
I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can successfully authenticate as an LDAP user. I can also login as admin@internal and search for, find, and select LDAP users but I cannot add permissions for them. Each time I get the error "User admin@internal-authz failed to grant permission for Role UserRole on System to User/Group <UNKNOWN>."

I have no control over the LDAP server, which uses custom objectClasses and uses groupOfNames instead of PosixGroups. I assume I need to set sequence variables to accommodate our group configuration but I'm at a loss as to where to begin. The config I have is as follows:

include = <rfc2307-generic.properties>

vars.server = labauth.lan.lab.org

pool.authz.auth.type = none
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true

pool.default.connection-options.connectTimeoutMillis = 10000
pool.default.connection-options.responseTimeoutMillis = 90000
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB

sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
sequence.my-objectclass-init-vars.020.description = set objectClass
sequence.my-objectclass-init-vars.020.type = var-set
sequence.my-objectclass-init-vars.020.var-set.variable = simple_filterUserObject
sequence.my-objectclass-init-vars.020.var-set.value = (objectClass=labPerson)(uid=*)

search.default.search-request.derefPolicy = NEVER

sequence-init.init.900-local-init-vars = local-init-vars
sequence.local-init-vars.010.description = override name space
sequence.local-init-vars.010.type = var-set
sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
sequence.local-init-vars.010.var-set.value = *

sequence.local-init-vars.020.description = apply filter to users
sequence.local-init-vars.020.type = var-set
sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(employeeStatus=3)

sequence.local-init-vars.030.description = apply filter to groups
sequence.local-init-vars.030.type = var-set
sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
sequence.local-init-vars.030.var-set.value = (objectClass=groupOfUniqueNames)