On Mon, May 23, 2016 at 11:31 AM, Alexis HAUSER <alexis.hauser(a)telecom-bretagne.eu> wrote:
> As I explained, my groups are not in the same dn path as my users. As it
> is not possible to add multiple dn paths, my only solution is to use users.
> Well, that's the 1st time I've heard about an LDAP setup where users and
> groups of one domain are not under the same baseDN. Usually all LDAP setups
> have some baseDN (for example 'dc=company,dc=com') and somewhere under this
> baseDN (not necessarily directly under it) we could find users and groups.
> The only exception to this is ActiveDirectory with multi-domain trust
> inside a single forest (which we currently support, and a user of domainA can
> be a member of a group from domainB) and multi-forest trust (which we
> don't support).
Oh thank you, it actually helped a lot: I just realized the search was
"recursive" and now it actually works and seems to solve my problem.
Great news!
Now I only have to check if adding permissions to a group applies to users who
belong to this group, but I guess it should.
> Those users have attributes like "member of" which still keep the
> information about what group they belong to. I didn't find any way using
> the interface to filter by attribute, for example to show all users who are
> members of group "foo".
>
> We don't support LDAP searches in the webadmin UI, because we don't
> distinguish between LDAP (ovirt-engine-extension-aaa-ldap) or database
> (ovirt-engine-extension-aaa-jdbc) providers, both of them provide users
> and groups for oVirt using the same AAA interface.
And only a part of the attributes are imported to the database (it doesn't
seem to be able to display them from the web interface)?
That would be a nice feature to be able to filter from any attribute of
users.
Do you think I should open a new RFE bug about it?
We fetch only basic attributes common to all LDAPs, for users we fetch
username, first name, last name, display name, department, title, email and
for groups name and display name. But if you miss some attribute, please
create an RFE bug for that.
Thanks
Martin Perina