[Users] ldap simple - Users - Ovirt List Archives

2025

January

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

[Users] ldap simple

[Users] oVirt 3.2.1 and reports...

[Users] Features requests for the...

Andrej Bagon

Thursday, 14 March 2013 Thu, 14 Mar '13

6:58 a.m.

Hi, is it possible to change the bind request that is sent to the ldap server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is not suitable. Thank you.

Reply

Show replies by date

Itamar Heim

Friday, 15 March Fri, 15 Mar

6:09 a.m.

On 03/14/2013 01:58 PM, Andrej Bagon wrote:

Hi, is it possible to change the bind request that is sent to the ldap server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is not suitable.

can you please explain why / what you would like to change it to? (not sure possible now, but there is work to make it more configurable/pluggable)

Reply

Andrej Bagon

Monday, 18 March Mon, 18 Mar

2:07 a.m.

This is a multi-part message in MIME format. --------------090006050100020008090701 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Hi, the system is trying to bind to ldap as: bind request: uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si I dont know how it knows dc=ourdomain,dc=si It should be bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b "dc=arnes,dc=si The same with the search: we have users in form as: edupersonprincipalname=username(a)users.ourdomain.si <mailto:edupersonprincipalname=abagon@guest.arnes.si>,dc=users,dc=ourdomain,dc=si values in database: select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') order by option_id; option_id | option_name | option_value | version -----------+----------------------------+--------------------------------+--------- 10 | AdUserName | users.ourdomain.si:ovirt | general 11 | AdUserPassword |users.ourdomain.si:adminpassword | general 69 | DomainName | users.ourdomain.si | general 130 | LDAPSecurityAuthentication| users.ourdomain.si:SIMPLE | general 132 | LdapServers | users.ourdomain.si:server.ourdomain.si | general 133 | LDAPProviderTypes | users.ourdomain.si:rhds | general (6 rows) Best Regards, Andrej Bagon On 03/15/2013 12:09 PM, Itamar Heim wrote:

On 03/14/2013 01:58 PM, Andrej Bagon wrote: > Hi, > > is it possible to change the bind request that is sent to the ldap > server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is > not suitable. can you please explain why / what you would like to change it to? (not sure possible now, but there is work to make it more configurable/pluggable)

--------------090006050100020008090701 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit <html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> Hi,<br> <br> the system is trying to bind to ldap as:<br> bind request: uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si<br> <br> I dont know how it knows dc=ourdomain,dc=si<br> It should be<br> bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b "dc=arnes,dc=si<br> <br> The same with the search: we have users in form as:<br> <a href="mailto:edupersonprincipalname=abagon@guest.arnes.si">edupersonprincipalname=username@users.ourdomain.si</a>,dc=users,dc=ourdomain,dc=si<br> <br> values in database:<br> select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') order by option_id;<br>  option_id |        option_name         |          option_value          | version <br> -----------+----------------------------+--------------------------------+---------<br>         10 | AdUserName                 | users.ourdomain.si:ovirt           | general<br>         11 | AdUserPassword             |users.ourdomain.si:adminpassword       | general<br>         69 | DomainName                 | users.ourdomain.si                 | general<br>        130 | LDAPSecurityAuthentication| users.ourdomain.si:SIMPLE          | general<br>        132 | LdapServers                | users.ourdomain.si:server.ourdomain.si | general<br>        133 | LDAPProviderTypes          | users.ourdomain.si:rhds            | general<br> (6 rows)<br> <br> Best Regards,<br> Andrej Bagon<br> <br> <br> On 03/15/2013 12:09 PM, Itamar Heim wrote: <blockquote cite="mid:51430171.2010904@redhat.com" type="cite">On 03/14/2013 01:58 PM, Andrej Bagon wrote: <br> <blockquote type="cite">Hi, <br> <br> is it possible to change the bind request that is sent to the ldap <br> server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is <br> not suitable. <br> </blockquote> <br> can you please explain why / what you would like to change it to? <br> (not sure possible now, but there is work to make it more configurable/pluggable) <br> <br> </blockquote> <br> </body> </html> --------------090006050100020008090701--

Reply

Yair Zaslavsky

3:09 a.m.

