I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can successfully authenticate as an LDAP user. I can also log in as admin@internal and search for, find, and select LDAP users, but I cannot add permissions for them. Each time I get the error "User admin@internal-authz failed to grant permission for Role UserRole on System to User/Group <UNKNOWN>."

I have no control over the LDAP server, which uses custom objectClasses and uses groupOfNames instead of PosixGroups. I assume I need to set sequence variables to accommodate our group configuration, but I'm at a loss as to where to begin. The config I have is as follows:
include = <rfc2307-generic.properties>

vars.server = labauth.lan.lab.org

pool.authz.auth.type = none
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true

pool.default.connection-options.connectTimeoutMillis = 10000
pool.default.connection-options.responseTimeoutMillis = 90000
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB

sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
sequence.my-objectclass-init-vars.020.description = set objectClass
sequence.my-objectclass-init-vars.020.type = var-set
sequence.my-objectclass-init-vars.020.var-set.variable = simple_filterUserObject
sequence.my-objectclass-init-vars.020.var-set.value = (objectClass=labPerson)(uid=*)

search.default.search-request.derefPolicy = NEVER

sequence-init.init.900-local-init-vars = local-init-vars
sequence.local-init-vars.010.description = override name space
sequence.local-init-vars.010.type = var-set
sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
sequence.local-init-vars.010.var-set.value = *

sequence.local-init-vars.020.description = apply filter to users
sequence.local-init-vars.020.type = var-set
sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(employeeStatus=3)

sequence.local-init-vars.030.description = apply filter to groups
sequence.local-init-vars.030.type = var-set
sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
sequence.local-init-vars.030.var-set.value = (objectClass=groupOfUniqueNames)
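Added diagnostic for the configuration posted above; this is example code written for this thread, not code from the aaa-ldap project or from the poster. It parses the properties fragment, runs its var-set sequences in the order the file declares them (sequence-init keys sorted, then step numbers within each sequence), resolves the ${global:...} and ${seq:...} references, and reports the effective values, so the expanded filters can be inspected before the engine is restarted. It models only var-set steps; the steps contributed by the included rfc2307-generic.properties are not available offline and are assumed not to overwrite the variables this file sets. The term-counting helper shows that simple_filterUserObject ends up as three adjacent filter terms rather than one filter, which is only a valid LDAP filter if the profile that consumes it wraps it in an (&...) conjunction; whether it does is the first thing to check in that profile.

```python
"""Resolve var-set sequences of an ovirt-engine-extension-aaa-ldap fragment
and report the effective search filters (example for this thread only)."""
import re

# The poster's configuration, embedded so the script runs offline.
CONFIG = """\
include = <rfc2307-generic.properties>
vars.server = labauth.lan.lab.org
pool.authz.auth.type = none
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true
pool.default.connection-options.connectTimeoutMillis = 10000
pool.default.connection-options.responseTimeoutMillis = 90000
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
sequence.my-objectclass-init-vars.020.description = set objectClass
sequence.my-objectclass-init-vars.020.type = var-set
sequence.my-objectclass-init-vars.020.var-set.variable = simple_filterUserObject
sequence.my-objectclass-init-vars.020.var-set.value = (objectClass=labPerson)(uid=*)
search.default.search-request.derefPolicy = NEVER
sequence-init.init.900-local-init-vars = local-init-vars
sequence.local-init-vars.010.description = override name space
sequence.local-init-vars.010.type = var-set
sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
sequence.local-init-vars.010.var-set.value = *
sequence.local-init-vars.020.description = apply filter to users
sequence.local-init-vars.020.type = var-set
sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(employeeStatus=3)
sequence.local-init-vars.030.description = apply filter to groups
sequence.local-init-vars.030.type = var-set
sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
sequence.local-init-vars.030.var-set.value = (objectClass=groupOfUniqueNames)
"""

REF = re.compile(r"\$\{(global|seq):([^}]+)\}")


def parse_properties(text):
    """Parse 'key = value' lines (first '=' splits; values may contain '=')."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def expand(value, props, seq):
    """Substitute ${global:key} from the file's own keys and ${seq:var} from
    variables set by earlier var-set steps; an unset reference is an error."""
    def repl(m):
        scope, name = m.group(1), m.group(2)
        table = props if scope == "global" else seq
        if name not in table:
            raise KeyError(f"${{{scope}:{name}}} referenced before it is set")
        return table[name]
    return REF.sub(repl, value)


def run_sequences(props):
    """Run each sequence-init.init.* entry in key order, steps in numeric order.
    Only var-set steps are modelled (assumption: the included profile's own
    steps do not reset these variables)."""
    seq = {}
    for init_key in sorted(k for k in props if k.startswith("sequence-init.init.")):
        prefix = f"sequence.{props[init_key]}."
        steps = sorted({k[len(prefix):].split(".")[0] for k in props if k.startswith(prefix)})
        for step in steps:
            base = f"{prefix}{step}."
            if props.get(base + "type") != "var-set":
                continue
            seq[props[base + "var-set.variable"]] = expand(props[base + "var-set.value"], props, seq)
    return seq


def filter_is_balanced(f):
    """True if parentheses balance (necessary, not sufficient, for a valid filter)."""
    depth = 0
    for ch in f:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return False
    return depth == 0


def top_level_terms(f):
    """Number of top-level parenthesised terms; more than one means the value
    is a list of filters that is only valid inside an enclosing (&...)/(|...)."""
    depth, terms = 0, 0
    for ch in f:
        if ch == "(":
            terms += depth == 0
            depth += 1
        elif ch == ")":
            depth -= 1
    return terms


def effective_settings(text=CONFIG):
    props = parse_properties(text)
    seq = run_sequences(props)
    return {
        "server": expand(props["pool.default.serverset.single.server"], props, seq),
        "seq": seq,
        "insecure_tls": props.get("pool.default.ssl.insecure") == "true",
    }


if __name__ == "__main__":
    s = effective_settings()
    print("server:", s["server"], "| certificate verification disabled:", s["insecure_tls"])
    for name, value in s["seq"].items():
        print(f"{name} = {value}  (terms={top_level_terms(value)}, balanced={filter_is_balanced(value)})")
```

The script also surfaces pool.default.ssl.insecure = true, which in aaa-ldap disables verification of the server certificate on the StartTLS connection; that setting is worth confirming as intended once the authorization problem is solved, since it leaves the engine's LDAP traffic open to an interposed server.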