[Users] webadmin login issues with AD
Keith Mitchell
kamitch at cisco.com
Sun Mar 3 12:28:38 UTC 2013
On 3/3/13 6:57 AM, Yair Zaslavsky wrote:
> Please elaborate on "quite a few groups" - actually this is a well known issue.
> I was afraid you might have permissions on "too many objects" or that the account is a member of too many groups.
> However, being a member of too many groups should have caused the search to be slow/hang as well.
I don't have an exact count, but I think it's along the order of
magnitude of 300-400.
I didn't notice the searches (when trying to add the account to the
ovirt permissions) were unbearably slow like the logins.
But why does ovirt even care about the groups? I thought it was only
using AD for authentication and that the authorization was all done
internally through the permissions granted. Or is that just a standard
"library" that ovirt is using that is doing this?
I don't suppose there is a workaround?
> Hi, you can look at the following link -
>
> http://docs.oracle.com/javase/jndi/tutorial/ldap/security/sasl.html
>
> we support changing sasl_qop. You can use engine-config to do that.
> engine-config -s sasl_qop=auth will change Quality of Protection to be only at authentication.
> Please let us know if using that you will be able to see the ldap queries (i.e. have them plain and not encrypted)
Ok, yeah that allows me to see the ldap requests...
Looks like it's going through all of the groups I am a member of and
doing a search on each one. And in a not so terribly efficient way
(connect/bind/search/close... repeat).
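
The per-group connect/bind/search/close pattern described above can be confirmed from a decoded capture of the LDAP traffic. The following Python is an added example, not part of the original message or of oVirt; the trace, DNs and timings are constructed, and `summarize` and `project` are hypothetical helper names.

```python
from collections import defaultdict

# Constructed sample: LDAP operations as decoded from a capture taken with
# sasl_qop=auth. Tuples are (seconds, connection id, operation, search base).
# The DNs and timings are invented for illustration.
TRACE = [
    (0.00, 1, "bind", None),
    (0.05, 1, "search", "CN=jdoe,OU=Users,DC=example,DC=com"),
    (0.10, 1, "unbind", None),
    (0.40, 2, "bind", None),
    (0.45, 2, "search", "CN=grp-a,OU=Groups,DC=example,DC=com"),
    (0.50, 2, "unbind", None),
    (0.80, 3, "bind", None),
    (0.85, 3, "search", "CN=grp-b,OU=Groups,DC=example,DC=com"),
    (0.90, 3, "unbind", None),
    (1.20, 4, "bind", None),
    (1.25, 4, "search", "CN=grp-c,OU=Groups,DC=example,DC=com"),
    (1.30, 4, "unbind", None),
]


def summarize(trace):
    """Group operations by connection and report connection churn."""
    conns = defaultdict(list)
    for ts, conn, op, base in trace:
        conns[conn].append((ts, op, base))
    one_shot, bases = 0, []  # one_shot: connections used for a single search
    for ops in conns.values():
        ops.sort(key=lambda o: o[0])
        bases += [base for _, op, base in ops if op == "search"]
        if [op for _, op, _ in ops] == ["bind", "search", "unbind"]:
            one_shot += 1
    times = [ts for ts, *_ in trace]
    elapsed = max(times) - min(times)
    return {
        "connections": len(conns),
        "searches": len(bases),
        "one_shot_connections": one_shot,
        "elapsed": round(elapsed, 2),
        "per_connection": round(elapsed / len(conns), 3),
    }


def project(summary, groups):
    """Estimate lookup time if every group costs one more connection."""
    return round(summary["per_connection"] * (groups + 1), 1)
```

With `sasl_qop=auth` the directory traffic is neither integrity-protected nor encrypted, so that setting belongs to the duration of the capture only.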