
Hi,

In order to help and create a profile for this variant I need the full output of:

$ ldapsearch -E pr=100/noprompt -o ldif-wrap=no -H ldap://ids.sdju.edu.cn -x -D 'cn=directory manager' -w mypassword -b 'dc=sdju,dc=edu,dc=cn'

Please do not paste but paste. You can send me privately.

Regards,
Alon

----- Original Message -----
From: "lofyer" <lofyer@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "Yair Zaslavsky" <yzaslavs@redhat.com>, "users" <users@ovirt.org>
Sent: Tuesday, October 14, 2014 12:22:03 PM
Subject: Re: [ovirt-users] How to mapping LDAP users in AAA
Yes, I do add authz and authn in /etc/ovirt-engine/extension.d/ like this
==============================
/etc/ovirt-engine/extensions.d/authn-sdju.edu.cn.properties:

ovirt.engine.extension.name = authn-sdju.edu.cn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = sdju.edu.cn
ovirt.engine.aaa.authn.authz.plugin = authz-sdju.edu.cn
config.profile.file.1 = /etc/ovirt-engine/aaa/sdju.edu.cn.properties
==============================
/etc/ovirt-engine/extensions.d/authz-sdju.edu.cn.properties:

ovirt.engine.extension.name = authz-sdju.edu.cn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/sdju.edu.cn.properties
==============================
And here's my log:
ldapsearch -H ldap://ids.sdju.edu.cn -b '' -D 'cn=directory manager' -w mypassword -s BASE
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
namingContexts: dc=sdju,dc=edu,dc=cn
namingContexts: o=NetscapeRoot
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun Java(TM) System Directory Server/5.2_Patch_4
dataversion: 020121212071504020121212071504
netscapemdsuffix: cn=ldap://dc=ids1,dc=sdju,dc=edu,dc=cn:389

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
==============================
ldapsearch -E pr=100/noprompt -H ldap://ids.sdju.edu.cn -x -D 'cn=directory manager' -w mypassword -b ou=JZG,dc=sdju,dc=edu,dc=cn
# extended LDIF
#
# LDAPv3
# base <ou=JZG,dc=sdju,dc=edu,dc=cn> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with pagedResults control: size=100
#

# JZG, sdju.edu.cn
dn: ou=JZG,dc=sdju,dc=edu,dc=cn
ou: JZG
objectClass: organizationalUnit
objectClass: iplanet-am-managed-people-container
objectClass: top

# 30419, JZG, sdju.edu.cn
dn: uid=30419,ou=JZG,dc=sdju,dc=edu,dc=cn
eduPersonCardID: XXXXX219631030057X
uid: 30419
...
...
...
userPassword:: e1NTSEF9OUNWcXMxbnA0YjFsU0NzZDNqODRIOTVBQ1VQTlR1cEI0UmNnSEE9PQ==

# search result
search: 2
result: 0 Success

# numResponses: 1251
# numEntries: 1250
On 14-10-14 3:18 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "lofyer" <lofyer@gmail.com>
To: "Yair Zaslavsky" <yzaslavs@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Tuesday, October 14, 2014 9:29:57 AM
Subject: Re: [ovirt-users] How to mapping LDAP users in AAA

Sun Java Access System Manager

this is not openldap... why do you use openldap profile?

please attach full export of this ldap server, output of:

rootdse:
$ ldapsearch -H ldap://example.com -b '' -x -D 'cn=directory manager' -w mypassword -s BASE

entities:
$ ldapsearch -o ldif-wrap=no -E pr=100/noprompt -H ldap://example.com -x -D 'cn=directory manager' -w mypassword -b <NAMING_CONTEXT>
On 14-10-14 1:52 PM, Yair Zaslavsky wrote:
----- Original Message -----
From: "lofyer" <lofyer@gmail.com>
To: "users" <users@ovirt.org>
Sent: Tuesday, October 14, 2014 5:10:56 AM
Subject: [ovirt-users] How to mapping LDAP users in AAA

I've got an LDAP server without kerberos and I am trying to integrate its users to oVirt-3.5 with AAA.
==========================
Which ldap server is that, what vendor?
/etc/ovirt-engine/aaa/example.properties:

include = <openldap.properties>

vars.user = cn=directory manager
vars.password = mypassword
vars.server = example.com

#pool.default.ssl.startTLS = false
#pool.default.ssl.truststore.file = /etc/ldap_tls/ca_cert.pem
#pool.default.ssl.truststore.password = admin

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
==========================
This is my basic ldap information:
ou=Groups
|
+---- cn=UserGroup1
|
+---- cn=UserGroup2

ou=UserGroup1
|
+---- cn=user1
|
+---- cn=user2

ou=UserGroup2
|
+---- cn=user3
|
+---- cn=user4
==========================
Now I can see example.com in web portal but I cannot list users in UG1 or UG2.
I find that I could map DN, ID NAME, DISPLAY in the config file. What should I add in the config file then?

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
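As an added example (written here for this page, not code from the thread or from oVirt), a small Python LDIF reader that does the two checks a reviewer would want before an export like the one above is sent to a mailing list: read the rootDSE for the vendor, naming contexts and SASL mechanisms a profile has to match, and list every entry whose userPassword the bind account was able to read so those values can be redacted. The sample LDIF is constructed in the shape of the ldapsearch output in the thread (comments, `::` base64 values, a folded continuation line); the {SSHA} value is a fake string, not a real hash.

```python
import base64
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed sample in the shape of the thread's ldapsearch output: a trimmed
# rootDSE, one user entry and the trailer. The userPassword value is a fake
# {SSHA} string (hypothetical, not a real hash), base64-encoded and folded
# onto a continuation line the way ldapsearch wraps long values by default.
FAKE_HASH_B64 = base64.b64encode(b"{SSHA}constructed-not-a-real-hash").decode()
SAMPLE_LDIF = (
    "# extended LDIF\n#\n# LDAPv3\n# base <> with scope baseObject\n"
    "# filter: (objectclass=*)\n# requesting: ALL\n#\n\n"
    "#\ndn:\nobjectClass: top\n"
    "namingContexts: dc=sdju,dc=edu,dc=cn\nnamingContexts: o=NetscapeRoot\n"
    "supportedSASLMechanisms: EXTERNAL\nsupportedSASLMechanisms: DIGEST-MD5\n"
    "vendorName: Sun Microsystems, Inc.\n"
    "vendorVersion: Sun Java(TM) System Directory Server/5.2_Patch_4\n\n"
    "# 30419, JZG, sdju.edu.cn\ndn: uid=30419,ou=JZG,dc=sdju,dc=edu,dc=cn\n"
    "uid: 30419\nobjectClass: inetOrgPerson\n"
    "userPassword:: " + FAKE_HASH_B64[:20] + "\n " + FAKE_HASH_B64[20:] + "\n\n"
    "# search result\nsearch: 2\nresult: 0 Success\n\n"
    "# numResponses: 3\n# numEntries: 2\n"
)


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF text into a list of entries ({attribute: [values]}).

    Handles '#' comment lines, folded lines (a continuation line starts with one
    space), and '::' base64-encoded values, which are decoded to text. Only
    records that carry a dn are kept, so the 'search/result' trailer is dropped.
    """
    # Unfold first: a line starting with a space continues the previous line.
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue                      # not an attribute line (e.g. "...")
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries


def summarize_rootdse(entries: List[Entry]) -> Optional[Dict[str, object]]:
    """Pull the facts a profile must match out of the rootDSE (the entry with an empty dn)."""
    root = next((e for e in entries if e.get("dn") == [""]), None)
    if root is None:
        return None
    return {
        "vendor": root.get("vendorName", [""])[0],
        "naming_contexts": root.get("namingContexts", []),
        "sasl": root.get("supportedSASLMechanisms", []),
    }


def find_exposed_passwords(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (dn, hash scheme) for every entry whose export contains userPassword."""
    found: List[Tuple[str, str]] = []
    for entry in entries:
        for value in entry.get("userPassword", []):
            scheme = value[: value.index("}") + 1] if value.startswith("{") and "}" in value else "none"
            found.append((entry["dn"][0], scheme))
    return found


def redact_passwords(text: str) -> str:
    """Blank every userPassword value (including its folded continuation lines)."""
    out: List[str] = []
    skipping = False
    for raw in text.splitlines():
        if skipping and raw.startswith(" "):
            continue                      # drop the rest of a folded value
        skipping = False
        if raw.lower().startswith("userpassword:"):
            out.append("userPassword: [REDACTED]")
            skipping = True
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print(summarize_rootdse(parsed))
    for dn, scheme in find_exposed_passwords(parsed):
        print(f"userPassword readable by the bind account for {dn} (scheme {scheme})")
```

Run against a real export, the report is the point: the thread's export was taken as cn=directory manager over plain ldap:// with the startTLS lines commented out, so the hashes came back readable and would have travelled in the clear; a dedicated, read-only bind account for the engine and a redacted export for the list avoid both.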