[ovirt-users] AAA LDAP Authentication

David Smith dsmith at mypchelp.com
Tue May 5 20:09:25 UTC 2015

I'm trying to set up the new 3.5 AAA LDAP Auth, but it's lacking some
serious detail in documentation, the rest is java-programmer-oriented docs
only that I can find;


Here's a sample config (sanitized) that I need to adapt to ovirt; *I HAVE
NO control over the LDAP server.

So far I've managed to figure out through search after search to use LDAPS
(TLS isn't an option, thanks!)
Two parts I can't figure out; setting rootDN and setting the organization
filter-- members of that particular organization should have access to
ovirt, and none others.

vars.server = directory.ft.com

# Search user and its password.
vars.user = uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com
vars.urootdn = cn=users,cn=accounts,dc=corp,dc=ft,dc=com
vars.password = Ft######

pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = 636
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.rootDN = ${global:vars.urootdn}
pool.default.auth.simple.password = ${global:vars.password}

# enable SSL
pool.default.ssl.enable = true
#pool.default.ssl.insecure = false

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file =
pool.default.ssl.truststore.password = changeit

example config from testlink
$tlCfg->authentication['method'] = 'LDAP';

/** LDAP authentication credentials */
$tlCfg->authentication['ldap_server'] = 'ldaps://directory.ft.com';
$tlCfg->authentication['ldap_port'] = '636';
$tlCfg->authentication['ldap_version'] = '3';
$tlCfg->authentication['ldap_root_dn'] =
$tlCfg->authentication['ldap_bind_dn'] =
$tlCfg->authentication['ldap_bind_passwd'] = 'Ft######';
$tlCfg->authentication['ldap_tls'] = false; // true -> use tls
$tlCfg->authentication['ldap_organization'] =
'(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; //
e.g. '(organizationname=*Traffic)'
$tlCfg->authentication['ldap_uid_field'] = 'uid'; // Use
'sAMAccountName' for Active Directory
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20150505/e10e6a53/attachment-0001.html>

More information about the Users mailing list