[ovirt-users] Setting Base DN for LDAP authentication

Alon Bar-Lev alonbl at redhat.com
Fri Jan 9 11:49:58 UTC 2015 


----- Original Message -----
> From: jdeloro at web.de
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: users at ovirt.org
> Sent: Friday, January 9, 2015 1:20:44 PM
> Subject: Re: [ovirt-users] Setting Base DN for LDAP authentication
> 
> Hello Alon,
> 
> > > I'm trying to configure LDAP authentication with oVirt 3.5 and
> > > ovirt-engine-extension-aaa-ldap. I chose the simple bind transport
> > > example.
> > > But the given examples are missing the explicit specification of a base
> > > dn.
> > > Could you please advise me how this can be done?
> > > 
> > > My curent configuration:
> > > 
> > > [jd at om01 ovirt-engine]$ cat aaa/company-ldap.properties
> > > include = <openldap.properties>
> > > 
> > > vars.server = ldap.company.de
> > > 
> > > vars.user = cn=system,dc=company,dc=de
> > > vars.password = password
> > > 
> > > pool.default.serverset.single.server = ${global:vars.server}
> > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > pool.default.auth.simple.password = ${global:vars.password}
> > > 
> > > [jd at om01 ovirt-engine]$ cat company-ldap-authn.properties
> > > ovirt.engine.extension.name = company-ldap-authn
> > > ovirt.engine.extension.bindings.method = jbossmodule
> > > ovirt.engine.extension.binding.jbossmodule.module =
> > > org.ovirt.engine-extensions.aaa.ldap
> > > ovirt.engine.extension.binding.jbossmodule.class =
> > > org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > > ovirt.engine.extension.provides =
> > > org.ovirt.engine.api.extensions.aaa.Authn
> > > ovirt.engine.aaa.authn.profile.name = company-ldap
> > > ovirt.engine.aaa.authn.authz.plugin = company-ldap-authz
> > > config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
> > > 
> > > [jd at om01 ovirt-engine]$ cat company-ldap-authz.properties
> > > ovirt.engine.extension.name = company-ldap-authz
> > > ovirt.engine.extension.bindings.method = jbossmodule
> > > ovirt.engine.extension.binding.jbossmodule.module =
> > > org.ovirt.engine-extensions.aaa.ldap
> > > ovirt.engine.extension.binding.jbossmodule.class =
> > > org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > > ovirt.engine.extension.provides =
> > > org.ovirt.engine.api.extensions.aaa.Authz
> > > config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
> > > 
> > > [jd at om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D
> > > cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
> > > # extended LDIF
> > > #
> > > # LDAPv3
> > > # base <dc=company,dc=de> with scope subtree
> > > # filter: cn=jdeloro
> > > # requesting: ALL
> > > #
> > > 
> > > # jdeloro, users, admins, company.de
> > > dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
> > > [... and many more lines ...]
> > > 
> > > I could not use namingContexts from RootDSE cause this results in base dn
> > > dc=de instead of dc=company,dc=de.
> > 
> > Can you explain why the namingContexts is not sufficient? just for me to
> > know and maybe enable easier override?
> > It should contain a valid base DN for you to use.
> 
> [jd at om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D
> cn=system,dc=company,dc=de -W -s base namingContexts -LLL
> dn:
> namingContexts: dc=de
> 
> This isn't the correct base dn. I need dc=company,dc=de to find any users. I
> don't know, why LDAP is configured like this. But I need to work with it.
> 
> [jd at om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D
> cn=system,dc=company,dc=de -W -b dc=de cn=jdeloro
> # extended LDIF
> #
> # LDAPv3
> # base <dc=de> with scope subtree
> # filter: cn=jdeloro
> # requesting: ALL
> #
> 
> # search result
> search: 2
> result: 32 No such object
> 
> # numResponses: 1
> 
> [jd at om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D
> cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
> # extended LDIF
> #
> # LDAPv3
> # base <dc=company,dc=de> with scope subtree
> # filter: cn=jdeloro
> # requesting: ALL
> #
> 
> # jdeloro, users, admins, company.de
> dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
> [... and many more lines ...]
> 
> > You have two options to fix this:
> > 
> > 1. add another attribute to openldap let's say myNamingContext with valid
> > value and add the following to profile (company-ldap.properties):
> > 
> > sequence-init.init.610-my-openldap-init-vars = my-openldap-init-vars
> > sequence.my-openldap-init-vars.010.description = set base dn
> > sequence.my-openldap-init-vars.010.type = var-set
> > sequence.my-openldap-init-vars.010.var-set.variable = simple_attrsBaseDN
> > sequence.my-openldap-init-vars.010.var-set.value = myNamingContexts
> 
> I can't use this options, because I'm not allowed to make LDAP changes.
> 
> > 2. another option is to enforce baseDN (company-ldap.properties):
> > 
> > sequence-init.open.910-my-openldap-init-vars = my-openldap-init-vars
> > sequence.my-openldap-init-vars.010.description = set base dn
> > sequence.my-openldap-init-vars.010.type = var-set
> > sequence.my-openldap-init-vars.010.var-set.variable = _simple_baseDN
> > sequence.my-openldap-init-vars.010.var-set.value = dc=company,dc=de
> 
> I have added the lines and restarted ovirt-engine, but the Namespace in 'Add
> Users and Groups' is still 'dc=de' and I can't find any users.

Yes, the namespace will still present dc=de, this is expected.
Can you please send me debug log?

Edit:
/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in

Before <root-logger>, add:
       <logger category="org.ovirt.engineextensions.aaa.ldap">
         <level name="ALL"/>
       </logger>

And in 3.5.0 you also need to modify INFO to ALL at <leve name= of ENGINE:

      <file-handler name="ENGINE" autoflush="true">
        <level name="ALL"/>

Thanks!

More information about the Users mailing list