[ovirt-users] ovirt with 389 server inactive groups

Alon Bar-Lev alonbl at redhat.com
Sun Aug 10 19:50:52 UTC 2014 


----- Original Message -----
> From: "Paul Robert Marino" <prmarino1 at gmail.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "Maurice James" <mjames at media-node.com>, users at ovirt.org
> Sent: Sunday, August 10, 2014 10:43:14 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> 
> Sorry for my delayed response to this
> 
> I am using ovirt 3.3.
> I am using Kerberos 5, and all of the DNS requirements are in place.
> Finally 389 server is the upstream project for RHDS and one of the
> upstream projects for IPA.
> So I chose to set it as RHDS because its an identical match.
> 
> User authentication works just fine my problem is adding roles to groups.
> I can assign a role to a group but the group always shows an inactive
> status; however if I assign a role directly to to a user it works
> fine.
> In addition if I drill down into a user it knows what groups in the
> 389 server the user is a member of.
> 
> finally I can't see any error in the logs when adding a role to a group
> 

Please open a bug, I am unsure that it will be addressed before 3.5, as we have done major rework for the authentication and authorization to make it much more versatile. Even if there will be a fix it will be provided to 3.4.z.

It will be best if you want to test this scenario in 3.5 release candidate and the new ldap provider, so we can address the issue before 3.5 release if exists.

> 
> 
> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl at redhat.com> wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Maurice James" <mjames at media-node.com>
> >> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >> Cc: "Itamar Heim" <iheim at redhat.com>, users at ovirt.org
> >> Sent: Saturday, August 9, 2014 3:47:04 AM
> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>
> >> Does this still require the use of kerberos? Will 389-ds work on its own?
> >
> > In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap
> > mix.
> >
> > It will be great to receive feedback[2].
> >
> > 389ds is not supported directly, I think it is similar to IPA as it uses
> > 389. Maybe I should rename the profile of ipa to 389 if it works properly.
> >
> > Regards,
> > Alon
> >
> > [1]
> > http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=master
> > [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
> >
> >>
> >> ----- Original Message -----
> >> From: "Alon Bar-Lev" <alonbl at redhat.com>
> >> To: "Itamar Heim" <iheim at redhat.com>
> >> Cc: users at ovirt.org
> >> Sent: Friday, August 8, 2014 3:45:07 PM
> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>
> >>
> >>
> >> ----- Original Message -----
> >> > From: "Itamar Heim" <iheim at redhat.com>
> >> > To: "Paul Robert Marino" <prmarino1 at gmail.com>, users at ovirt.org
> >> > Sent: Friday, August 8, 2014 10:37:11 PM
> >> > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >> >
> >> > On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
> >> > > I have ovirt engine running and connected to a 389 server with the
> >> > > memberof plugin enabled and working properly.
> >> > >
> >> > > I can add users and assign them to roles without any issues.
> >> > >
> >> > > when I look at a user I can see all the LDAP groups they are a member
> >> > > of.
> >> > >
> >> > > when I run engine-manage-domains  -action=validate it tells me the
> >> > > domain is valid.
> >> > >
> >> > > here is my problem when I try to assign a role to an LDAP group it
> >> > > looks like it works but in the general tab when under the group it
> >> > > tells me the status is Inactive.
> >> > >
> >> > > dose any one know how to enable the group?
> >> > > _______________________________________________
> >> > > Users mailing list
> >> > > Users at ovirt.org
> >> > > http://lists.ovirt.org/mailman/listinfo/users
> >> > >
> >> >
> >> > 3.4 or new 3.5 Generic LDAP provider?
> >>
> >>
> >> On case this is 3.5 it is known issue, all groups will be seen as
> >> inactive,
> >> this field will probably be removed from UI, as groups are no longer
> >> fetched
> >> periodically.
> >> This field is totally ignored.
> >>
> >> Alon
> >> _______________________________________________
> >> Users mailing list
> >> Users at ovirt.org
> >> http://lists.ovirt.org/mailman/listinfo/users
> >>
> > _______________________________________________
> > Users mailing list
> > Users at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
>

More information about the Users mailing list