is not possible to add multiple dn paths, my only solution is to use users.<br>
<br>
> Well, that's the 1st time I've heard about an LDAP setup where users and<br>
> groups of one domain are not under the same baseDN. Usually all LDAP setups<br>
> have some baseDN (for example 'dc=company,dc=com') and somewhere under this<br>
> baseDN (not necessarily directly under it) we could find users and groups.<br>
> The only exception to this is ActiveDirectory with multi-domain trust<br>
> inside a single forest (which we currently support and a user of domainA can<br>
> be a member of a group from domainB) and multi-forest trust (which we<br>
> don't support).<br>
<br>
<br>
Oh thank you, it actually helped a lot: I just realized the search was "recursive" and now it actually works and seems to solve my problem.<br></blockquote><div><br><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">Great news!<br></div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Now I only have to check if adding permissions to a group applies to users who belong to this group, but I guess it should. <br></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> </blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
> Those users have attributes like "member of" which still keep the<br>
> information about what group they belong to. I didn't find any way using<br>
> the interface to filter by attribute, for example to show all users member<br>
> of group "foo".<br>
><br>
> We don't support LDAP searches in the webadmin UI, because we don't<br>
> distinguish between LDAP (ovirt-engine-extension-aaa-ldap) or database<br>
> (ovirt-engine-extension-aaa-jdbc) providers, both of them provide users<br>
> and groups for oVirt using the same AAA interface.<br>
<br>
<br>
And only a part of the attributes are imported to the database (it doesn't seem to be able to display them from the web interface)?<br>
That would be a nice feature to be able to filter from any attribute of users.<br>
Do you think I should open a new RFE bug about it?<br></blockquote><div><br><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">We fetch only basic attributes common to all LDAPs: for users we fetch username, first name, last name, display name, department, title, email, and for groups name and display name. But if you miss some attribute, please create an RFE bug for that.<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">Thanks<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">Martin Perina<br><br></div></div></div><br></div></div>