[ovirt-users] How to mapping LDAP users in AAA

Alon Bar-Lev alonbl at redhat.com
Tue Oct 14 09:27:14 UTC 2014


Hi,

In order to help and create a profile for this variant I need the full output of:

$ ldapsearch  -E pr=100/noprompt -o ldif-wrap=no -H ldap://ids.sdju.edu.cn -x -D 'cn=directory manager' -w mypassword -b 'dc=sdju,dc=edu,dc=cn'

Please do not paste but paste.

You can send me privately.

Regards,
Alon

----- Original Message -----
> From: "lofyer" <lofyer at gmail.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "Yair Zaslavsky" <yzaslavs at redhat.com>, "users" <users at ovirt.org>
> Sent: Tuesday, October 14, 2014 12:22:03 PM
> Subject: Re: [ovirt-users] How to mapping LDAP users in AAA
> 
> Yes, I did add authz and authn in /etc/ovirt-engine/extensions.d/ like this
> 
> ==============================
> /etc/ovirt-engine/extensions.d/authn-sdju.edu.cn.properties:
> 
> ovirt.engine.extension.name = authn-sdju.edu.cn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = sdju.edu.cn
> ovirt.engine.aaa.authn.authz.plugin = authz-sdju.edu.cn
> config.profile.file.1 = /etc/ovirt-engine/aaa/sdju.edu.cn.properties
> ==============================
> /etc/ovirt-engine/extensions.d/authz-sdju.edu.cn.properties:
> 
> ovirt.engine.extension.name = authz-sdju.edu.cn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/sdju.edu.cn.properties
> ==============================
> 
> And here's my log:
> 
> ldapsearch -H ldap://ids.sdju.edu.cn -b '' -D 'cn=directory manager' -w
> mypassword -s BASE
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> #
> dn:
> objectClass: top
> namingContexts: dc=sdju,dc=edu,dc=cn
> namingContexts: o=NetscapeRoot
> supportedExtension: 2.16.840.1.113730.3.5.7
> supportedExtension: 2.16.840.1.113730.3.5.8
> supportedExtension: 2.16.840.1.113730.3.5.3
> supportedExtension: 2.16.840.1.113730.3.5.5
> supportedExtension: 2.16.840.1.113730.3.5.6
> supportedExtension: 2.16.840.1.113730.3.5.4
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
> supportedExtension: 1.3.6.1.4.1.4203.1.11.3
> supportedControl: 2.16.840.1.113730.3.4.2
> supportedControl: 2.16.840.1.113730.3.4.3
> supportedControl: 2.16.840.1.113730.3.4.4
> supportedControl: 2.16.840.1.113730.3.4.5
> supportedControl: 1.2.840.113556.1.4.473
> supportedControl: 2.16.840.1.113730.3.4.9
> supportedControl: 2.16.840.1.113730.3.4.16
> supportedControl: 2.16.840.1.113730.3.4.15
> supportedControl: 2.16.840.1.113730.3.4.17
> supportedControl: 2.16.840.1.113730.3.4.19
> supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
> supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
> supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
> supportedControl: 2.16.840.1.113730.3.4.14
> supportedControl: 1.3.6.1.4.1.1466.29539.12
> supportedControl: 2.16.840.1.113730.3.4.12
> supportedControl: 2.16.840.1.113730.3.4.18
> supportedControl: 2.16.840.1.113730.3.4.13
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: DIGEST-MD5
> supportedLDAPVersion: 2
> supportedLDAPVersion: 3
> vendorName: Sun Microsystems, Inc.
> vendorVersion: Sun Java(TM) System Directory Server/5.2_Patch_4
> dataversion: 020121212071504020121212071504
> netscapemdsuffix: cn=ldap://dc=ids1,dc=sdju,dc=edu,dc=cn:389
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> ==============================
>   ldapsearch  -E pr=100/noprompt -H ldap://ids.sdju.edu.cn -x -D
> 'cn=directory manager' -w mypassword -b ou=JZG,dc=sdju,dc=edu,dc=cn
> # extended LDIF
> #
> # LDAPv3
> # base <ou=JZG,dc=sdju,dc=edu,dc=cn> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> # with pagedResults control: size=100
> #
> 
> # JZG, sdju.edu.cn
> dn: ou=JZG,dc=sdju,dc=edu,dc=cn
> ou: JZG
> objectClass: organizationalUnit
> objectClass: iplanet-am-managed-people-container
> objectClass: top
> 
> # 30419, JZG, sdju.edu.cn
> dn: uid=30419,ou=JZG,dc=sdju,dc=edu,dc=cn
> eduPersonCardID: XXXXX219631030057X
> uid: 30419
> ...
> ...
> ...
> userPassword::
> e1NTSEF9OUNWcXMxbnA0YjFsU0NzZDNqODRIOTVBQ1VQTlR1cEI0UmNnSEE9PQ=
>   =
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 1251
> # numEntries: 1250
> 
> 
> On 14-10-14 3:18 PM, Alon Bar-Lev wrote:
> >
> > ----- Original Message -----
> >> From: "lofyer" <lofyer at gmail.com>
> >> To: "Yair Zaslavsky" <yzaslavs at redhat.com>
> >> Cc: "users" <users at ovirt.org>
> >> Sent: Tuesday, October 14, 2014 9:29:57 AM
> >> Subject: Re: [ovirt-users] How to mapping LDAP users in AAA
> >>
> >> Sun Java Access System Manager
> > this is not openldap... why do you use the openldap profile?
> >
> > please attach full export of this ldap server, output of:
> >
> > rootdse:
> > $ ldapsearch -H ldap://example.com -b '' -x -D 'cn=directory manager' -w
> > mypassword -s BASE
> >
> > entities:
> > $ ldapsearch -o ldif-wrap=no -E pr=100/noprompt -H ldap://example.com -x -D
> > 'cn=directory manager' -w mypassword -b <NAMING_CONTEXT>
> >
> >>
> >> On 14-10-14 1:52 PM, Yair Zaslavsky wrote:
> >>> ----- Original Message -----
> >>>> From: "lofyer" <lofyer at gmail.com>
> >>>> To: "users" <users at ovirt.org>
> >>>> Sent: Tuesday, October 14, 2014 5:10:56 AM
> >>>> Subject: [ovirt-users] How to mapping LDAP users in AAA
> >>>>
> >>>> I've got an LDAP server without Kerberos and I am trying to integrate
> >>>> its users into oVirt-3.5 with AAA.
> >>>> ==========================
> >>> Which ldap server is that, what vendor?
> >>>
> >>>> /etc/ovirt-engine/aaa/example.properties:
> >>>>
> >>>> include = <openldap.properties>
> >>>>
> >>>> vars.user = cn=directory manager
> >>>> vars.password = mypassword
> >>>> vars.server = example.com
> >>>>
> >>>> #pool.default.ssl.startTLS = false
> >>>> #pool.default.ssl.truststore.file = /etc/ldap_tls/ca_cert.pem
> >>>> #pool.default.ssl.truststore.password = admin
> >>>>
> >>>> pool.default.serverset.single.server = ${global:vars.server}
> >>>> pool.default.auth.simple.bindDN = ${global:vars.user}
> >>>> pool.default.auth.simple.password = ${global:vars.password}
> >>>> ==========================
> >>>>
> >>>> This is my basic LDAP information:
> >>>>
> >>>> ou=Groups
> >>>> |
> >>>> +---- cn=UserGroup1
> >>>> |
> >>>> +---- cn=UserGroup2
> >>>>
> >>>> ou=UserGroup1
> >>>> |
> >>>> +---- cn=user1
> >>>> |
> >>>> +---- cn=user2
> >>>>
> >>>>
> >>>> ou=UserGroup2
> >>>> |
> >>>> +---- cn=user3
> >>>> |
> >>>> +---- cn=user4
> >>>>
> >>>> ==========================
> >>>>
> >>>> Now I can see example.com in web portal but I cannot list users in UG1
> >>>> or UG2.
> >>>>
> >>>> I find that I could map DN, ID NAME, DISPLAY in the config file. What
> >>>> should I add in the config file then?
> >>>> _______________________________________________
> >>>> Users mailing list
> >>>> Users at ovirt.org
> >>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>>
> 
> 
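The rootDSE dump Alon asks for above is what tells you which profile fits: vendor, naming contexts, and which controls and extensions the server advertises. The following parser is an added example (not oVirt's code and not from any participant); it unfolds the LDIF wrapping that `-o ldif-wrap=no` avoids, decodes `::` base64 values, and reports whether the server advertises the paged-results control and StartTLS, using well-known OIDs from RFC 2696 and RFC 4511 that are not quoted on this page. The embedded sample is an abridged copy of the rootDSE posted in the thread.

```python
import base64
import re
from collections import defaultdict

PAGED_RESULTS_CONTROL = "1.2.840.113556.1.4.319"  # RFC 2696, not on this page
STARTTLS_EXTENSION = "1.3.6.1.4.1.1466.20037"     # RFC 4511, not on this page

# Constructed sample: an abridged copy of the rootDSE pasted in the thread.
SAMPLE_ROOTDSE = """\
namingContexts: dc=sdju,dc=edu,dc=cn
namingContexts: o=NetscapeRoot
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedSASLMechanisms: DIGEST-MD5
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun Java(TM) System Directory Server/5.2_Patch_4
"""

def parse_ldif_entry(text):
    """{attr: [values]} for one LDIF entry; unfolds wrapped lines, decodes '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:  # LDIF continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = defaultdict(list)
    for line in lines:
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs[name.lower()].append(value)
    return dict(attrs)

def assess_rootdse(text):
    """What the server advertises, checked before picking an AAA profile."""
    a = parse_ldif_entry(text)
    return {
        "vendor": " / ".join(a.get("vendorname", []) + a.get("vendorversion", [])),
        "naming_contexts": a.get("namingcontexts", []),
        # ldapsearch -E pr=100 (used in the thread) sends this control.
        "paged_results": PAGED_RESULTS_CONTROL in a.get("supportedcontrol", []),
        # Without StartTLS a simple bind over ldap:// sends the password in clear.
        "starttls": STARTTLS_EXTENSION in a.get("supportedextension", []),
    }
```

Run `assess_rootdse` on the full rootDSE output rather than the sample to see every advertised control; the sample only carries enough attributes to show the checks.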