[ovirt-users] ovirt with 389 server inactive groups

Itamar Heim iheim at redhat.com
Sun Aug 10 20:54:05 UTC 2014


On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
>
>
> ----- Original Message -----
>> From: "Paul Robert Marino" <prmarino1 at gmail.com>
>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>> Cc: "Maurice James" <mjames at media-node.com>, users at ovirt.org
>> Sent: Sunday, August 10, 2014 10:43:14 PM
>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>
>> Sorry for my delayed response to this
>>
>> I am using ovirt 3.3.
>> I am using Kerberos 5, and all of the DNS requirements are in place.
>> Finally 389 server is the upstream project for RHDS and one of the
>> upstream projects for IPA.
>> So I chose to set it as RHDS because it's an identical match.
>>
>> User authentication works just fine; my problem is adding roles to groups.
>> I can assign a role to a group but the group always shows an inactive
>> status; however, if I assign a role directly to a user it works
>> fine.
>> In addition if I drill down into a user it knows what groups in the
>> 389 server the user is a member of.
>>
>> Finally, I can't see any error in the logs when adding a role to a group.
>>
>
> Please open a bug, I am unsure that it will be addressed before 3.5, as we have done major rework for the authentication and authorization to make it much more versatile. Even if there will be a fix it will be provided to 3.4.z.
>
> It will be best if you want to test this scenario in 3.5 release candidate and the new ldap provider, so we can address the issue before 3.5 release if exists.
>

could also be one of these fixed in 3.4:
3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it does not inherit the group permissions
3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to a group indirectly, it does not inherit the group permissions

>>
>>
>> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Maurice James" <mjames at media-node.com>
>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>> Cc: "Itamar Heim" <iheim at redhat.com>, users at ovirt.org
>>>> Sent: Saturday, August 9, 2014 3:47:04 AM
>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>>>
>>>> Does this still require the use of kerberos? Will 389-ds work on its own?
>>>
>>> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap
>>> mix.
>>>
>>> It will be great to receive feedback[2].
>>>
>>> 389ds is not supported directly, I think it is similar to IPA as it uses
>>> 389. Maybe I should rename the profile of ipa to 389 if it works properly.
>>>
>>> Regards,
>>> Alon
>>>
>>> [1]
>>> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=master
>>> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "Alon Bar-Lev" <alonbl at redhat.com>
>>>> To: "Itamar Heim" <iheim at redhat.com>
>>>> Cc: users at ovirt.org
>>>> Sent: Friday, August 8, 2014 3:45:07 PM
>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Itamar Heim" <iheim at redhat.com>
>>>>> To: "Paul Robert Marino" <prmarino1 at gmail.com>, users at ovirt.org
>>>>> Sent: Friday, August 8, 2014 10:37:11 PM
>>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>>>>
>>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
>>>>>> I have ovirt engine running and connected to a 389 server with the
>>>>>> memberof plugin enabled and working properly.
>>>>>>
>>>>>> I can add users and assign them to roles without any issues.
>>>>>>
>>>>>> when I look at a user I can see all the LDAP groups they are a member
>>>>>> of.
>>>>>>
>>>>>> when I run engine-manage-domains -action=validate it tells me the
>>>>>> domain is valid.
>>>>>>
>>>>>> here is my problem when I try to assign a role to an LDAP group it
>>>>>> looks like it works but in the general tab when under the group it
>>>>>> tells me the status is Inactive.
>>>>>>
>>>>>> does anyone know how to enable the group?
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users at ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>
>>>>>
>>>>> 3.4 or new 3.5 Generic LDAP provider?
>>>>
>>>>
>>>> In case this is 3.5 it is a known issue: all groups will be seen as
>>>> inactive. This field will probably be removed from the UI, as groups
>>>> are no longer fetched periodically.
>>>> This field is totally ignored.
>>>>
>>>> Alon
>>>>
>>
>

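The two bugs cited above are both about roles assigned to a group not reaching the users in it, once through direct membership and once through indirect (nested) membership. The following is an added example, not oVirt's code and not from anyone in this thread, that resolves a user's effective roles from a constructed snapshot of the `memberOf` attributes a 389 Directory Server memberOf plugin would expose. All DNs, group names and role names are hypothetical; a `nested=False` mode shows what a user ends up with when only direct membership is honoured, and a deliberately circular group nesting checks that the walk terminates.

```python
"""Resolve effective roles from LDAP group membership (added example).

Constructed data only: the entries below imitate what the 389 memberOf
plugin maintains, i.e. every user and group carries a 'memberOf' list of
the groups it belongs to directly. Nothing here talks to a directory.
"""

# Constructed directory snapshot with hypothetical DNs.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "memberOf": ["cn=vm-admins,ou=Groups,dc=example,dc=com"],
    },
    "uid=bob,ou=People,dc=example,dc=com": {
        "memberOf": ["cn=ops,ou=Groups,dc=example,dc=com"],
    },
    "uid=carol,ou=People,dc=example,dc=com": {"memberOf": []},
    # ops is nested inside vm-admins, so bob is an *indirect* member of vm-admins.
    "cn=ops,ou=Groups,dc=example,dc=com": {
        "memberOf": ["cn=vm-admins,ou=Groups,dc=example,dc=com"],
    },
    # vm-admins is also nested inside ops: a deliberate cycle to exercise the guard.
    "cn=vm-admins,ou=Groups,dc=example,dc=com": {
        "memberOf": ["cn=ops,ou=Groups,dc=example,dc=com"],
    },
}

# Roles assigned to groups (hypothetical role names), as an admin would do in the UI.
GROUP_ROLES = {
    "cn=vm-admins,ou=Groups,dc=example,dc=com": {"PowerUserRole"},
    "cn=ops,ou=Groups,dc=example,dc=com": {"UserRole"},
}


def direct_groups(dn):
    """Groups the entry is a direct member of (its own memberOf values)."""
    return set(DIRECTORY.get(dn, {}).get("memberOf", []))


def all_groups(dn):
    """Transitive closure of memberOf; the visited set makes cyclic nesting terminate."""
    seen = set()
    stack = list(direct_groups(dn))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(direct_groups(group) - seen)
    return seen


def effective_roles(dn, nested=True):
    """Union of the roles of every group the user belongs to.

    nested=True follows indirect membership; nested=False stops at direct
    membership, which is the behaviour the cited 3.4.1 bug describes.
    """
    groups = all_groups(dn) if nested else direct_groups(dn)
    roles = set()
    for group in groups:
        roles |= GROUP_ROLES.get(group, set())
    return roles


def roles_lost_without_nesting(dn):
    """Roles a user only obtains through indirect membership: a quick audit check."""
    return effective_roles(dn, nested=True) - effective_roles(dn, nested=False)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        dn = f"uid={user},ou=People,dc=example,dc=com"
        print(user, sorted(effective_roles(dn)), "lost without nesting:",
              sorted(roles_lost_without_nesting(dn)))
```

Running the script with this snapshot shows bob gaining `PowerUserRole` only through the nested `ops -> vm-admins` path, which is exactly the case where an engine that looks at direct membership alone leaves the group's role unapplied; `roles_lost_without_nesting` is the check an administrator can run against an export of their own directory to see which users would be affected.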