Re: [Users] webadmin login issues with AD
On 3/3/13 6:57 AM, Yair Zaslavsky wrote:
Please elaborate on "quite a few groups" - actually this is
a well known issue.
I was afraid you might have permissions on "too many objects" or that the
account is a member of too many groups.
However, being a member of too many groups should have caused the search to be slow/hang
as well.
I don't have an exact count, but I think its along the order of
magnitude of 300-400.
I didn't notice the searches (when trying to add the account to the
ovirt permissions) was unbearable slow like the logins.
But why does ovirt even care about the groups? I thought it was only
using AD for authentication and that the authorization was all done
internally through the permissions granted. Or is that just a standard
"library" that ovirt is using that is doing this?
I don't suppose there is a work around?
Hi, you can look at the following link -
http://docs.oracle.com/javase/jndi/tutorial/ldap/security/sasl.html
we support changing sasl_qop. You can use engine-config to do that.
engine-config -s sasl_qop=auth will change Quality of Propetction to be only at
authentication.
Please let us know if using that you will be able to see the ldap queries (i.e - have
them plain and not encrypted)
Ok, yeah that allows me to see the ldap requests...
Looks like its going through all of the groups I am a member of and
doing a search on each one. And in a not so terribly efficient way
(connect/bind/search/close... repeat).