From: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
To: "Itamar Heim" <iheim(a)redhat.com>
Cc: users(a)ovirt.org
Sent: Monday, August 11, 2014 8:13:53 PM
Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
I have checked the codebase of 3.3 -
the "active" field is used for presentation purposes only.
Presentation-wise only means that it is not used for our permissions calculation, for example.
Alon has addressed our plans for this in his previous comments.
I hope this clarifies more.
Yair
----- Original Message -----
> From: "Itamar Heim" <iheim(a)redhat.com>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>, "Paul Robert Marino" <prmarino1(a)gmail.com>
> Cc: users(a)ovirt.org
> Sent: Sunday, August 10, 2014 11:54:05 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>
> On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Paul Robert Marino" <prmarino1(a)gmail.com>
> >> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> >> Cc: "Maurice James" <mjames(a)media-node.com>, users(a)ovirt.org
> >> Sent: Sunday, August 10, 2014 10:43:14 PM
> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>
> >> Sorry for my delayed response to this.
> >>
> >> I am using ovirt 3.3.
> >> I am using Kerberos 5, and all of the DNS requirements are in place.
> >> Finally, 389 server is the upstream project for RHDS and one of the
> >> upstream projects for IPA.
> >> So I chose to set it as RHDS because it's an identical match.
> >>
> >> User authentication works just fine; my problem is adding roles to
> >> groups.
> >> I can assign a role to a group, but the group always shows an inactive
> >> status; however, if I assign a role directly to a user it works
> >> fine.
> >> In addition, if I drill down into a user it knows what groups in the
> >> 389 server the user is a member of.
> >>
> >> Finally, I can't see any error in the logs when adding a role to a group.
> >>
> >
> > Please open a bug. I am unsure that it will be addressed before 3.5, as we
> > have done major rework for the authentication and authorization to make it
> > much more versatile. Even if there will be a fix, it will be provided to
> > 3.4.z.
> >
> > It will be best if you test this scenario in the 3.5 release candidate
> > and the new ldap provider, so we can address the issue before the 3.5 release
> > if it exists.
> >
>
> could also be one of these fixed in 3.4:
> 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it
> does not inherit the group permissions
> 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to
> a group indirectly, it does not inherit the group permissions
>
> >>
> >>
> >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> From: "Maurice James" <mjames(a)media-node.com>
> >>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> >>>> Cc: "Itamar Heim" <iheim(a)redhat.com>, users(a)ovirt.org
> >>>> Sent: Saturday, August 9, 2014 3:47:04 AM
> >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>>>
> >>>> Does this still require the use of kerberos? Will 389-ds work on its
> >>>> own?
> >>>
> >>> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap
> >>> mix.
> >>>
> >>> It will be great to receive feedback[2].
> >>>
> >>> 389ds is not supported directly; I think it is similar to IPA, as it uses
> >>> 389. Maybe I should rename the profile of ipa to 389 if it works
> >>> properly.
> >>>
> >>> Regards,
> >>> Alon
> >>>
> >>> [1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
> >>> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
> >>>
> >>>>
> >>>> ----- Original Message -----
> >>>> From: "Alon Bar-Lev" <alonbl(a)redhat.com>
> >>>> To: "Itamar Heim" <iheim(a)redhat.com>
> >>>> Cc: users(a)ovirt.org
> >>>> Sent: Friday, August 8, 2014 3:45:07 PM
> >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>>>
> >>>>
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Itamar Heim" <iheim(a)redhat.com>
> >>>>> To: "Paul Robert Marino" <prmarino1(a)gmail.com>, users(a)ovirt.org
> >>>>> Sent: Friday, August 8, 2014 10:37:11 PM
> >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>>>>
> >>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
> >>>>>> I have ovirt engine running and connected to a 389 server with the
> >>>>>> memberof plugin enabled and working properly.
> >>>>>>
> >>>>>> I can add users and assign them to roles without any issues.
> >>>>>>
> >>>>>> When I look at a user I can see all the LDAP groups they are a
> >>>>>> member of.
> >>>>>>
> >>>>>> When I run engine-manage-domains -action=validate it tells me the
> >>>>>> domain is valid.
> >>>>>>
> >>>>>> Here is my problem: when I try to assign a role to an LDAP group it
> >>>>>> looks like it works, but in the general tab under the group it
> >>>>>> tells me the status is Inactive.
> >>>>>>
> >>>>>> Does anyone know how to enable the group?
> >>>>>> _______________________________________________
> >>>>>> Users mailing list
> >>>>>> Users(a)ovirt.org
> >>>>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>>>>
> >>>>>
> >>>>> 3.4 or new 3.5 Generic LDAP provider?
> >>>>
> >>>>
> >>>> In case this is 3.5, it is a known issue: all groups will be seen as
> >>>> inactive. This field will probably be removed from the UI, as groups are no
> >>>> longer fetched periodically.
> >>>> This field is totally ignored.
> >>>>
> >>>> Alon
> >>>>
> >>
> >
>
>