On 14/11/12 10:11, Antoni Segura Puimedon wrote:
----- Original Message -----
> From: "Itamar Heim" <iheim(a)redhat.com>
> To: "Charlie" <medievalist(a)gmail.com>
> Cc: "engine-devel" <engine-devel(a)ovirt.org>
> Sent: Wednesday, November 14, 2012 5:28:21 AM
> Subject: Re: [Engine-devel] Managing permissions on network
>
> On 11/13/2012 09:57 PM, Charlie wrote:
>> Will any of these groups and/or permissions be drawn from LDAP?
>>
>> Frankly, system admins are not looking for yet another console to
>> manage permissions.
>
> all users/groups come from LDAP.
> you just need to give permissions to these groups/users in ovirt.
> is that what you meant?

Would it be possible to somehow allow the admins to set permissions
on the LDAP console?

The integration with LDAP is on the level of managing users and groups,
not the oVirt permissions themselves.
The reason for that is that permission = User + Role + Object.
A user is given some Role on an Object; for example, admin1 is given the
role of clusterAdmin on clusterA. We can't set such a permission in LDAP,
as the objects themselves (Clusters, VMs, etc.) do not exist in LDAP.

Thanks, Livnat