[ovirt-users] How to mapping LDAP users in AAA

Alon Bar-Lev alonbl at redhat.com
Tue Oct 14 07:14:22 UTC 2014



----- Original Message -----
> From: "lofyer" <lofyer at gmail.com>
> To: "users" <users at ovirt.org>
> Sent: Tuesday, October 14, 2014 5:10:56 AM
> Subject: [ovirt-users] How to mapping LDAP users in AAA
> 
> I've got a LDAP server without kerberos and I am trying to integrate
> its users to oVirt-3.5 with AAA.
> ==========================
> /etc/ovirt-engine/aaa/example.properties:

You need to create two extensions, one for authentication and another for authorization, at /etc/ovirt-engine/extensions.d/ (see [1]); both should refer to your example.properties.

But I see you created these based on below.

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l17

> 
> include = <openldap.properties>
> 
> vars.user = cn=directory manager

are you sure this ^ is the full dn of the user?

> vars.password = mypassword
> vars.server = example.com
> 
> #pool.default.ssl.startTLS = false
> #pool.default.ssl.truststore.file = /etc/ldap_tls/ca_cert.pem
> #pool.default.ssl.truststore.password = admin
> 
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> ==========================
> 
> This is my basic ldap information:
> 
> ou=Groups
> |
> +---- cn=UserGroup1
> |
> +---- cn=UserGroup2
> 
> ou=UserGroup1
> |
> +---- cn=user1
> |
> +---- cn=user2
> 
> 
> ou=UserGroup2
> |
> +---- cn=user3
> |
> +---- cn=user4
> 
> ==========================
> 
> Now I can see example.com in web portal but I cannot list users in UG1
> or UG2.

in admin portal?

> 
> I find that I could map DN, ID NAME, DISPLAY in the config file. What
> should I add in the config file then?

you do not need to touch these...

1. which version of ovirt-engine do you use?
2. which version of ovirt-engine-extension-aaa-ldap do you use?

what is your root dse?

$ ldapsearch -H ldap://example.com -b '' -x -D 'cn=directory manager' -w mypassword -s BASE 

Look for namingContexts; it should contain, as the first entry, a suffix for all objects.

If you try to search for users within the "Users" add tab within webadmin and find nothing, and the rootdse is ok, please modify /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in and set:

      <file-handler name="SERVER">       <--- find this
        <level name="FINEST"/>           <--- modify this


      <logger category="org.ovirt.engineextensions.aaa.ldap">   <--- add this
        <level name="FINEST"/>           <--- add this
      </logger>                          <--- add this
      <logger category="com.arjuna">     <--- find this


stop engine
remove /var/log/ovirt-engine/engine.log
start engine
try to search
send me engine.log

Regards,
Alon
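The checks discussed in this thread (resolving the `${global:...}` references in the properties file, confirming that the bind DN is a full DN rather than a bare RDN, and reading namingContexts from the root DSE to find the suffix) as an added Python script. This is example code written for this page, not part of the thread or of ovirt-engine-extension-aaa-ldap; the properties text and the LDIF are constructed samples shaped like the quoted config and like `ldapsearch -x -s base -b ''` output, and the function names are my own.

```python
"""Sanity-check an aaa-ldap properties file against a root DSE (added example)."""
import base64
import re

# Constructed sample: a copy of the properties file quoted in the thread.
SAMPLE_PROPERTIES = """\
include = <openldap.properties>

vars.user = cn=directory manager
vars.password = mypassword
vars.server = example.com

#pool.default.ssl.startTLS = false
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
"""

# Constructed sample: LDIF shaped like ldapsearch output for a root DSE query.
SAMPLE_ROOT_DSE = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
#
dn:
namingContexts: dc=example,dc=com
supportedLDAPVersion: 3

# search result
search: 2
result: 0 Success
"""

REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text):
    """Parse 'key = value' lines; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def expand(props):
    """Resolve ${global:key} references against keys of the same file."""
    return {k: REF.sub(lambda m: props.get(m.group(1), m.group(0)), v)
            for k, v in props.items()}


def ldif_values(text, attr):
    """Collect the values of one attribute from LDIF output.

    Folds continuation lines (leading space) and decodes 'attr:: base64'.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    values = []
    for line in unfolded:
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            values.append(value.strip())
    return values


def check(properties_text, root_dse_text):
    """Return the expanded config, the suffixes, and any findings."""
    cfg = expand(parse_properties(properties_text))
    contexts = ldif_values(root_dse_text, "namingContexts")
    bind_dn = cfg.get("pool.default.auth.simple.bindDN", "")
    findings = []
    if not contexts:
        findings.append("root DSE returned no namingContexts; check the server "
                        "and whether anonymous base search is allowed")
    if not bind_dn:
        findings.append("no pool.default.auth.simple.bindDN after expansion")
    elif not any(bind_dn.lower().endswith(c.lower()) for c in contexts):
        # A bare RDN like 'cn=directory manager' only exists as a server-internal
        # root DN on some servers (e.g. 389-DS); on others the account lives
        # under a suffix and needs the full DN.
        findings.append(f"bindDN '{bind_dn}' is not under any suffix {contexts}; "
                        "unless it is a server-internal root DN, it is probably "
                        "not a full DN")
    return {"config": cfg, "naming_contexts": contexts, "findings": findings}


if __name__ == "__main__":
    for finding in check(SAMPLE_PROPERTIES, SAMPLE_ROOT_DSE)["findings"]:
        print("WARN:", finding)
```

With the quoted config the script warns that `cn=directory manager` does not sit under `dc=example,dc=com`, which is exactly the question raised above; swapping in `cn=admin,dc=example,dc=com` clears the warning. Against a real server, feed it the output of the ldapsearch root DSE query shown in the reply instead of the constructed LDIF.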