------=_Part_8850427_1953928570.1363594171897 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Hi, We're issuing a RootDSE query (once per LDAP domain configured). We try to obtain from it the "defaultNamingContext" attribute. If does not exist - we try to obtain ""NamingContexts" We store the result at a "domainDn" (we have a data structure which maps domains to information objects, one of the fields at the information object is the DN of the domain) field, and we use it to compose the full ldap URL we send the queries to. ----- Original Message -----

From: "Andrej Bagon" <andrej.bagon(a)arnes.si> To: "Itamar Heim" <iheim(a)redhat.com> Cc: users(a)ovirt.org, "Yair Zaslavsky" <yzaslavs(a)redhat.com>, "Oved Ourfalli" <oourfali(a)redhat.com> Sent: Monday, March 18, 2013 9:07:06 AM Subject: Re: [Users] ldap simple

Hi,

the system is trying to bind to ldap as: bind request: uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si

I dont know how it knows dc=ourdomain,dc=si It should be bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b "dc=arnes,dc=si

The same with the search: we have users in form as: edupersonprincipalname=username(a)users.ourdomain.si ,dc=users,dc=ourdomain,dc=si

values in database: select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') order by option_id; option_id | option_name | option_value | version -----------+----------------------------+--------------------------------+--------- 10 | AdUserName | users.ourdomain.si:ovirt | general 11 | AdUserPassword |users.ourdomain.si:adminpassword | general 69 | DomainName | users.ourdomain.si | general 130 | LDAPSecurityAuthentication| users.ourdomain.si:SIMPLE | general 132 | LdapServers | users.ourdomain.si:server.ourdomain.si | general 133 | LDAPProviderTypes | users.ourdomain.si:rhds | general (6 rows)

Best Regards, Andrej Bagon

On 03/15/2013 12:09 PM, Itamar Heim wrote: > On 03/14/2013 01:58 PM, Andrej Bagon wrote:

> >

Hi,

> > >

> > is it possible to change the bind request that is sent to the > > ldap > > > server? The default > > uid=user,cn=Users,cn=Accounts,cn=our,cn=domain > > is > > > not suitable. >

> can you please explain why / what you would like to change it to? > (not sure possible now, but there is work to make it more > configurable/pluggable)

------=_Part_8850427_1953928570.1363594171897 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable <html><head><style type=3D'text/css'>p { margin: 0; }</style></head><body><= div style=3D'font-family: times new roman,new york,times,serif; font-size: = 12pt; color: #000000'>Hi,<div>We're issuing a RootDSE query (once per LDAP = domain configured).</div><div>We try to obtain from it the "defaultNamingCo= ntext" attribute.</div><div>If does not exist - we try to obtain ""NamingCo= ntexts"</div><div>We store the result at a "domainDn" (we have a data struc= ture which maps domains to information objects, one of the fields at the in= formation object is the DN of the domain)  field, and we use it to com= pose the full ldap URL we send the queries to.</div><div><br><br><hr id=3D"= zwchr"><blockquote style=3D"border-left:2px solid rgb(16, 16, 255);margin-l= eft:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;te= xt-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;">= <b>From: </b>"Andrej Bagon" &lt;andrej.bagon(a)arnes.si&gt;<br><b>To: </b>"It= amar Heim" &lt;iheim(a)redhat.com&gt;<br><b>Cc: </b>users(a)ovirt.org, "Yair Za= slavsky" &lt;yzaslavs(a)redhat.com&gt;, "Oved Ourfalli" &lt;oourfali(a)redhat.c= om><br><b>Sent: </b>Monday, March 18, 2013 9:07:06 AM<br><b>Subject: </b=

