----- Original Message -----
From: "Keith Mitchell" <kamitch(a)cisco.com>
To: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
Cc: users(a)ovirt.org, "Juan Antonio Hernandez Fernandez"
<jhernand(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>
Sent: Sunday, March 3, 2013 2:28:38 PM
Subject: Re: [Users] webadmin login issues with AD
On 3/3/13 6:57 AM, Yair Zaslavsky wrote:
> Please elaborate on "quite a few groups" - actually this is a well
> known issue.
> I was afraid you might have permissions on "too many objects" or
> that the account is a member of too many groups.
> However, being a member of too many groups should have caused the
> search to be slow/hang as well.
I don't have an exact count, but I think it's along the order of
magnitude of 300-400.
Hi,
I gave an incorrect explanation before (I thought about it and understood where my error
lies).
If I add a user using engine-manage-domains and do not provide -addPermissions, I will
still be able to login to the system using admin@internal, and perform search for users
& groups.
This means I do not need to have permissions for the user I added for that domain to
perform search, so the "permissions" check is of course not performed at search!
The number of groups is important in login - oVirt will try to calculate all the
permissions of the user, and this is based on the permissions the user has directly on an
object, or that its group has.
If the user is a member of 300 groups, oVirt tries to get information for all those
groups.
This is why login hangs, but search does not hang.
I hope my answer is clearer now.
If not, I will try to elaborate.
Yair
I didn't notice the searches (when trying to add the account to the
ovirt permissions) were unbearably slow like the logins.
But why does ovirt even care about the groups? I thought it was only
using AD for authentication and that the authorization was all done
internally through the permissions granted. Or is that just a
standard "library" that ovirt is using that is doing this?
I don't suppose there is a workaround?
> Hi, you can look at the following link -
> http://docs.oracle.com/javase/jndi/tutorial/ldap/security/sasl.html
>
> we support changing sasl_qop. You can use engine-config to do that.
> engine-config -s sasl_qop=auth will change Quality of Protection
> to be only at authentication.
> Please let us know if using that you will be able to see the ldap
> queries (i.e - have them plain and not encrypted)
Ok, yeah that allows me to see the ldap requests...
Looks like it's going through all of the groups I am a member of and
doing a search on each one. And in a not so terribly efficient way
(connect/bind/search/close... repeat).
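An added illustration, not oVirt code or anything posted in the thread, of the cost pattern Yair describes and Keith sees on the wire: an in-memory stand-in for the directory counts every connect/bind/search/close, so resolving a few hundred group memberships with one connection per group can be compared against the same lookups over a single bound connection. The user and group DNs, the group count and the memberOf-based lookup are constructed assumptions.

```python
from collections import Counter

# Constructed sample directory, not real AD data: one user in 350 groups.
USER_DN = "CN=kmitch,OU=Users,DC=example,DC=com"
GROUP_DNS = [f"CN=group{i},OU=Groups,DC=example,DC=com" for i in range(350)]
DIRECTORY = {USER_DN: {"memberOf": GROUP_DNS}}
DIRECTORY.update({g: {"objectClass": "group"} for g in GROUP_DNS})

class FakeDirectory:
    """Stand-in for the LDAP server that counts every operation it sees."""
    def __init__(self):
        self.ops = Counter()
        self.bound = False
    def connect(self):
        self.ops["connect"] += 1
    def bind(self):
        self.ops["bind"] += 1
        self.bound = True
    def search(self, *dns):
        # One search operation, however many DNs the filter ORs together.
        if not self.bound:
            raise RuntimeError("search on an unbound connection")
        self.ops["search"] += 1
        return [DIRECTORY[dn] for dn in dns if dn in DIRECTORY]
    def close(self):
        self.ops["close"] += 1
        self.bound = False

def resolve_per_group(ldap):
    """Pattern seen in the captured traffic: connect/bind/search/close per group."""
    ldap.connect()
    ldap.bind()
    groups = ldap.search(USER_DN)[0]["memberOf"]
    ldap.close()
    found = []
    for dn in groups:
        ldap.connect()
        ldap.bind()
        found += ldap.search(dn)
        ldap.close()
    return found

def resolve_single_connection(ldap):
    """Same lookups over one bound connection, all groups in one search."""
    ldap.connect()
    ldap.bind()
    groups = ldap.search(USER_DN)[0]["memberOf"]
    found = ldap.search(*groups)
    ldap.close()
    return found
```

With 350 groups the per-group pattern costs 351 connects, 351 binds, 351 searches and 351 closes (1404 operations, each a round trip plus a SASL handshake); the single-connection version needs five.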