Hi, it seem that your schema doesn't match the defaults or you home some configuration issue. Could you please execute following and send us the output for your IPA setup? ovirt-engine-extensions-tool --log-level=FINE aaa authz-fetch_principal_record --authz-flag=resolve-groups-recursive --authz-flag=resolve-groups --extension-name=<PROFILE-NAME> --principal-name=<USERNAME> The above will search for a user by <USERNAME> and tries to fetch all groups he is member of. Btw you can test both "search users/groups" and "login a user" during aaa-ldap-setup tool (and it's recommended to do so) and the output from those commands should provide you the same details. Thanks Martin Perina On Mon, Jan 30, 2017 at 9:27 PM, Matt . <yamakasi.014(a)gmail.com&gt; wrote: > > Hi, > > When I do a ovirt-engine-extension-aaa-ldap-setup and chose IPA the > groups are shown but the users are not. > > When I chose 389ds, the users are shown but not the groups. > > Is something wrong with the FreeIPA implementation ? I'm on latest IPA > 4.4 version from Fedora > > Cheers, > > Matt > _______________________________________________ > Users mailing list > Users(a)ovirt.org > http://lists.ovirt.org/mailman/listinfo/users

On Tue, Jan 31, 2017 at 11:17 AM, Matt . <yamakasi.014(a)gmail.com&gt; wrote: > > Hi Martin, > > Thanks for the explanation. But what happens on those tests during the > setup the same happens as showed in oVirt. Exactly, you can execute those tests even before publishing new profile to engine and if something doesn't work you can fix even before users notice that something is wrong. Also please bear in mind that there are variety of small differences in schema across different setups even for the same LDAP server. So setup tool uses only basic configurations, if you need something more complicated you need to edit configuration manually. Thanks Martin Perina > > > Default IPA should just work I guess. > > I will test your command and report back. > > Cheers, > > Matt > > 2017-01-31 10:24 GMT+01:00 Martin Perina <mperina(a)redhat.com&gt;: > > Hi, > > > > it seem that your schema doesn't match the defaults or you home some > > configuration issue. Could you please execute following and send us the > > output for your IPA setup? > > > > ovirt-engine-extensions-tool --log-level=FINE aaa > > authz-fetch_principal_record --authz-flag=resolve-groups-recursive > > --authz-flag=resolve-groups --extension-name=<PROFILE-NAME> > > --principal-name=<USERNAME> > > > > The above will search for a user by <USERNAME> and tries to fetch all > > groups > > he is member of. > > > > Btw you can test both "search users/groups" and "login a user" during > > aaa-ldap-setup tool (and it's recommended to do so) and the output from > > those commands should provide you the same details. > > > > Thanks > > > > Martin Perina > > > > > > > > On Mon, Jan 30, 2017 at 9:27 PM, Matt . <yamakasi.014(a)gmail.com&gt; wrote: > >> > >> Hi, > >> > >> When I do a ovirt-engine-extension-aaa-ldap-setup and chose IPA the > >> groups are shown but the users are not. > >> > >> When I chose 389ds, the users are shown but not the groups. > >> > >> Is something wrong with the FreeIPA implementation ? I'm on latest IPA > >> 4.4 version from Fedora > >> > >> Cheers, > >> > >> Matt > >> _______________________________________________ > >> Users mailing list > >> Users(a)ovirt.org > >> http://lists.ovirt.org/mailman/listinfo/users > > > >

Hi, I've just tried with: # ipa --version VERSION: 4.4.0, API_VERSION: 2.213 And all worked good. Can you please share the logs, which Martin asked for, so we can investigate? Thanks, Ondra On Tue, Jan 31, 2017 at 12:50 PM, Matt . <yamakasi.014(a)gmail.com&gt; wrote: > Hi, > > True. Are you able to check if it still is good for IPA 4.4 usage, it > could be still IPA 3.x maybe or between 4.2 and 4.4 has been changed > something ? Would be great! > > Thanks, > > Matt > > 2017-01-31 11:30 GMT+01:00 Martin Perina <mperina(a)redhat.com&gt;: >> >> >> On Tue, Jan 31, 2017 at 11:17 AM, Matt . <yamakasi.014(a)gmail.com&gt; wrote: >>> >>> Hi Martin, >>> >>> Thanks for the explanation. But what happens on those tests during the >>> setup the same happens as showed in oVirt. >> >> >> Exactly, you can execute those tests even before publishing new profile to >> engine and if something doesn't work you can fix even before users notice >> that something is wrong. >> >> Also please bear in mind that there are variety of small differences in >> schema across different setups even for the same LDAP server. So setup tool >> uses only basic configurations, if you need something more complicated you >> need to edit configuration manually. >> >> Thanks >> >> Martin Perina >> >>> >>> >>> Default IPA should just work I guess. >>> >>> I will test your command and report back. >>> >>> Cheers, >>> >>> Matt >>> >>> 2017-01-31 10:24 GMT+01:00 Martin Perina <mperina(a)redhat.com&gt;: >>> > Hi, >>> > >>> > it seem that your schema doesn't match the defaults or you home some >>> > configuration issue. Could you please execute following and send us the >>> > output for your IPA setup? >>> > >>> > ovirt-engine-extensions-tool --log-level=FINE aaa >>> > authz-fetch_principal_record --authz-flag=resolve-groups-recursive >>> > --authz-flag=resolve-groups --extension-name=<PROFILE-NAME> >>> > --principal-name=<USERNAME> >>> > >>> > The above will search for a user by <USERNAME> and tries to fetch all >>> > groups >>> > he is member of. >>> > >>> > Btw you can test both "search users/groups" and "login a user" during >>> > aaa-ldap-setup tool (and it's recommended to do so) and the output from >>> > those commands should provide you the same details. >>> > >>> > Thanks >>> > >>> > Martin Perina >>> > >>> > >>> > >>> > On Mon, Jan 30, 2017 at 9:27 PM, Matt . <yamakasi.014(a)gmail.com&gt; wrote: >>> >> >>> >> Hi, >>> >> >>> >> When I do a ovirt-engine-extension-aaa-ldap-setup and chose IPA the >>> >> groups are shown but the users are not. >>> >> >>> >> When I chose 389ds, the users are shown but not the groups. >>> >> >>> >> Is something wrong with the FreeIPA implementation ? I'm on latest IPA >>> >> 4.4 version from Fedora >>> >> >>> >> Cheers, >>> >> >>> >> Matt >>> >> _______________________________________________ >>> >> Users mailing list >>> >> Users(a)ovirt.org >>> >> http://lists.ovirt.org/mailman/listinfo/users >>> > >>> > >> >>

