On Tue, May 31, 2016 at 4:24 PM, Alexis HAUSER <alexis.hauser@telecom-bretagne.eu> wrote:
>> Thank you, this actually works. Yes, I'll remove it as soon as possible.
>> Now with RHEV + AD, it seems better than RHEV + LDAP for groups: it finds most of the groups a user belongs to. RHEV + LDAP is only able to find one group a user belongs to (which is not the same group found when I search the same user with ldapsearch... Still not able to solve that mystery....)

>That's very strange, we test it and it works for us. But you said you
>use more namingContexts
>than one, right? It could be the problem as we support only one.

Which attribute is used by RHEV/ovirt to guess which user a group belongs to (or the contrary), in the case of LDAP and in the case of AD?
I can see that not all attributes are filled in the AD/LDAP database here.

It depends on which profile you include in /etc/ovirt-engine/aaa/<PROFILE_NAME>.properties:

1) The included ad.properties is defined in /usr/share/ovirt-engine-extension-aaa-ldap/profiles/ad.properties, and here are the attribute mappings:

      attrmap.map-principal-record.attr.PrincipalRecord_DN.map = _dn
      attrmap.map-principal-record.attr.PrincipalRecord_ID.map = objectGUID
      attrmap.map-principal-record.attr.PrincipalRecord_ID.conversion = BASE64
      attrmap.map-principal-record.attr.PrincipalRecord_NAME.map = name
      attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = userPrincipalName
      attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map = displayName
      attrmap.map-principal-record.attr.PrincipalRecord_DEPARTMENT.map = department
      attrmap.map-principal-record.attr.PrincipalRecord_FIRST_NAME.map = givenName
      attrmap.map-principal-record.attr.PrincipalRecord_LAST_NAME.map = sn
      attrmap.map-principal-record.attr.PrincipalRecord_TITLE.map = title
      attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = mail
      attrmap.map-group-record.attr.GroupRecord_DN.map = _dn
      attrmap.map-group-record.attr.GroupRecord_ID.map = objectGUID
      attrmap.map-group-record.attr.GroupRecord_ID.conversion = BASE64
      attrmap.map-group-record.attr.GroupRecord_NAME.map = name
      attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = description

2) In the case of LDAP, please take a look at include=<XYZ.properties> to find out which profile you are using.

>Run this command:
>$ keytool -storepasswd -keystore /path/to/jks/x.jks
>It will ask you for old and new password.

Thank you, I'll ask rhev-docs to add this to the documentation, as they make you generate a new certificate even when using the automatic setup, which makes the automatically generated certificate useless.

By the way, is there a list of all the possible options/values of .properties file ?

No tool for that; you need to investigate the properties files. Please start by reading README.profile in the aaa-ldap package, which contains documentation about the structure of each file.
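The attrmap lines above say only which LDAP attribute feeds each field of the principal and group records, and that objectGUID is base64-encoded before it is used as the ID. The following script is an added example (not code from the oVirt project or from anyone in this thread): it parses those attrmap lines, applies them to two constructed directory entries, and lists the record fields that stay empty because the entry lacks the mapped attribute, which is the quickest way to confirm the "not all attributes are filled" observation against a real entry dumped with ldapsearch. Assumptions: the BASE64 conversion is taken to mean standard base64 of the raw attribute bytes (objectGUID is a 16-byte binary value in AD), the sample user and group are invented, and nothing here models how the extension actually resolves group membership, which this thread does not describe.

```python
import base64
import re
from typing import Any, Dict, List, Tuple

# The ad.properties attribute mappings as quoted in the thread.
AD_ATTRMAP = """
attrmap.map-principal-record.attr.PrincipalRecord_DN.map = _dn
attrmap.map-principal-record.attr.PrincipalRecord_ID.map = objectGUID
attrmap.map-principal-record.attr.PrincipalRecord_ID.conversion = BASE64
attrmap.map-principal-record.attr.PrincipalRecord_NAME.map = name
attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = userPrincipalName
attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map = displayName
attrmap.map-principal-record.attr.PrincipalRecord_DEPARTMENT.map = department
attrmap.map-principal-record.attr.PrincipalRecord_FIRST_NAME.map = givenName
attrmap.map-principal-record.attr.PrincipalRecord_LAST_NAME.map = sn
attrmap.map-principal-record.attr.PrincipalRecord_TITLE.map = title
attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = mail
attrmap.map-group-record.attr.GroupRecord_DN.map = _dn
attrmap.map-group-record.attr.GroupRecord_ID.map = objectGUID
attrmap.map-group-record.attr.GroupRecord_ID.conversion = BASE64
attrmap.map-group-record.attr.GroupRecord_NAME.map = name
attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = description
"""

# attrmap.<record>.attr.<FIELD>.<map|conversion> = <value>
_LINE = re.compile(
    r"^attrmap\.(?P<record>[\w-]+)\.attr\.(?P<field>\w+)\.(?P<key>map|conversion)\s*=\s*(?P<value>\S+)$"
)


def parse_attrmap(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Return {record_name: {FIELD: {"map": ldap_attr[, "conversion": name]}}}."""
    records: Dict[str, Dict[str, Dict[str, str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # other properties keys are not field definitions
        field = records.setdefault(m["record"], {}).setdefault(m["field"], {})
        field[m["key"]] = m["value"]
    return records


def convert(value: Any, conversion: str) -> str:
    """Apply a profile conversion. Only BASE64 appears on the page; it is
    assumed here to be standard base64 over the raw attribute bytes."""
    if conversion == "BASE64":
        raw = value if isinstance(value, bytes) else str(value).encode()
        return base64.b64encode(raw).decode("ascii")
    raise ValueError(f"unknown conversion {conversion!r}")


def apply_attrmap(fields: Dict[str, Dict[str, str]], entry: Dict[str, Any]) -> Tuple[Dict[str, str], List[str]]:
    """Build one record from an entry {"dn": ..., "attrs": {...}} and report
    the fields whose mapped attribute is absent or empty on that entry."""
    record: Dict[str, str] = {}
    missing: List[str] = []
    for field, spec in fields.items():
        attr = spec["map"]
        value = entry["dn"] if attr == "_dn" else entry.get("attrs", {}).get(attr)
        if not value:
            missing.append(field)
            continue
        if "conversion" in spec:
            value = convert(value, spec["conversion"])
        record[field] = value
    return record, missing


# Constructed sample entries (not real directory data): the user lacks
# department and title, the group lacks description.
SAMPLE_USER = {
    "dn": "CN=Alice Example,OU=Users,DC=example,DC=test",
    "attrs": {
        "objectGUID": bytes.fromhex("0123456789abcdef0123456789abcdef"),
        "name": "Alice Example",
        "userPrincipalName": "alice@example.test",
        "displayName": "Alice Example",
        "givenName": "Alice",
        "sn": "Example",
        "mail": "alice@example.test",
    },
}
SAMPLE_GROUP = {
    "dn": "CN=rhev-admins,OU=Groups,DC=example,DC=test",
    "attrs": {"objectGUID": bytes.fromhex("fedcba9876543210fedcba9876543210"), "name": "rhev-admins"},
}


def report(profile_text: str, user: Dict[str, Any], group: Dict[str, Any]) -> Dict[str, Any]:
    """Map both entries and collect the unfilled fields for each record type."""
    maps = parse_attrmap(profile_text)
    user_rec, user_missing = apply_attrmap(maps["map-principal-record"], user)
    group_rec, group_missing = apply_attrmap(maps["map-group-record"], group)
    return {"user": user_rec, "user_missing": user_missing,
            "group": group_rec, "group_missing": group_missing}


if __name__ == "__main__":
    for key, value in report(AD_ATTRMAP, SAMPLE_USER, SAMPLE_GROUP).items():
        print(f"{key}: {value}")
```

To use it against a real entry, paste the attribute values from an `ldapsearch -LLL` dump into the `attrs` dict (ldapsearch prints binary attributes such as objectGUID with `::` and base64, so decode them to bytes first); any field that lands in the `missing` list is one the record will carry empty with that profile, and the fix is either to populate the attribute in the directory or to point the `.map` key at an attribute the directory does fill.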