Re: [Users] ldap simple<br><br>

=20 =20 =20 =20 Hi,<br> <br> the system is trying to bind to ldap as:<br> bind request: uid=3Dcn=3Dovirt,cn=3DUsers,cn=3DAccounts,dc=3Dourdomain,= dc=3Dsi<br> <br> I dont know how it knows dc=3Dourdomain,dc=3Dsi<br> It should be<br> bind request: cn=3Dovirt,ou=3Dsystem,dc=3Dourdomain,dc=3Dsi" -b "dc=3Darnes,dc=3Dsi<br> <br> The same with the search: we have users in form as:<br> <a href=3D"mailto:edupersonprincipalname=3Dabagon@guest.arnes.si" targe= t=3D"_blank">edupersonprincipalname=3Dusername(a)users.ourdomain.si</a>,dc=3D= users,dc=3Dourdomain,dc=3Dsi<br> <br> values in database:<br> select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderT= ypes','AdUserName','AdUserPassword') order by option_id;<br>  option_id |        option_name=          |    &= nbsp;     option_value          | ve= rsion <br> -----------+----------------------------+--------------------------------+-= --------<br>         10 | AdUserName  &= nbsp;           &nbs= p;  | users.ourdomain.si:ovirt       &nbsp= ;   | general<br>         11 | AdUserPassword &nb= sp;           |users.ourdomain.si:adminpassword       | gene= ral<br>         69 | DomainName  &= nbsp;           &nbs= p;  | users.ourdomain.si            &nbsp= ;    | general<br>        130 | LDAPSecurityAuthentication| users.ourdomain.si:SIMPLE       &nbs= p;  | general<br>        132 | LdapServers  &nbsp= ;             | users.ourdomain.si:server.ourdomain.si | general<br>        133 | LDAPProviderTypes &nbsp= ;        | users.ourdomain.si:rhds        =     | general<br> (6 rows)<br> <br> Best Regards,<br> Andrej Bagon<br> <br> <br> On 03/15/2013 12:09 PM, Itamar Heim wrote: <blockquote cite=3D"mid:51430171.2010904@redhat.com">On 03/14/2013 01:58 PM, Andrej Bagon wrote: <br> <blockquote>Hi, <br> <br> is it possible to change the bind request that is sent to the ldap <br> server? The default uid=3Duser,cn=3DUsers,cn=3DAccounts,cn=3Dour,cn=3Ddomain is <br> not suitable. <br> </blockquote> <br> can you please explain why / what you would like to change it to? <br> (not sure possible now, but there is work to make it more configurable/pluggable) <br> <br> </blockquote> <br> =20 </blockquote><br></div></div></body></html> ------=_Part_8850427_1953928570.1363594171897--

Reply

Jure Kranjc

Tuesday, 19 March Tue, 19 Mar

8:50 a.m.

Reply

Yair Zaslavsky

10:26 a.m.

------=_Part_10926841_1100158565.1363706798914 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Why openldap server? We do not support openldap at the moment. ----- Original Message -----

From: "Jure Kranjc" <jure.kranjc(a)arnes.si> To: users(a)ovirt.org Sent: Tuesday, March 19, 2013 3:50:49 PM Subject: Re: [Users] ldap simple

Hi.

Further testing... - Setup: one ldap server with added user to match ovirt searches (while adding user in webadmin), - Fedora 18, engine 3.2.1, openldap-server, simple authentication, no firewalls, - with packet inspection we can see ldap responding with requested attributes - still, there are errors in logs, see below, and no users are listed in webadmin, engine fails to parse given attributes - engine-manage-domains -action=validate returns "Invalid credentials" even though binding is ok and ldap is replying with data.

Can anyone point us to some documentation on this topic? Is really AD the only good solution for user management?

engine.log 2013-03-19 15:16:53,042 ERROR [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (&(&(objectClass=person)) (|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message is: null 2013-03-19 15:16:53,043 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://ldaphost.domain.si:389 due to null. We should try the next server

server.log 2013-03-19 15:17:24,113 ERROR [org.springframework.ldap.control.AbstractRequestControlDirContextProcessor] (ajp--127.0.0.1-8702-6) No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl

On 03/18/2013 09:09 AM, Yair Zaslavsky wrote:

> Hi, > We're issuing a RootDSE query (once per LDAP domain configured). > We try to obtain from it the "defaultNamingContext" attribute. > If does not exist - we try to obtain ""NamingContexts" > We store the result at a "domainDn" (we have a data structure which > maps domains to information objects, one of the fields at the > information object is the DN of the domain) field, and we use it to > compose the full ldap URL we send the queries to.

