On Wed, May 18, 2016 at 9:48 AM, Alexis HAUSER <
alexis.hauser(a)telecom-bretagne.eu> wrote:
>> Is there a way to search for attributes into the ovirt web interface, for
>> example "memberof" ?
>>
>> I can't imagine adding hundreds or thousands of users one by one...What
>> would be the solutions ?
>>
>You can assign specific permission to the group that relevant users are
>member of (we support also nested groups if needed)
>and of course you can select multiple users/groups when you assign
>permissions.
>If the above is not an option for you, could you try to describe what exactly
>are you trying to achieve?
>Thanks
>Martin Perina
As I explained, my groups are not in the same dn path as my users. As it
is not possible to add multiple dn path, my only solution is to use users.
Well, that's the 1st time I've heard about LDAP setup where users and
groups of one domain are not under same baseDN. Usually all LDAP setups
have some baseDN (for example 'dc=company,dc=com') and somewhere under this
baseDN (not necessarily directly under it) we could find users and groups.
The only exception to this is ActiveDirectory with multi-domain trust
inside single forest (which we currently support and user of domainA can
be a member of a group from domainB) and multi-forest trust (which we
don't support).
Those users have attributes like "member of" which still keep the
information about what group they belong to. I didn't find any way using
the interface to filter by attribute, for example to show all users member
of group "foo".
We don't support LDAP searches in the webadmin UI, because we don't
distinguish between LDAP (ovirt-engine-extension-aaa-ldap) or database
(ovirt-engine-extension-aaa-jdbc) providers, both of them provide users
and groups for oVirt using same AAA interface.
I could do that with ldapsearch, but then how would I inject the result to
ovirt configuration to add those users to specific ovirt roles ("ovirt
permission groups") ?
So the only way that comes to my mind is to use one of our SDKs (Python,
Java, Ruby). You would need to implement LDAP query by yourself and then
add wanted permission to those users using our SDKs.
Martin Perina
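
An added example, not part of the original thread and not oVirt code: the LDAP half of the approach suggested above, building a safely escaped "memberOf" filter for ldapsearch and turning its LDIF output into the list of logins that would then be given a role through one of the SDKs (that SDK call is not shown). The `uid` attribute, the `objectClass=person` clause and all DNs in the sample are assumptions constructed for illustration.

```python
import base64

def escape_filter_value(value):
    # RFC 4515: escape characters that would change the filter's structure.
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def member_of_filter(group_dn):
    # objectClass=person is an assumption; adjust to the directory's schema.
    return "(&(objectClass=person)(memberOf=%s))" % escape_filter_value(group_dn)

def parse_ldif(text):
    # Unfold continuation lines (they start with one space), then split entries.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line.strip():
            if "dn" in cur:           # skip ldapsearch's trailing result block
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>" for non-ASCII values
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            cur.setdefault(attr.lower(), []).append(value)
    return entries

def logins(entries, attr="uid"):
    # One login name per entry; these are the users to grant the oVirt role to.
    return [e[attr][0] for e in entries if attr in e]

# Constructed sample of ldapsearch output (folded dn, base64 cn, result block).
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=exa\n"
    " mple,dc=org\n"
    "uid: alice\n"
    "memberOf: cn=foo,ou=groups,dc=other,dc=org\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=org\n"
    "uid: bob\n"
    "cn:: Wm/DqQ==\n"
    "memberOf: cn=foo,ou=groups,dc=other,dc=org\n"
    "\n"
    "# search result\nsearch: 2\nresult: 0 Success\n"
)
```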