Re: [ovirt-users] Apache Directory Server

On Wed, Jan 24, 2018 at 1:35 PM, C Williams <cwilliams3320@gmail.com> wrote:
Hello,
Thanks for getting back with me !
Here is some info
1. Does it use RFC2307 as the schema or something else?
I have tried various flavors of the RFC2307 pre-set configs. I think I've tried most of these:
1 - 389ds
2 - 389ds RFC-2307 Schema
4 - IBM Security Directory Server
5 - IBM Security Directory Server RFC-2307 Schema
7 - Novell eDirectory RFC-2307 Schema
8 - OpenLDAP RFC-2307 Schema
9 - OpenLDAP Standard Schema
10 - Oracle Unified Directory RFC-2307 Schema
11 - RFC-2307 Schema (Generic)
12 - RHDS
13 - RHDS RFC-2307 Schema
14 - iPlanet
Those profiles were created for servers we have tested, but it's highly probable that you will need a completely new profile for Apache DS. Due to this you cannot use the setup tool, but you need to perform manual configuration as described in /usr/share/doc/ovirt-engine-extension-aaa-ldap-1.3.6/README.
2. What is the attribute name specifying available base DNs?
dc=<domain>,dc=com
No, this is the DN, but we need to know the name of the attribute within LDAP which contains the list of existing base DNs. For example, for a 389ds server using RFC2307 this information is stored in the defaultNamingContext attribute (for details you can take a look at /usr/share/ovirt-engine-extension-aaa-ldap/profiles/rfc2307-389ds.properties).
3. What is the attribute name specifying unique ID of a record?
dn: uid=<user>,ou=users,dc=<domain>,dc=com
No, this is the DN, but each record in LDAP is usually uniquely identified by a special attribute (so, for example, you can move a record to a different DN). For example, for a 389ds server using RFC2307 this unique identifier is stored in the nsUniqueId attribute (for details you can take a look at /usr/share/ovirt-engine-extension-aaa-ldap/profiles/rfc2307-389ds.properties). The above information should be available somewhere in the Apache DS documentation.
I changed the following in /usr/share/ovirt-engine-extension-aaa-ldap/setup/plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py to meet their need for port 10389 ...

    636 if self.environment[constants.LDAPEnv.PROTOCOL] == 'ldaps'
    #else (389 if port is None else port)
    else (10389 if port is None else port)
Please don't do that, files in /usr/share are read-only for users and all changes will be overwritten by the next update
I also injected the following into /var/tmp/*profile.properties prior to testing user authentication using the setup tool
Yes, that's the right way if you need to change something, but you need to perform those changes in the /etc/ovirt-engine/aaa directory; /var/tmp is used only as a temporary directory for the setup tool.
    vars.port = 10389
    pool.default.serverset.single.port = ${global:vars.port}
Thank You for Helping !!
Charles Williams
On Wed, Jan 24, 2018 at 3:50 AM, Martin Perina <mperina@redhat.com> wrote:
Hi,
officially we don't support Apache DS, but aaa-ldap is quite extensible so it should be possible to attach it to oVirt. As we don't have Apache DS installed, could you please provide us the following information?
1. Does it use RFC2307 as the schema or something else?
2. What is the attribute name specifying available base DNs?
3. What is the attribute name specifying unique ID of a record?
Ondro, any other information required?
Thanks
Martin
On Wed, Jan 24, 2018 at 3:34 AM, C Williams <cwilliams3320@gmail.com> wrote:
Hello,
Has anyone successfully connected the ovirt-engine to Apache Directory Server 2.0?
I have tried the pre-set connections offered by oVirt and have been able to connect to the server on port 10389 after adding the port to a serverset.port. I can query the directory and see users but I cannot log onto the console as a user in the directory.
If anyone has any experience/guidance on this, please let me know.
Thank You
Charles Williams
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
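Added example (not code from this thread or from ovirt-engine-extension-aaa-ldap): a toy model of the layering Martin describes, where a site profile under /etc/ovirt-engine/aaa overrides vars.port and ${global:vars.port} carries the value into pool.default.serverset.single.port, so the packaged common.py never needs patching. The ${global:...} expansion and both file contents are simplified and constructed for illustration, not the real profile format in full.

```python
"""Toy resolver for aaa-ldap style .properties layering (illustration only)."""
import re

# Simplified model of ${global:key} references; the real extension's
# variable handling is richer than this.
_REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text):
    """Parse 'key = value' lines; blank lines and # comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def merge(packaged, site):
    """The site layer (/etc/ovirt-engine/aaa) wins over the packaged one."""
    merged = dict(packaged)
    merged.update(site)
    return merged


def resolve(props):
    """Expand ${global:key} references; unknown keys are left as written."""
    out = {}
    for key, value in props.items():
        for _ in range(10):  # bound on nesting depth
            new = _REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)
            if new == value:
                break
            value = new
        out[key] = value
    return out


# Constructed sample of what a packaged profile could set (not the real
# rfc2307-389ds.properties contents) ...
PACKAGED = """
vars.port = 389
pool.default.serverset.single.port = ${global:vars.port}
"""
# ... and the site override that belongs under /etc/ovirt-engine/aaa.
SITE = """
vars.port = 10389
"""


def effective_port(packaged=PACKAGED, site=SITE):
    """Return the port the connection pool would end up using."""
    cfg = resolve(merge(parse_properties(packaged), parse_properties(site)))
    return int(cfg["pool.default.serverset.single.port"])
```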