[Users] ldap simple
Itamar Heim
iheim at redhat.com
Tue Mar 19 16:56:32 EDT 2013
On 03/19/2013 05:26 PM, Yair Zaslavsky wrote:
> Why openldap server?
> We do not support openldap at the moment.
hopefully, the changes to auth part will make it for 3.3 to cover that,
but depends on progress there.
>
>
> ------------------------------------------------------------------------
>
> *From: *"Jure Kranjc" <jure.kranjc at arnes.si>
> *To: *users at ovirt.org
> *Sent: *Tuesday, March 19, 2013 3:50:49 PM
> *Subject: *Re: [Users] ldap simple
>
> Hi.
>
> Further testing...
> - Setup: one ldap server with added user to match ovirt searches
> (while adding user in webadmin),
> - Fedora 18, engine 3.2.1, openldap-server, simple authentication,
> no firewalls,
> - with packet inspection we can see ldap responding with requested
> attributes
> - still, there are errors in logs, see below, and no users are
> listed in webadmin, engine fails to parse given attributes
> - engine-manage-domains -action=validate returns "Invalid
> credentials" even though binding is ok and ldap is replying with data.
>
> Can anyone point us to some documentation on this topic?
> Is really AD the only good solution for user management?
>
> engine.log
> 2013-03-19 15:16:53,042 ERROR
> [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper]
> (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is ,
> filter is (&(&(objectClass=person))
> (|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message
> is: null
> 2013-03-19 15:16:53,043 ERROR
> [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
> (ajp--127.0.0.1-8702-3) Failed ldap search server
> ldap://ldaphost.domain.si:389 due to null. We should try the next server
>
> server.log
> 2013-03-19 15:17:24,113 ERROR
> [org.springframework.ldap.control.AbstractRequestControlDirContextProcessor]
> (ajp--127.0.0.1-8702-6) No matching response control found for paged
> results - looking for 'class
> javax.naming.ldap.PagedResultsResponseControl
>
>
>
> On 03/18/2013 09:09 AM, Yair Zaslavsky wrote:
>
> Hi,
> We're issuing a RootDSE query (once per LDAP domain configured).
> We try to obtain from it the "defaultNamingContext" attribute.
> If does not exist - we try to obtain ""NamingContexts"
> We store the result at a "domainDn" (we have a data structure
> which maps domains to information objects, one of the fields at
> the information object is the DN of the domain) field, and we
> use it to compose the full ldap URL we send the queries to.
>
>
> ------------------------------------------------------------------------
>
> *From: *"Andrej Bagon" <andrej.bagon at arnes.si>
> *To: *"Itamar Heim" <iheim at redhat.com>
> *Cc: *users at ovirt.org, "Yair Zaslavsky"
> <yzaslavs at redhat.com>, "Oved Ourfalli" <oourfali at redhat.com>
> *Sent: *Monday, March 18, 2013 9:07:06 AM
> *Subject: *Re: [Users] ldap simple
>
> Hi,
>
> the system is trying to bind to ldap as:
> bind request:
> uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si
>
> I dont know how it knows dc=ourdomain,dc=si
> It should be
> bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b
> "dc=arnes,dc=si
>
> The same with the search: we have users in form as:
> edupersonprincipalname=username at users.ourdomain.si
> <mailto:edupersonprincipalname=abagon at guest.arnes.si>,dc=users,dc=ourdomain,dc=si
>
> values in database:
> select * from vdc_options where option_name in
> ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword')
> order by option_id;
> option_id | option_name |
> option_value | version
> -----------+----------------------------+--------------------------------+---------
> 10 | AdUserName |
> users.ourdomain.si:ovirt | general
> 11 | AdUserPassword
> |users.ourdomain.si:adminpassword | general
> 69 | DomainName |
> users.ourdomain.si | general
> 130 | LDAPSecurityAuthentication|
> users.ourdomain.si:SIMPLE | general
> 132 | LdapServers |
> users.ourdomain.si:server.ourdomain.si | general
> 133 | LDAPProviderTypes |
> users.ourdomain.si:rhds | general
> (6 rows)
>
> Best Regards,
> Andrej Bagon
>
>
> On 03/15/2013 12:09 PM, Itamar Heim wrote:
>
> On 03/14/2013 01:58 PM, Andrej Bagon wrote:
>
> Hi,
>
> is it possible to change the bind request that is
> sent to the ldap
> server? The default
> uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is
> not suitable.
>
>
> can you please explain why / what you would like to
> change it to?
> (not sure possible now, but there is work to make it
> more configurable/pluggable)
>
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
More information about the Users
mailing list