[Users] ldap simple

Tue Mar 19 20:56:32 UTC 2013

On 03/19/2013 05:26 PM, Yair Zaslavsky wrote:
> Why openldap server?
> We do not support openldap at the moment.

hopefully, the changes to auth part will make it for 3.3 to cover that, 
but depends on progress there.

>
>
> ------------------------------------------------------------------------
>
>     *From: *"Jure Kranjc" <jure.kranjc at arnes.si>
>     *To: *users at ovirt.org
>     *Sent: *Tuesday, March 19, 2013 3:50:49 PM
>     *Subject: *Re: [Users] ldap simple
>
>     Hi.
>
>     Further testing...
>     - Setup: one ldap server with added user to match ovirt searches
>     (while adding user in webadmin),
>     - Fedora 18, engine 3.2.1, openldap-server, simple authentication,
>     no firewalls,
>     - with packet inspection we can see ldap responding with requested
>     attributes
>     - still, there are errors in logs, see below, and no users are
>     listed in webadmin, engine fails to parse given attributes
>     - engine-manage-domains -action=validate returns "Invalid
>     credentials" even though binding is ok and ldap is replying with data.
>
>     Can anyone point us to some documentation on this topic?
>     Is really AD the only good solution for user management?
>
>     engine.log
>     2013-03-19 15:16:53,042 ERROR
>     [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper]
>     (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is ,
>     filter is (&(&(objectClass=person))
>     (|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message
>     is: null
>     2013-03-19 15:16:53,043 ERROR
>     [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
>     (ajp--127.0.0.1-8702-3) Failed ldap search server
>     ldap://ldaphost.domain.si:389 due to null. We should try the next server
>
>     server.log
>     2013-03-19 15:17:24,113 ERROR
>     [org.springframework.ldap.control.AbstractRequestControlDirContextProcessor]
>     (ajp--127.0.0.1-8702-6) No matching response control found for paged
>     results - looking for 'class
>     javax.naming.ldap.PagedResultsResponseControl
>
>
>
>     On 03/18/2013 09:09 AM, Yair Zaslavsky wrote:
>
>         Hi,
>         We're issuing a RootDSE query (once per LDAP domain configured).
>         We try to obtain from it the "defaultNamingContext" attribute.
>         If does not exist - we try to obtain ""NamingContexts"
>         We store the result at a "domainDn" (we have a data structure
>         which maps domains to information objects, one of the fields at
>         the information object is the DN of the domain)  field, and we
>         use it to compose the full ldap URL we send the queries to.
>
>
>         ------------------------------------------------------------------------
>
>             *From: *"Andrej Bagon" <andrej.bagon at arnes.si>
>             *To: *"Itamar Heim" <iheim at redhat.com>
>             *Cc: *users at ovirt.org, "Yair Zaslavsky"
>             <yzaslavs at redhat.com>, "Oved Ourfalli" <oourfali at redhat.com>
>             *Sent: *Monday, March 18, 2013 9:07:06 AM
>             *Subject: *Re: [Users] ldap simple
>
>             Hi,
>
>             the system is trying to bind to ldap as:
>             bind request:
>             uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si
>
>             I dont know how it knows dc=ourdomain,dc=si
>             It should be
>             bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b
>             "dc=arnes,dc=si
>
>             The same with the search: we have users in form as:
>             edupersonprincipalname=username at users.ourdomain.si
>             <mailto:edupersonprincipalname=abagon at guest.arnes.si>,dc=users,dc=ourdomain,dc=si
>
>             values in database:
>             select * from vdc_options where option_name in
>             ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword')
>             order by option_id;
>               option_id |        option_name         |
>             option_value          | version
>             -----------+----------------------------+--------------------------------+---------
>                      10 | AdUserName                 |
>             users.ourdomain.si:ovirt           | general
>                      11 | AdUserPassword
>             |users.ourdomain.si:adminpassword       | general
>                      69 | DomainName                 |
>             users.ourdomain.si                 | general
>                     130 | LDAPSecurityAuthentication|
>             users.ourdomain.si:SIMPLE          | general
>                     132 | LdapServers                |
>             users.ourdomain.si:server.ourdomain.si | general
>                     133 | LDAPProviderTypes          |
>             users.ourdomain.si:rhds            | general
>             (6 rows)
>
>             Best Regards,
>             Andrej Bagon
>
>
>             On 03/15/2013 12:09 PM, Itamar Heim wrote:
>
>                 On 03/14/2013 01:58 PM, Andrej Bagon wrote:
>
>                     Hi,
>
>                     is it possible to change the bind request that is
>                     sent to the ldap
>                     server? The default
>                     uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is
>                     not suitable.
>
>
>                 can you please explain why / what you would like to
>                 change it to?
>                 (not sure possible now, but there is work to make it
>                 more configurable/pluggable)
>
>
>
>
>
>         _______________________________________________
>         Users mailing list
>         Users at ovirt.org
>         http://lists.ovirt.org/mailman/listinfo/users
>
>
>
>     _______________________________________________
>     Users mailing list
>     Users at ovirt.org
>     http://lists.ovirt.org/mailman/listinfo/users
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>