[Users] ldap simple

Jure Kranjc jure.kranjc at arnes.si
Tue Mar 19 18:18:56 EDT 2013


389 DS is so far working as expected. Thank you for your clarification, 
I somehow missed that.

On 19.3.2013 21:56, Itamar Heim wrote:
> On 03/19/2013 05:26 PM, Yair Zaslavsky wrote:
>> Why openldap server?
>> We do not support openldap at the moment.
>
> Hopefully, the changes to the auth part will make it for 3.3 to cover 
> that, but it depends on progress there.
>
>>
>>
>> ------------------------------------------------------------------------
>>
>>     *From: *"Jure Kranjc" <jure.kranjc at arnes.si>
>>     *To: *users at ovirt.org
>>     *Sent: *Tuesday, March 19, 2013 3:50:49 PM
>>     *Subject: *Re: [Users] ldap simple
>>
>>     Hi.
>>
>>     Further testing...
>>     - Setup: one ldap server with added user to match ovirt searches
>>     (while adding user in webadmin),
>>     - Fedora 18, engine 3.2.1, openldap-server, simple authentication,
>>     no firewalls,
>>     - with packet inspection we can see ldap responding with requested
>>     attributes
>>     - still, there are errors in logs, see below, and no users are
>>     listed in webadmin, engine fails to parse given attributes
>>     - engine-manage-domains -action=validate returns "Invalid
>>     credentials" even though binding is ok and ldap is replying with 
>> data.
>>
>>     Can anyone point us to some documentation on this topic?
>>     Is really AD the only good solution for user management?
>>
>>     engine.log
>>     2013-03-19 15:16:53,042 ERROR
>>     [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper]
>>     (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is ,
>>     filter is (&(&(objectClass=person))
>>     (|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message
>>     is: null
>>     2013-03-19 15:16:53,043 ERROR
>>     [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
>>     (ajp--127.0.0.1-8702-3) Failed ldap search server
>>     ldap://ldaphost.domain.si:389 due to null. We should try the next 
>> server
>>
>>     server.log
>>     2013-03-19 15:17:24,113 ERROR
>> [org.springframework.ldap.control.AbstractRequestControlDirContextProcessor]
>>     (ajp--127.0.0.1-8702-6) No matching response control found for paged
>>     results - looking for 'class
>>     javax.naming.ldap.PagedResultsResponseControl
>>
>>
>>
>>     On 03/18/2013 09:09 AM, Yair Zaslavsky wrote:
>>
>>         Hi,
>>         We're issuing a RootDSE query (once per LDAP domain configured).
>>         We try to obtain from it the "defaultNamingContext" attribute.
>>         If it does not exist, we try to obtain "NamingContexts".
>>         We store the result in a "domainDn" field (we have a data structure
>>         which maps domains to information objects, one of the fields of
>>         the information object is the DN of the domain), and we
>>         use it to compose the full ldap URL we send the queries to.
>>
>>
>> ------------------------------------------------------------------------
>>
>>             *From: *"Andrej Bagon" <andrej.bagon at arnes.si>
>>             *To: *"Itamar Heim" <iheim at redhat.com>
>>             *Cc: *users at ovirt.org, "Yair Zaslavsky"
>>             <yzaslavs at redhat.com>, "Oved Ourfalli" <oourfali at redhat.com>
>>             *Sent: *Monday, March 18, 2013 9:07:06 AM
>>             *Subject: *Re: [Users] ldap simple
>>
>>             Hi,
>>
>>             the system is trying to bind to ldap as:
>>             bind request:
>>             uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si
>>
>>             I don't know how it knows dc=ourdomain,dc=si
>>             It should be
>>             bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b
>>             "dc=arnes,dc=si
>>
>>             The same with the search: we have users in form as:
>>             edupersonprincipalname=username at users.ourdomain.si,dc=users,dc=ourdomain,dc=si
>>
>>             values in database:
>>             select * from vdc_options where option_name in
>> ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword')
>>             order by option_id;
>>              option_id |        option_name         |              option_value              | version
>>             -----------+----------------------------+----------------------------------------+---------
>>                     10 | AdUserName                 | users.ourdomain.si:ovirt               | general
>>                     11 | AdUserPassword             | users.ourdomain.si:adminpassword       | general
>>                     69 | DomainName                 | users.ourdomain.si                     | general
>>                    130 | LDAPSecurityAuthentication | users.ourdomain.si:SIMPLE              | general
>>                    132 | LdapServers                | users.ourdomain.si:server.ourdomain.si | general
>>                    133 | LDAPProviderTypes          | users.ourdomain.si:rhds                | general
>>             (6 rows)
>>
>>             Best Regards,
>>             Andrej Bagon
>>
>>
>>             On 03/15/2013 12:09 PM, Itamar Heim wrote:
>>
>>                 On 03/14/2013 01:58 PM, Andrej Bagon wrote:
>>
>>                     Hi,
>>
>>                     is it possible to change the bind request that is
>>                     sent to the ldap
>>                     server? The default
>> uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is
>>                     not suitable.
>>
>>
>>                 can you please explain why / what you would like to
>>                 change it to?
>>                 (not sure possible now, but there is work to make it
>>                 more configurable/pluggable)
>>
>>
>>
>>
>>
>>         _______________________________________________
>>         Users mailing list
>>         Users at ovirt.org
>>         http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>>
>>
>>
>>
>>
>>
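An added illustration, not code from the thread or from oVirt: it models the domainDn lookup Yair describes (defaultNamingContext, then namingContexts, from the RootDSE), composes the bind DN in the uid=...,cn=Users,cn=Accounts,<domainDn> layout seen in the thread, and scans constructed engine.log lines for the empty "BaseDN is ," that Jure reported. The RootDSE dicts and log lines are constructed; taking the first of several namingContexts values and reading an empty BaseDN as a failed naming-context lookup are assumptions, not documented oVirt behaviour.

```python
import re
from typing import Mapping, Optional, Sequence


def resolve_domain_dn(rootdse: Mapping[str, Sequence[str]]) -> Optional[str]:
    """Return the DN oVirt would store as domainDn, or None if the RootDSE
    publishes neither attribute (the search base would then be empty).
    OpenLDAP typically publishes only namingContexts; AD and 389 DS publish both."""
    attrs = {k.lower(): list(v) for k, v in rootdse.items()}  # LDAP attribute names are case-insensitive
    for name in ("defaultnamingcontext", "namingcontexts"):
        values = attrs.get(name)
        if values:
            return values[0]  # assumption: first listed context wins when several are published
    return None


def compose_bind_dn(user: str, domain_dn: str) -> str:
    """Bind DN in the fixed layout the thread shows for the rhds provider type."""
    return f"uid={user},cn=Users,cn=Accounts,{domain_dn}"


# Matches the LDAPTemplateWrapper error and captures whatever sits between
# "BaseDN is " and ", filter is" (lazy, so a DN containing commas survives).
LOG_RE = re.compile(r"Error in running LDAP query\. BaseDN is (?P<base>.*?), filter is")


def find_empty_basedn(log_lines: Sequence[str]) -> list:
    """Return the log lines where the LDAP query ran with an empty BaseDN."""
    return [line for line in log_lines
            if (m := LOG_RE.search(line)) and m.group("base").strip() == ""]


# Constructed sample inputs (not captured from a real server or engine).
ROOTDSE_389DS = {"defaultNamingContext": ["dc=ourdomain,dc=si"],
                 "namingContexts": ["dc=ourdomain,dc=si"]}
ROOTDSE_OPENLDAP = {"namingContexts": ["dc=ourdomain,dc=si"]}
ROOTDSE_BARE = {"supportedLDAPVersion": ["3"]}
SAMPLE_LOG = [
    "2013-03-19 15:16:53,042 ERROR [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper] "
    "(ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is "
    "(&(&(objectClass=person))(|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message is: null",
    "2013-03-19 15:20:01,000 ERROR [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper] "
    "(ajp--127.0.0.1-8702-4) Error in running LDAP query. BaseDN is dc=ourdomain,dc=si, filter is "
    "(objectClass=person). Exception message is: null",
]

if __name__ == "__main__":
    for name, dse in (("389ds", ROOTDSE_389DS), ("openldap", ROOTDSE_OPENLDAP), ("bare", ROOTDSE_BARE)):
        dn = resolve_domain_dn(dse)
        print(name, "->", compose_bind_dn("ovirt", dn) if dn else "no naming context: BaseDN would be empty")
    print("empty-BaseDN log lines:", len(find_empty_basedn(SAMPLE_LOG)))
```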


