[ovirt-users] ovirt with 389 server inactive groups

Paul Robert Marino prmarino1 at gmail.com
Sun Aug 10 19:43:14 UTC 2014


Sorry for my delayed response to this.

I am using ovirt 3.3.
I am using Kerberos 5, and all of the DNS requirements are in place.
Finally, 389 server is the upstream project for RHDS and one of the
upstream projects for IPA.
So I chose to set it as RHDS because it's an identical match.

User authentication works just fine; my problem is adding roles to groups.
I can assign a role to a group but the group always shows an inactive
status; however, if I assign a role directly to a user it works
fine.
In addition if I drill down into a user it knows what groups in the
389 server the user is a member of.

Finally, I can't see any error in the logs when adding a role to a group.



On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>
>
> ----- Original Message -----
>> From: "Maurice James" <mjames at media-node.com>
>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>> Cc: "Itamar Heim" <iheim at redhat.com>, users at ovirt.org
>> Sent: Saturday, August 9, 2014 3:47:04 AM
>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>
>> Does this still require the use of kerberos? Will 389-ds work on its own?
>
> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap mix.
>
> It will be great to receive feedback[2].
>
> 389ds is not supported directly, I think it is similar to IPA as it uses 389. Maybe I should rename the profile of ipa to 389 if it works properly.
>
> Regards,
> Alon
>
> [1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=master
> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
>
>>
>> ----- Original Message -----
>> From: "Alon Bar-Lev" <alonbl at redhat.com>
>> To: "Itamar Heim" <iheim at redhat.com>
>> Cc: users at ovirt.org
>> Sent: Friday, August 8, 2014 3:45:07 PM
>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>
>>
>>
>> ----- Original Message -----
>> > From: "Itamar Heim" <iheim at redhat.com>
>> > To: "Paul Robert Marino" <prmarino1 at gmail.com>, users at ovirt.org
>> > Sent: Friday, August 8, 2014 10:37:11 PM
>> > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>> >
>> > On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
>> > > I have ovirt engine running and connected to a 389 server with the
>> > > memberof plugin enabled and working properly.
>> > >
>> > > I can add users and assign them to roles without any issues.
>> > >
>> > > When I look at a user I can see all the LDAP groups they are a member of.
>> > >
>> > > When I run engine-manage-domains  -action=validate it tells me the
>> > > domain is valid.
>> > >
>> > > Here is my problem: when I try to assign a role to an LDAP group it
>> > > looks like it works, but in the general tab when under the group it
>> > > tells me the status is Inactive.
>> > >
>> > > Does anyone know how to enable the group?
>> > > _______________________________________________
>> > > Users mailing list
>> > > Users at ovirt.org
>> > > http://lists.ovirt.org/mailman/listinfo/users
>> > >
>> >
>> > 3.4 or new 3.5 Generic LDAP provider?
>>
>>
>> In case this is 3.5, it is a known issue: all groups will be seen as inactive,
>> this field will probably be removed from the UI, as groups are no longer fetched
>> periodically.
>> This field is totally ignored.
>>
>> Alon
>>