[Users] ldap simple

Hi, is it possible to change the bind request that is sent to the ldap server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is not suitable. Thank you.

On 03/14/2013 01:58 PM, Andrej Bagon wrote:
Hi,
is it possible to change the bind request that is sent to the ldap server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is not suitable.
can you please explain why / what you would like to change it to? (not sure possible now, but there is work to make it more configurable/pluggable)

Hi,

the system is trying to bind to ldap as:
bind request: uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si

I don't know how it knows dc=ourdomain,dc=si
It should be
bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b "dc=arnes,dc=si

The same with the search: we have users in form as:
edupersonprincipalname=username@users.ourdomain.si,dc=users,dc=ourdomain,dc=si

values in database:
select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') order by option_id;
 option_id | option_name                | option_value                           | version
-----------+----------------------------+----------------------------------------+---------
        10 | AdUserName                 | users.ourdomain.si:ovirt               | general
        11 | AdUserPassword             | users.ourdomain.si:adminpassword       | general
        69 | DomainName                 | users.ourdomain.si                     | general
       130 | LDAPSecurityAuthentication | users.ourdomain.si:SIMPLE              | general
       132 | LdapServers                | users.ourdomain.si:server.ourdomain.si | general
       133 | LDAPProviderTypes          | users.ourdomain.si:rhds                | general
(6 rows)

Best Regards,
Andrej Bagon

On 03/15/2013 12:09 PM, Itamar Heim wrote:
On 03/14/2013 01:58 PM, Andrej Bagon wrote:
Hi,
is it possible to change the bind request that is sent to the ldap server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is not suitable.
can you please explain why / what you would like to change it to? (not sure possible now, but there is work to make it more configurable/pluggable)

Hi,
We're issuing a RootDSE query (once per LDAP domain configured).
We try to obtain from it the "defaultNamingContext" attribute.
If it does not exist, we try to obtain "NamingContexts".
We store the result at a "domainDn" field (we have a data structure which maps domains to information objects; one of the fields at the information object is the DN of the domain), and we use it to compose the full ldap URL we send the queries to.

----- Original Message -----
From: "Andrej Bagon" <andrej.bagon@arnes.si>
To: "Itamar Heim" <iheim@redhat.com>
Cc: users@ovirt.org, "Yair Zaslavsky" <yzaslavs@redhat.com>, "Oved Ourfalli" <oourfali@redhat.com>
Sent: Monday, March 18, 2013 9:07:06 AM
Subject: Re: [Users] ldap simple

Hi,

the system is trying to bind to ldap as:
bind request: uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si

I don't know how it knows dc=ourdomain,dc=si
It should be
bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b "dc=arnes,dc=si

The same with the search: we have users in form as:
edupersonprincipalname=username@users.ourdomain.si,dc=users,dc=ourdomain,dc=si

values in database:
select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') order by option_id;
 option_id | option_name                | option_value                           | version
-----------+----------------------------+----------------------------------------+---------
        10 | AdUserName                 | users.ourdomain.si:ovirt               | general
        11 | AdUserPassword             | users.ourdomain.si:adminpassword       | general
        69 | DomainName                 | users.ourdomain.si                     | general
       130 | LDAPSecurityAuthentication | users.ourdomain.si:SIMPLE              | general
       132 | LdapServers                | users.ourdomain.si:server.ourdomain.si | general
       133 | LDAPProviderTypes          | users.ourdomain.si:rhds                | general
(6 rows)

Best Regards,
Andrej Bagon
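The RootDSE lookup Yair describes, as an added example that is not oVirt's own code: it builds the LDAP SearchRequest for the RootDSE (base "", scope baseObject, filter (objectClass=*)), decodes a SearchResultEntry with a small pure-stdlib BER decoder, and applies the defaultNamingContext-then-namingContexts fallback. The server replies are constructed, not captured, and the third sample shows the case where neither attribute is published, which leaves the domain DN empty, the same empty BaseDN that appears in the engine.log excerpt later in the thread.

```python
"""Minimal LDAP RootDSE probe: build the SearchRequest the engine would send,
parse a SearchResultEntry, and pick the domain DN the way the thread describes
(defaultNamingContext, then namingContexts, else nothing). Pure stdlib BER."""
from __future__ import annotations

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def rootdse_search_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { msg_id, SearchRequest }: base "", scope baseObject,
    filter (objectClass=*), asking only for the two naming-context attributes."""
    attrs = b"".join(tlv(0x04, a) for a in (b"defaultNamingContext", b"namingContexts"))
    search = (
        tlv(0x04, b"")               # baseObject: empty DN = the RootDSE
        + tlv(0x0A, b"\x00")         # scope: baseObject
        + tlv(0x0A, b"\x00")         # derefAliases: neverDerefAliases
        + ber_int(0) + ber_int(0)    # sizeLimit, timeLimit: no client limit
        + tlv(0x01, b"\x00")         # typesOnly: FALSE
        + tlv(0x87, b"objectClass")  # filter: present(objectClass), i.e. (objectClass=*)
        + tlv(0x30, attrs)           # attributes requested
    )
    return tlv(0x30, ber_int(msg_id) + tlv(0x63, search))  # 0x63 = [APPLICATION 3]

def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position just after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low bits give the number of length octets
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def parse_rootdse_entry(msg: bytes) -> dict[str, list[str]]:
    """Decode one LDAPMessage carrying a SearchResultEntry into {attr: [values]}.
    Anything else (e.g. a SearchResultDone with no entry) yields an empty dict."""
    _, body, _ = read_tlv(msg, 0)
    _, _msg_id, pos = read_tlv(body, 0)
    op_tag, entry, _ = read_tlv(body, pos)
    if op_tag != 0x64:  # 0x64 = [APPLICATION 4] SearchResultEntry
        return {}
    _, _dn, pos = read_tlv(entry, 0)
    _, attr_list, _ = read_tlv(entry, pos)
    out: dict[str, list[str]] = {}
    pos = 0
    while pos < len(attr_list):
        _, attr, pos = read_tlv(attr_list, pos)
        _, name, p = read_tlv(attr, 0)
        _, vals, _ = read_tlv(attr, p)
        values, q = [], 0
        while q < len(vals):
            _, v, q = read_tlv(vals, q)
            values.append(v.decode())
        out[name.decode()] = values
    return out

def pick_domain_dn(rootdse: dict[str, list[str]]) -> str:
    """Fallback order from the thread; an empty string is what ends up as the
    empty BaseDN seen in the engine.log excerpt."""
    for attr in ("defaultNamingContext", "namingContexts"):
        if rootdse.get(attr):
            return rootdse[attr][0]
    return ""

def build_entry(attrs: dict[str, list[str]], msg_id: int = 1) -> bytes:
    """Constructed server reply (not a capture): a RootDSE SearchResultEntry."""
    attr_list = b"".join(
        tlv(0x30, tlv(0x04, k.encode()) + tlv(0x31, b"".join(tlv(0x04, v.encode()) for v in vs)))
        for k, vs in attrs.items()
    )
    return tlv(0x30, ber_int(msg_id) + tlv(0x64, tlv(0x04, b"") + tlv(0x30, attr_list)))

if __name__ == "__main__":
    # Constructed RootDSE replies: one publishing defaultNamingContext, one with only
    # namingContexts, one with neither (the case that leaves the BaseDN empty).
    for attrs in ({"defaultNamingContext": ["dc=ourdomain,dc=si"], "namingContexts": ["cn=config"]},
                  {"namingContexts": ["dc=users,dc=ourdomain,dc=si"]}, {}):
        print(repr(pick_domain_dn(parse_rootdse_entry(build_entry(attrs)))))
```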

Why openldap server?
We do not support openldap at the moment.

----- Original Message -----
From: "Jure Kranjc" <jure.kranjc@arnes.si>
To: users@ovirt.org
Sent: Tuesday, March 19, 2013 3:50:49 PM
Subject: Re: [Users] ldap simple

Hi.

Further testing...
- Setup: one ldap server with added user to match ovirt searches (while adding user in webadmin),
- Fedora 18, engine 3.2.1, openldap-server, simple authentication, no firewalls,
- with packet inspection we can see ldap responding with requested attributes
- still, there are errors in logs, see below, and no users are listed in webadmin, engine fails to parse given attributes
- engine-manage-domains -action=validate returns "Invalid credentials" even though binding is ok and ldap is replying with data.

Can anyone point us to some documentation on this topic?
Is really AD the only good solution for user management?

engine.log
2013-03-19 15:16:53,042 ERROR [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (&(&(objectClass=person)) (|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message is: null
2013-03-19 15:16:53,043 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://ldaphost.domain.si:389 due to null. We should try the next server

server.log
2013-03-19 15:17:24,113 ERROR [org.springframework.ldap.control.AbstractRequestControlDirContextProcessor] (ajp--127.0.0.1-8702-6) No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl
_______________________________________________
Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

On 03/19/2013 05:26 PM, Yair Zaslavsky wrote:
Why openldap server? We do not support openldap at the moment.
hopefully, the changes to auth part will make it for 3.3 to cover that, but depends on progress there.

389 DS is so far working as expected. Thank you for your clarification, somehow missed that out.

On 19.3.2013 21:56, Itamar Heim wrote:
On 03/19/2013 05:26 PM, Yair Zaslavsky wrote:
Why openldap server? We do not support openldap at the moment.
hopefully, the changes to auth part will make it for 3.3 to cover that, but depends on progress there.