Blank suggests that there is an initialization error.
Please attach (do not paste) the LDAP profile, extension properties and engine.log.
I may need the debug log as well, but let's start with this.
----- Original Message -----
From: "David Smith" <dsmith(a)mypchelp.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: "users" <users(a)ovirt.org>
Sent: Wednesday, May 6, 2015 12:49:09 AM
Subject: Re: [ovirt-users] AAA LDAP Authentication
I added that to the end, since there wasn't any reference on it as to where
to put it;
I restarted the engine and didn't notice any changes, the namespace still
reads the same as before, and no users show up.
Note that in the field to the right of namespace it's blank, whereby with
"internal" or our other pre-AAA LDAP config it shows "*" and can be changed
to a username as a filter; in this case it doesn't allow me to enter
anything.
On Tue, May 5, 2015 at 2:34 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>
> I'm beginning to understand... although I cannot figure out how login works
> while search does not.
>
> Anyway, try to add this to your profile:
>
> sequence-init.init.900-local-init-vars = local-init-vars
> sequence.local-init-vars.010.description = override name space
> sequence.local-init-vars.010.type = var-set
> sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
> sequence.local-init-vars.010.var-set.value = cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> sequence.local-init-vars.020.description = apply filter to users
> sequence.local-init-vars.020.type = var-set
> sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
> sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)
> sequence.local-init-vars.030.description = apply filter to groups
> sequence.local-init-vars.030.type = var-set
> sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
> sequence.local-init-vars.030.var-set.value = ${seq:simple_filterGroupObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)
>
>
> ----- Original Message -----
> > From: "David Smith" <dsmith(a)mypchelp.com>
> > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > Cc: "users" <users(a)ovirt.org>
> > Sent: Wednesday, May 6, 2015 12:17:59 AM
> > Subject: Re: [ovirt-users] AAA LDAP Authentication
> >
> > I can log into oVirt, I can see the profile, it doesn't throw any errors.
> > However, it doesn't display any users. This is because the automatic rootDN
> > is wrong.
> > oVirt shows "Namespace: dc=corp, dc=ft, dc=com"; if this is the search base
> > it actually needs to be cn=users, cn=accounts, dc=corp, dc=ft, dc=com.
> > Hence my desire to configure rootDN.
> >
> > Then, I also want to filter based on the above (sorry, the traffic part
> > was a comment from testlink, the line should be)
> > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)';
> > That filter is what makes sure the results only show users in the specific
> > group I want to give access to.
> >
> > Thanks,
> > David
> >
> > On Tue, May 5, 2015 at 2:08 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
> >
> > > Hi,
> > >
> > > So your configuration is working, just you want to filter users?
> > >
> > > I do not follow what organization filter is.
> > >
> > > >
'(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; //
> e.g.
> > > > '(organizationname=*Traffic)'
> > >
> > > It looks to me that you want to narrow the results based on a specific
> > > attribute value.
> > >
> > > But first you should confirm that all is working for you; only then can we
> > > start customizing the provider to meet your special needs.
> > >
> > > Thanks,
> > > Alon.
> > >
> > > ----- Original Message -----
> > > > From: "David Smith" <dsmith(a)mypchelp.com>
> > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > > > Cc: "users" <users(a)ovirt.org>
> > > > Sent: Wednesday, May 6, 2015 12:01:28 AM
> > > > Subject: Re: [ovirt-users] AAA LDAP Authentication
> > > >
> > > > Hi Alon,
> > > >
> > > > Thanks for the quick reply.
> > > > openldap works fine; I use it with testlink (as shown in the example
> > > > config). We're not using Active Directory; just LDAP. The example config
> > > > I provided is fully inclusive of all configuration required for "testlink"
> > > > to use LDAP. I also have jenkins and mantis configured using the same
> > > > parameters (although their terminology on where to enter the parameters
> > > > is varied, they use all the same information).
> > > >
> > > > The rootDSE is being determined automatically; however, for my use it's
> > > > wrong and needs to be provided manually. Again, I have no control over
> > > > this. It's a company-wide configuration that won't be changed just for me.
> > > >
> > > > How would I be able to specify the organization filter line if I added
> > > > some other include directive of whatever driver? I don't even understand
> > > > what you're saying, exactly. Not all ovirt users/managers are programming
> > > > experts.
> > > >
> > > > I use LDAPS because that's what my company supports. StartTLS is NOT
> > > > supported (as I stated). Silly on their part, right?
> > > >
> > > > Thanks,
> > > > David
> > > >
> > > > On Tue, May 5, 2015 at 1:18 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > Resources include sysadmin documentation[1], integrator documentation[2],
> > > > > overview[3], examples[4].
> > > > >
> > > > > You did not specify what LDAP vendor it is.
> > > > >
> > > > > I can guess your directory is Active Directory, hence all you need to
> > > > > do is follow the "QUICK START"[5].
> > > > >
> > > > > The rootDSE is determined automatically; all you need is to provide a
> > > > > valid user and password.
> > > > >
> > > > > What you are missing in your configuration is the include directive of
> > > > > the proper driver.
> > > > > Not sure why you use LDAPS and not LDAP with startTLS; startTLS is more
> > > > > flexible and should be used unless there is an issue.
> > > > >
> > > > > Alon
> > > > >
> > > > > [1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b...
> > > > > [2] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b...
> > > > > [3] http://www.ovirt.org/Features/AAA
> > > > > [4] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=t...
> > > > > [5] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b...
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "David Smith" <dsmith(a)mypchelp.com>
> > > > > > To: "users" <users(a)ovirt.org>
> > > > > > Sent: Tuesday, May 5, 2015 11:09:25 PM
> > > > > > Subject: [ovirt-users] AAA LDAP Authentication
> > > > > >
> > > > > > I'm trying to set up the new 3.5 AAA LDAP Auth, but it's lacking some
> > > > > > serious detail in documentation; the rest is java-programmer-oriented
> > > > > > docs only, that I can find:
> > > > > >
> > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git
> > > > > >
> > > > > > Here's a sample config (sanitized) that I need to adapt to ovirt; *I
> > > > > > HAVE NO control over the LDAP server.
> > > > > >
> > > > > > So far I've managed to figure out through search after search to use
> > > > > > LDAPS (TLS isn't an option, thanks!)
> > > > > > Two parts I can't figure out: setting rootDN and setting the
> > > > > > organization filter-- members of that particular organization should
> > > > > > have access to ovirt, and none others.
> > > > > >
> > > > > > vars.server = directory.ft.com
> > > > > >
> > > > > > #
> > > > > > # Search user and its password.
> > > > > > #
> > > > > > vars.user = uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> > > > > > vars.urootdn = cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> > > > > > vars.password = Ft######
> > > > > >
> > > > > > pool.default.serverset.single.server = ${global:vars.server}
> > > > > > pool.default.serverset.single.port = 636
> > > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > > > pool.default.auth.simple.rootDN = ${global:vars.urootdn}
> > > > > > pool.default.auth.simple.password = ${global:vars.password}
> > > > > >
> > > > > > # enable SSL
> > > > > > pool.default.ssl.enable = true
> > > > > > #pool.default.ssl.insecure = false
> > > > > >
> > > > > > # Create keystore, import certificate chain and uncomment
> > > > > > # if using ssl/tls.
> > > > > > #pool.default.ssl.startTLS = true
> > > > > > pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
> > > > > > pool.default.ssl.truststore.password = changeit
> > > > > >
> > > > > >
> > > > > > example config from testlink
> > > > > > $tlCfg->authentication['method'] = 'LDAP';
> > > > > >
> > > > > > /** LDAP authentication credentials */
> > > > > > $tlCfg->authentication['ldap_server'] = 'ldaps://directory.ft.com';
> > > > > > $tlCfg->authentication['ldap_port'] = '636';
> > > > > > $tlCfg->authentication['ldap_version'] = '3';
> > > > > > $tlCfg->authentication['ldap_root_dn'] = 'cn=users,cn=accounts,dc=corp,dc=ft,dc=com';
> > > > > > $tlCfg->authentication['ldap_bind_dn'] = 'uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com';
> > > > > > $tlCfg->authentication['ldap_bind_passwd'] = 'Ft######';
> > > > > > $tlCfg->authentication['ldap_tls'] = false; // true -> use tls
> > > > > > $tlCfg->authentication['ldap_organization'] = '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; // e.g. '(organizationname=*Traffic)'
> > > > > > $tlCfg->authentication['ldap_uid_field'] = 'uid'; // Use 'sAMAccountName' for Active Directory
> > > > > >
> > > > > > _______________________________________________
> > > > > > Users mailing list
> > > > > > Users(a)ovirt.org
> > > > > > http://lists.ovirt.org/mailman/listinfo/users
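The filters and directory parameters discussed in this thread, as an added example that is not part of the original messages or of the oVirt AAA LDAP extension's own code: a small RFC 4515 filter parser, a builder for the "default object filter AND nsRoleDN" member filter, and an equivalent ldapsearch command line so the same query can be tried against the directory with the bind user before touching the engine. The thread never says what simple_filterUserObject expands to, so the `(objectClass=person)` placeholder is an assumption; the host, base DN and role DN are the sanitized values David posted. The parser deliberately rejects the bare concatenation that the suggested var-set value produces, as a reminder that the profile fragment is only a complete filter once the extension wraps it in an enclosing `(&...)`.

```python
"""Added example (not from the thread or from the oVirt project): a minimal
RFC 4515 LDAP filter parser plus helpers that build the member filter
discussed above and an equivalent ldapsearch command for testing it outside
oVirt. Assumed, not from the thread: DEFAULT_USER_FILTER stands in for
whatever simple_filterUserObject expands to in the extension."""
import re
import shlex

DIRECTORY_HOST = "directory.ft.com"           # values David posted (sanitized)
USER_BASE_DN = "cn=users,cn=accounts,dc=corp,dc=ft,dc=com"
ROLE_DN = "cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com"
DEFAULT_USER_FILTER = "(objectClass=person)"  # assumption, see docstring
ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*")

class FilterError(ValueError):
    pass

def parse_filter(text):
    """Parse one complete filter into nested tuples or raise FilterError.
    Escaped values (\\2a, \\28 ...) are passed through undecoded. Trailing
    text is an error: "(a=1)(b=2)" is two filters, not one, until wrapped."""
    pos, node = _parse_one(text, 0)
    if pos != len(text):
        raise FilterError("trailing text at offset %d: %r" % (pos, text[pos:]))
    return node

def _parse_one(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterError("expected '(' at offset %d" % i)
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|"):                  # AND / OR over one or more filters
        i, children = i + 1, []
        while i < len(s) and s[i] == "(":
            i, child = _parse_one(s, i)
            children.append(child)
        if not children:
            raise FilterError("empty '%s' at offset %d" % (op, i))
        return _expect_close(s, i), (op, children)
    if op == "!":                         # NOT over exactly one filter
        i, child = _parse_one(s, i + 1)
        return _expect_close(s, i), ("!", [child])
    m = ATTR_RE.match(s, i)               # simple item: attr <type> value
    if not m:
        raise FilterError("expected attribute at offset %d" % i)
    attr, i = m.group(0), m.end()
    for ftype in ("~=", ">=", "<=", "="):
        if s.startswith(ftype, i):
            i += len(ftype)
            break
    else:
        raise FilterError("expected filter type after %r" % attr)
    end = s.find(")", i)
    if end < 0:
        raise FilterError("unterminated item for %r" % attr)
    value = s[i:end]
    if "(" in value:
        raise FilterError("unescaped '(' in value of %r, use \\28" % attr)
    if ftype == "=" and value == "*":
        ftype = "present"
    elif ftype == "=" and "*" in value:
        ftype = "substring"
    return end + 1, (ftype, attr, value)

def _expect_close(s, i):
    if i >= len(s) or s[i] != ")":
        raise FilterError("expected ')' at offset %d" % i)
    return i + 1

def is_valid_filter(text):
    try:
        return parse_filter(text) is not None
    except FilterError:
        return False

def and_filters(*parts):
    """Wrap already-valid filters in one (&...). The profile value
    ${seq:simple_filterUserObject}(nsRoleDN=...) is this body without the
    wrapper, so on its own it is not a usable filter."""
    for p in parts:
        parse_filter(p)
    return "(&" + "".join(parts) + ")"

def role_member_filter(default_filter=DEFAULT_USER_FILTER, role_dn=ROLE_DN):
    """Users matching the default object filter AND holding the nsRoleDN."""
    return and_filters(default_filter, "(nsRoleDN=%s)" % role_dn)

def ldapsearch_argv(search_filter, host=DIRECTORY_HOST, port=636,
                    bind_dn="uid=newproductslab," + USER_BASE_DN,
                    base_dn=USER_BASE_DN, attrs=("uid", "cn", "nsRoleDN")):
    """argv for an equivalent OpenLDAP ldapsearch over LDAPS. -W prompts for
    the bind password instead of taking it on the command line, where ps
    and shell history would expose it."""
    parse_filter(search_filter)
    return ["ldapsearch", "-x", "-H", "ldaps://%s:%d" % (host, port),
            "-D", bind_dn, "-W", "-b", base_dn, "-s", "sub",
            search_filter] + list(attrs)

if __name__ == "__main__":
    flt = role_member_filter()
    print(" ".join(shlex.quote(a) for a in ldapsearch_argv(flt)))
```

Running the printed ldapsearch against the directory (it needs the CA chain trusted by the OpenLDAP client, just as the engine needs it in the JKS truststore) answers the question the thread circles around: whether the bind user can see any entries under cn=users,cn=accounts,... at all, and whether the nsRoleDN restriction leaves the expected members. If that search returns nothing, the oVirt profile will not either, whatever the namespace override says.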