> ----- Original Message -----

> > From: "Andrej Bagon" <andrej.bagon(a)arnes.si> > > > To: "Itamar Heim" <iheim(a)redhat.com> > > > Cc: users(a)ovirt.org , "Yair Zaslavsky" <yzaslavs(a)redhat.com> , > > "Oved > > Ourfalli" <oourfali(a)redhat.com> > > > Sent: Monday, March 18, 2013 9:07:06 AM > > > Subject: Re: [Users] ldap simple >

> > Hi, >

> > the system is trying to bind to ldap as: > > > bind request: > > uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si >

> > I dont know how it knows dc=ourdomain,dc=si > > > It should be > > > bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b > > "dc=arnes,dc=si >

> > The same with the search: we have users in form as: > > > edupersonprincipalname=username(a)users.ourdomain.si > > ,dc=users,dc=ourdomain,dc=si >

> > values in database: > > > select * from vdc_options where option_name in > > ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') > > order by option_id; > > > option_id | option_name | option_value | version > > > -----------+----------------------------+--------------------------------+--------- > > > 10 | AdUserName | users.ourdomain.si:ovirt | general > > > 11 | AdUserPassword |users.ourdomain.si:adminpassword | general > > > 69 | DomainName | users.ourdomain.si | general > > > 130 | LDAPSecurityAuthentication| users.ourdomain.si:SIMPLE | > > general > > > 132 | LdapServers | users.ourdomain.si:server.ourdomain.si | > > general > > > 133 | LDAPProviderTypes | users.ourdomain.si:rhds | general > > > (6 rows) >

> > Best Regards, > > > Andrej Bagon >

> > On 03/15/2013 12:09 PM, Itamar Heim wrote: > > > > On 03/14/2013 01:58 PM, Andrej Bagon wrote: > > >

> > > > Hi, > > > > > >

> > > > is it possible to change the bind request that is sent to the > > > > ldap > > > > > > > > > > server? The default > > > > uid=user,cn=Users,cn=Accounts,cn=our,cn=domain > > > > is > > > > > > > > > > not suitable. > > > > > >

> > > can you please explain why / what you would like to change it > > > to? > > > > > > (not sure possible now, but there is work to make it more > > > configurable/pluggable) > > >

> _______________________________________________ > Users mailing list Users(a)ovirt.org > http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users

