[ovirt-users] Errors while trying to join an external LDAP provider

Alexis HAUSER alexis.hauser at telecom-bretagne.eu
Mon May 23 09:31:04 UTC 2016

> As I explained, my groups are not in the same dn path as my users. As it
> is not possible to add multiple dn paths, my only solution is to use users.

> Well, that's the 1st time I've heard about an LDAP setup where users and
> groups of one domain are not under the same baseDN. Usually all LDAP setups
> have some baseDN (for example 'dc=company,dc=com') and somewhere under this
> baseDN (not necessarily directly under it) we could find users and groups.
> The only exception to this is ActiveDirectory with multi-domain trust
> inside a single forest (which we currently support and a user of domainA can
> be a member of a group from domainB) and multi-forest trust (which we
> don't support).

Oh thank you, it actually helped a lot: I just realized the search was "recursive" and now it actually works and seems to solve my problem.
Now I only have to check if adding permissions to a group applies to users who belong to this group, but I guess it should.

> Those users have attributes like "member of" which still keep the
> information about what group they belong to. I didn't find any way using
> the interface to filter by attribute, for example to show all users member
> of group "foo".

> We don't support LDAP searches in the webadmin UI, because we don't
> distinguish between LDAP (ovirt-engine-extension-aaa-ldap) or database
> (ovirt-engine-extension-aaa-jdbc) providers, both of them provide users
> and groups for oVirt using the same AAA interface.

And only a part of the attributes are imported to the database (it doesn't seem to be able to display them from the web interface)?
That would be a nice feature to be able to filter from any attribute of users.
Do you think I should open a new RFE bug about it?
