[ovirt-users] Setting Base DN for LDAP authentication

Alon Bar-Lev alonbl at redhat.com
Fri Jan 9 09:17:24 UTC 2015



----- Original Message -----
> From: jdeloro at web.de
> To: users at ovirt.org
> Sent: Friday, January 9, 2015 8:31:19 AM
> Subject: [ovirt-users] Setting Base DN for LDAP authentication
> 
> Hello,
> 
> I'm trying to configure LDAP authentication with oVirt 3.5 and
> ovirt-engine-extension-aaa-ldap. I chose the simple bind transport example.
> But the given examples are missing the explicit specification of a base dn.
> Could you please advise me how this can be done?
> 
> My current configuration:
> 
> [jd at om01 ovirt-engine]$ cat aaa/company-ldap.properties
> include = <openldap.properties>
> 
> vars.server = ldap.company.de
> 
> vars.user = cn=system,dc=company,dc=de
> vars.password = password
> 
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> 
> [jd at om01 ovirt-engine]$ cat company-ldap-authn.properties
> ovirt.engine.extension.name = company-ldap-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = company-ldap
> ovirt.engine.aaa.authn.authz.plugin = company-ldap-authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
> 
> [jd at om01 ovirt-engine]$ cat company-ldap-authz.properties
> ovirt.engine.extension.name = company-ldap-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
> 
> [jd at om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
> # extended LDIF
> #
> # LDAPv3
> # base <dc=company,dc=de> with scope subtree
> # filter: cn=jdeloro
> # requesting: ALL
> #
> 
> # jdeloro, users, admins, company.de
> dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
> [... and many more lines ...]
> 
> I could not use namingContexts from RootDSE because this results in base dn
> dc=de instead of dc=company,dc=de.

Can you explain why the namingContexts is not sufficient? Just for me to know, and maybe to enable an easier override?
It should contain a valid base DN for you to use.

You have two options to fix this:

1. Add another attribute to openldap, let's say myNamingContext, with a valid value, and add the following to the profile (company-ldap.properties):

sequence-init.init.610-my-openldap-init-vars = my-openldap-init-vars
sequence.my-openldap-init-vars.010.description = set base dn
sequence.my-openldap-init-vars.010.type = var-set
sequence.my-openldap-init-vars.010.var-set.variable = simple_attrsBaseDN
sequence.my-openldap-init-vars.010.var-set.value = myNamingContexts

2. Another option is to enforce the baseDN (company-ldap.properties):

sequence-init.open.910-my-openldap-init-vars = my-openldap-init-vars
sequence.my-openldap-init-vars.010.description = set base dn
sequence.my-openldap-init-vars.010.type = var-set
sequence.my-openldap-init-vars.010.var-set.variable = _simple_baseDN
sequence.my-openldap-init-vars.010.var-set.value = dc=company,dc=de

If you use the 2nd form, please note that it might break if I add proper support in the next version.

Regards,
Alon.

> 
> Kind regards
> 
> Jannick
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
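An added example, not code from the thread's authors or from the oVirt project: a small offline checker that reads a profile in the style shown above (the `${global:...}` substitution and the `var-set` step from option 2 of the reply), reports the effective base DN, and verifies that the user DN returned by ldapsearch actually lies beneath it. It also shows why the RootDSE `namingContexts` value of `dc=de` from the original question is a poor base for `dc=company,dc=de`: a user entry under a constructed sibling tree `dc=other,dc=de` would be in scope too, so authentication would search more of the directory than intended. The properties parser and the DN normalisation are simplified assumptions and do not reproduce the real extension's parser.

```python
"""Added example (not from the ovirt-engine-extension-aaa-ldap project).

Resolves a simplified aaa-ldap profile offline and checks base DN scope.
"""
import re

# Constructed sample: the profile from the thread plus option 2 from the reply.
PROFILE = """\
include = <openldap.properties>

vars.server = ldap.company.de

vars.user = cn=system,dc=company,dc=de
vars.password = password

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

sequence-init.open.910-my-openldap-init-vars = my-openldap-init-vars
sequence.my-openldap-init-vars.010.description = set base dn
sequence.my-openldap-init-vars.010.type = var-set
sequence.my-openldap-init-vars.010.var-set.variable = _simple_baseDN
sequence.my-openldap-init-vars.010.var-set.value = dc=company,dc=de
"""

_REF = re.compile(r"\$\{global:([^}]+)\}")
_VARSET_KEY = re.compile(r"sequence\.([^.]+)\.(\d+)\.var-set\.variable")


def parse_properties(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped.
    Only the first '=' separates key from value, so DNs stay intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        props[key.strip()] = value.strip()
    return props


def resolve(props):
    """Expand ${global:key} references one level deep (assumed semantics)."""
    def expand(m):
        ref = m.group(1)
        if ref not in props:
            raise KeyError(f"undefined reference: {ref}")
        return props[ref]
    return {k: _REF.sub(expand, v) for k, v in props.items()}


def var_set_values(props):
    """Collect variable -> value from every sequence.*.NNN.var-set step."""
    result = {}
    for key, variable in props.items():
        m = _VARSET_KEY.fullmatch(key)
        if not m:
            continue
        value_key = f"sequence.{m.group(1)}.{m.group(2)}.var-set.value"
        if value_key not in props:
            raise KeyError(f"{key} has no matching {value_key}")
        result[variable] = props[value_key]
    return result


def effective_base_dn(profile_text):
    """Base DN forced by a var-set step on _simple_baseDN, or None if absent."""
    return var_set_values(resolve(parse_properties(profile_text))).get("_simple_baseDN")


def dn_components(dn):
    """Split a DN into normalised (attr, value) RDN tuples, honouring '\\,' escapes."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escaped char as-is
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    comps = []
    for part in parts:
        attr, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"bad RDN: {part!r}")
        comps.append((attr.strip().lower(), val.strip().lower()))
    return comps


def dn_within_base(dn, base):
    """True when dn equals base or sits beneath it (base is a suffix of dn)."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    base = effective_base_dn(PROFILE)
    user = "cn=jdeloro,ou=users,ou=admins,dc=company,dc=de"   # from the ldapsearch output
    stray = "cn=jdeloro,ou=staff,dc=other,dc=de"                # constructed sibling tree
    print("effective base DN:", base)
    print("user under configured base:", dn_within_base(user, base))
    print("stray entry under configured base:", dn_within_base(stray, base))
    print("stray entry under RootDSE base dc=de:", dn_within_base(stray, "dc=de"))
```

Run it against a copy of the real profile to confirm the base DN the `var-set` step will force, then compare the DN of a known user (from `ldapsearch`) against it; a `False` for the legitimate user means the override is wrong, while a `True` for an entry outside the intended subtree means the base is broader than it should be.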