Hi Martin, Thanks for the explanation. But what happens on those tests during the setup the same happens as showed in oVirt. Default IPA should just work I guess. I will test your command and report back. Cheers, Matt 2017-01-31 10:24 GMT+01:00 Martin Perina <mperina@redhat.com>:

Hi,

it seem that your schema doesn't match the defaults or you home some configuration issue. Could you please execute following and send us the output for your IPA setup?

ovirt-engine-extensions-tool --log-level=FINE aaa authz-fetch_principal_record --authz-flag=resolve-groups-recursive --authz-flag=resolve-groups --extension-name=<PROFILE-NAME> --principal-name=<USERNAME>

The above will search for a user by <USERNAME> and tries to fetch all groups he is member of.

Btw you can test both "search users/groups" and "login a user" during aaa-ldap-setup tool (and it's recommended to do so) and the output from those commands should provide you the same details.

Thanks

Martin Perina

On Mon, Jan 30, 2017 at 9:27 PM, Matt . <yamakasi.014@gmail.com> wrote:

...

Hi,

When I do a ovirt-engine-extension-aaa-ldap-setup and chose IPA the groups are shown but the users are not.

When I chose 389ds, the users are shown but not the groups.

Is something wrong with the FreeIPA implementation ? I'm on latest IPA 4.4 version from Fedora

Cheers,

Matt _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Hi, True. Are you able to check if it still is good for IPA 4.4 usage, it could be still IPA 3.x maybe or between 4.2 and 4.4 has been changed something ? Would be great! Thanks, Matt 2017-01-31 11:30 GMT+01:00 Martin Perina <mperina@redhat.com>:

On Tue, Jan 31, 2017 at 11:17 AM, Matt . <yamakasi.014@gmail.com> wrote:

...

Hi Martin,

Thanks for the explanation. But what happens on those tests during the setup the same happens as showed in oVirt.

Exactly, you can execute those tests even before publishing new profile to engine and if something doesn't work you can fix even before users notice that something is wrong.

Also please bear in mind that there are variety of small differences in schema across different setups even for the same LDAP server. So setup tool uses only basic configurations, if you need something more complicated you need to edit configuration manually.

Thanks

Martin Perina

...

Default IPA should just work I guess.

I will test your command and report back.

Cheers,

Matt

2017-01-31 10:24 GMT+01:00 Martin Perina <mperina@redhat.com>:

...

Hi,

it seem that your schema doesn't match the defaults or you home some configuration issue. Could you please execute following and send us the output for your IPA setup?

ovirt-engine-extensions-tool --log-level=FINE aaa authz-fetch_principal_record --authz-flag=resolve-groups-recursive --authz-flag=resolve-groups --extension-name=<PROFILE-NAME> --principal-name=<USERNAME>

The above will search for a user by <USERNAME> and tries to fetch all groups he is member of.

Btw you can test both "search users/groups" and "login a user" during aaa-ldap-setup tool (and it's recommended to do so) and the output from those commands should provide you the same details.

Thanks

Martin Perina

On Mon, Jan 30, 2017 at 9:27 PM, Matt . <yamakasi.014@gmail.com> wrote:

...

Hi,

When I do a ovirt-engine-extension-aaa-ldap-setup and chose IPA the groups are shown but the users are not.

When I chose 389ds, the users are shown but not the groups.

Is something wrong with the FreeIPA implementation ? I'm on latest IPA 4.4 version from Fedora

Cheers,

Matt _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

OK solved. You cannot use anonymous in the full way. Also you need the full DN for the search user. Thanks for the heads up! Matt 2017-01-31 13:03 GMT+01:00 Ondra Machacek <omachace@redhat.com>:

Hi,

I've just tried with:

# ipa --version VERSION: 4.4.0, API_VERSION: 2.213

And all worked good. Can you please share the logs, which Martin asked for, so we can investigate?

Thanks, Ondra

On Tue, Jan 31, 2017 at 12:50 PM, Matt . <yamakasi.014@gmail.com> wrote:

...

Hi,

True. Are you able to check if it still is good for IPA 4.4 usage, it could be still IPA 3.x maybe or between 4.2 and 4.4 has been changed something ? Would be great!

Thanks,

Matt

2017-01-31 11:30 GMT+01:00 Martin Perina <mperina@redhat.com>:

...

On Tue, Jan 31, 2017 at 11:17 AM, Matt . <yamakasi.014@gmail.com> wrote:

...

Hi Martin,

Thanks for the explanation. But what happens on those tests during the setup the same happens as showed in oVirt.

Exactly, you can execute those tests even before publishing new profile to engine and if something doesn't work you can fix even before users notice that something is wrong.

Also please bear in mind that there are variety of small differences in schema across different setups even for the same LDAP server. So setup tool uses only basic configurations, if you need something more complicated you need to edit configuration manually.

Thanks

Martin Perina

...

