[Users] LDAP

Oved Ourfalli ovedo at redhat.com
Sun Feb 26 16:10:32 UTC 2012



----- Original Message -----
> From: "Yair Zaslavsky" <yzaslavs at redhat.com>
> To: "Nathan Stratton" <nathan at robotics.net>
> Cc: "Oved Ourfalli" <ovedo at redhat.com>, users at ovirt.org
> Sent: Sunday, February 26, 2012 5:42:08 PM
> Subject: Re: [Users] LDAP
> 
> On 02/26/2012 05:21 PM, Nathan Stratton wrote:
> > On Sun, 26 Feb 2012, Yaniv Kaul wrote:
> > 
> >> On 02/26/2012 09:46 AM, Yair Zaslavsky wrote:
> >>> On 02/26/2012 09:45 AM, Yair Zaslavsky wrote:
> >>>> On 02/26/2012 09:18 AM, Oved Ourfalli wrote:
> >>>>> Found the problem.
> >>>>> We are identifying if the LDAP server is AD or not by checking if
> >>>>> the root DSE contains the "defaultNamingContext" attribute.
> >>>>> This attribute is not in the LDAP standard, thus it appears in AD,
> >>>>> and not in IPA and RHDS...
> >>>>>
> >>>>> Looking at the rootDSE you provided it looks like it was added to
> >>>>> IPA, therefore we identify it as AD.
> >>>>>
> >>>>> Can you open us a bug on that upstream?
> >>>>> Given that issue, I think we should also provide a way to set the
> >>>>> ldap provider type (using the engine-manage-domains utility), in
> >>>>> order to workaround such issues in the future.
> >>>> Don't you think that now this key (i.e. providerType=IPA) kinda
> >>>> becomes mandatory?
> >>> Or actually, maybe we should have it optional - if set - then this
> >>> value will be used for providerType, if not - our "auto-deduction"
> >>> mechanism takes place.
> >>>
> >>> Thoughts?
> >>
> >> Drop the auto-detection.
> > 
> > That's a good point, I think the auto-detection is a bit overkill,
> > most users know what they are running. Is there something I can add
> > to the oVirt DB manually so I can skip the engine-manage-domains
> > utility for now and move forward with using FreeIPA?
> Nathan, IMHO, you will still encounter auto detection issues during
> invocation of rootDSE queries when working with ldap related flows with
> engine-core. This means you will still get the wrong provider type.
> This is something we should fix.
> Oved - am I correct here?
Yair - You are correct.
Nathan - You are more than welcome to push a fix for that upstream.
Some details on what you'll have to do:
To fix the auto-identification issue you'll have to find another attribute that can do the differentiation. Do the fix both in the utilities and in the engine core.
To create the ability to set it up you'll have to do the following:
1. Create a new configuration entry (all configuration entries are in the vdc_options table).
It will be similar to other domain related properties, such as AdUserName, LdapServers, etc.
 a. Create an upgrader to add it to the database (see <sources_dir>/backend/manager/dbscripts/upgrade for examples).
 b. Upon upgrade it should be empty.
2. Check in UsersDomainsCacheManagerService if it exists, and if so update a map of ldap provider per domain.
3. When trying to check the ldap provider type, you'll have to test first if the type already appears in the UsersDomainsCacheManagerService, and if so use that. If not, auto-identify it.
4. Make engine-manage-domains do something similar, and update this field in the database according to the user input.

We'll be happy to provide more details on that, and assist in any way.

You can start with either of the fixes. They don't have to be in the same patchset.
Yair - feel free to elaborate on other steps if you believe they are necessary.

Thank you!
Oved
> > 
> > Nathan Stratton                                CTO, BlinkMind, Inc.
> > nathan at robotics.net                         nathan at blinkmind.com
> > http://www.robotics.net                        http://www.blinkmind.com
> 
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
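The two changes Oved lays out above (stop treating the mere presence of defaultNamingContext as proof of AD, and let an explicitly configured provider type per domain win over auto-detection) are shown below as an added example written for this page. It is not oVirt code: the sample rootDSE responses are constructed, the CONFIGURED_PROVIDER map only stands in for whatever engine-manage-domains would persist in vdc_options, and the provider labels are the example's own. The one real identifier it keys on is Microsoft's documented LDAP_CAP_ACTIVE_DIRECTORY_OID (1.2.840.113556.1.4.800), which AD advertises in supportedCapabilities and which 389 DS/RHDS do not publish. Because FreeIPA runs on 389 DS, its rootDSE is indistinguishable from RHDS here; that is exactly why the explicit override matters.

```python
"""RootDSE-based LDAP provider detection with an explicit per-domain override.

Added example, not oVirt code. Sample rootDSE values are constructed; the
provider labels and CONFIGURED_PROVIDER layout are this example's own.
"""
from typing import Dict, List

RootDSE = Dict[str, List[str]]

# Microsoft's documented LDAP_CAP_ACTIVE_DIRECTORY_OID, advertised by AD in
# the rootDSE supportedCapabilities attribute.
AD_CAPABILITY_OID = "1.2.840.113556.1.4.800"

# AD-specific rootDSE attributes (lower-cased). defaultNamingContext is
# deliberately NOT in this list: 389 DS publishes it too when
# nsslapd-defaultnamingcontext is set, which FreeIPA does, and that is what
# made oVirt mis-identify IPA as AD.
AD_ONLY_ATTRS = ("rootdomainnamingcontext", "forestfunctionality",
                 "domaincontrollerfunctionality")


def _normalize(rootdse: RootDSE) -> RootDSE:
    """LDAP attribute names are case-insensitive; compare them lower-cased."""
    return {k.lower(): v for k, v in rootdse.items()}


def legacy_detect(rootdse: RootDSE) -> str:
    """The check described in the thread: AD iff defaultNamingContext exists."""
    return "AD" if "defaultnamingcontext" in _normalize(rootdse) else "RHDS/IPA"


def detect_provider(rootdse: RootDSE) -> str:
    """Deduce the provider type from attributes only AD publishes."""
    dse = _normalize(rootdse)
    if AD_CAPABILITY_OID in dse.get("supportedcapabilities", []):
        return "AD"
    if any(attr in dse for attr in AD_ONLY_ATTRS):
        return "AD"
    vendor = " ".join(dse.get("vendorname", []) + dse.get("vendorversion", [])).lower()
    if "389" in vendor or "red hat" in vendor:
        # 389 DS family. FreeIPA runs on 389 DS and looks identical here, so
        # IPA cannot be told apart from RHDS without explicit configuration.
        return "RHDS/IPA"
    return "unknown"


def resolve_provider(domain: str, configured: Dict[str, str], rootdse: RootDSE) -> str:
    """Step 3 of the thread: an explicit provider type for the domain wins;
    auto-detection runs only when nothing is configured for that domain."""
    explicit = configured.get(domain.lower())
    return explicit if explicit else detect_provider(rootdse)


# --- constructed sample rootDSE responses (not captured from real servers) ---
AD_ROOTDSE: RootDSE = {
    "defaultNamingContext": ["DC=corp,DC=example,DC=com"],
    "rootDomainNamingContext": ["DC=corp,DC=example,DC=com"],
    "supportedCapabilities": ["1.2.840.113556.1.4.800", "1.2.840.113556.1.4.1670"],
    "domainControllerFunctionality": ["4"],
}
IPA_ROOTDSE: RootDSE = {           # 389 DS with defaultNamingContext set by IPA
    "defaultNamingContext": ["dc=ipa,dc=example,dc=com"],
    "namingContexts": ["dc=ipa,dc=example,dc=com"],
    "vendorName": ["389 Project"],
    "vendorVersion": ["389-Directory/1.2.10"],
}
RHDS_ROOTDSE: RootDSE = {          # plain RHDS/389 DS, no defaultNamingContext
    "namingContexts": ["dc=example,dc=com"],
    "vendorName": ["389 Project"],
    "vendorVersion": ["389-Directory/1.2.10"],
}

# Hypothetical per-domain provider type, standing in for what
# engine-manage-domains would store (vdc_options layout not reproduced).
CONFIGURED_PROVIDER = {"ipa.example.com": "IPA"}

if __name__ == "__main__":
    for name, dse in (("AD", AD_ROOTDSE), ("IPA", IPA_ROOTDSE), ("RHDS", RHDS_ROOTDSE)):
        print(f"{name:5} legacy={legacy_detect(dse):9} fixed={detect_provider(dse)}")
    print("ipa.example.com ->",
          resolve_provider("ipa.example.com", CONFIGURED_PROVIDER, IPA_ROOTDSE))
```

Running it shows the failure from the thread directly: legacy_detect labels the IPA rootDSE "AD" because defaultNamingContext is present, while detect_provider no longer does. In a real deployment the rootDSE is obtained with a base-scope search on the empty DN requesting the operational attributes; only the classification logic is shown here.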