<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can successfully authenticate as an LDAP user. I can also login as admin@internal and search for, find, and select LDAP users but I cannot add permissions for them. Each time I get the
error "<span>User admin@internal-authz failed to grant permission for Role UserRole on System to User/Group <UNKNOWN>.</span>"</p>
<p><br>
</p>
<p>I have no control over the LDAP server, which uses custom objectClasses and uses groupOfNames instead of PosixGroups. I assume I need to set sequence variables to accommodate our group configuration but I'm at a loss as to where to begin. the The config
I have is as follows:</p>
<p><br>
</p>
<p></p>
<div>include = <rfc2307-generic.properties><br>
<br>
vars.server = labauth.lan.lab.org<br>
<br>
pool.authz.auth.type = none<br>
pool.default.serverset.type = single<br>
pool.default.serverset.single.server = ${global:vars.server}<br>
pool.default.ssl.startTLS = true<br>
pool.default.ssl.insecure = true<br>
<br>
pool.default.connection-options.connectTimeoutMillis = 10000<br>
pool.default.connection-options.responseTimeoutMillis = 90000<br>
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars<br>
sequence.my-basedn-init-vars.010.description = set baseDN<br>
sequence.my-basedn-init-vars.010.type = var-set<br>
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN<br>
sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB<br>
<br>
sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars<br>
sequence.my-objectclass-init-vars.020.description = set objectClass<br>
sequence.my-objectclass-init-vars.020.type = var-set<br>
sequence.my-objectclass-init-vars.020.var-set.variable = simple_filterUserObject<br>
sequence.my-objectclass-init-vars.020.var-set.value = (objectClass=labPerson)(uid=*)<br>
<br>
search.default.search-request.derefPolicy = NEVER<br>
<br>
sequence-init.init.900-local-init-vars = local-init-vars<br>
sequence.local-init-vars.010.description = override name space<br>
sequence.local-init-vars.010.type = var-set<br>
sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault<br>
sequence.local-init-vars.010.var-set.value = *<br>
<br>
sequence.local-init-vars.020.description = apply filter to users<br>
sequence.local-init-vars.020.type = var-set<br>
sequence.local-init-vars.020.var-set.variable = simple_filterUserObject<br>
sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(employeeStatus=3)<br>
<br>
sequence.local-init-vars.030.description = apply filter to groups<br>
sequence.local-init-vars.030.type = var-set<br>
sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject<br>
sequence.local-init-vars.030.var-set.value = (objectClass=groupOfUniqueNames)<br>
<br>
<br>
</div>
<p></p>
</div>
</body>
</html>