[ovirt-users] Errors while trying to join an external LDPA provider
mperina at redhat.com
Wed May 18 08:57:35 UTC 2016
On Wed, May 18, 2016 at 9:48 AM, Alexis HAUSER <
alexis.hauser at telecom-bretagne.eu> wrote:
> >> Is their a way to search for attributes into the ovirt web interface,
> >> example "memberof" ?
> >> I can't imagine adding hundreds or thousand of users one by one...What
> >> would be the solutions ?
> >You can assign specific permission to the group that relevant users are
> >member of (we support also nested groups if needed)
> >and of course you can select multiple users/groups when you assign
> >If the above is not option for you, could you try to describe what exactly
> >are you trying to achieve?
> >Martin Perina
> As I explained, my groups are not in the same dn path than my users. As it
> is not possible to add multiple dn path, my only solution is to use users.
Well, that's the 1st time I've heard about LDAP setup where users and
groups of one domain are not under same baseDN. Usually all LDAP setups
have some baseDN (for example 'dc=company,dc=com') and somewhere under this
baseDN (not necessarily directly under it) we could find users and groups.
The only exception to this is ActiveDirectory with multi-domain trust
inside single forrest (which we currently support and user of domainA can
be a member of a group from domainB) and multi-forrest trust (which we
Those users have attributes like "member of" which still keep the
> information about what group they belong too. I didn't find any way using
> the interface to filter by attribute, for example to show all users member
> of group "foo".
We don't support LDAP searches in the webadmin UI, because we don't
distinguish betweem LDAP (ovirt-engine-extension-aaa-ldap) or database
(ovirt-engine-extension-aaa-jdbc) providers, both of them provides users
and groups for oVirt using same AAA interface.
I could do that with ldapsearch, but then how would I inject the result to
> ovirt configuration to add those users to specific ovirt roles ("ovirt
> permission groups") ?
So the only way that comes to my mind is to use one of our SDKs (Python,
Java, Ruby). You would need to implement LDAP query by yourself and them
add wanted permission to those users using our SDKs.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users