Hi,
I have LDAP with the rfc2307bis schema - I have posixGroup entries, with
members defined as FDNs under the member attribute.
Currently, if I log in to oVirt via the AAA extension, then my
groups are not enumerated. The LDAP searches (recorded on the
LDAP server) are:
slapd[1503]: conn=7876 op=2 SRCH base="dc=example,dc=com"
scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=jreynolds))"
slapd[1503]: conn=7876 op=2 SRCH attr=entryUUID cn description
slapd[1503]: conn=7871 op=2 SRCH base="dc=example,dc=com"
scope=2 deref=0
filter="(&(|(objectClass=groupOfUniqueNames)(objectClass=posixGroup))(uniqueMember:uniqueMemberMatch:=cn=jreynolds,ou=users,dc=example,dc=com))"
slapd[1503]: conn=7871 op=2 SRCH attr=entryUUID cn description
This returns no results, as the search needs to search for the
'member' attribute, with an FDN. The issue looks to be inherited
from the simple.properties file (regardless of whether I use the rfc2307
or rfc2307-openldap profile), with the line:
search.simple-resolve-groups-member.search-request.filter =
&${seq:simple_filterGroupObject}(${seq:simple_attrGroupMemberDN}=${seq:_simple_dn_encoded})
I can fix the issue by replacing
"${seq:simple_attrGroupMemberDN}=" with "member=", but this
feels pretty hacky. I cannot find where this variable is
defined, nor how to change it. Is the correct way to do this to
create a new profile that overwrites the filter value? Or am I
doing something wrong? I don't think my LDAP schema is
particularly unusual; as far as I'm aware it complies with the
rfc2307bis spec.
Thanks,
Jake
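To make the mismatch in the logged searches concrete, here is an added example (not part of the original post, and not code from ovirt-engine-extension-aaa-ldap) that emulates the three candidate group filters against a few constructed posixGroup entries. The group entries, the user DN and the DN normalization are assumptions for illustration; the only thing that changes between the filters is the membership attribute name.

```python
"""Emulate (&(objectClass=posixGroup)(<attr>=<value>)) over constructed entries.

Shows why a memberUid or uniqueMember filter finds nothing in an rfc2307bis
directory whose groups hold full DNs under 'member'.
"""
from typing import Dict, List

# Constructed directory content (assumption): rfc2307bis style, members as DNs.
GROUPS: List[Dict[str, List[str]]] = [
    {"cn": ["admins"], "objectClass": ["posixGroup"],
     "member": ["cn=jreynolds,ou=users,dc=example,dc=com"]},
    {"cn": ["devs"], "objectClass": ["posixGroup"],
     "member": ["CN=JReynolds,OU=Users,DC=example,DC=com",  # same DN, other case
                "cn=asmith,ou=users,dc=example,dc=com"]},
    {"cn": ["legacy"], "objectClass": ["posixGroup"],
     "memberUid": ["asmith"]},  # old rfc2307 style: uid strings, not DNs
]

USER_UID = "jreynolds"
USER_DN = "cn=jreynolds,ou=users,dc=example,dc=com"


def normalize_dn(dn: str) -> str:
    """Approximate distinguishedNameMatch: case-insensitive, ignore space around RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def matches(entry: Dict[str, List[str]], attr: str, value: str) -> bool:
    """Equality match on one attribute; DN-valued attributes compare normalized."""
    values = entry.get(attr, [])
    if attr.lower() in ("member", "uniquemember"):
        return any(normalize_dn(v) == normalize_dn(value) for v in values)
    return any(v.lower() == value.lower() for v in values)


def resolve_groups(entries: List[Dict[str, List[str]]], attr: str, value: str) -> List[str]:
    """Return the cn of every posixGroup whose <attr> equals <value>."""
    return sorted(e["cn"][0] for e in entries
                  if "posixGroup" in e["objectClass"] and matches(e, attr, value))


if __name__ == "__main__":
    for attr, value in (("memberUid", USER_UID), ("uniqueMember", USER_DN), ("member", USER_DN)):
        print(f"{attr:13s} -> {resolve_groups(GROUPS, attr, value)}")
```

Only the `member=<DN>` filter returns the user's groups; the two filters seen in the slapd log match nothing against these entries.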
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/3XOIVHSOLQ2VWVKGB6T4V5Z6GIDATR76/