[ovirt-users] AAA Auth FreeIPA does not show users

Ondra Machacek omachace at redhat.com
Tue Jan 31 12:03:13 UTC 2017


Hi,

I've just tried with:

 # ipa --version
VERSION: 4.4.0, API_VERSION: 2.213

And all worked well. Can you please share the logs
which Martin asked for, so we can investigate?

Thanks,
Ondra

On Tue, Jan 31, 2017 at 12:50 PM, Matt . <yamakasi.014 at gmail.com> wrote:
> Hi,
>
> True. Are you able to check whether it is still good for IPA 4.4 usage? It
> could still be for IPA 3.x maybe, or something has been changed between
> 4.2 and 4.4? Would be great!
>
> Thanks,
>
> Matt
>
> 2017-01-31 11:30 GMT+01:00 Martin Perina <mperina at redhat.com>:
>>
>>
>> On Tue, Jan 31, 2017 at 11:17 AM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>
>>> Hi Martin,
>>>
>>> Thanks for the explanation. But what happens in those tests during the
>>> setup is the same as what is shown in oVirt.
>>
>>
>> Exactly, you can execute those tests even before publishing a new profile to
>> the engine, and if something doesn't work you can fix it even before users
>> notice that something is wrong.
>>
>> Also please bear in mind that there is a variety of small differences in
>> schema across different setups, even for the same LDAP server. So the setup
>> tool uses only basic configurations; if you need something more complicated
>> you need to edit the configuration manually.
>>
>> Thanks
>>
>> Martin Perina
>>
>>>
>>>
>>> Default IPA should just work I guess.
>>>
>>> I will test your command and report back.
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2017-01-31 10:24 GMT+01:00 Martin Perina <mperina at redhat.com>:
>>> > Hi,
>>> >
>>> > it seems that your schema doesn't match the defaults or you have some
>>> > configuration issue. Could you please execute the following and send us
>>> > the output for your IPA setup?
>>> >
>>> >   ovirt-engine-extensions-tool --log-level=FINE aaa \
>>> >     authz-fetch_principal_record \
>>> >     --authz-flag=resolve-groups-recursive \
>>> >     --authz-flag=resolve-groups \
>>> >     --extension-name=<PROFILE-NAME> \
>>> >     --principal-name=<USERNAME>
>>> >
>>> > The above will search for a user by <USERNAME> and try to fetch all
>>> > groups he is a member of.
>>> >
>>> > Btw you can test both "search users/groups" and "login a user" during
>>> > the aaa-ldap-setup tool (and it's recommended to do so) and the output
>>> > from those commands should provide you the same details.
>>> >
>>> > Thanks
>>> >
>>> > Martin Perina
>>> >
>>> >
>>> >
>>> > On Mon, Jan 30, 2017 at 9:27 PM, Matt . <yamakasi.014 at gmail.com> wrote:
>>> >>
>>> >> Hi,
>>> >>
>>> >> When I do an ovirt-engine-extension-aaa-ldap-setup and choose IPA, the
>>> >> groups are shown but the users are not.
>>> >>
>>> >> When I choose 389ds, the users are shown but not the groups.
>>> >>
>>> >> Is something wrong with the FreeIPA implementation? I'm on the latest
>>> >> IPA 4.4 version from Fedora.
>>> >>
>>> >> Cheers,
>>> >>
>>> >> Matt