
Hello Alon,
I'm trying to configure LDAP authentication with oVirt 3.5 and ovirt-engine-extension-aaa-ldap. I chose the simple bind transport example. But the given examples are missing the explicit specification of a base dn. Could you please advise me how this can be done?
My current configuration:

[jd@om01 ovirt-engine]$ cat aaa/company-ldap.properties
include = <openldap.properties>

vars.server = ldap.company.de
vars.user = cn=system,dc=company,dc=de
vars.password = password

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
[jd@om01 ovirt-engine]$ cat company-ldap-authn.properties
ovirt.engine.extension.name = company-ldap-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = company-ldap
ovirt.engine.aaa.authn.authz.plugin = company-ldap-authz
config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
[jd@om01 ovirt-engine]$ cat company-ldap-authz.properties
ovirt.engine.extension.name = company-ldap-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
[jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
# extended LDIF
#
# LDAPv3
# base <dc=company,dc=de> with scope subtree
# filter: cn=jdeloro
# requesting: ALL
#

# jdeloro, users, admins, company.de
dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
[... and many more lines ...]
I could not use namingContexts from the RootDSE because this results in the base DN dc=de instead of dc=company,dc=de.
Can you explain why the namingContexts is not sufficient? Just for me to know, and maybe to enable an easier override. It should contain a valid base DN for you to use.
[jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -s base namingContexts -LLL
dn:
namingContexts: dc=de

This isn't the correct base DN. I need dc=company,dc=de to find any users. I don't know why LDAP is configured like this, but I need to work with it.

[jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=de cn=jdeloro
# extended LDIF
#
# LDAPv3
# base <dc=de> with scope subtree
# filter: cn=jdeloro
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

[jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
# extended LDIF
#
# LDAPv3
# base <dc=company,dc=de> with scope subtree
# filter: cn=jdeloro
# requesting: ALL
#

# jdeloro, users, admins, company.de
dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
[... and many more lines ...]
You have two options to fix this:
1. Add another attribute to openldap, let's say myNamingContext, with a valid value, and add the following to the profile (company-ldap.properties):

sequence-init.init.610-my-openldap-init-vars = my-openldap-init-vars
sequence.my-openldap-init-vars.010.description = set base dn
sequence.my-openldap-init-vars.010.type = var-set
sequence.my-openldap-init-vars.010.var-set.variable = simple_attrsBaseDN
sequence.my-openldap-init-vars.010.var-set.value = myNamingContexts
I can't use this option, because I'm not allowed to make LDAP changes.
2. another option is to enforce baseDN (company-ldap.properties):
sequence-init.open.910-my-openldap-init-vars = my-openldap-init-vars
sequence.my-openldap-init-vars.010.description = set base dn
sequence.my-openldap-init-vars.010.type = var-set
sequence.my-openldap-init-vars.010.var-set.variable = _simple_baseDN
sequence.my-openldap-init-vars.010.var-set.value = dc=company,dc=de
I have added the lines and restarted ovirt-engine, but the Namespace in 'Add Users and Groups' is still 'dc=de' and I can't find any users.

Kind regards
Jannick
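As an added illustration (my own shell script, not something posted in the thread and not part of ovirt-engine-extension-aaa-ldap), the probe below automates the check Jannick did by hand: read the namingContexts the RootDSE advertises, test each candidate base DN with a base-scope search, and count user entries under the ones that exist, so the value for the _simple_baseDN override is confirmed before it goes into the profile. LDAP_URI, BIND_DN and PASS_FILE are variable names I chose; the server and bind DN defaults are the ones from the thread. Two caveats a reviewer would add here: keep the bind password off the command line (the script reads it with -y from a file that should be mode 0600, and the plaintext copy in company-ldap.properties deserves the same file permissions), and remember that a simple bind over ldap:// sends that password in the clear, so prefer ldaps:// or StartTLS (-ZZ) where the server offers it.

```shell
#!/bin/sh
# Added example, not part of ovirt-engine-extension-aaa-ldap or the thread.
# Finds out which base DN really holds the users before it is hard-wired
# into the profile as _simple_baseDN. Assumes OpenLDAP's ldapsearch.
# LDAP_URI, BIND_DN and PASS_FILE are my placeholders; the defaults are the
# server and bind DN from the thread.

LDAP_URI="${LDAP_URI:-ldap://ldap.company.de}"
BIND_DN="${BIND_DN:-cn=system,dc=company,dc=de}"
PASS_FILE="${PASS_FILE:-$HOME/.ldappass}"   # chmod 600; never pass -w on the CLI

# Common ldapsearch prefix: plain LDIF, no comments, no line wrapping.
ldap() {
    ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URI" -D "$BIND_DN" -y "$PASS_FILE" "$@"
}

# Print every namingContexts value the RootDSE advertises, one per line.
# In the thread this yields "dc=de", which is not where the users live.
root_naming_contexts() {
    ldap -s base -b '' '(objectClass=*)' namingContexts | sed -n 's/^namingContexts: //p'
}

# Exit 0 if entry $1 exists, otherwise ldapsearch's own exit code
# (32 = "No such object", exactly what the thread saw for dc=de).
base_dn_exists() {
    ldap -s base -b "$1" '(objectClass=*)' dn >/dev/null 2>&1
}

# Number of entries under base $1 (subtree scope) matching filter $2.
# grep -c exits 1 on zero matches, so force success to keep the count.
count_under() {
    ldap -s sub -b "$1" "$2" dn 2>/dev/null | grep -c '^dn: ' || true
}

# For each candidate base DN given as an argument, report whether it exists
# and how many entries match the user filter passed as $1.
find_user_base() {
    filter="$1"; shift
    for base in "$@"; do
        if base_dn_exists "$base"; then
            printf '%s\t%s matching entries\n' "$base" "$(count_under "$base" "$filter")"
        else
            printf '%s\tNo such object (ldapsearch exit %s)\n' "$base" "$?"
        fi
    done
}

# Usage, with the thread's values: advertised context first, then the real one.
#   find_user_base '(cn=jdeloro)' $(root_naming_contexts) dc=company,dc=de
```

Source the file and call find_user_base with the user filter followed by every base DN you want to try; a line ending in "exit 32" is the RootDSE context that does not exist as an entry, and the line with a non-zero entry count is the value to put into the _simple_baseDN var-set.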