[ovirt-users] Errors while trying to join an external LDAP provider

Martin Perina mperina at redhat.com
Wed May 18 08:57:35 UTC 2016


On Wed, May 18, 2016 at 9:48 AM, Alexis HAUSER <
alexis.hauser at telecom-bretagne.eu> wrote:

> >> Is there a way to search for attributes in the ovirt web interface, for
> >> example "memberof"?
> >>
> >> I can't imagine adding hundreds or thousands of users one by one... What
> >> would be the solutions?
> >>
>
> >You can assign specific permission to the group that relevant users are
> >members of (we also support nested groups if needed)
> >and of course you can select multiple users/groups when you assign
> >permissions.
>
> >If the above is not an option for you, could you try to describe what exactly
> >you are trying to achieve?
>
> >Thanks
>
> >Martin Perina
>
> As I explained, my groups are not in the same dn path as my users. As it
> is not possible to add multiple dn paths, my only solution is to use users.


Well, that's the 1st time I've heard about an LDAP setup where users and
groups of one domain are not under the same baseDN. Usually all LDAP setups
have some baseDN (for example 'dc=company,dc=com') and somewhere under this
baseDN (not necessarily directly under it) we could find users and groups.
The only exception to this is ActiveDirectory with multi-domain trust
inside a single forest (which we currently support and a user of domainA can
be a member of a group from domainB) and multi-forest trust (which we
don't support).

> Those users have attributes like "member of" which still keep the
> information about what group they belong to. I didn't find any way using
> the interface to filter by attribute, for example to show all users who are
> members of group "foo".
>

We don't support LDAP searches in the webadmin UI, because we don't
distinguish between LDAP (ovirt-engine-extension-aaa-ldap) and database
(ovirt-engine-extension-aaa-jdbc) providers; both of them provide users
and groups for oVirt using the same AAA interface.

> I could do that with ldapsearch, but then how would I inject the result into
> ovirt configuration to add those users to specific ovirt roles ("ovirt
> permission groups")?
>

So the only way that comes to my mind is to use one of our SDKs (Python,
Java, Ruby). You would need to implement the LDAP query yourself and then
add the wanted permission to those users using our SDKs.


Martin Perina
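
Added example, not part of the original message and not oVirt code: the LDAP half of the approach suggested above, turning `ldapsearch -LLL` output into the list of users whose memberOf names one exact group DN. The DNs, the `uid` naming attribute and the sample data are constructed assumptions; the SDK calls that would then grant a role to each name are not shown.

```python
import base64

# Constructed sample: users under dc=example,dc=com, groups under a different tree.
GROUP = "cn=foo,ou=groups,dc=example,dc=org"
B64 = base64.b64encode(b"cn=Foo, ou=groups,dc=example,dc=org").decode()
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\nuid: alice\n"
    f"memberOf: {GROUP}\nmemberOf: cn=bar,ou=groups,dc=example,dc=org\n\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\nuid: bob\n"
    "memberOf: cn=bar,ou=groups,dc=example,dc=org\n\n"
    "dn: uid=carol,ou=people,dc=example,dc=com\nuid: carol\n"
    f"memberOf:: {B64}\n\n"                            # base64-encoded value
    "dn: uid=dave,ou=people,dc=example,dc=com\nuid: dave\n"
    "memberOf: cn=foo,ou=groups,dc=exam\n ple,dc=org\n"  # folded long line
)

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry of `ldapsearch -LLL` output."""
    unfolded = text.replace("\n ", "")  # RFC 2849: "\n " continues a line
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            yield entry

def norm_dn(dn):
    # Simplified DN comparison: case-insensitive, spaces around commas ignored.
    # Assumption: no escaped commas inside RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def members_of(ldif_text, group_dn, name_attr="uid"):
    """Return sorted user names whose memberOf contains exactly group_dn."""
    wanted = norm_dn(group_dn)
    users = []
    for entry in parse_ldif(ldif_text):
        groups = {norm_dn(g) for g in entry.get("memberof", [])}
        # Whole-DN match, not substring: "cn=foo" must not match "cn=foo-admins".
        if wanted in groups and entry.get(name_attr.lower()):
            users.append(entry[name_attr.lower()][0])
    return sorted(users)

if __name__ == "__main__":
    print(members_of(SAMPLE_LDIF, GROUP))
```

Reviewing the resulting list before granting anything keeps a bulk assignment from handing a role to more accounts than intended.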