[ovirt-users] Can't perform search after setting up an Active Directory

Martin Perina mperina at redhat.com
Tue May 31 10:50:41 EDT 2016


On Tue, May 31, 2016 at 4:24 PM, Alexis HAUSER <
alexis.hauser at telecom-bretagne.eu> wrote:

> >> Thank you, this actually works. Yes, I'll remove it as soon as possible.
> >> Now with RHEV + AD, it seems better than RHEV + LDAP for groups: it
> >> finds most of the groups a user belongs to. RHEV + LDAP is only able to
> >> find one group a user belongs to (which is not the same group found when
> >> I search the same user with ldapsearch... Still not able to solve that
> >> mystery....)
>
> >That's very strange, we test it and it works for us. But you said you
> >use more namingContexts
> >than one, right? It could be the problem as we support only one.
>
>
> Which attribute is used by RHEV/oVirt to guess which users belong to a
> group (or the contrary), in the case of LDAP and in the case of AD?
> I can see that not all attributes are filled in the AD/LDAP database here.
>

It depends on which profile you include in
/etc/ovirt-engine/aaa/<PROFILE_NAME>.properties:

1) The included ad.properties is defined in
/usr/share/ovirt-engine-extension-aaa-ldap/profiles/ad.properties

and here are the attribute mappings:

      attrmap.map-principal-record.attr.PrincipalRecord_DN.map = _dn
      attrmap.map-principal-record.attr.PrincipalRecord_ID.map = objectGUID
      attrmap.map-principal-record.attr.PrincipalRecord_ID.conversion = BASE64
      attrmap.map-principal-record.attr.PrincipalRecord_NAME.map = name
      attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = userPrincipalName
      attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map = displayName
      attrmap.map-principal-record.attr.PrincipalRecord_DEPARTMENT.map = department
      attrmap.map-principal-record.attr.PrincipalRecord_FIRST_NAME.map = givenName
      attrmap.map-principal-record.attr.PrincipalRecord_LAST_NAME.map = sn
      attrmap.map-principal-record.attr.PrincipalRecord_TITLE.map = title
      attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = mail

      attrmap.map-group-record.attr.GroupRecord_DN.map = _dn
      attrmap.map-group-record.attr.GroupRecord_ID.map = objectGUID
      attrmap.map-group-record.attr.GroupRecord_ID.conversion = BASE64
      attrmap.map-group-record.attr.GroupRecord_NAME.map = name
      attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = description

2) In the case of LDAP, please take a look at include=<XYZ.properties> to find
out which profile you are using.


>
> >Run this command:
> >$ keytool -storepasswd -keystore /path/to/jks/x.jks
> >It will ask you for old and new password.
>
>
> Thank you, I'll ask rhev-docs to add this to the documentation, as they
> make you generate a new certificate even when using the automatic setup,
> which makes the automatically generated certificate useless.
>
>
> By the way, is there a list of all the possible options/values of the
> .properties file?
>

There is no tool for that; you need to investigate the properties files. Please
start by reading README.profile in the aaa-ldap package, which contains
documentation about the structure of each file.



>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
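The reply above says the answer to "which attribute is used" lives in the attrmap.* keys of the effective profile, reached through include= chains, and that the only way to see them is to read the properties files. The script below is an added example (not code from the oVirt project or from either poster) that does that reading mechanically: it follows include= lines, flattens the keys, and prints the LDAP attributes the engine will request for principal and group records, plus the effect of the BASE64 conversion on objectGUID. The two "files" are constructed in-memory strings modelled on the ad.properties excerpt quoted above and a hypothetical local profile that overrides one group attribute; the rule that a later assignment wins (so a file's own keys override what it includes earlier) and the sample 16-byte GUID are assumptions of this example, not verified against the extension's loader.

```python
"""Resolve the effective attrmap of an oVirt aaa-ldap profile (added example)."""
import base64
import re

# Constructed sample files keyed by name. In a real setup <name> refers to a
# profile shipped under /usr/share/ovirt-engine-extension-aaa-ldap/profiles/
# and a bare name to /etc/ovirt-engine/aaa/; here both are looked up by name.
FILES = {
    "ad.properties": """
# trimmed copy of the AD mappings quoted in the thread
attrmap.map-principal-record.attr.PrincipalRecord_DN.map = _dn
attrmap.map-principal-record.attr.PrincipalRecord_ID.map = objectGUID
attrmap.map-principal-record.attr.PrincipalRecord_ID.conversion = BASE64
attrmap.map-principal-record.attr.PrincipalRecord_NAME.map = name
attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = userPrincipalName
attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = mail
attrmap.map-group-record.attr.GroupRecord_DN.map = _dn
attrmap.map-group-record.attr.GroupRecord_ID.map = objectGUID
attrmap.map-group-record.attr.GroupRecord_ID.conversion = BASE64
attrmap.map-group-record.attr.GroupRecord_NAME.map = name
attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = description
""",
    # hypothetical site profile: includes the AD defaults, then overrides one key
    "example.properties": """
include = <ad.properties>
vars.domain = example.com
attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = sAMAccountName
""",
}

KEY_VALUE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")
ATTRMAP = re.compile(r"^attrmap\.(map-[a-z-]+)\.attr\.(\w+)\.(map|conversion)$")


def load_properties(name, files=FILES, stack=()):
    """Flatten `name` into a dict, following include= lines in file order.

    Later assignments win (assumption), so keys after an include override it.
    `stack` holds the current include path to reject cycles without rejecting
    a diamond (two files that both include the same third file).
    """
    if name in stack:
        raise ValueError("include cycle: %s -> %s" % (" -> ".join(stack), name))
    result = {}
    for line in files[name].splitlines():
        m = KEY_VALUE.match(line)
        if not m:  # comment or blank line
            continue
        key, value = m.groups()
        if key == "include":
            inc = value.strip("<>")  # <x> = shipped profile, x = local file
            result.update(load_properties(inc, files, stack + (name,)))
        else:
            result[key] = value
    return result


def effective_attrmap(props):
    """Group attrmap.* keys as {record: {Field: {"map": attr, "conversion": c}}}."""
    out = {}
    for key, value in props.items():
        m = ATTRMAP.match(key)
        if m:
            record, field, kind = m.groups()
            out.setdefault(record, {}).setdefault(field, {})[kind] = value
    return out


def ldap_attributes_needed(attrmap, record):
    """LDAP attributes to request for one record type; _dn is the entry DN."""
    return sorted({f["map"] for f in attrmap[record].values() if f.get("map") != "_dn"})


def convert(field, raw):
    """Apply the field's conversion to a raw LDAP value (only BASE64 is defined here)."""
    conv = field.get("conversion")
    if conv is None:
        return raw.decode() if isinstance(raw, bytes) else raw
    if conv == "BASE64":
        return base64.b64encode(raw).decode("ascii")
    raise ValueError("unsupported conversion %s" % conv)


if __name__ == "__main__":
    amap = effective_attrmap(load_properties("example.properties"))
    print("principal attrs:", ldap_attributes_needed(amap, "map-principal-record"))
    print("group attrs:    ", ldap_attributes_needed(amap, "map-group-record"))
    # objectGUID is a 16-byte binary attribute in AD; BASE64 is what makes it a
    # printable, stable engine ID. Constructed sample GUID, not a real one.
    guid = bytes(range(16))
    print("PrincipalRecord_ID:", convert(amap["map-principal-record"]["PrincipalRecord_ID"], guid))
```

The useful check for the LDAP case in the thread is the second line of output: if the group record's NAME or DISPLAY_NAME maps to an attribute your directory never populates (the poster noted not all attributes are filled), the engine still asks for it and gets an empty value, and a mismatched namingContext is a separate problem this script cannot see.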