[ovirt-users] Errors while trying to join an external LDPA provider

Martin Perina mperina at redhat.com
Mon May 23 09:41:43 UTC 2016

On Mon, May 23, 2016 at 11:31 AM, Alexis HAUSER <
alexis.hauser at telecom-bretagne.eu> wrote:

> > As I explained, my groups are not in the same dn path as my users. As it
> > is not possible to add multiple dn paths, my only solution is to use users.
> >
> > Well, that's the 1st time I've heard about LDAP setup where users and
> > groups of one domain are not under same baseDN. Usually all LDAP setups
> > have some baseDN (for example 'dc=company,dc=com') and somewhere under this
> > baseDN (not necessarily directly under it) we could find users and groups.
> > The only exception to this is ActiveDirectory with multi-domain trust
> > inside single forest (which we currently support and user of domainA can
> > be a member of a group from domainB) and multi-forest trust (which we
> > don't support).
>
> Oh thank you, it actually helped a lot: I just realized the search was
> "recursive" and now it actually works and seems to solve my problem.

Great news!

> Now I only have to check if adding permissions to group apply to users who
> belong to this group, but I guess it should.

> > Those users have attributes like "member of" which still keep the
> > information about what group they belong to. I didn't find any way using
> > the interface to filter by attribute, for example to show all users member
> > of group "foo".
> >
> > We don't support LDAP searches in the webadmin UI, because we don't
> > distinguish between LDAP (ovirt-engine-extension-aaa-ldap) or database
> > (ovirt-engine-extension-aaa-jdbc) providers, both of them provide users
> > and groups for oVirt using same AAA interface.
>
> And only a part of the attributes are imported to the database (it doesn't
> seem to be able to display them from the web interface)?
> That would be a nice feature to be able to filter from any attribute of
> users.
> Do you think I should open a new RFE bug about it?

We fetch only basic attributes common to all LDAPs, for users we fetch
username, first name, last name, display name, department, title, email and
for groups name and display name. But if you miss some attribute, please
create an RFE bug for that.


Martin Perina