Hi Jake,

I'm also using the RFC2307bis schema in my LDAP server.

We are still running 4.3.10; not sure if this will be different in 4.4.
I have changed my aaa properties file to use my own LDAP config file.
Which looks like this:
include = <rfc2307-special.properties>

The file needs to be located here: /usr/share/ovirt-engine-extension-aaa-ldap/profiles/rfc2307-special.properties
Content will be like this:
include = <rfc2307-openldap.properties>
search.rfc2307-resolve-groups-memberUid.search-request.filter = &(objectClass=posixGroup)(member=${seq:_rfc2307_dn})


That enabled group support for me.

Maybe it helps you as well.

Best regards
Christoph


On 23.11.20 at 11:50, Jake R wrote:
Hi,

I have LDAP with rfc2307bis schema - I have posixGroup, with members defined as FDNs under the member attribute.

Currently, if I log in to oVirt via the AAA extension, then my groups are not enumerated. The LDAP searches (recorded on the LDAP server) are:

 slapd[1503]: conn=7876 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=jreynolds))"
 slapd[1503]: conn=7876 op=2 SRCH attr=entryUUID cn description
 slapd[1503]: conn=7871 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(|(objectClass=groupOfUniqueNames)(objectClass=posixGroup))(uniqueMember:uniqueMemberMatch:=cn=jreynolds,ou=users,dc=example,dc=com))"
 slapd[1503]: conn=7871 op=2 SRCH attr=entryUUID cn description

This returns no results, as the search needs to search for the 'member' attribute, with an FDN. The issue looks to be inherited from the simple.properties file (regardless of whether I use the rfc2307 or rfc2307-openldap profile), with the line:

search.simple-resolve-groups-member.search-request.filter = &${seq:simple_filterGroupObject}(${seq:simple_attrGroupMemberDN}=${seq:_simple_dn_encoded})

I can fix the issue by replacing "${seq:simple_attrGroupMemberDN}=" with "member=", but this feels pretty hacky. I cannot find where this variable is defined, nor how to change it. Is the correct way to do this to create a new profile that overwrites the filter value? Or am I doing something wrong? I don't think my LDAP schema is particularly unusual, as far as I'm aware it complies with rfc2307bis spec.

Thanks,
Jake

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/3XOIVHSOLQ2VWVKGB6T4V5Z6GIDATR76/
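As an added diagnostic example (not code from the thread or from the oVirt project): a small Python script that parses slapd SRCH access-log lines like the ones Jake posted and flags group-resolution searches whose membership term (memberUid, or uniqueMember) cannot match an rfc2307bis posixGroup that stores members as DNs in the `member` attribute. The sample log lines are constructed from the excerpt above, plus one line showing what a corrected member=DN search looks like.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log, modelled on the slapd excerpt in the thread.
SAMPLE_LOG = """\
slapd[1503]: conn=7876 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=jreynolds))"
slapd[1503]: conn=7876 op=2 SRCH attr=entryUUID cn description
slapd[1503]: conn=7871 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(|(objectClass=groupOfUniqueNames)(objectClass=posixGroup))(uniqueMember:uniqueMemberMatch:=cn=jreynolds,ou=users,dc=example,dc=com))"
slapd[1503]: conn=7871 op=2 SRCH attr=entryUUID cn description
slapd[1503]: conn=7880 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(member=cn=jreynolds,ou=users,dc=example,dc=com))"
"""

# Only the SRCH line that carries base/scope/filter; the "SRCH attr=" line is skipped.
SRCH_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" .*filter="(?P<filter>.*)"$')
# A membership item: "(attr=value)" or "(attr:matchingRule:=value)".
MEMBER_ATTR_RE = re.compile(r'\((memberUid|uniqueMember|member)(?::[^:=]+:)?=([^)]*)\)')


def parse_search(line: str) -> Optional[Dict[str, str]]:
    m = SRCH_RE.search(line)
    return m.groupdict() if m else None


def membership_terms(ldap_filter: str) -> List[Tuple[str, str]]:
    return MEMBER_ATTR_RE.findall(ldap_filter)


def classify(ldap_filter: str) -> str:
    """Name the membership convention a resolve-groups filter is querying."""
    attrs = {attr for attr, _ in membership_terms(ldap_filter)}
    if not attrs:
        return "no-membership-term"
    if "member" in attrs:
        return "rfc2307bis-member-dn"
    if "memberUid" in attrs:
        return "rfc2307-memberUid"
    return "uniqueMember-dn"


def audit(log_text: str) -> List[Dict[str, str]]:
    """One finding per posixGroup search that cannot match members stored as DNs in 'member'."""
    findings = []
    for line in log_text.splitlines():
        s = parse_search(line)
        if not s or "posixGroup" not in s["filter"]:
            continue
        kind = classify(s["filter"])
        if kind != "rfc2307bis-member-dn":
            findings.append({"conn": s["conn"], "kind": kind, "filter": s["filter"]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"conn={f['conn']} {f['kind']}: {f['filter']}")
```

Run against a real slapd log (loglevel stats), an empty result means every group lookup already uses member=DN, as Christoph's profile override produces.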