[ovirt-users] ovirt with 389 server inactive groups

Yair Zaslavsky yzaslavs at redhat.com
Mon Aug 11 17:41:23 UTC 2014



----- Original Message -----
> From: "Yair Zaslavsky" <yzaslavs at redhat.com>
> To: "Itamar Heim" <iheim at redhat.com>
> Cc: users at ovirt.org
> Sent: Monday, August 11, 2014 8:13:53 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> 
> I have checked the codebase of 3.3 -
> the "active" field is used for presentation purpose only.

Presentation-wise only means that it is not used for our permissions calculation, for example.

> Alon has addressed our plans for this in his previous comments.
> I hope this clarifies more..
> 
> Yair
> 
> 
> ----- Original Message -----
> > From: "Itamar Heim" <iheim at redhat.com>
> > To: "Alon Bar-Lev" <alonbl at redhat.com>, "Paul Robert Marino"
> > <prmarino1 at gmail.com>
> > Cc: users at ovirt.org
> > Sent: Sunday, August 10, 2014 11:54:05 PM
> > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > 
> > On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
> > >
> > >
> > > ----- Original Message -----
> > >> From: "Paul Robert Marino" <prmarino1 at gmail.com>
> > >> To: "Alon Bar-Lev" <alonbl at redhat.com>
> > >> Cc: "Maurice James" <mjames at media-node.com>, users at ovirt.org
> > >> Sent: Sunday, August 10, 2014 10:43:14 PM
> > >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > >>
> > >> Sorry for my delayed response to this
> > >>
> > >> I am using ovirt 3.3.
> > >> I am using Kerberos 5, and all of the DNS requirements are in place.
> > >> Finally 389 server is the upstream project for RHDS and one of the
> > >> upstream projects for IPA.
> > >> So I chose to set it as RHDS because it's an identical match.
> > >>
> > >> User authentication works just fine my problem is adding roles to
> > >> groups.
> > >> I can assign a role to a group but the group always shows an inactive
> > >> status; however, if I assign a role directly to a user it works
> > >> fine.
> > >> In addition if I drill down into a user it knows what groups in the
> > >> 389 server the user is a member of.
> > >>
> > >> Finally, I can't see any error in the logs when adding a role to a group.
> > >>
> > >
> > > Please open a bug. I am unsure that it will be addressed before 3.5, as we
> > > have done major rework of the authentication and authorization to make it
> > > much more versatile. Even if there is a fix, it will be provided to 3.4.z.
> > >
> > > It would be best if you could test this scenario in the 3.5 release candidate
> > > and the new ldap provider, so we can address the issue, if it exists, before
> > > the 3.5 release.
> > >
> > 
> > could also be one of these fixed in 3.4:
> > 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it
> > does not inherit the group permissions
> > 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to
> > a group indirectly, it does not inherit the group permissions
> > 
> > >>
> > >>
> > >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl at redhat.com> wrote:
> > >>>
> > >>>
> > >>> ----- Original Message -----
> > >>>> From: "Maurice James" <mjames at media-node.com>
> > >>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> > >>>> Cc: "Itamar Heim" <iheim at redhat.com>, users at ovirt.org
> > >>>> Sent: Saturday, August 9, 2014 3:47:04 AM
> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > >>>>
> > >>>> Does this still require the use of kerberos? Will 389-ds work on its
> > >>>> own?
> > >>>
> > >>> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap
> > >>> mix.
> > >>>
> > >>> It will be great to receive feedback[2].
> > >>>
> > >>> 389ds is not supported directly; I think it is similar to IPA as it uses
> > >>> 389. Maybe I should rename the ipa profile to 389 if it works properly.
> > >>>
> > >>> Regards,
> > >>> Alon
> > >>>
> > >>> [1]
> > >>> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=master
> > >>> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
> > >>>
> > >>>>
> > >>>> ----- Original Message -----
> > >>>> From: "Alon Bar-Lev" <alonbl at redhat.com>
> > >>>> To: "Itamar Heim" <iheim at redhat.com>
> > >>>> Cc: users at ovirt.org
> > >>>> Sent: Friday, August 8, 2014 3:45:07 PM
> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > >>>>
> > >>>>
> > >>>>
> > >>>> ----- Original Message -----
> > >>>>> From: "Itamar Heim" <iheim at redhat.com>
> > >>>>> To: "Paul Robert Marino" <prmarino1 at gmail.com>, users at ovirt.org
> > >>>>> Sent: Friday, August 8, 2014 10:37:11 PM
> > >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > >>>>>
> > >>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
> > >>>>>> I have ovirt engine running and connected to a 389 server with the
> > >>>>>> memberof plugin enabled and working properly.
> > >>>>>>
> > >>>>>> I can add users and assign them to roles without any issues.
> > >>>>>>
> > >>>>>> When I look at a user I can see all the LDAP groups they are a member
> > >>>>>> of.
> > >>>>>>
> > >>>>>> When I run engine-manage-domains  -action=validate it tells me the
> > >>>>>> domain is valid.
> > >>>>>>
> > >>>>>> Here is my problem: when I try to assign a role to an LDAP group it
> > >>>>>> looks like it works, but in the general tab under the group it
> > >>>>>> tells me the status is Inactive.
> > >>>>>>
> > >>>>>> Does anyone know how to enable the group?
> > >>>>>> _______________________________________________
> > >>>>>> Users mailing list
> > >>>>>> Users at ovirt.org
> > >>>>>> http://lists.ovirt.org/mailman/listinfo/users
> > >>>>>>
> > >>>>>
> > >>>>> 3.4 or new 3.5 Generic LDAP provider?
> > >>>>
> > >>>>
> > >>>> In case this is 3.5, it is a known issue: all groups will be seen as
> > >>>> inactive. This field will probably be removed from the UI, as groups are
> > >>>> no longer fetched periodically.
> > >>>> This field is totally ignored.
> > >>>>
> > >>>> Alon
> > >>>>
> > >>
> > >
> > 
> > 
> 


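The thread makes two points worth separating: the group's "active" flag is display-only and must not enter the permission calculation, and (per the two 3.4 bugs Itamar lists) a role attached to a group has to reach users who are members indirectly, through nested groups. The following is an added example, not code from the thread or from oVirt: it resolves a user's effective roles from a constructed memberOf snapshot (the attribute the 389 memberOf plugin maintains), walks nested groups with cycle protection, and shows a direct-membership-only variant beside it for contrast. All DNs, role names and the data layout are constructed for illustration.

```python
"""Effective-role resolution from LDAP group membership (added example).

Models the distinction discussed on the list: a display-only "active"
status on a group is irrelevant to authorization, while nested group
membership is not. Directory data is constructed, not from a real server.
"""
from collections import deque

# Constructed snapshot: entry DN -> DNs listed in its memberOf attribute.
# The memberOf plugin keeps this attribute on users and on nested groups.
MEMBER_OF = {
    "uid=alice,ou=People,dc=example,dc=com": [
        "cn=ops,ou=Groups,dc=example,dc=com",
    ],
    # ops is itself a member of virt-admins (nested membership).
    "cn=ops,ou=Groups,dc=example,dc=com": [
        "cn=virt-admins,ou=Groups,dc=example,dc=com",
    ],
    # A membership cycle, to show the traversal still terminates.
    "cn=virt-admins,ou=Groups,dc=example,dc=com": [
        "cn=ops,ou=Groups,dc=example,dc=com",
    ],
    "uid=bob,ou=People,dc=example,dc=com": [],
}

# Constructed role assignments: principal DN -> roles granted to it.
ROLE_ASSIGNMENTS = {
    "cn=virt-admins,ou=Groups,dc=example,dc=com": {"ClusterAdmin"},
    "cn=ops,ou=Groups,dc=example,dc=com": {"VmCreator"},
    "uid=bob,ou=People,dc=example,dc=com": {"UserRole"},
}

# A presentation-only status like the one in the thread. It is deliberately
# never consulted below: authorization depends on membership, not on this.
GROUP_DISPLAY_STATUS = {
    "cn=ops,ou=Groups,dc=example,dc=com": "Inactive",
    "cn=virt-admins,ou=Groups,dc=example,dc=com": "Inactive",
}


def transitive_groups(dn, member_of=MEMBER_OF):
    """Return every group dn belongs to, directly or through nested groups.

    Breadth-first walk with a visited set, so cycles between groups
    (ops -> virt-admins -> ops above) cannot loop forever.
    """
    seen = set()
    queue = deque(member_of.get(dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, []))
    return seen


def effective_roles(dn, member_of=MEMBER_OF, assignments=ROLE_ASSIGNMENTS):
    """Roles granted to dn itself plus roles of all groups it is in."""
    roles = set(assignments.get(dn, set()))
    for group in transitive_groups(dn, member_of):
        roles |= assignments.get(group, set())
    return roles


def direct_group_roles_only(dn, member_of=MEMBER_OF,
                            assignments=ROLE_ASSIGNMENTS):
    """The behaviour the 3.4 bugs describe: only first-level groups count.

    Kept here for contrast; a user in ops misses ClusterAdmin even though
    ops is a member of virt-admins.
    """
    roles = set(assignments.get(dn, set()))
    for group in member_of.get(dn, []):
        roles |= assignments.get(group, set())
    return roles


if __name__ == "__main__":
    for user in ("uid=alice,ou=People,dc=example,dc=com",
                 "uid=bob,ou=People,dc=example,dc=com"):
        print(user)
        print("  nested-aware :", sorted(effective_roles(user)))
        print("  direct only  :", sorted(direct_group_roles_only(user)))
```

Running the block prints alice with both VmCreator and ClusterAdmin under the nested-aware resolver and only VmCreator under the direct-only one; bob keeps his directly assigned UserRole in both. Nothing in the output changes if GROUP_DISPLAY_STATUS is edited, which is the point Yair makes about the field.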