------=_Part_10926841_1100158565.1363706798914 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 7bit <html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: times new roman,new york,times,serif; font-size: 12pt; color: #000000'>Why openldap server?<div>We do not support openldap at the moment.</div><div><br></div><div><br><hr id="zwchr"><blockquote style="border-left:2px solid rgb(16, 16, 255);margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Jure Kranjc" &lt;jure.kranjc(a)arnes.si&gt;<br><b>To: </b>users(a)ovirt.org<br><b>Sent: </b>Tuesday, March 19, 2013 3:50:49 PM<br><b>Subject: </b>Re: [Users] ldap simple<br><br> Hi.<br> <br> Further testing...<br> - Setup: one ldap server with added user to match ovirt searches (while adding user in webadmin),<br> - Fedora 18, engine 3.2.1, openldap-server, simple authentication, no firewalls,<br> - with packet inspection we can see ldap responding with requested attributes<br> - still, there are errors in logs, see below, and no users are listed in webadmin, engine fails to parse given attributes<br> - engine-manage-domains -action=validate returns "Invalid credentials" even though binding is ok and ldap is replying with data.<br> <br> Can anyone point us to some documentation on this topic?<br> Is really AD the only good solution for user management?<br> <br> engine.log<br> 2013-03-19 15:16:53,042 ERROR [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (&(&(objectClass=person)) (|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message is: null<br> 2013-03-19 15:16:53,043 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server <a class="moz-txt-link-freetext">ldap://ldaphost.domain.si:389</a> due to null. We should try the next server<br> <br> server.log<br> 2013-03-19 15:17:24,113 ERROR [org.springframework.ldap.control.AbstractRequestControlDirContextProcessor] (ajp--127.0.0.1-8702-6) No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl<br> <br> <br> <br> <div class="moz-cite-prefix">On 03/18/2013 09:09 AM, Yair Zaslavsky wrote:<br> </div> <blockquote cite="mid:357546066.8850428.1363594171898.JavaMail.root@redhat.com"> <style>p { margin: 0; }</style> <div style="font-family: times new roman,new york,times,serif; font-size: 12pt; color: #000000">Hi, <div>We're issuing a RootDSE query (once per LDAP domain configured).</div> <div>We try to obtain from it the "defaultNamingContext" attribute.</div> <div>If does not exist - we try to obtain ""NamingContexts"</div> <div>We store the result at a "domainDn" (we have a data structure which maps domains to information objects, one of the fields at the information object is the DN of the domain)  field, and we use it to compose the full ldap URL we send the queries to.</div> <div><br> <br> <hr id="zwchr"> <blockquote style="border-left:2px solid rgb(16, 16, 255);margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Andrej Bagon" <a class="moz-txt-link-rfc2396E" href="mailto:andrej.bagon@arnes.si" target="_blank">&lt;andrej.bagon(a)arnes.si&gt;</a><br> <b>To: </b>"Itamar Heim" <a class="moz-txt-link-rfc2396E" href="mailto:iheim@redhat.com" target="_blank">&lt;iheim(a)redhat.com&gt;</a><br> <b>Cc: </b><a class="moz-txt-link-abbreviated" href="mailto:users@ovirt.org" target="_blank">users(a)ovirt.org</a>, "Yair Zaslavsky" <a class="moz-txt-link-rfc2396E" href="mailto:yzaslavs@redhat.com" target="_blank">&lt;yzaslavs(a)redhat.com&gt;</a>, "Oved Ourfalli" <a class="moz-txt-link-rfc2396E" href="mailto:oourfali@redhat.com" target="_blank">&lt;oourfali(a)redhat.com&gt;</a><br> <b>Sent: </b>Monday, March 18, 2013 9:07:06 AM<br> <b>Subject: </b>Re: [Users] ldap simple<br> <br> Hi,<br> <br> the system is trying to bind to ldap as:<br> bind request: uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si<br> <br> I dont know how it knows dc=ourdomain,dc=si<br> It should be<br> bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b "dc=arnes,dc=si<br> <br> The same with the search: we have users in form as:<br> <a href="mailto:edupersonprincipalname=abagon@guest.arnes.si" target="_blank">edupersonprincipalname=username(a)users.ourdomain.si</a>,dc=users,dc=ourdomain,dc=si<br> <br> values in database:<br> select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') order by option_id;<br>  option_id |        option_name         |          option_value          | version <br> -----------+----------------------------+--------------------------------+---------<br>         10 | AdUserName                 | users.ourdomain.si:ovirt           | general<br>         11 | AdUserPassword             |users.ourdomain.si:adminpassword       | general<br>         69 | DomainName                 | users.ourdomain.si                 | general<br>        130 | LDAPSecurityAuthentication| users.ourdomain.si:SIMPLE          | general<br>        132 | LdapServers                | users.ourdomain.si:server.ourdomain.si | general<br>        133 | LDAPProviderTypes          | users.ourdomain.si:rhds            | general<br> (6 rows)<br> <br> Best Regards,<br> Andrej Bagon<br> <br> <br> On 03/15/2013 12:09 PM, Itamar Heim wrote: <blockquote cite="mid:51430171.2010904@redhat.com">On 03/14/2013 01:58 PM, Andrej Bagon wrote: <br> <blockquote>Hi, <br> <br> is it possible to change the bind request that is sent to the ldap <br> server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is <br> not suitable. <br> </blockquote> <br> can you please explain why / what you would like to change it to? <br> (not sure possible now, but there is work to make it more configurable/pluggable) <br> <br> </blockquote> <br> </blockquote> <br> </div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre>_______________________________________________ Users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Users@ovirt.org" target="_blank">Users(a)ovirt.org</a> <a class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/user... </pre> </blockquote> <br> <br>_______________________________________________<br>Users mailing list<br>Users@ovirt.org<br>http://lists.ovirt.org/mailman/listinfo/users<br></blockquote><br></div></div></body></html> ------=_Part_10926841_1100158565.1363706798914--

Reply

Itamar Heim

3:56 p.m.

On 03/19/2013 05:26 PM, Yair Zaslavsky wrote:

Why openldap server? We do not support openldap at the moment.

hopefully, the changes to auth part will make it for 3.3 to cover that, but depends on progress there.

