[ovirt-users] ovirt with 389 server inactive groups

Yair Zaslavsky yzaslavs at redhat.com
Mon Aug 11 17:13:53 UTC 2014


I have checked the codebase of 3.3 -
the "active" field is used for presentation purpose only.
Alon has addressed our plans for this in his previous comments.
I hope this clarifies more.

Yair


----- Original Message -----
> From: "Itamar Heim" <iheim at redhat.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>, "Paul Robert Marino" <prmarino1 at gmail.com>
> Cc: users at ovirt.org
> Sent: Sunday, August 10, 2014 11:54:05 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> 
> On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Paul Robert Marino" <prmarino1 at gmail.com>
> >> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >> Cc: "Maurice James" <mjames at media-node.com>, users at ovirt.org
> >> Sent: Sunday, August 10, 2014 10:43:14 PM
> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>
> >> Sorry for my delayed response to this
> >>
> >> I am using ovirt 3.3.
> >> I am using Kerberos 5, and all of the DNS requirements are in place.
> >> Finally 389 server is the upstream project for RHDS and one of the
> >> upstream projects for IPA.
> >> So I chose to set it as RHDS because it's an identical match.
> >>
> >> User authentication works just fine; my problem is adding roles to groups.
> >> I can assign a role to a group, but the group always shows an inactive
> >> status; however, if I assign a role directly to a user it works
> >> fine.
> >> In addition if I drill down into a user it knows what groups in the
> >> 389 server the user is a member of.
> >>
> >> Finally, I can't see any error in the logs when adding a role to a group.
> >>
> >
> > Please open a bug, I am unsure that it will be addressed before 3.5, as we
> > have done major rework for the authentication and authorization to make it
> > much more versatile. Even if there will be a fix it will be provided to
> > 3.4.z.
> >
> > It will be best if you test this scenario in the 3.5 release candidate
> > and the new LDAP provider, so we can address the issue before the 3.5 release
> > if it exists.
> >
> 
> Could also be one of these, fixed in 3.4:
> 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it
> does not inherit the group permissions
> 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to
> a group indirectly, it does not inherit the group permissions
> 
> >>
> >>
> >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl at redhat.com> wrote:
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> From: "Maurice James" <mjames at media-node.com>
> >>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>> Cc: "Itamar Heim" <iheim at redhat.com>, users at ovirt.org
> >>>> Sent: Saturday, August 9, 2014 3:47:04 AM
> >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>>>
> >>>> Does this still require the use of kerberos? Will 389-ds work on its
> >>>> own?
> >>>
> >>> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap
> >>> mix.
> >>>
> >>> It will be great to receive feedback[2].
> >>>
> >>> 389ds is not supported directly; I think it is similar to IPA as it uses
> >>> 389. Maybe I should rename the profile of ipa to 389 if it works
> >>> properly.
> >>>
> >>> Regards,
> >>> Alon
> >>>
> >>> [1]
> >>> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=master
> >>> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
> >>>
> >>>>
> >>>> ----- Original Message -----
> >>>> From: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>> To: "Itamar Heim" <iheim at redhat.com>
> >>>> Cc: users at ovirt.org
> >>>> Sent: Friday, August 8, 2014 3:45:07 PM
> >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>>>
> >>>>
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Itamar Heim" <iheim at redhat.com>
> >>>>> To: "Paul Robert Marino" <prmarino1 at gmail.com>, users at ovirt.org
> >>>>> Sent: Friday, August 8, 2014 10:37:11 PM
> >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>>>>
> >>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
> >>>>>> I have ovirt engine running and connected to a 389 server with the
> >>>>>> memberof plugin enabled and working properly.
> >>>>>>
> >>>>>> I can add users and assign them to roles without any issues.
> >>>>>>
> >>>>>> when I look at a user I can see all the LDAP groups they are a member
> >>>>>> of.
> >>>>>>
> >>>>>> when I run engine-manage-domains -action=validate it tells me the
> >>>>>> domain is valid.
> >>>>>>
> >>>>>> Here is my problem: when I try to assign a role to an LDAP group it
> >>>>>> looks like it works, but in the general tab under the group it
> >>>>>> tells me the status is Inactive.
> >>>>>>
> >>>>>> Does anyone know how to enable the group?
> >>>>>> _______________________________________________
> >>>>>> Users mailing list
> >>>>>> Users at ovirt.org
> >>>>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>>>>
> >>>>>
> >>>>> 3.4 or new 3.5 Generic LDAP provider?
> >>>>
> >>>>
> >>>> In case this is 3.5, it is a known issue: all groups will be seen as
> >>>> inactive. This field will probably be removed from the UI, as groups
> >>>> are no longer fetched periodically.
> >>>> This field is totally ignored.
> >>>>
> >>>> Alon
> >>>>
> >>
> >
> 
> 


