[ovirt-users] Unable to add permissions for LDAP users

Michael Burch anonlab at outlook.com
Thu Oct 6 11:47:58 UTC 2016


I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can successfully authenticate as an LDAP user. I can also login as admin@internal and search for, find, and select LDAP users, but I cannot add permissions for them. Each time I get the error "User admin@internal-authz failed to grant permission for Role UserRole on System to User/Group <UNKNOWN>."


I have no control over the LDAP server, which uses custom objectClasses and uses groupOfNames instead of PosixGroups. I assume I need to set sequence variables to accommodate our group configuration, but I'm at a loss as to where to begin. The config I have is as follows:


include = <rfc2307-generic.properties>

vars.server = labauth.lan.lab.org

pool.authz.auth.type = none
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true

pool.default.connection-options.connectTimeoutMillis = 10000
pool.default.connection-options.responseTimeoutMillis = 90000
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB

sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
sequence.my-objectclass-init-vars.020.description = set objectClass
sequence.my-objectclass-init-vars.020.type = var-set
sequence.my-objectclass-init-vars.020.var-set.variable = simple_filterUserObject
sequence.my-objectclass-init-vars.020.var-set.value = (objectClass=labPerson)(uid=*)

search.default.search-request.derefPolicy = NEVER

sequence-init.init.900-local-init-vars = local-init-vars
sequence.local-init-vars.010.description = override name space
sequence.local-init-vars.010.type = var-set
sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
sequence.local-init-vars.010.var-set.value = *

sequence.local-init-vars.020.description = apply filter to users
sequence.local-init-vars.020.type = var-set
sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(employeeStatus=3)

sequence.local-init-vars.030.description = apply filter to groups
sequence.local-init-vars.030.type = var-set
sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
sequence.local-init-vars.030.var-set.value = (objectClass=groupOfUniqueNames)
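A note on one setting in the posted configuration, added here and not part of the original message: `pool.default.ssl.insecure = true` makes the extension negotiate StartTLS but accept any certificate the server presents, so the directory traffic (user searches and the authentication binds of LDAP users) is protected only against passive sniffing, not against anyone who can answer for labauth.lan.lab.org on the network. The fragment below shows that setting beside the form that pins the LDAP server's CA in a Java keystore. The keystore path, its password, the CA file name and the alias are assumptions for illustration; the `pool.default.ssl.truststore.*` keys and the keytool invocation follow the aaa-ldap extension's documented truststore setup.

```properties
# Added example, not the poster's config. Pick ONE of the two forms below;
# the properties format keeps the last value of a repeated key.

# Weak form (as in the post): StartTLS is negotiated, but the server
# certificate is never verified, so the session can be intercepted.
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true

# Hardened form: keep StartTLS, verify the server certificate, and trust only
# the CA that issued labauth.lan.lab.org's certificate. The keystore is
# assumed to have been built from that CA's PEM (assumed path) with:
#   keytool -importcert -noprompt -trustcacerts -alias labca \
#       -file /etc/ovirt-engine/aaa/labca.pem \
#       -keystore /etc/ovirt-engine/aaa/labca.jks -storepass changeit
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = false
pool.default.ssl.truststore.file = /etc/ovirt-engine/aaa/labca.jks
pool.default.ssl.truststore.password = changeit
```

The keystore file must be readable by the engine's service account but should not be world-readable, and the certificate's subject or SAN has to match the name given in `vars.server` (here labauth.lan.lab.org), otherwise the hardened form fails the connection instead of silently downgrading.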