------------------------------------------------------------------------ *From: *"Jure Kranjc" <jure.kranjc(a)arnes.si> *To: *users(a)ovirt.org *Sent: *Tuesday, March 19, 2013 3:50:49 PM *Subject: *Re: [Users] ldap simple Hi. Further testing... - Setup: one ldap server with added user to match ovirt searches (while adding user in webadmin), - Fedora 18, engine 3.2.1, openldap-server, simple authentication, no firewalls, - with packet inspection we can see ldap responding with requested attributes - still, there are errors in logs, see below, and no users are listed in webadmin, engine fails to parse given attributes - engine-manage-domains -action=validate returns "Invalid credentials" even though binding is ok and ldap is replying with data. Can anyone point us to some documentation on this topic? Is really AD the only good solution for user management? engine.log 2013-03-19 15:16:53,042 ERROR [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (&(&(objectClass=person)) (|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message is: null 2013-03-19 15:16:53,043 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://ldaphost.domain.si:389 due to null. We should try the next server server.log 2013-03-19 15:17:24,113 ERROR [org.springframework.ldap.control.AbstractRequestControlDirContextProcessor] (ajp--127.0.0.1-8702-6) No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl On 03/18/2013 09:09 AM, Yair Zaslavsky wrote: Hi, We're issuing a RootDSE query (once per LDAP domain configured). We try to obtain from it the "defaultNamingContext" attribute. If does not exist - we try to obtain ""NamingContexts" We store the result at a "domainDn" (we have a data structure which maps domains to information objects, one of the fields at the information object is the DN of the domain) field, and we use it to compose the full ldap URL we send the queries to. ------------------------------------------------------------------------ *From: *"Andrej Bagon" <andrej.bagon(a)arnes.si> *To: *"Itamar Heim" <iheim(a)redhat.com> *Cc: *users(a)ovirt.org, "Yair Zaslavsky" <yzaslavs(a)redhat.com>, "Oved Ourfalli" <oourfali(a)redhat.com> *Sent: *Monday, March 18, 2013 9:07:06 AM *Subject: *Re: [Users] ldap simple Hi, the system is trying to bind to ldap as: bind request: uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si I dont know how it knows dc=ourdomain,dc=si It should be bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b "dc=arnes,dc=si The same with the search: we have users in form as: edupersonprincipalname=username(a)users.ourdomain.si <mailto:edupersonprincipalname=abagon@guest.arnes.si>,dc=users,dc=ourdomain,dc=si values in database: select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') order by option_id; option_id | option_name | option_value | version -----------+----------------------------+--------------------------------+--------- 10 | AdUserName | users.ourdomain.si:ovirt | general 11 | AdUserPassword |users.ourdomain.si:adminpassword | general 69 | DomainName | users.ourdomain.si | general 130 | LDAPSecurityAuthentication| users.ourdomain.si:SIMPLE | general 132 | LdapServers | users.ourdomain.si:server.ourdomain.si | general 133 | LDAPProviderTypes | users.ourdomain.si:rhds | general (6 rows) Best Regards, Andrej Bagon On 03/15/2013 12:09 PM, Itamar Heim wrote: On 03/14/2013 01:58 PM, Andrej Bagon wrote: Hi, is it possible to change the bind request that is sent to the ldap server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is not suitable. can you please explain why / what you would like to change it to? (not sure possible now, but there is work to make it more configurable/pluggable) _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Reply

Jure Kranjc

5:18 p.m.

389 DS is so far working as expected. Thank you for your clarification, somehow missed that out. On 19.3.2013 21:56, Itamar Heim wrote:

