> As I explained, my groups are not in the same dn path as my users. As it
> is not possible to add multiple dn paths, my only solution is to use users.
> Well, that's the 1st time I've heard about LDAP setup where users and
> groups of one domain are not under same baseDN. Usually all LDAP setups
> have some baseDN (for example 'dc=company,dc=com') and somewhere under this
> baseDN (not necessarily directly under it) we could find users and groups.
> The only exception to this is ActiveDirectory with multi-domain trust
> inside single forest (which we currently support and user of domainA can
> be a member of a group from domainB) and multi-forest trust (which we
> don't support).
Oh thank you, it actually helped a lot: I just realized the search was "recursive" and now it actually works and seems to solve my problem.
Now I only have to check if adding permissions to a group applies to users who belong to this group, but I guess it should.
> Those users have attributes like "member of" which still keep the
> information about what group they belong to. I didn't find any way using
> the interface to filter by attribute, for example to show all users member
> of group "foo".
>
> We don't support LDAP searches in the webadmin UI, because we don't
> distinguish between LDAP (ovirt-engine-extension-aaa-ldap) or database
> (ovirt-engine-extension-aaa-jdbc) providers, both of them provide users
> and groups for oVirt using same AAA interface.
And only a part of the attributes are imported to the database (it doesn't seem to be able to display them from the web interface)?
That would be a nice feature to be able to filter from any attribute of users.
Do you think I should open a new RFE bug about it?