There is prompt: "Enter search user DN (empty for anonymous):" Which says you should input 'DN'. Any ideas how we can improve, that prompt so users are not confused? Thanks. On Tue, Jan 31, 2017 at 5:32 PM, Matt . <yamakasi.014(a)gmail.com&gt; wrote: > OK solved. You cannot use anonymous in the full way. Also you need the > full DN for the search user. > > Thanks for the heads up! > > Matt > > 2017-01-31 13:03 GMT+01:00 Ondra Machacek <omachace(a)redhat.com&gt;: >> Hi, >> >> I've just tried with: >> >> # ipa --version >> VERSION: 4.4.0, API_VERSION: 2.213 >> >> And all worked good. Can you please share the logs, >> which Martin asked for, so we can investigate? >> >> Thanks, >> Ondra >> >> On Tue, Jan 31, 2017 at 12:50 PM, Matt . <yamakasi.014(a)gmail.com&gt; wrote: >>> Hi, >>> >>> True. Are you able to check if it still is good for IPA 4.4 usage, it >>> could be still IPA 3.x maybe or between 4.2 and 4.4 has been changed >>> something ? Would be great! >>> >>> Thanks, >>> >>> Matt >>> >>> 2017-01-31 11:30 GMT+01:00 Martin Perina <mperina(a)redhat.com&gt;: >>>> >>>> >>>> On Tue, Jan 31, 2017 at 11:17 AM, Matt . <yamakasi.014(a)gmail.com&gt; wrote: >>>>> >>>>> Hi Martin, >>>>> >>>>> Thanks for the explanation. But what happens on those tests during the >>>>> setup the same happens as showed in oVirt. >>>> >>>> >>>> Exactly, you can execute those tests even before publishing new profile to >>>> engine and if something doesn't work you can fix even before users notice >>>> that something is wrong. >>>> >>>> Also please bear in mind that there are variety of small differences in >>>> schema across different setups even for the same LDAP server. So setup tool >>>> uses only basic configurations, if you need something more complicated you >>>> need to edit configuration manually. >>>> >>>> Thanks >>>> >>>> Martin Perina >>>> >>>>> >>>>> >>>>> Default IPA should just work I guess. >>>>> >>>>> I will test your command and report back. >>>>> >>>>> Cheers, >>>>> >>>>> Matt >>>>> >>>>> 2017-01-31 10:24 GMT+01:00 Martin Perina <mperina(a)redhat.com&gt;: >>>>> > Hi, >>>>> > >>>>> > it seem that your schema doesn't match the defaults or you home some >>>>> > configuration issue. Could you please execute following and send us the >>>>> > output for your IPA setup? >>>>> > >>>>> > ovirt-engine-extensions-tool --log-level=FINE aaa >>>>> > authz-fetch_principal_record --authz-flag=resolve-groups-recursive >>>>> > --authz-flag=resolve-groups --extension-name=<PROFILE-NAME> >>>>> > --principal-name=<USERNAME> >>>>> > >>>>> > The above will search for a user by <USERNAME> and tries to fetch all >>>>> > groups >>>>> > he is member of. >>>>> > >>>>> > Btw you can test both "search users/groups" and "login a user" during >>>>> > aaa-ldap-setup tool (and it's recommended to do so) and the output from >>>>> > those commands should provide you the same details. >>>>> > >>>>> > Thanks >>>>> > >>>>> > Martin Perina >>>>> > >>>>> > >>>>> > >>>>> > On Mon, Jan 30, 2017 at 9:27 PM, Matt . <yamakasi.014(a)gmail.com&gt; wrote: >>>>> >> >>>>> >> Hi, >>>>> >> >>>>> >> When I do a ovirt-engine-extension-aaa-ldap-setup and chose IPA the >>>>> >> groups are shown but the users are not. >>>>> >> >>>>> >> When I chose 389ds, the users are shown but not the groups. >>>>> >> >>>>> >> Is something wrong with the FreeIPA implementation ? I'm on latest IPA >>>>> >> 4.4 version from Fedora >>>>> >> >>>>> >> Cheers, >>>>> >> >>>>> >> Matt >>>>> >> _______________________________________________ >>>>> >> Users mailing list >>>>> >> Users(a)ovirt.org >>>>> >> http://lists.ovirt.org/mailman/listinfo/users >>>>> > >>>>> > >>>> >>>>