On Tue, May 31, 2016 at 4:24 PM, Alexis HAUSER <alexis.hauser@telecom-bretagne.eu> wrote:

>> Thank you, this actually works. Yes, I'll remove it as soon as possible.
>> Now with RHEV + AD, it seems better than RHEV + LDAP for groups : it finds most of the groups a user belongs to. RHEV + LDAP is only able to find one group a user belongs to >>(which is not the same group found when I search the same user with ldapsearch...Still not able to solve that mystery....)

>That's very strange, we test it and it works for us. But you said you
>use more namingContexts
>than one, right? It could be the problem as we support only one.

Which attribute is used by RHEV/ovirt to guess which user a group belong (or the controry), in the case of LDAP and in the case of AD ?
I can see that not all attributes are filled in the AD/LDAP database here.

It depends on what profile do you include in /etc/ovirt-engine/aaa/<PROFILE_NAME>.properties:

1) Included ad.properties are defined in /usr/share/ovirt-engine-extension-aaa-ldap/profiles/ad.properties

and here are attribute mappings:

      attrmap.map-principal-record.attr.PrincipalRecord_DN.map = _dn
      attrmap.map-principal-record.attr.PrincipalRecord_ID.map = objectGUID
      attrmap.map-principal-record.attr.PrincipalRecord_ID.conversion = BASE64
      attrmap.map-principal-record.attr.PrincipalRecord_NAME.map = name
      attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = userPrincipalName
      attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map = displayName
      attrmap.map-principal-record.attr.PrincipalRecord_DEPARTMENT.map = department
      attrmap.map-principal-record.attr.PrincipalRecord_FIRST_NAME.map = givenName
      attrmap.map-principal-record.attr.PrincipalRecord_LAST_NAME.map = sn
      attrmap.map-principal-record.attr.PrincipalRecord_TITLE.map = title
      attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = mail

      attrmap.map-group-record.attr.GroupRecord_DN.map = _dn
      attrmap.map-group-record.attr.GroupRecord_ID.map = objectGUID
      attrmap.map-group-record.attr.GroupRecord_ID.conversion = BASE64
      attrmap.map-group-record.attr.GroupRecord_NAME.map = name
      attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = description

2) In case of LDAP, please take a look at include=<XYZ.properties> to find out what profile are you using

>Run this command:
>$ keytool -storepasswd -keystore /path/to/jks/x.jks
>It will ask you for old and new password.

Thank you, I'll ask rhev-docs to add this to the documentation, as they make you generate a new certificate even when using the automatic setup, which makes the automatically generated certificate useless.

By the way, is there a list of all the possible options/values of .properties file ?

No tool for that, you need to investigate properties files. Please start reading README.profile in aaa-ldap package, which contains doc about the structure of each file.

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users