Re: [ovirt-users] How to mapping LDAP users in AAA

Tuesday, 14 October 2014

Yes, I do add authz and authn in /etc/ovirt-engine/extension.d/ like this

==============================
/etc/ovirt-engine/extensions.d/authn-sdju.edu.cn.properties:

ovirt.engine.extension.name = authn-sdju.edu.cn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = 
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = 
org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = sdju.edu.cn
ovirt.engine.aaa.authn.authz.plugin = authz-sdju.edu.cn
config.profile.file.1 = /etc/ovirt-engine/aaa/sdju.edu.cn.properties
==============================
/etc/ovirt-engine/extensions.d/authz-sdju.edu.cn.properties:

ovirt.engine.extension.name = authz-sdju.edu.cn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = 
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = 
org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/sdju.edu.cn.properties
==============================

And here's my log:

ldapsearch -H ldap://ids.sdju.edu.cn -b '' -D 'cn=directory manager' -w 
mypassword -s BASE
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
namingContexts: dc=sdju,dc=edu,dc=cn
namingContexts: o=NetscapeRoot
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun Java(TM) System Directory Server/5.2_Patch_4
dataversion: 020121212071504020121212071504
netscapemdsuffix: cn=ldap://dc=ids1,dc=sdju,dc=edu,dc=cn:389

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
==============================
  ldapsearch  -E pr=100/noprompt -H ldap://ids.sdju.edu.cn -x -D 
'cn=directory manager' -w mypassword -b ou=JZG,dc=sdju,dc=edu,dc=cn
# extended LDIF
#
# LDAPv3
# base <ou=JZG,dc=sdju,dc=edu,dc=cn> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with pagedResults control: size=100
#

# JZG, sdju.edu.cn
dn: ou=JZG,dc=sdju,dc=edu,dc=cn
ou: JZG
objectClass: organizationalUnit
objectClass: iplanet-am-managed-people-container
objectClass: top

# 30419, JZG, sdju.edu.cn
dn: uid=30419,ou=JZG,dc=sdju,dc=edu,dc=cn
eduPersonCardID: XXXXX219631030057X
uid: 30419
...
...
...
userPassword:: 
e1NTSEF9OUNWcXMxbnA0YjFsU0NzZDNqODRIOTVBQ1VQTlR1cEI0UmNnSEE9PQ=
  =

# search result
search: 2
result: 0 Success

# numResponses: 1251
# numEntries: 1250

在 14-10-14 下午3:18, Alon Bar-Lev 写道:
...

 ----- Original Message -----
> From: "lofyer" <lofyer(a)gmail.com&gt;
> To: "Yair Zaslavsky" <yzaslavs(a)redhat.com&gt;
> Cc: "users" <users(a)ovirt.org&gt;
> Sent: Tuesday, October 14, 2014 9:29:57 AM
> Subject: Re: [ovirt-users] How to mapping LDAP users in AAA
>
> Sun Java Access System Manager
 this is not openldap... why do you use openldap profile?

 please attach full export of this ldap server, output of:

 rootdse:
 $ ldapsearch -H ldap://example.com -b '' -x -D 'cn=directory manager' -w
mypassword -s BASE

 entities:
 $ ldapsearch -o ldif-wrap=no -E pr=100/noprompt -H ldap://example.com -x -D
'cn=directory manager' -w mypassword -b <NAMING_CONTEXT>

>
> 在 14-10-14 下午1:52, Yair Zaslavsky 写道:
>> ----- Original Message -----
>>> From: "lofyer" <lofyer(a)gmail.com&gt;
>>> To: "users" <users(a)ovirt.org&gt;
>>> Sent: Tuesday, October 14, 2014 5:10:56 AM
>>> Subject: [ovirt-users] How to mapping LDAP users in AAA
>>>
>>> I've got a LDAP server without kerberos and I am trying to intergrate
>>> its users to oVirt-3.5 with AAA.
>>> ==========================
>> Which ldap server is that, what vendor?
>>
>>> /etc/ovirt-engine/aaa/example.properties:
>>>
>>> include = <openldap.properties>
>>>
>>> vars.user = cn=directory manager
>>> vars.password = mypassword
>>> vars.server = example.com
>>>
>>> #pool.default.ssl.startTLS = false
>>> #pool.default.ssl.truststore.file = /etc/ldap_tls/ca_cert.pem
>>> #pool.default.ssl.truststore.password = admin
>>>
>>> pool.default.serverset.single.server = ${global:vars.server}
>>> pool.default.auth.simple.bindDN = ${global:vars.user}
>>> pool.default.auth.simple.password = ${global:vars.password}
>>> ==========================
>>>
>>> This is my basic ldap infomation:
>>>
>>> ou=Groups
>>> |
>>> +---- cn=UserGroup1
>>> |
>>> +---- cn=UserGroup2
>>>
>>> ou=UserGroup1
>>> |
>>> +---- cn=user1
>>> |
>>> +---- cn=user2
>>>
>>>
>>> ou=UserGroup2
>>> |
>>> +---- cn=user3
>>> |
>>> +---- cn=user4
>>>
>>> ==========================
>>>
>>> Now I can see example.com in web portal but I cannot list users in UG1
>>> or UG2.
>>>
>>> I find that I could map DN, ID NAME, DISPLAY in the config file. What
>>> should I add in the config file then?
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Re: [ovirt-users] How to mapping LDAP users in AAA