[Users] ldap simple
Jure Kranjc
jure.kranjc at arnes.si
Tue Mar 19 18:18:56 EDT 2013
389 DS is so far working as expected. Thank you for your clarification;
somehow I missed that.
On 19.3.2013 21:56, Itamar Heim wrote:
> On 03/19/2013 05:26 PM, Yair Zaslavsky wrote:
>> Why openldap server?
>> We do not support openldap at the moment.
>
> hopefully, the changes to auth part will make it for 3.3 to cover
> that, but depends on progress there.
>
>>
>>
>> ------------------------------------------------------------------------
>>
>> *From: *"Jure Kranjc" <jure.kranjc at arnes.si>
>> *To: *users at ovirt.org
>> *Sent: *Tuesday, March 19, 2013 3:50:49 PM
>> *Subject: *Re: [Users] ldap simple
>>
>> Hi.
>>
>> Further testing...
>> - Setup: one ldap server with added user to match ovirt searches
>> (while adding user in webadmin),
>> - Fedora 18, engine 3.2.1, openldap-server, simple authentication,
>> no firewalls,
>> - with packet inspection we can see ldap responding with requested
>> attributes
>> - still, there are errors in logs, see below, and no users are
>> listed in webadmin, engine fails to parse given attributes
>> - engine-manage-domains -action=validate returns "Invalid
>> credentials" even though binding is ok and ldap is replying with
>> data.
>>
>> Can anyone point us to some documentation on this topic?
>> Is really AD the only good solution for user management?
>>
>> engine.log
>> 2013-03-19 15:16:53,042 ERROR
>> [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper]
>> (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is ,
>> filter is (&(&(objectClass=person))
>> (|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message
>> is: null
>> 2013-03-19 15:16:53,043 ERROR
>> [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
>> (ajp--127.0.0.1-8702-3) Failed ldap search server
>> ldap://ldaphost.domain.si:389 due to null. We should try the next
>> server
>>
>> server.log
>> 2013-03-19 15:17:24,113 ERROR
>> [org.springframework.ldap.control.AbstractRequestControlDirContextProcessor]
>> (ajp--127.0.0.1-8702-6) No matching response control found for paged
>> results - looking for 'class
>> javax.naming.ldap.PagedResultsResponseControl
>>
>>
>>
>> On 03/18/2013 09:09 AM, Yair Zaslavsky wrote:
>>
>> Hi,
>> We're issuing a RootDSE query (once per LDAP domain configured).
>> We try to obtain from it the "defaultNamingContext" attribute.
>> If it does not exist, we try to obtain "NamingContexts".
>> We store the result at a "domainDn" (we have a data structure
>> which maps domains to information objects, one of the fields at
>> the information object is the DN of the domain) field, and we
>> use it to compose the full ldap URL we send the queries to.
>>
>>
>> ------------------------------------------------------------------------
>>
>> *From: *"Andrej Bagon" <andrej.bagon at arnes.si>
>> *To: *"Itamar Heim" <iheim at redhat.com>
>> *Cc: *users at ovirt.org, "Yair Zaslavsky"
>> <yzaslavs at redhat.com>, "Oved Ourfalli" <oourfali at redhat.com>
>> *Sent: *Monday, March 18, 2013 9:07:06 AM
>> *Subject: *Re: [Users] ldap simple
>>
>> Hi,
>>
>> the system is trying to bind to ldap as:
>> bind request:
>> uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si
>>
>> I don't know how it knows dc=ourdomain,dc=si
>> It should be
>> bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b
>> "dc=arnes,dc=si
>>
>> The same with the search: we have users in the form:
>> edupersonprincipalname=username at users.ourdomain.si,dc=users,dc=ourdomain,dc=si
>>
>> values in database:
>> select * from vdc_options where option_name in
>> ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword')
>> order by option_id;
>>  option_id | option_name                | option_value                           | version
>> -----------+----------------------------+----------------------------------------+---------
>>         10 | AdUserName                 | users.ourdomain.si:ovirt               | general
>>         11 | AdUserPassword             | users.ourdomain.si:adminpassword       | general
>>         69 | DomainName                 | users.ourdomain.si                     | general
>>        130 | LDAPSecurityAuthentication | users.ourdomain.si:SIMPLE              | general
>>        132 | LdapServers                | users.ourdomain.si:server.ourdomain.si | general
>>        133 | LDAPProviderTypes          | users.ourdomain.si:rhds                | general
>> (6 rows)
>>
>> Best Regards,
>> Andrej Bagon
>>
>>
>> On 03/15/2013 12:09 PM, Itamar Heim wrote:
>>
>> On 03/14/2013 01:58 PM, Andrej Bagon wrote:
>>
>> Hi,
>>
>> is it possible to change the bind request that is
>> sent to the ldap
>> server? The default
>> uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is
>> not suitable.
>>
>>
>> can you please explain why / what you would like to
>> change it to?
>> (not sure possible now, but there is work to make it
>> more configurable/pluggable)
>>
>>
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
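Worked example, added to this archive page and not code from oVirt or from anyone in the thread: the base-DN discovery step Yair describes (RootDSE query, prefer "defaultNamingContext", fall back to "NamingContexts", store the result as the domain DN and build the LDAP URL from it), together with the check that turns an unresolved domain DN into an explicit error instead of the "BaseDN is ," query visible in the engine.log above. The LDIF text, host names and DNs are constructed sample data; the function names, the `ldapsearch` invocation in the comments and the bind-DN template (taken from the shape Andrej quotes, `uid=user,cn=Users,cn=Accounts,...`) are assumptions for illustration, not oVirt's real API.

```python
import base64
from typing import Dict, List

# Constructed sample: what an OpenLDAP-style RootDSE query such as
#   ldapsearch -x -H ldap://ldaphost.domain.si -s base -b "" '(objectClass=*)' \
#       defaultNamingContext namingContexts
# might print. OpenLDAP here lists only namingContexts (no defaultNamingContext),
# which is exactly the case that exercises the fallback path.
OPENLDAP_ROOTDSE_LDIF = """\
dn:
namingContexts: dc=ourdomain,dc=si
namingContexts: dc=users,
 dc=ourdomain,dc=si
"""

# Constructed sample for a server that publishes defaultNamingContext
# (the attribute name is returned here in lower case on purpose).
DS_ROOTDSE_LDIF = """\
dn:
defaultnamingcontext: dc=ourdomain,dc=si
namingContexts: dc=ourdomain,dc=si
namingContexts: o=netscaperoot
"""


def parse_rootdse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse RootDSE LDIF into {attribute: [values]}.

    Handles folded lines (continuation lines start with one space) and
    base64 values written as 'attr:: <base64>'. The empty 'dn:' line of the
    RootDSE is not an attribute and is skipped.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    attrs: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            continue
        attrs.setdefault(name, []).append(value)
    return attrs


def attr(rootdse: Dict[str, List[str]], name: str) -> List[str]:
    """LDAP attribute names are case-insensitive; look the name up that way."""
    wanted = name.lower()
    for key, values in rootdse.items():
        if key.lower() == wanted:
            return list(values)
    return []


def resolve_domain_dn(rootdse: Dict[str, List[str]]) -> str:
    """Prefer defaultNamingContext; otherwise take the first non-empty
    namingContexts value. Raise instead of returning '' so the caller never
    issues a search with an empty base DN."""
    default = [v for v in attr(rootdse, "defaultNamingContext") if v.strip()]
    if default:
        return default[0]
    contexts = [v for v in attr(rootdse, "namingContexts") if v.strip()]
    if contexts:
        return contexts[0]
    raise ValueError("RootDSE exposes neither defaultNamingContext nor namingContexts")


def compose_search_url(server: str, domain_dn: str) -> str:
    """Build the LDAP URL the user search is sent to: ldap://host:port/<domain DN>.
    An empty domain DN is refused here; in the thread it surfaced only later
    as 'Error in running LDAP query. BaseDN is ,'."""
    if not domain_dn.strip():
        raise ValueError("refusing to search with an empty base DN")
    scheme_host = server if "://" in server else f"ldap://{server}"
    return f"{scheme_host}/{domain_dn}"


def default_bind_dn(user: str, domain_dn: str) -> str:
    """Bind DN template in the shape the thread reports (assumed, for illustration)."""
    return f"uid={user},cn=Users,cn=Accounts,{domain_dn}"


if __name__ == "__main__":
    for label, ldif in (("openldap", OPENLDAP_ROOTDSE_LDIF), ("ds", DS_ROOTDSE_LDIF)):
        dn = resolve_domain_dn(parse_rootdse_ldif(ldif))
        print(label, compose_search_url("ldaphost.domain.si:389", dn), default_bind_dn("ovirt", dn))
```

Running the script against the OpenLDAP-style sample yields the domain DN from the first namingContexts value, while the DS-style sample short-circuits on defaultnamingcontext regardless of its case; a RootDSE that exposes neither raises before any search URL is built.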