Hi,
I've just tried with:
# ipa --version
VERSION: 4.4.0, API_VERSION: 2.213
And all worked good. Can you please share the logs,
which Martin asked for, so we can investigate?
Thanks,
Ondra
On Tue, Jan 31, 2017 at 12:50 PM, Matt . <yamakasi.014(a)gmail.com> wrote:
Hi,
True. Are you able to check if it still is good for IPA 4.4 usage, it
could be still IPA 3.x maybe or between 4.2 and 4.4 has been changed
something ? Would be great!
Thanks,
Matt
2017-01-31 11:30 GMT+01:00 Martin Perina <mperina(a)redhat.com>:
>
>
> On Tue, Jan 31, 2017 at 11:17 AM, Matt . <yamakasi.014(a)gmail.com> wrote:
>>
>> Hi Martin,
>>
>> Thanks for the explanation. But what happens on those tests during the
>> setup the same happens as shown in oVirt.
>
>
> Exactly, you can execute those tests even before publishing new profile to
> engine and if something doesn't work you can fix even before users notice
> that something is wrong.
>
> Also please bear in mind that there is a variety of small differences in
> schema across different setups even for the same LDAP server. So setup tool
> uses only basic configurations, if you need something more complicated you
> need to edit configuration manually.
>
> Thanks
>
> Martin Perina
>
>>
>>
>> Default IPA should just work I guess.
>>
>> I will test your command and report back.
>>
>> Cheers,
>>
>> Matt
>>
>> 2017-01-31 10:24 GMT+01:00 Martin Perina <mperina(a)redhat.com>:
>> > Hi,
>> >
>> > it seems that your schema doesn't match the defaults or you have some
>> > configuration issue. Could you please execute the following and send us the
>> > output for your IPA setup?
>> >
>> > ovirt-engine-extensions-tool --log-level=FINE aaa \
>> >     authz-fetch_principal_record --authz-flag=resolve-groups-recursive \
>> >     --authz-flag=resolve-groups --extension-name=<PROFILE-NAME> \
>> >     --principal-name=<USERNAME>
>> >
>> > The above will search for a user by <USERNAME> and try to fetch all
>> > groups he is a member of.
>> >
>> > Btw you can test both "search users/groups" and "login a user" during
>> > aaa-ldap-setup tool (and it's recommended to do so) and the output from
>> > those commands should provide you the same details.
>> >
>> > Thanks
>> >
>> > Martin Perina
>> >
>> >
>> >
>> > On Mon, Jan 30, 2017 at 9:27 PM, Matt . <yamakasi.014(a)gmail.com> wrote:
>> >>
>> >> Hi,
>> >>
>> >> When I do a ovirt-engine-extension-aaa-ldap-setup and choose IPA the
>> >> groups are shown but the users are not.
>> >>
>> >> When I choose 389ds, the users are shown but not the groups.
>> >>
>> >> Is something wrong with the FreeIPA implementation ? I'm on latest IPA
>> >> 4.4 version from Fedora
>> >>
>> >> Cheers,
>> >>
>> >> Matt
>> >
>> >
>
>