Re: [ovirt-users] AAA LDAP Authentication

I beginning to understand... although I cannot figure out how login works while search not. Anyway, try to add this to your profile: sequence-init.init.900-local-init-vars = local-init-vars sequence.local-init-vars.010.description = override name space sequence.local-init-vars.010.type = var-set sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault sequence.local-init-vars.010.var-set.value = cn=users,cn=accounts,dc=corp,dc=ft,dc=com sequence.local-init-vars.020.description = apply filter to users sequence.local-init-vars.020.type = var-set sequence.local-init-vars.020.var-set.variable = simple_filterUserObject sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com) sequence.local-init-vars.030.description = apply filter to groups sequence.local-init-vars.030.type = var-set sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject sequence.local-init-vars.030.var-set.value = ${seq:simple_filterGroupObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com) ----- Original Message ----- > From: "David Smith" <dsmith(a)mypchelp.com&gt; > To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; > Cc: "users" <users(a)ovirt.org&gt; > Sent: Wednesday, May 6, 2015 12:17:59 AM > Subject: Re: [ovirt-users] AAA LDAP Authentication > > I can log into ovirt, I can see the profile, it doesn't throw any errors. > However, it doesn't display any users. This is because the automatic rootDN > is wrong. > oVirt shows "Namespace: dc=corp, dc=ft, dc=com" if this is the search base > it actually needs to be cn=users, cn=accounts, dc=corp, dc=ft, dc=com > Hence my desire to configure rootDN > > Then, I also want to filter based on the above (sorry the traffic part was > a comment from testlink, the line should be) > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; > That filter is was makes sure the results only show users in the specific > group I want to give access to. > > Thanks, > David > > On Tue, May 5, 2015 at 2:08 PM, Alon Bar-Lev <alonbl(a)redhat.com&gt; wrote: > > > Hi, > > > > So your configuration is working, just you want to filter users? > > > > I do not follow what organization filter is. > > > > > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; // e.g. > > > '(organizationname=*Traffic)' > > > > It looks to me that you want to narrow the results based on specific > > attribute value. > > > > But first you should confirm that all is working for you, only then we can > > start customize the provider to meet your special needs. > > > > Thanks, > > Alon. > > > > ----- Original Message ----- > > > From: "David Smith" <dsmith(a)mypchelp.com&gt; > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; > > > Cc: "users" <users(a)ovirt.org&gt; > > > Sent: Wednesday, May 6, 2015 12:01:28 AM > > > Subject: Re: [ovirt-users] AAA LDAP Authentication > > > > > > Hi Alon, > > > > > > Thanks for the quick reply. > > > openldap works fine; I use it with testlink (as shown in the example > > > config). We're not using active directory; Just LDAP. The example config > > I > > > provided is fully inclusive of all configuration required for "testlink" > > to > > > use LDAP, I also have jenkins and mantis configured using the same > > > parameters (although their terminology on where to enter the parameters > > is > > > varied, they use all the same information) > > > > > > The rootDSE is being determined automatically; however for my use it's > > > wrong and needs to be provided manually. Again, I have no control over > > > this. It's a company-wide configuration that won't be changed just for > > me. > > > > > > How would I be able to specify the organization filter line if I added > > some > > > other include directive of whatever driver? I don't even understand what > > > you're saying, exactly. Not all ovirt users/managers are programming > > > experts. > > > > > > I use LDAPS because thats what my company supports. StartTLS is NOT > > > supported (as I stated). Silly on their part, right? > > > > > > Thanks, > > > David > > > > > > On Tue, May 5, 2015 at 1:18 PM, Alon Bar-Lev <alonbl(a)redhat.com&gt; wrote: > > > > > > > Hello, > > > > > > > > Resources includes sysadmin documentation[1], integrator > > documentation[2], > > > > overview[3], examples[4]. > > > > > > > > You