[ovirt-users] ovirt with 389 server inactive groups

Yair Zaslavsky yzaslavs at redhat.com
Mon Aug 18 00:54:50 UTC 2014



----- Original Message -----
> From: "Paul Robert Marino" <prmarino1 at gmail.com>
> To: "Yair Zaslavsky" <yzaslavs at redhat.com>
> Cc: users at ovirt.org
> Sent: Sunday, August 17, 2014 6:32:15 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> 
> I think we now have enough for a proper ticket.
> I will create one later today. Also since I have RHEV support for my
> production instances I will also create a matching case with Red Hat.

Thank you very much for your help here!
Please add a link to this mailing list thread when you open the ticket.

Many thanks,
Yair

> 
> 
> 
> On Sun, Aug 17, 2014 at 11:27 AM, Paul Robert Marino
> <prmarino1 at gmail.com> wrote:
> > Ok
> > I dug in a little further it looks like the memberof plugin in 389
> > server is making them lowercase which from an LDAP and or Posix
> > perspective is not a problem but this seems to be the root cause of
> > the issue of the difference.
> > while this behavior is strange it is not invalid because DN's are case
> > insensitive.
> >
> > The easiest way to fix this is to change the query of the group from
> > the ad_groups table to an ilike. The potential problem here is it
> > conflicts with SAM in windows where group names are case sensitive.
> > This is definitely a conflict in design between AD and LDAP's core design.
> > Interestingly I can add roles to the group and there is no problem it
> > sets it correctly so somewhere else in the code an ilike is being used
> > to query the groups table.
> >
> >
> > On Sun, Aug 17, 2014 at 11:05 AM, Paul Robert Marino
> > <prmarino1 at gmail.com> wrote:
> >> I found why the group_ids field is wrong
> >>
> >> If you look at the ad_groups table the name for the group is "<domain
> >> here>/Groups/sysadmin" however if you look at the groups field in the
> >> users table it says "<domain here>/groups/sysadmin"
> >> I tried updating the name field in the ad_groups table to match
> >> "<domain here>/groups/sysadmin" then removed and added a user now the
> >> id for that group in the group_ids field is being set correctly.
> >>
> >> This is at least a usable workaround for now. now we need to find the
> >> root cause.
> >>
> >>
> >> On Sun, Aug 17, 2014 at 10:39 AM, Paul Robert Marino
> >> <prmarino1 at gmail.com> wrote:
> >>> confirmed that does seem to be the cause I updated the group_ids field
> >>> of a user to the appropriate Id's from ad_groups and it fixed that
> >>> user.
> >>> in answer to your question "Did you first add the group, and then added
> >>> users (that belong to a group) either by adding users, or by adding a
> >>> permission?" I've tried it every different way I can think of the
> >>> results are always the same.
> >>>
> >>>
> >>> On Sun, Aug 17, 2014 at 9:46 AM, Yair Zaslavsky <yzaslavs at redhat.com>
> >>> wrote:
> >>>>
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Paul Robert Marino" <prmarino1 at gmail.com>
> >>>>> To: "Yair Zaslavsky" <yzaslavs at redhat.com>
> >>>>> Cc: "Itamar Heim" <iheim at redhat.com>, users at ovirt.org
> >>>>> Sent: Sunday, August 17, 2014 4:33:30 PM
> >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>>>>
> >>>>> here are the results of the queries you asked for
> >>>>>
> >>>>>
> >>>>> group_ids | groups
> >>>>> ----------+--------
> >>>>> 00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000 | <domain here>/groups/sysadmin,<domain here>/groups/pmarino,<domain here>/groups/pd managers,<domain here>/groups/qa managers,<domain here>/groups/accounting managers,<domain here>/directory administrators
> >>>>> (1 row)
> >>>>>
> >>>>>
> >>>>> engine=# select id, name from ad_groups;
> >>>>>                   id                  |                 name
> >>>>> --------------------------------------+---------------------------------------
> >>>>>  eee00000-0000-0000-0000-123456789eee | Everyone
> >>>>>  2a8a8401-fc9e-11e3-8742-861538ea406a | <domain here>/Groups/sysadmin
> >>>>> (2 rows)
> >>>>
> >>>> It does look that there is something wrong in the association of users
> >>>> to their group IDS.
> >>>> Just to make sure I'm not missing anything -
> >>>> Did you first add the group, and then added users (that belong to a
> >>>> group) either by adding users, or by adding a permission?
> >>>>
> >>>> Yair
> >>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky <yzaslavs at redhat.com>
> >>>>> wrote:
> >>>>> >
> >>>>> >
> >>>>> > ----- Original Message -----
> >>>>> >> From: "Paul Robert Marino" <prmarino1 at gmail.com>
> >>>>> >> To: "Yair Zaslavsky" <yzaslavs at redhat.com>
> >>>>> >> Cc: "Itamar Heim" <iheim at redhat.com>, users at ovirt.org
> >>>>> >> Sent: Wednesday, August 13, 2014 11:47:40 PM
> >>>>> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>>>> >>
> >>>>> >> Ok so before I open a bug ticket I want to confirm I'm not doing anything
> >>>>> >> wrong here.
> >>>>> >> I upgraded to 3.4
> >>>>> >> now it says "Active:    false " on LDAP groups.
> >>>>> >>
> >>>>> >> Again I tried to add the sysadmin group from the directory server and
> >>>>> >> set the power user and super user roles on the group
> >>>>> >> it shows up as "<domain name>/Groups/sysadmin"
> >>>>> >> I added the permissions by clicking on the configure link on the top of
> >>>>> >> the screen and set them in the "System Permissions" tab
> >>>>> >
> >>>>> > Sounds good so far.
> >>>>> > I assume also you see the permissions in the permissions sub tab when you
> >>>>> > click the group.
> >>>>> >
> >>>>> >>
> >>>>> >> I added a user (pmarino) to the system which shows in the "Directory
> >>>>> >> Group" tab shows "sysadmin    groups       <domain name>" among others
> >>>>> >> however it only shows in the Permissions tab the permissions inherited
> >>>>> >> by "Everyone" it does not show any permissions inherited by the
> >>>>> >> sysadmin group.
> >>>>> >
> >>>>> > This is not good - I mean, should have worked.
> >>>>> >
> >>>>> >>
> >>>>> >> just to prove it didn't work I logged out and attempted to log back in
> >>>>> >> as the user (pmarino) it wouldn't let me log in
> >>>>> >>
> >>>>> >> I logged back in as the internal admin user then I added the SuperUser
> >>>>> >> permissions directly to the pmarino account and logged back out again.
> >>>>> >> Now when I logged in as pmarino it gave me the access I expected.
> >>>>> >
> >>>>> > Can I please ask you to provide some database info ?
> >>>>> >
> >>>>> > It will be awesome if you can provide the following SQL queries
> >>>>> > results -
> >>>>> >
> >>>>> > select group_ids, groups from users where username ilike '%pmarino%';
> >>>>> >
> >>>>> > In addition, please perform - select id, name from ad_groups;
> >>>>> >
> >>>>> > Thanks for your help.
> >>>>> >
> >>>>> > P.S - As far as I understand the two bugs mentioned by Itamar (I mean, the
> >>>>> > solution to the bugs) should have fixed your issue as well.
> >>>>> >
> >>>>> >
> >>>>> >
> >>>>> >>
> >>>>> >>
> >>>>> >>
> >>>>> >> Here is the relevant portion of the engine log
> >>>>> >> "
> >>>>> >> 2014-08-13 16:00:38,801 INFO
> >>>>> >> [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5)
> >>>>> >> [1e7fa420] Running command: AddGroupCommand internal: false.
> >>>>> >> Entities
> >>>>> >> affected :  ID: aaa00000-0000-0000-0000-123456789aaa Type: System
> >>>>> >> 2014-08-13 16:00:38,813 INFO
> >>>>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >>>>> >> (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call
> >>>>> >> Stack: null, Custom Event ID: -1, Message: User '<domain
> >>>>> >> name>/Groups/sysadmin' was added successfully to the system.
> >>>>> >> 2014-08-13 16:09:01,352 INFO
> >>>>> >> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
> >>>>> >> (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command:
> >>>>> >> AddSystemPermissionCommand internal: false. Entities affected :  ID:
> >>>>> >> aaa00000-0000-0000-0000-123456789aaa Type: System,  ID:
> >>>>> >> aaa00000-0000-0000-0000-123456789aaa Type: System
> >>>>> >> 2014-08-13 16:09:01,371 INFO
> >>>>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >>>>> >> (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID:
> >>>>> >> 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group
> >>>>> >> <domain name>/Groups/sysadmin was granted permission for Role
> >>>>> >> SuperUser on System by admin.
> >>>>> >> 2014-08-13 16:10:40,963 INFO
> >>>>> >> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
> >>>>> >> (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command:
> >>>>> >> AddSystemPermissionCommand internal: false. Entities affected :  ID:
> >>>>> >> aaa00000-0000-0000-0000-123456789aaa Type: System,  ID:
> >>>>> >> aaa00000-0000-0000-0000-123456789aaa Type: System
> >>>>> >> 2014-08-13 16:10:40,979 INFO
> >>>>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >>>>> >> (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID:
> >>>>> >> b42abcb,
> >>>>> >> Call Stack: null, Custom Event ID: -1, Message: User/Group <domain
> >>>>> >> name>/Groups/sysadmin was granted permission for Role PowerUserRole
> >>>>> >> on
> >>>>> >> System by admin.
> >>>>> >> 2014-08-13 16:20:53,891 INFO
> >>>>> >> [org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4)
> >>>>> >> [58e00be1] Running command: AddUserCommand internal: false. Entities
> >>>>> >> affected :  ID: aaa00000-0000-0000-0000-123456789aaa Type: System
> >>>>> >> 2014-08-13 16:20:53,919 INFO
> >>>>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >>>>> >> (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call
> >>>>> >> Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added
> >>>>> >> successfully to the system.
> >>>>> >> 2014-08-13 16:35:52,202 INFO
> >>>>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >>>>> >> (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null,
> >>>>> >> Custom Event ID: -1, Message: User pmarino failed to log in.
> >>>>> >> 2014-08-13 16:35:52,202 WARN
> >>>>> >> [org.ovirt.engine.core.bll.LoginAdminUserCommand]
> >>>>> >> (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser
> >>>>> >> failed.
> >>>>> >> Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> >>>>> >> 2014-08-13 16:39:48,048 INFO
> >>>>> >> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
> >>>>> >> (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command:
> >>>>> >> AddSystemPermissionCommand internal: false. Entities affected :  ID:
> >>>>> >> aaa00000-0000-0000-0000-123456789aaa Type: System
> >>>>> >> 2014-08-13 16:39:48,069 INFO
> >>>>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >>>>> >> (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID:
> >>>>> >> 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group
> >>>>> >> pmarino was granted permission for Role SuperUser on System by
> >>>>> >> admin.
> >>>>> >> 2014-08-13 16:40:43,357 INFO
> >>>>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >>>>> >> (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null,
> >>>>> >> Custom
> >>>>> >> Event ID: -1, Message: User pmarino logged in.
> >>>>> >>
> >>>>> >> "
> >>>>> >>
> >>>>> >> On Mon, Aug 11, 2014 at 1:41 PM, Yair Zaslavsky
> >>>>> >> <yzaslavs at redhat.com>
> >>>>> >> wrote:
> >>>>> >> >
> >>>>> >> >
> >>>>> >> > ----- Original Message -----
> >>>>> >> >> From: "Yair Zaslavsky" <yzaslavs at redhat.com>
> >>>>> >> >> To: "Itamar Heim" <iheim at redhat.com>
> >>>>> >> >> Cc: users at ovirt.org
> >>>>> >> >> Sent: Monday, August 11, 2014 8:13:53 PM
> >>>>> >> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>>>> >> >>
> >>>>> >> >> I have checked the codebase of 3.3 -
> >>>>> >> >> the "active" field is used for presentation purpose only.
> >>>>> >> >
> >>>>> >> > Presentation wise only - means that it is not used for our permissions
> >>>>> >> > calculation, for example.
> >>>>> >> >
> >>>>> >> >> Alon has addressed our plans for this in his previous comments.
> >>>>> >> >> I hope this clarifies more..
> >>>>> >> >>
> >>>>> >> >> Yair
> >>>>> >> >>
> >>>>> >> >>
> >>>>> >> >> ----- Original Message -----
> >>>>> >> >> > From: "Itamar Heim" <iheim at redhat.com>
> >>>>> >> >> > To: "Alon Bar-Lev" <alonbl at redhat.com>, "Paul Robert Marino"
> >>>>> >> >> > <prmarino1 at gmail.com>
> >>>>> >> >> > Cc: users at ovirt.org
> >>>>> >> >> > Sent: Sunday, August 10, 2014 11:54:05 PM
> >>>>> >> >> > Subject: Re: [ovirt-users] ovirt with 389 server inactive
> >>>>> >> >> > groups
> >>>>> >> >> >
> >>>>> >> >> > On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
> >>>>> >> >> > >
> >>>>> >> >> > >
> >>>>> >> >> > > ----- Original Message -----
> >>>>> >> >> > >> From: "Paul Robert Marino" <prmarino1 at gmail.com>
> >>>>> >> >> > >> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>>> >> >> > >> Cc: "Maurice James" <mjames at media-node.com>, users at ovirt.org
> >>>>> >> >> > >> Sent: Sunday, August 10, 2014 10:43:14 PM
> >>>>> >> >> > >> Subject: Re: [ovirt-users] ovirt with 389 server inactive
> >>>>> >> >> > >> groups
> >>>>> >> >> > >>
> >>>>> >> >> > >> Sorry for my delayed response to this
> >>>>> >> >> > >>
> >>>>> >> >> > >> I am using ovirt 3.3.
> >>>>> >> >> > >> I am using Kerberos 5, and all of the DNS requirements are in place.
> >>>>> >> >> > >> Finally 389 server is the upstream project for RHDS and one of the
> >>>>> >> >> > >> upstream projects for IPA.
> >>>>> >> >> > >> So I chose to set it as RHDS because it's an identical match.
> >>>>> >> >> > >>
> >>>>> >> >> > >> User authentication works just fine my problem is adding roles to groups.
> >>>>> >> >> > >> I can assign a role to a group but the group always shows an inactive
> >>>>> >> >> > >> status; however if I assign a role directly to a user it works fine.
> >>>>> >> >> > >> In addition if I drill down into a user it knows what groups in the
> >>>>> >> >> > >> 389 server the user is a member of.
> >>>>> >> >> > >>
> >>>>> >> >> > >> finally I can't see any error in the logs when adding a role to a group
> >>>>> >> >> > >>
> >>>>> >> >> > >
> >>>>> >> >> > > Please open a bug, I am unsure that it will be addressed before 3.5, as we
> >>>>> >> >> > > have done major rework for the authentication and authorization to make it
> >>>>> >> >> > > much more versatile. Even if there will be a fix it will be provided to
> >>>>> >> >> > > 3.4.z.
> >>>>> >> >> > >
> >>>>> >> >> > > It will be best if you want to test this scenario in 3.5 release candidate
> >>>>> >> >> > > and the new ldap provider, so we can address the issue before 3.5 release
> >>>>> >> >> > > if exists.
> >>>>> >> >> > >
> >>>>> >> >> >
> >>>>> >> >> > could also be one of these fixed in 3.4:
> >>>>> >> >> > 3.4.0 - Bug 1065615 - When adding a user that belongs to a
> >>>>> >> >> > group, it
> >>>>> >> >> > does not inherit the group permissions
> >>>>> >> >> > 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to
> >>>>> >> >> > a group indirectly, it does not inherit the group permissions
> >>>>> >> >> >
> >>>>> >> >> > >>
> >>>>> >> >> > >>
> >>>>> >> >> > >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev
> >>>>> >> >> > >> <alonbl at redhat.com>
> >>>>> >> >> > >> wrote:
> >>>>> >> >> > >>>
> >>>>> >> >> > >>>
> >>>>> >> >> > >>> ----- Original Message -----
> >>>>> >> >> > >>>> From: "Maurice James" <mjames at media-node.com>
> >>>>> >> >> > >>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>>> >> >> > >>>> Cc: "Itamar Heim" <iheim at redhat.com>, users at ovirt.org
> >>>>> >> >> > >>>> Sent: Saturday, August 9, 2014 3:47:04 AM
> >>>>> >> >> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive
> >>>>> >> >> > >>>> groups
> >>>>> >> >> > >>>>
> >>>>> >> >> > >>>> Does this still require the use of kerberos? Will 389-ds work on its own?
> >>>>> >> >> > >>>
> >>>>> >> >> > >>> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap mix.
> >>>>> >> >> > >>>
> >>>>> >> >> > >>> It will be great to receive feedback[2].
> >>>>> >> >> > >>>
> >>>>> >> >> > >>> 389ds is not supported directly, I think it is similar to IPA as it uses
> >>>>> >> >> > >>> 389. Maybe I should rename the profile of ipa to 389 if it works properly.
> >>>>> >> >> > >>>
> >>>>> >> >> > >>> Regards,
> >>>>> >> >> > >>> Alon
> >>>>> >> >> > >>>
> >>>>> >> >> > >>> [1]
> >>>>> >> >> > >>> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=master
> >>>>> >> >> > >>> [2]
> >>>>> >> >> > >>> http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
> >>>>> >> >> > >>>
> >>>>> >> >> > >>>>
> >>>>> >> >> > >>>> ----- Original Message -----
> >>>>> >> >> > >>>> From: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>>> >> >> > >>>> To: "Itamar Heim" <iheim at redhat.com>
> >>>>> >> >> > >>>> Cc: users at ovirt.org
> >>>>> >> >> > >>>> Sent: Friday, August 8, 2014 3:45:07 PM
> >>>>> >> >> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive
> >>>>> >> >> > >>>> groups
> >>>>> >> >> > >>>>
> >>>>> >> >> > >>>>
> >>>>> >> >> > >>>>
> >>>>> >> >> > >>>> ----- Original Message -----
> >>>>> >> >> > >>>>> From: "Itamar Heim" <iheim at redhat.com>
> >>>>> >> >> > >>>>> To: "Paul Robert Marino" <prmarino1 at gmail.com>,
> >>>>> >> >> > >>>>> users at ovirt.org
> >>>>> >> >> > >>>>> Sent: Friday, August 8, 2014 10:37:11 PM
> >>>>> >> >> > >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive
> >>>>> >> >> > >>>>> groups
> >>>>> >> >> > >>>>>
> >>>>> >> >> > >>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
> >>>>> >> >> > >>>>>> I have ovirt engine running and connected to a 389 server with the
> >>>>> >> >> > >>>>>> memberof plugin enabled and working properly.
> >>>>> >> >> > >>>>>>
> >>>>> >> >> > >>>>>> I can add users and assign them to roles without any issues.
> >>>>> >> >> > >>>>>>
> >>>>> >> >> > >>>>>> when I look at a user I can see all the LDAP groups they are a member of.
> >>>>> >> >> > >>>>>>
> >>>>> >> >> > >>>>>> when I run engine-manage-domains  -action=validate it tells me the
> >>>>> >> >> > >>>>>> domain is valid.
> >>>>> >> >> > >>>>>>
> >>>>> >> >> > >>>>>> here is my problem when I try to assign a role to an LDAP group it
> >>>>> >> >> > >>>>>> looks like it works but in the general tab when under the group it
> >>>>> >> >> > >>>>>> tells me the status is Inactive.
> >>>>> >> >> > >>>>>>
> >>>>> >> >> > >>>>>> does anyone know how to enable the group?
> >>>>> >> >> > >>>>>> _______________________________________________
> >>>>> >> >> > >>>>>> Users mailing list
> >>>>> >> >> > >>>>>> Users at ovirt.org
> >>>>> >> >> > >>>>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>>> >> >> > >>>>>>
> >>>>> >> >> > >>>>>
> >>>>> >> >> > >>>>> 3.4 or new 3.5 Generic LDAP provider?
> >>>>> >> >> > >>>>
> >>>>> >> >> > >>>>
> >>>>> >> >> > >>>> In case this is 3.5 it is a known issue, all groups will be seen as inactive,
> >>>>> >> >> > >>>> this field will probably be removed from UI, as groups are no longer fetched
> >>>>> >> >> > >>>> periodically.
> >>>>> >> >> > >>>> This field is totally ignored.
> >>>>> >> >> > >>>>
> >>>>> >> >> > >>>> Alon
> 
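
As an added illustration (not part of the thread and not oVirt engine code), the mismatch Paul describes can be reproduced with a cut-down copy of the `ad_groups` table in SQLite: an exact-match lookup of the lowercased memberOf name finds nothing, while case-folded equality finds the group. It goes one step beyond the thread by showing why case-folded equality is safer than a pattern match such as `ilike`, where `_` and `%` inside a group name act as wildcards. The `qa managers` row and its id, the `qa_managers` membership, and the `build_db`/`resolve` helpers are constructed for this example.

```python
import sqlite3

# Ids for "Everyone" and sysadmin are the ones quoted in the thread.
EVERYONE_ID = "eee00000-0000-0000-0000-123456789eee"
SYSADMIN_ID = "2a8a8401-fc9e-11e3-8742-861538ea406a"
# Constructed id for a second registered group (not from the thread).
QA_ID = "11111111-1111-1111-1111-111111111111"
# All-zero id, as seen in the group_ids column when no group was resolved.
NIL_ID = "00000000-0000-0000-0000-000000000000"

def build_db():
    """Simplified ad_groups table: only the id and name columns from the thread."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ad_groups (id TEXT PRIMARY KEY, name TEXT NOT NULL)")
    db.executemany("INSERT INTO ad_groups VALUES (?, ?)", [
        (EVERYONE_ID, "Everyone"),
        (SYSADMIN_ID, "<domain here>/Groups/sysadmin"),
        (QA_ID, "<domain here>/Groups/qa managers"),  # constructed row
    ])
    return db

# Three ways to compare a directory-supplied group name with ad_groups.name.
PREDICATES = {
    "exact": "name = ?",                 # case-sensitive equality
    "like": "name LIKE ?",               # SQLite LIKE ignores ASCII case, standing
                                         # in here for PostgreSQL ILIKE
    "folded": "lower(name) = lower(?)",  # case-insensitive equality, no wildcards
}

def resolve(db, group_names, mode):
    """Return, for each name, the list of matching ids (NIL_ID if none match)."""
    sql = f"SELECT id FROM ad_groups WHERE {PREDICATES[mode]} ORDER BY id"
    resolved = []
    for name in group_names:
        ids = [row[0] for row in db.execute(sql, (name,))]
        resolved.append(ids or [NIL_ID])
    return resolved

if __name__ == "__main__":
    db = build_db()
    member_of = [
        "<domain here>/groups/sysadmin",     # lowercased form from the thread
        "<domain here>/groups/qa_managers",  # constructed: a different, unregistered group
    ]
    for mode in PREDICATES:
        print(mode, resolve(db, member_of, mode))
```

With the pattern match, the unregistered `qa_managers` membership resolves to the registered `qa managers` group, so that group's roles would be inherited by the wrong users; case-folded equality resolves it to nothing.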


