[Users] ldap simple

Yair Zaslavsky yzaslavs at redhat.com
Tue Mar 19 15:26:38 UTC 2013


Why openldap server? 
We do not support openldap at the moment. 

----- Original Message -----

> From: "Jure Kranjc" <jure.kranjc at arnes.si>
> To: users at ovirt.org
> Sent: Tuesday, March 19, 2013 3:50:49 PM
> Subject: Re: [Users] ldap simple

> Hi.

> Further testing...
> - Setup: one ldap server with added user to match ovirt searches
> (while adding user in webadmin),
> - Fedora 18, engine 3.2.1, openldap-server, simple authentication, no
> firewalls,
> - with packet inspection we can see ldap responding with requested
> attributes
> - still, there are errors in logs, see below, and no users are listed
> in webadmin, engine fails to parse given attributes
> - engine-manage-domains -action=validate returns "Invalid
> credentials" even though binding is ok and ldap is replying with
> data.

> Can anyone point us to some documentation on this topic?
> Is really AD the only good solution for user management?

> engine.log
> 2013-03-19 15:16:53,042 ERROR
> [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper]
> (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is ,
> filter is (&(&(objectClass=person))
> (|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message
> is: null
> 2013-03-19 15:16:53,043 ERROR
> [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
> (ajp--127.0.0.1-8702-3) Failed ldap search server
> ldap://ldaphost.domain.si:389 due to null. We should try the next
> server

> server.log
> 2013-03-19 15:17:24,113 ERROR
> [org.springframework.ldap.control.AbstractRequestControlDirContextProcessor]
> (ajp--127.0.0.1-8702-6) No matching response control found for paged
> results - looking for 'class
> javax.naming.ldap.PagedResultsResponseControl

> On 03/18/2013 09:09 AM, Yair Zaslavsky wrote:

> > Hi,
> >
> > We're issuing a RootDSE query (once per LDAP domain configured).
> > We try to obtain from it the "defaultNamingContext" attribute.
> > If it does not exist, we try to obtain "NamingContexts".
> > We store the result at a "domainDn" field (we have a data structure which
> > maps domains to information objects, one of the fields at the
> > information object is the DN of the domain), and we use it to
> > compose the full ldap URL we send the queries to.

> > ----- Original Message -----
> >
> > > From: "Andrej Bagon" <andrej.bagon at arnes.si>
> > > To: "Itamar Heim" <iheim at redhat.com>
> > > Cc: users at ovirt.org, "Yair Zaslavsky" <yzaslavs at redhat.com>, "Oved Ourfalli" <oourfali at redhat.com>
> > > Sent: Monday, March 18, 2013 9:07:06 AM
> > > Subject: Re: [Users] ldap simple

> > > Hi,
> > >
> > > the system is trying to bind to ldap as:
> > >
> > > bind request:
> > > uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si
> > >
> > > I don't know how it knows dc=ourdomain,dc=si
> > >
> > > It should be
> > >
> > > bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b "dc=arnes,dc=si
> > >
> > > The same with the search: we have users in form as:
> > >
> > > edupersonprincipalname=username at users.ourdomain.si,dc=users,dc=ourdomain,dc=si

> > > values in database:
> > >
> > > select * from vdc_options where option_name in
> > > ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword')
> > > order by option_id;
> > >
> > >  option_id | option_name                | option_value                           | version
> > > -----------+----------------------------+----------------------------------------+---------
> > >         10 | AdUserName                 | users.ourdomain.si:ovirt               | general
> > >         11 | AdUserPassword             | users.ourdomain.si:adminpassword       | general
> > >         69 | DomainName                 | users.ourdomain.si                     | general
> > >        130 | LDAPSecurityAuthentication | users.ourdomain.si:SIMPLE              | general
> > >        132 | LdapServers                | users.ourdomain.si:server.ourdomain.si | general
> > >        133 | LDAPProviderTypes          | users.ourdomain.si:rhds                | general
> > > (6 rows)

> > > Best Regards,
> > > Andrej Bagon

> > > On 03/15/2013 12:09 PM, Itamar Heim wrote:
> > > > On 03/14/2013 01:58 PM, Andrej Bagon wrote:
> > > > > Hi,
> > > > >
> > > > > is it possible to change the bind request that is sent to the
> > > > > ldap server? The default
> > > > > uid=user,cn=Users,cn=Accounts,cn=our,cn=domain
> > > > > is not suitable.
> > > >
> > > > can you please explain why / what you would like to change it
> > > > to?
> > > > (not sure possible now, but there is work to make it more
> > > > configurable/pluggable)

> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
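The domain-DN lookup Yair describes above (RootDSE defaultNamingContext first, then NamingContexts), as an added example that is not code from the thread or from oVirt: it parses a constructed ldapsearch-style RootDSE LDIF, reports the base DN the engine would end up with (and the empty-BaseDN case from the engine.log error), and checks whether the server advertises the RFC 2696 paged results control, whose OID is supplied here and is not stated in the thread.

```python
"""Added example, not oVirt code: resolve the domain DN the way the thread
describes (RootDSE defaultNamingContext, then namingContexts) from an
ldapsearch-style LDIF, and check for the paged results control."""
from typing import Dict, List, Optional

# RFC 2696 simple paged results control OID (not stated in the thread).
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"

# Constructed sample: an OpenLDAP-style RootDSE with namingContexts but
# no defaultNamingContext (that attribute is Active Directory specific).
SAMPLE_LDIF = """\
dn:
namingContexts: dc=users,dc=ourdomain,dc=si
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.3.4.2
supportedLDAPVersion: 3
"""


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse a single-entry LDIF into attribute -> values (lower-cased keys)."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def resolve_domain_dn(rootdse: Dict[str, List[str]]) -> Optional[str]:
    """defaultNamingContext first, then namingContexts. None means the
    engine would search with an empty BaseDN ('BaseDN is ,' in the log)."""
    for attr in ("defaultnamingcontext", "namingcontexts"):
        values = [v for v in rootdse.get(attr, []) if v]
        if values:
            return values[0]
    return None


def supports_paged_results(rootdse: Dict[str, List[str]]) -> bool:
    """True if the server advertises the paged results control whose
    response control the server.log entry reports as missing."""
    return PAGED_RESULTS_OID in rootdse.get("supportedcontrol", [])


if __name__ == "__main__":
    dse = parse_ldif(SAMPLE_LDIF)
    print("domain DN:", resolve_domain_dn(dse))
    print("paged results advertised:", supports_paged_results(dse))
```

Run it against the real server's RootDSE (ldapsearch -x -s base -b "" on the host) to see which attribute the engine would pick and whether an empty base DN explains the failed search.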