did not specify what LDAP vendor it is. > > > > > > > > I can guess your directory is Active Directory, hence all you need to > > do > > > > is follow the "QUICK START"[5]. > > > > > > > > The rootDSE is determined automatically, all you need is to provide a > > > > valid user and password. > > > > > > > > What you are missing in your configuration is the include directive of > > the > > > > proper driver. > > > > Not sure why you use LDAPS and not LDAP with startTLS, startTLS is more > > > > flexible and should be used unless there is an issue. > > > > > > > > Alon > > > > > > > > [1] > > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b... > > > > [2] > > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b... > > > > [3] http://www.ovirt.org/Features/AAA > > > > [4] > > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=t... > > > > [5] > > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b... > > > > > > > > ----- Original Message ----- > > > > > From: "David Smith" <dsmith(a)mypchelp.com&gt; > > > > > To: "users" <users(a)ovirt.org&gt; > > > > > Sent: Tuesday, May 5, 2015 11:09:25 PM > > > > > Subject: [ovirt-users] AAA LDAP Authentication > > > > > > > > > > I'm trying to set up the new 3.5 AAA LDAP Auth, but it's lacking some > > > > serious > > > > > detail in documentation, the rest is java-programmer-oriented docs > > only > > > > that > > > > > I can find; > > > > > > > > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git > > > > > > > > > > Here's a sample config (sanitized) that I need to adapt to ovirt; *I > > > > HAVE NO > > > > > control over the LDAP server. > > > > > > > > > > So far I've managed to figure out through search after search to use > > > > LDAPS > > > > > (TLS isn't an option, thanks!) > > > > > Two parts I can't figure out; setting rootDN and setting the > > organization > > > > > filter-- members of that particular organization should have access > > to > > > > > ovirt, and none others. > > > > > > > > > > vars.server = directory.ft.com > > > > > > > > > > # > > > > > # Search user and its password. > > > > > # > > > > > vars.user = > > uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com > > > > > vars.urootdn = cn=users,cn=accounts,dc=corp,dc=ft,dc=com > > > > > vars.password = Ft###### > > > > > > > > > > pool.default.serverset.single.server = ${global:vars.server} > > > > > pool.default.serverset.single.port = 636 > > > > > pool.default.auth.simple.bindDN = ${global:vars.user} > > > > > pool.default.auth.simple.rootDN = ${global:vars.urootdn} > > > > > pool.default.auth.simple.password = ${global:vars.password} > > > > > > > > > > # enable SSL > > > > > pool.default.ssl.enable = true > > > > > #pool.default.ssl.insecure = false > > > > > > > > > > # Create keystore, import certificate chain and uncomment > > > > > # if using ssl/tls. > > > > > #pool.default.ssl.startTLS = true > > > > > pool.default.ssl.truststore.file = > > > > > ${local:_basedir}/${global:vars.server}.jks > > > > > pool.default.ssl.truststore.password = changeit > > > > > > > > > > > > > > > example config from testlink > > > > > $tlCfg->authentication['method'] = 'LDAP'; > > > > > > > > > > /** LDAP authentication credentials */ > > > > > $tlCfg->authentication['ldap_server'] = 'ldaps:// directory.ft.com > > '; > > > > > $tlCfg->authentication['ldap_port'] = '636'; > > > > > $tlCfg->authentication['ldap_version'] = '3'; > > > > > $tlCfg->authentication['ldap_root_dn'] = > > > > > 'cn=users,cn=accounts,dc=corp,dc=ft,dc=com'; > > > > > $tlCfg->authentication['ldap_bind_dn'] = > > > > > 'uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com'; > > > > > $tlCfg->authentication['ldap_bind_passwd'] = 'Ft######'; > > > > > $tlCfg->authentication['ldap_tls'] = false; // true -> use tls > > > > > $tlCfg->authentication['ldap_organization'] = > > > > > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; // > > e.g. > > > > > '(organizationname=*Traffic)' > > > > > $tlCfg->authentication['ldap_uid_field'] = 'uid'; // Use > > > > 'sAMAccountName' for > > > > > Active Directory > > > > > > > > > > _______________________________________________ > > > > > Users mailing list > > > > > Users(a)ovirt.org > > > > > http://lists.ovirt.org/mailman/listinfo/users > > > > > > > > > > > > > > >