<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 31, 2017 at 11:17 AM, Matt . <span dir="ltr"><<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Martin,<br>
<br>
Thanks for the explanation. But what happens on those tests during the<br>
setup the same happens as shown in oVirt.<br></blockquote><div><br><div style="font-family:arial,helvetica,sans-serif;display:inline" class="gmail_default">Exactly, you can execute those tests even before publishing a new profile to the engine, and if something doesn't work you can fix it even before users notice that something is wrong.<br><br></div><div style="font-family:arial,helvetica,sans-serif;display:inline" class="gmail_default">Also please bear in mind that there is a variety of small differences in schema across different setups, even for the same LDAP server. So the setup tool uses only basic configurations; if you need something more complicated, you need to edit the configuration manually.<br><br></div><div style="font-family:arial,helvetica,sans-serif;display:inline" class="gmail_default">Thanks<br><br></div><div style="font-family:arial,helvetica,sans-serif;display:inline" class="gmail_default">Martin Perina<br> <br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Default IPA should just work I guess.<br>
<br>
I will test your command and report back.<br>
<br>
Cheers,<br>
<br>
Matt<br>
<br>
2017-01-31 10:24 GMT+01:00 Martin Perina <<a href="mailto:mperina@redhat.com">mperina@redhat.com</a>>:<br>
> Hi,<br>
><br>
> it seems that your schema doesn't match the defaults or you have some<br>
> configuration issue. Could you please execute the following and send us the<br>
> output for your IPA setup?<br>
><br>
> ovirt-engine-extensions-tool --log-level=FINE aaa<br>
> authz-fetch_principal_record --authz-flag=resolve-groups-<wbr>recursive<br>
> --authz-flag=resolve-groups --extension-name=<PROFILE-<wbr>NAME><br>
> --principal-name=<USERNAME><br>
><br>
> The above will search for a user by <USERNAME> and try to fetch all groups<br>
> he is a member of.<br>
><br>
> Btw you can test both "search users/groups" and "login a user" during<br>
> aaa-ldap-setup tool (and it's recommended to do so) and the output from<br>
> those commands should provide you the same details.<br>
><br>
> Thanks<br>
><br>
> Martin Perina<br>
><br>
><br>
><br>
> On Mon, Jan 30, 2017 at 9:27 PM, Matt . <<a href="mailto:yamakasi.014@gmail.com">yamakasi.014@gmail.com</a>> wrote:<br>
>><br>
>> Hi,<br>
>><br>
>> When I do an ovirt-engine-extension-aaa-<wbr>ldap-setup and choose IPA the<br>
>> groups are shown but the users are not.<br>
>><br>
>> When I choose 389ds, the users are shown but not the groups.<br>
>><br>
>> Is something wrong with the FreeIPA implementation? I'm on the latest IPA<br>
>> 4.4 version from Fedora<br>
>><br>
>> Cheers,<br>
>><br>
>> Matt<br>
><br>
><br>
</blockquote></div><br></div></div>