
On 10/06/2016 01:47 PM, Michael Burch wrote:
I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can successfully authenticate as an LDAP user. I can also login as admin@internal and search for, find, and select LDAP users but I cannot add permissions for them. Each time I get the error "User admin@internal-authz failed to grant permission for Role UserRole on System to User/Group <UNKNOWN>."
This error usually means bad unique attribute used.
I have no control over the LDAP server, which uses custom objectClasses and uses groupOfNames instead of PosixGroups. I assume I need to set sequence variables to accommodate our group configuration but I'm at a loss as to where to begin. The config I have is as follows:
include = <rfc2307-generic.properties>
vars.server = labauth.lan.lab.org
pool.authz.auth.type = none
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true
pool.default.connection-options.connectTimeoutMillis = 10000
pool.default.connection-options.responseTimeoutMillis = 90000

sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB

sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
sequence.my-objectclass-init-vars.020.description = set objectClass
sequence.my-objectclass-init-vars.020.type = var-set
sequence.my-objectclass-init-vars.020.var-set.variable = simple_filterUserObject
sequence.my-objectclass-init-vars.020.var-set.value = (objectClass=labPerson)(uid=*)
search.default.search-request.derefPolicy = NEVER
sequence-init.init.900-local-init-vars = local-init-vars
sequence.local-init-vars.010.description = override name space
sequence.local-init-vars.010.type = var-set
sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
sequence.local-init-vars.010.var-set.value = *
What's this^ for? I think it's unusable.
sequence.local-init-vars.020.description = apply filter to users
sequence.local-init-vars.020.type = var-set
sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(employeeStatus=3)

sequence.local-init-vars.030.description = apply filter to groups
sequence.local-init-vars.030.type = var-set
sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
sequence.local-init-vars.030.var-set.value = (objectClass=groupOfUniqueNames)
This looks like a hard-to-maintain file. I would suggest you insert into this file just the following:

include = <rfc2307-mycustom.properties>

vars.server = labauth.lan.lab.org

pool.authz.auth.type = none
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true
pool.default.connection-options.connectTimeoutMillis = 10000
pool.default.connection-options.responseTimeoutMillis = 90000

# Set custom base DN
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB

And then create in directory '/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' the file 'rfc2307-mycustom.properties' with content:

include = <rfc2307.properties>

sequence-init.init.100-rfc2307-mycustom-init-vars = rfc2307-mycustom-init-vars
sequence.rfc2307-mycustom-init-vars.010.description = set unique attr
sequence.rfc2307-mycustom-init-vars.010.type = var-set
sequence.rfc2307-mycustom-init-vars.010.var-set.variable = rfc2307_attrsUniqueId
sequence.rfc2307-mycustom-init-vars.010.var-set.value = FIND_THIS_ONE
sequence.rfc2307-mycustom-init-vars.020.type = var-set
sequence.rfc2307-mycustom-init-vars.020.var-set.variable = simple_filterUserObject
sequence.rfc2307-mycustom-init-vars.020.var-set.value = (objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)

Replace FIND_THIS_ONE with the unique attribute of labPerson (I guess). It can be an extended attribute (+, ++).

$ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson'

maybe (or even with two +):

$ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson' +

The question is whether your implementation even has a unique attribute, does it? Also, may you share what your LDAP provider is? And maybe if you share the content of some user it would help as well.
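As an added example that is not part of this thread: a small Python script that parses the LDIF an ldapsearch run like the one above prints (the sample below is constructed, not real directory data) and lists attributes that could serve as rfc2307_attrsUniqueId, i.e. present exactly once on every user entry and distinct per entry. The entry layout, the entryUUID values and the ops@lan.lab.org address are made up for the example.

```python
import base64

# Constructed sample of what `ldapsearch -LLL ... 'objectClass=labPerson' +`
# could return for two users; every value here is made up for this example.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,o=LANLAB
uid: alice
employeeStatus: 3
entryUUID: 6c7d1c2e-0001-4a0b-9f1e-000000000001
mail: ops@lan.lab.org

dn: uid=bob,ou=people,o=LANLAB
uid: bob
employeeStatus: 3
entryUUID: 6c7d1c2e-0002-4a0b-9f1e-0000000
 00002
mail:: b3BzQGxhbi5sYWIub3Jn
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry (handles folded lines and base64)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # folded line: glue onto the previous one
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: ...' means base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr, []).append(value.strip())
    return entries

def unique_id_candidates(entries):
    """Attributes present once on every entry with a distinct value each."""
    shared = set.intersection(*map(set, entries)) - {"dn"} if entries else set()
    out = []
    for name in sorted(shared):
        values = [e[name][0] for e in entries if len(e[name]) == 1]
        if len(values) == len(entries) and len(set(values)) == len(values):
            out.append(name)
    return out
```

Run it against the saved output of the real ldapsearch instead of SAMPLE_LDIF; an attribute that shows up in the result on every user is a workable value for FIND_THIS_ONE, while an empty list means the directory exposes nothing usable as a unique id.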