----- Original Message -----
From: "lofyer" <lofyer(a)gmail.com>
To: "users" <users(a)ovirt.org>
Sent: Tuesday, October 14, 2014 5:10:56 AM
Subject: [ovirt-users] How to mapping LDAP users in AAA
I've got an LDAP server without Kerberos and I am trying to integrate
its users into oVirt-3.5 with AAA.
==========================
/etc/ovirt-engine/aaa/example.properties:
You need to create two extensions, one for authentication and another for authorization, at
/etc/ovirt-engine/extensions.d/ (see [1]); both should refer to your example.properties.
But I see you created these based on the below.
[1]
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
include = <openldap.properties>
vars.user = cn=directory manager
are you sure this ^ is the full dn of the user?
vars.password = mypassword
vars.server = example.com
#pool.default.ssl.startTLS = false
#pool.default.ssl.truststore.file = /etc/ldap_tls/ca_cert.pem
#pool.default.ssl.truststore.password = admin
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
==========================
This is my basic ldap infomation:
ou=Groups
|
+---- cn=UserGroup1
|
+---- cn=UserGroup2
ou=UserGroup1
|
+---- cn=user1
|
+---- cn=user2
ou=UserGroup2
|
+---- cn=user3
|
+---- cn=user4
==========================
Now I can see example.com in the web portal but I cannot list users in UG1
or UG2.
In the admin portal?
I find that I could map DN, ID NAME, DISPLAY in the config file. What
should I add in the config file then?
you do not need to touch these...
1. which version of ovirt-engine do you use?
2. which version of ovirt-engine-extension-aaa-ldap do you use?
What is your root DSE?
$ ldapsearch -H ldap://example.com -b '' -x -D 'cn=directory manager' -w mypassword -s BASE
Seek namingContexts; it should contain, as its first entry, a suffix for all objects.
If you try to search for users within the "Users" add tab within webadmin and find
nothing, and the root DSE is OK, please modify
/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in and set:
<file-handler name="SERVER">                               <--- find this
    <level name="FINEST"/>                                 <--- modify this
<logger category="org.ovirt.engineextensions.aaa.ldap">    <--- add this
    <level name="FINEST"/>                                 <--- add this
</logger>                                                  <--- add this
<logger category="com.arjuna">                             <--- find this
stop engine
remove /var/log/ovirt-engine/engine.log
start engine
try to search
send me engine.log
Regards,
Alon
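A small offline sanity check for the two points Alon raises above (is the bindDN a full DN, and what does the root DSE's namingContexts say), added here as an example and not part of the thread or of ovirt-engine-extension-aaa-ldap. It parses the quoted example.properties, expands its ${global:...} references, reads namingContexts from a constructed LDIF root DSE (the shape `ldapsearch -b '' -s BASE` prints) and reports whether the bind DN sits under one of the server's naming contexts; the LDIF and the dc=example,dc=com suffix are constructed, not taken from the poster's server.

```python
import re

# Constructed sample: the example.properties quoted in the thread (vars.server on one line).
PROPERTIES = """\
include = <openldap.properties>
vars.user = cn=directory manager
vars.password = mypassword
vars.server = example.com
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
"""

# Constructed sample: root DSE in LDIF form, as `ldapsearch -b '' -s BASE` would print it.
ROOT_DSE = """\
dn:
namingContexts: dc=example,dc=com
supportedLDAPVersion: 3
"""

REF = re.compile(r"\$\{global:([^}]+)\}")  # ${global:vars.x} reference syntax from the file

def parse_properties(text):
    """Parse `key = value` lines (comments skipped) and expand ${global:key} references."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    # One expansion pass: the vars.* entries hold plain values, so nothing chains further.
    return {k: REF.sub(lambda m: props.get(m.group(1), ""), v) for k, v in props.items()}

def naming_contexts(ldif):
    """Return the namingContexts values of the root DSE: the suffixes all objects live under."""
    return [line.split(":", 1)[1].strip() for line in ldif.splitlines()
            if line.lower().startswith("namingcontexts:")]

def normalize_dn(dn):
    """Lower-case RDNs and drop whitespace around commas so suffix comparison is reliable."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_bind_dn(props, contexts):
    """Return (bindDN, matching naming context or None). None means the bind DN ends in
    no naming context, so it may be a bare RDN rather than the user's full DN."""
    bind_dn = props.get("pool.default.auth.simple.bindDN", "")
    for ctx in contexts:
        if normalize_dn(bind_dn).endswith("," + normalize_dn(ctx)):
            return bind_dn, ctx
    return bind_dn, None
```

A None result is a prompt to confirm the DN against the server rather than proof it is wrong: some directories (389 Directory Server, for one) have a root DN such as cn=Directory Manager that lives outside every naming context.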