
----- Original Message -----
From: jdeloro@web.de
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Monday, January 12, 2015 4:16:17 PM
Subject: Re: [ovirt-users] Setting Base DN for LDAP authentication
Hello,
many thanks to Alon! We have a working setup with support for base dn. The special challenge in our setup is the constraint of specifying a base dn for every ldap search and referrals inside the branches that must be processed.
If anyone has the same problem, our working configuration with a slightly newer version of ovirt-engine-extension-aaa-ldap is:
Note that this environment has more than only the baseDN issue; it also requires dereferencing references at the server side. Most environments should not require this, nor have an invalid baseDN in their rootDSE naming context. In this specific environment a query for baseDN X results in baseDN Y. Thank you Jannick for the problem determination process. Supporting baseDN X->Y will be formally released in 1.0.2.
$ cat /etc/ovirt-engine/aaa/company-ldap.properties
include = <rfc2307-openldap.properties>

vars.server = ldap.company.de
vars.user = cn=system,dc=company,dc=de
vars.password = password

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = dc=company,dc=de

search.default.search-request.derefPolicy = ALWAYS
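As an added illustration (not part of the mail thread and not code from the ovirt-engine-extension-aaa-ldap project), the following Python script parses a properties file in the shape shown above, expands the `${global:KEY}` references, walks the `sequence-init` -> `sequence.<name>.<step>` chain to find the `var-set` step that defines `simple_baseDN`, and reports a few things worth checking before the file is deployed (a placeholder bind password, a missing baseDN override, and the unusual `derefPolicy = ALWAYS`). The assumptions are mine: `${global:KEY}` is taken to mean "the value of KEY in this same file", the `include` directive is recorded but not followed, and the sample input is a constructed copy of the configuration posted above.

```python
import re

# Constructed sample input: a copy of the properties posted in the mail above.
SAMPLE_PROPERTIES = """\
include = <rfc2307-openldap.properties>

vars.server = ldap.company.de
vars.user = cn=system,dc=company,dc=de
vars.password = password

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = dc=company,dc=de

search.default.search-request.derefPolicy = ALWAYS
"""

# Assumed reference syntax: ${global:KEY} resolves to the value of KEY in the same file.
_REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text):
    """Parse 'key = value' lines; 'include = <file>' directives are recorded, not followed."""
    props, includes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")   # split on the FIRST '=' only: DNs contain '='
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "include":
            includes.append(value.strip("<>"))
        else:
            props[key] = value
    return props, includes


def resolve(props):
    """Expand ${global:KEY} references; an undefined KEY is an error, not an empty string."""
    out = {}
    for key, value in props.items():
        def _sub(m, key=key):
            ref = m.group(1)
            if ref not in props:
                raise KeyError(f"{key} references undefined variable {ref}")
            return props[ref]
        out[key] = _REF.sub(_sub, value)
    return out


def effective_base_dn(props):
    """Follow sequence-init.init.* -> sequence.<name>.<step>.* and return the value
    of the first var-set step that sets simple_baseDN, or None if there is none."""
    for key, seq_name in props.items():
        if not key.startswith("sequence-init.init."):
            continue
        prefix = f"sequence.{seq_name}."
        steps = sorted({k[len(prefix):].split(".")[0] for k in props if k.startswith(prefix)})
        for step in steps:
            base = f"{prefix}{step}."
            if (props.get(base + "type") == "var-set"
                    and props.get(base + "var-set.variable") == "simple_baseDN"):
                return props.get(base + "var-set.value")
    return None


def audit(text):
    """Return the resolved configuration plus review findings for a properties file."""
    props, includes = parse_properties(text)
    resolved = resolve(props)
    base_dn = effective_base_dn(props)
    findings = []
    if resolved.get("pool.default.auth.simple.password") in (None, "", "password"):
        findings.append("bind password missing or placeholder")
    if base_dn is None:
        findings.append("no var-set step defines simple_baseDN; the rootDSE naming context will be used")
    if resolved.get("search.default.search-request.derefPolicy") == "ALWAYS":
        findings.append("derefPolicy=ALWAYS: server-side dereferencing on every search (rarely needed)")
    return {"includes": includes, "resolved": resolved, "base_dn": base_dn, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_PROPERTIES)
    print("baseDN:", report["base_dn"])
    for finding in report["findings"]:
        print("finding:", finding)
```

Run against the real file with `audit(open("/etc/ovirt-engine/aaa/company-ldap.properties").read())`; on the sample above it resolves the bind DN and server from the `vars.*` block, recovers `dc=company,dc=de` as the effective baseDN, and flags the literal `password` placeholder.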
Best regards
Jannick