Default IPA should just work I guess.

I will test your command and report back.

Cheers,

Matt

2017-01-31 10:24 GMT+01:00 Martin Perina <mperina@redhat.com>:

...

Hi,

it seem that your schema doesn't match the defaults or you home some configuration issue. Could you please execute following and send us the output for your IPA setup?

ovirt-engine-extensions-tool --log-level=FINE aaa authz-fetch_principal_record --authz-flag=resolve-groups-recursive --authz-flag=resolve-groups --extension-name=<PROFILE-NAME> --principal-name=<USERNAME>

The above will search for a user by <USERNAME> and tries to fetch all groups he is member of.

Btw you can test both "search users/groups" and "login a user" during aaa-ldap-setup tool (and it's recommended to do so) and the output from those commands should provide you the same details.

Thanks

Martin Perina

On Mon, Jan 30, 2017 at 9:27 PM, Matt . <yamakasi.014@gmail.com> wrote:

...

Hi,

When I do a ovirt-engine-extension-aaa-ldap-setup and chose IPA the groups are shown but the users are not.

When I chose 389ds, the users are shown but not the groups.

Is something wrong with the FreeIPA implementation ? I'm on latest IPA 4.4 version from Fedora

Cheers,

Matt _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Hi Ondra, I would add something like "Enter search user DN (uid=user,cn=... OR empty for anonymous):" The reason why is that I have seen other software erroring on the whole DN as it putted the rest behind it and as you say you use IPA, it looksup your base it's pretty understandable that you think, OK the base or whatever will be added as when you select IPA there is know that ovirt knows the scheme what is used. Cheers, Matt 2017-01-31 17:51 GMT+01:00 Ondra Machacek <omachace@redhat.com>:

There is prompt:

"Enter search user DN (empty for anonymous):"

Which says you should input 'DN'. Any ideas how we can improve, that prompt so users are not confused?

Thanks.

On Tue, Jan 31, 2017 at 5:32 PM, Matt . <yamakasi.014@gmail.com> wrote:

...

OK solved. You cannot use anonymous in the full way. Also you need the full DN for the search user.

Thanks for the heads up!

Matt

2017-01-31 13:03 GMT+01:00 Ondra Machacek <omachace@redhat.com>:

...

Hi,

I've just tried with:

# ipa --version VERSION: 4.4.0, API_VERSION: 2.213

And all worked good. Can you please share the logs, which Martin asked for, so we can investigate?

Thanks, Ondra

On Tue, Jan 31, 2017 at 12:50 PM, Matt . <yamakasi.014@gmail.com> wrote:

...

Hi,

True. Are you able to check if it still is good for IPA 4.4 usage, it could be still IPA 3.x maybe or between 4.2 and 4.4 has been changed something ? Would be great!

Thanks,

Matt

2017-01-31 11:30 GMT+01:00 Martin Perina <mperina@redhat.com>:

...

On Tue, Jan 31, 2017 at 11:17 AM, Matt . <yamakasi.014@gmail.com> wrote:

...

Hi Martin,

Thanks for the explanation. But what happens on those tests during the setup the same happens as showed in oVirt.

Exactly, you can execute those tests even before publishing new profile to engine and if something doesn't work you can fix even before users notice that something is wrong.

Also please bear in mind that there are variety of small differences in schema across different setups even for the same LDAP server. So setup tool uses only basic configurations, if you need something more complicated you need to edit configuration manually.

Thanks

Martin Perina

...

Default IPA should just work I guess.

I will test your command and report back.

Cheers,

Matt

2017-01-31 10:24 GMT+01:00 Martin Perina <mperina@redhat.com>: > Hi, > > it seem that your schema doesn't match the defaults or you home some > configuration issue. Could you please execute following and send us the > output for your IPA setup? > > ovirt-engine-extensions-tool --log-level=FINE aaa > authz-fetch_principal_record --authz-flag=resolve-groups-recursive > --authz-flag=resolve-groups --extension-name=<PROFILE-NAME> > --principal-name=<USERNAME> > > The above will search for a user by <USERNAME> and tries to fetch all > groups > he is member of. > > Btw you can test both "search users/groups" and "login a user" during > aaa-ldap-setup tool (and it's recommended to do so) and the output from > those commands should provide you the same details. > > Thanks > > Martin Perina > > > > On Mon, Jan 30, 2017 at 9:27 PM, Matt . <yamakasi.014@gmail.com> wrote: >> >> Hi, >> >> When I do a ovirt-engine-extension-aaa-ldap-setup and chose IPA the >> groups are shown but the users are not. >> >> When I chose 389ds, the users are shown but not the groups. >> >> Is something wrong with the FreeIPA implementation ? I'm on latest IPA >> 4.4 version from Fedora >> >> Cheers, >> >> Matt >> _______________________________________________ >> Users mailing list >> Users@ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users > >