On Wed, May 18, 2016 at 9:48 AM, Alexis HAUSER <alexis.hauser@telecom-bretagne.eu> wrote:
>> Is there a way to search for attributes in the ovirt web interface, for
>> example "memberof"?
>>
>> I can't imagine adding hundreds or thousands of users one by one... What
>> would be the solutions?
>>

>You can assign specific permission to the group that relevant users are
>member of (we support also nested groups if needed)
>and of course you can select multiple users/groups when you assign
>permissions.

>If the above is not an option for you, could you try to describe what exactly
>you are trying to achieve?

>Thanks

>Martin Perina

As I explained, my groups are not in the same dn path as my users. As it is not possible to add multiple dn paths, my only solution is to use users.

Well, that's the 1st time I've heard about an LDAP setup where users and groups of one domain are not under the same baseDN. Usually all LDAP setups have some baseDN (for example 'dc=company,dc=com') and somewhere under this baseDN (not necessarily directly under it) we could find users and groups. The only exception to this is ActiveDirectory with multi-domain trust inside a single forest (which we currently support and a user of domainA can be a member of a group from domainB) and multi-forest trust (which we don't support).

Those users have attributes like "member of" which still keep the information about what group they belong to. I didn't find any way using the interface to filter by attribute, for example to show all users member of group "foo".

We don't support LDAP searches in the webadmin UI, because we don't distinguish between LDAP (ovirt-engine-extension-aaa-ldap) or database (ovirt-engine-extension-aaa-jdbc) providers, both of them provide users and groups for oVirt using the same AAA interface.

I could do that with ldapsearch, but then how would I inject the result to ovirt configuration to add those users to specific ovirt roles ("ovirt permission groups")?

So the only way that comes to my mind is to use one of our SDKs (Python, Java, Ruby). You would need to implement the LDAP query by yourself and then add the wanted permission to those users using our SDKs.


Martin Perina
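
The LDAP half of the approach suggested above, as an added example that is not part of the original thread or of oVirt's code: it builds an RFC 4515-escaped `memberOf` filter to pass to ldapsearch and parses the resulting LDIF (folded lines and base64 values included) into user names that a script could then hand to an SDK. The group DN, the `objectClass=person` clause, the `uid` attribute and the sample LDIF are constructed assumptions.

```python
import base64

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def member_filter(group_dn):
    # Assumption: users are objectClass=person and carry a memberOf attribute.
    return '(&(objectClass=person)(memberOf=%s))' % escape_filter_value(group_dn)

def parse_ldif(text, attr):
    """Return every value of `attr` found in ldapsearch LDIF output."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:   # folded line: continuation
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    values = []
    for line in lines:
        if line.startswith('#') or ':' not in line:
            continue
        name, _, rest = line.partition(':')
        if name.lower() != attr.lower():
            continue
        if rest.startswith(':'):            # "attr:: <base64>" for non-ASCII
            values.append(base64.b64decode(rest[1:].strip()).decode('utf-8'))
        else:
            values.append(rest.strip())
    return values

# Constructed sample of ldapsearch output (not real directory data).
SAMPLE_LDIF = (
    "# constructed sample\n"
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "uid: alice\n"
    "memberOf: cn=foo,ou=groups,dc=example,dc=org\n"
    "\n"
    "dn: uid=jose,ou=people,dc=example,dc=com\n"
    "uid:: am9zw6k=\n"
    "memberOf: cn=foo,ou=groups,\n"
    " dc=example,dc=org\n"
)

if __name__ == '__main__':
    print(member_filter('cn=foo,ou=groups,dc=example,dc=org'))
    print(parse_ldif(SAMPLE_LDIF, 'uid'))
```

Escaping the group DN before it goes into the filter matters when the group name comes from user input or a file, since unescaped `(`, `)`, `*` or `\` would change what the search matches.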