----- Original Message -----
From: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
To: "Nathan Stratton" <nathan(a)robotics.net>
Cc: "Oved Ourfalli" <ovedo(a)redhat.com>, users(a)ovirt.org
Sent: Sunday, February 26, 2012 5:42:08 PM
Subject: Re: [Users] LDAP
On 02/26/2012 05:21 PM, Nathan Stratton wrote:
> On Sun, 26 Feb 2012, Yaniv Kaul wrote:
>
>> On 02/26/2012 09:46 AM, Yair Zaslavsky wrote:
>>> On 02/26/2012 09:45 AM, Yair Zaslavsky wrote:
>>>> On 02/26/2012 09:18 AM, Oved Ourfalli wrote:
>>>>> Found the problem.
>>>>> We are identifying if the LDAP server is AD or not by checking if
>>>>> the root DSE contains the "defaultNamingContext" attribute.
>>>>> This attribute is not in the LDAP standard, thus it appears in AD,
>>>>> and not in IPA and RHDS...
>>>>>
>>>>> Looking at the rootDSE you provided it looks like it was added to
>>>>> IPA, therefore we identify it as AD.
>>>>>
>>>>> Can you open us a bug on that upstream?
>>>>> Given that issue, I think we should also provide a way to set the
>>>>> ldap provider type (using the engine-manage-domains utility), in
>>>>> order to work around such issues in the future.
>>>> Don't you think that now this key (i.e. providerType=IPA) kinda
>>>> becomes mandatory?
>>> Or actually, maybe we should have it optional - if set - then this
>>> value will be used for providerType, if not - our "auto-deduction"
>>> mechanism takes place.
>>>
>>> Thoughts?
>>
>> Drop the auto-detection.
>
> That's a good point, I think the auto-detection is a bit overkill; most
> users know what they are running. Is there something I can add to the
> oVirt DB manually so I can skip the engine-manage-domains utility for
> now and move forward with using FreeIPA?
Nathan, IMHO, you will still encounter auto-detection issues during
invocation of rootDSE queries when working with LDAP-related flows with
engine-core. This means you will still get the wrong provider type.
This is something we should fix.
Oved - am I correct here?
Yair - You are correct.
Nathan - You are more than welcome to push a fix for that upstream.
Some details on what you'll have to do:
To fix the auto-identification issue you'll have to find another attribute that can
do the differentiation. Do the fix both in the utilities and in the engine core.
To create the ability to set it up you'll have to do the following:
1. Create a new configuration entry (all configuration entries are in the vdc_options
table).
It will be similar to other domain-related properties, such as AdUserName, LdapServers,
etc.
a. Create an upgrader to add it to the database (see
<sources_dir>/backend/manager/dbscripts/upgrade for examples).
b. Upon upgrade it should be empty.
2. Check in UsersDomainsCacheManagerService if it exists, and if so update a map of ldap
provider per domain.
3. When trying to check the ldap provider type, you'll have to test first if the type
already appears in the UsersDomainsCacheManagerService, and if so use that. If not,
auto-identify it.
4. Make the engine-manage-domains do something similar, and update this field in the
database according to the user input.
We'll be happy to provide more details on that, and assist in any way.
You can start with one of the fixes. They don't have to be in the same
patchset.
Yair - feel free to elaborate on other steps if you believe they are necessary.
Thank you!
Oved
>
> Nathan Stratton CTO, BlinkMind, Inc.
> nathan at robotics.net nathan at blinkmind.com
> http://www.robotics.net
> http://www.blinkmind.com
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
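The detection logic the thread describes, and the override mechanism Oved sketches in steps 2 and 3, as an added example that is not oVirt code and not from any participant. It parses constructed ldapsearch-style rootDSE dumps (hand-written samples, not captures), shows the defaultNamingContext heuristic misfiring on an IPA rootDSE that carries that attribute, and lets an explicit per-domain provider setting take precedence over auto-detection. The AD capability OID used as the "other attribute" is an assumption on the editor's part (it is the LDAP_CAP_ACTIVE_DIRECTORY_OID value AD advertises in supportedCapabilities); the thread itself names no replacement attribute, and the override map stands in for the vdc_options entry and UsersDomainsCacheManagerService map whose names the thread leaves open.

```python
"""Classify the LDAP provider behind a rootDSE, with an explicit override.

Added example, not oVirt code. The LDIF samples below are constructed by
hand; assumptions are marked where they are made.
"""
from __future__ import annotations

from typing import Mapping, Sequence

# LDAP_CAP_ACTIVE_DIRECTORY_OID, which AD lists in rootDSE supportedCapabilities.
# Assumption: used here as the differentiating attribute the thread asks for.
AD_CAPABILITY_OID = "1.2.840.113556.1.4.800"

RootDSE = Mapping[str, Sequence[str]]


def _unfold(text: str) -> list[str]:
    """Join LDIF continuation lines (a leading space) back onto their line."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_rootdse_ldif(text: str) -> dict[str, list[str]]:
    """Turn `ldapsearch -x -s base -b "" +` output into attr -> values.

    Comments, the dn: line and ldapsearch's search:/result: trailer are
    skipped. Base64 (attr::) values are kept undecoded for brevity.
    """
    attrs: dict[str, list[str]] = {}
    for line in _unfold(text):
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or name.lower() in ("dn", "search", "result"):
            continue
        attrs.setdefault(name, []).append(value.lstrip(": ").strip())
    return attrs


def detect_by_default_naming_context(root_dse: RootDSE) -> str:
    """The heuristic from the thread: AD iff defaultNamingContext is present."""
    return "AD" if "defaultNamingContext" in root_dse else "NOT_AD"


def detect_by_capability(root_dse: RootDSE) -> str:
    """Stricter auto-detection keyed on the AD capability OID (assumption)."""
    caps = root_dse.get("supportedCapabilities", ())
    return "AD" if AD_CAPABILITY_OID in caps else "NOT_AD"


def provider_type(domain: str, root_dse: RootDSE,
                  overrides: Mapping[str, str]) -> str:
    """Step 3 of the thread: an explicit per-domain setting wins, else auto-detect.

    `overrides` plays the role of the per-domain map the thread wants kept
    in UsersDomainsCacheManagerService, loaded from a vdc_options entry.
    """
    configured = overrides.get(domain.lower(), "").strip()
    if configured:
        return configured.upper()
    return detect_by_capability(root_dse)


# Constructed rootDSE dumps in ldapsearch LDIF shape (not real captures).
AD_LDIF = """\
dn:
defaultNamingContext: DC=example,DC=com
rootDomainNamingContext: DC=example,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
"""

# The case in the thread: an IPA server whose rootDSE also carries
# defaultNamingContext. The folded supportedControl line exercises unfolding.
IPA_LDIF = """\
dn:
namingContexts: dc=ipa,dc=example,dc=com
defaultNamingContext: dc=ipa,dc=example,dc=com
vendorName: 389 Project
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 2.16.840.1.113730.3.4.
 18
"""


def demo() -> dict[str, str]:
    """Run both detectors and the override path over the constructed samples."""
    ad = parse_rootdse_ldif(AD_LDIF)
    ipa = parse_rootdse_ldif(IPA_LDIF)
    overrides = {"ipa.example.com": "IPA"}  # what engine-manage-domains would store
    return {
        "ad/naive": detect_by_default_naming_context(ad),
        "ipa/naive": detect_by_default_naming_context(ipa),  # misfires as AD
        "ipa/capability": detect_by_capability(ipa),
        "ipa/configured": provider_type("ipa.example.com", ipa, overrides),
        "ad/unconfigured": provider_type("ad.example.com", ad, overrides),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

Running the module shows the naive check returning AD for both samples, while the capability check and the configured override both classify the IPA sample correctly; the override path never touches the rootDSE, which is the behaviour Yair wanted for engine-core's LDAP flows as well as for the utility.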