On 03/19/2013 05:26 PM, Yair Zaslavsky wrote: > Why openldap server? > We do not support openldap at the moment. hopefully, the changes to auth part will make it for 3.3 to cover that, but depends on progress there. > > > ------------------------------------------------------------------------ > > *From: *"Jure Kranjc" <jure.kranjc(a)arnes.si> > *To: *users(a)ovirt.org > *Sent: *Tuesday, March 19, 2013 3:50:49 PM > *Subject: *Re: [Users] ldap simple > > Hi. > > Further testing... > - Setup: one ldap server with added user to match ovirt searches > (while adding user in webadmin), > - Fedora 18, engine 3.2.1, openldap-server, simple authentication, > no firewalls, > - with packet inspection we can see ldap responding with requested > attributes > - still, there are errors in logs, see below, and no users are > listed in webadmin, engine fails to parse given attributes > - engine-manage-domains -action=validate returns "Invalid > credentials" even though binding is ok and ldap is replying with > data. > > Can anyone point us to some documentation on this topic? > Is really AD the only good solution for user management? > > engine.log > 2013-03-19 15:16:53,042 ERROR > [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper] > (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , > filter is (&(&(objectClass=person)) > (|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message > is: null > 2013-03-19 15:16:53,043 ERROR > [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] > (ajp--127.0.0.1-8702-3) Failed ldap search server > ldap://ldaphost.domain.si:389 due to null. We should try the next > server > > server.log > 2013-03-19 15:17:24,113 ERROR > [org.springframework.ldap.control.AbstractRequestControlDirContextProcessor] > (ajp--127.0.0.1-8702-6) No matching response control found for paged > results - looking for 'class > javax.naming.ldap.PagedResultsResponseControl > > > > On 03/18/2013 09:09 AM, Yair Zaslavsky wrote: > > Hi, > We're issuing a RootDSE query (once per LDAP domain configured). > We try to obtain from it the "defaultNamingContext" attribute. > If does not exist - we try to obtain ""NamingContexts" > We store the result at a "domainDn" (we have a data structure > which maps domains to information objects, one of the fields at > the information object is the DN of the domain) field, and we > use it to compose the full ldap URL we send the queries to. > > > ------------------------------------------------------------------------ > > *From: *"Andrej Bagon" <andrej.bagon(a)arnes.si> > *To: *"Itamar Heim" <iheim(a)redhat.com> > *Cc: *users(a)ovirt.org, "Yair Zaslavsky" > <yzaslavs(a)redhat.com>, "Oved Ourfalli" <oourfali(a)redhat.com> > *Sent: *Monday, March 18, 2013 9:07:06 AM > *Subject: *Re: [Users] ldap simple > > Hi, > > the system is trying to bind to ldap as: > bind request: > uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si > > I dont know how it knows dc=ourdomain,dc=si > It should be > bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b > "dc=arnes,dc=si > > The same with the search: we have users in form as: > edupersonprincipalname=username(a)users.ourdomain.si > <mailto:edupersonprincipalname=abagon@guest.arnes.si>,dc=users,dc=ourdomain,dc=si > > values in database: > select * from vdc_options where option_name in > ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') > order by option_id; > option_id | option_name | > option_value | version > -----------+----------------------------+--------------------------------+--------- > 10 | AdUserName | > users.ourdomain.si:ovirt | general > 11 | AdUserPassword > |users.ourdomain.si:adminpassword | general > 69 | DomainName | > users.ourdomain.si | general > 130 | LDAPSecurityAuthentication| > users.ourdomain.si:SIMPLE | general > 132 | LdapServers | > users.ourdomain.si:server.ourdomain.si | general > 133 | LDAPProviderTypes | > users.ourdomain.si:rhds | general > (6 rows) > > Best Regards, > Andrej Bagon > > > On 03/15/2013 12:09 PM, Itamar Heim wrote: > > On 03/14/2013 01:58 PM, Andrej Bagon wrote: > > Hi, > > is it possible to change the bind request that is > sent to the ldap > server? The default > uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is > not suitable. > > > can you please explain why / what you would like to > change it to? > (not sure possible now, but there is work to make it > more configurable/pluggable) > > > > > > _______________________________________________ > Users mailing list > Users(a)ovirt.org > http://lists.ovirt.org/mailman/listinfo/users > > > > _______________________________________________ > Users mailing list > Users(a)ovirt.org > http://lists.ovirt.org/mailman/listinfo/users > > > > > _______________________________________________ > Users mailing list > Users(a)ovirt.org > http://lists.ovirt.org/mailman/listinfo/users >

Reply

4313

days inactive

4318

days old

users@ovirt.org

Manage subscription

7 comments

4 participants

tags (0)

participants (4)

Andrej Bagon
Itamar Heim
Jure Kranjc
Yair Zaslavsky