[ovirt-users] AAA Auth FreeIPA does not show users

Matt . yamakasi.014 at gmail.com
Tue Jan 31 16:32:32 UTC 2017


OK solved. You cannot use anonymous in the full way. Also you need the
full DN for the search user.

Thanks for the heads up!

Matt

2017-01-31 13:03 GMT+01:00 Ondra Machacek <omachace at redhat.com>:
> Hi,
>
> I've just tried with:
>
>  # ipa --version
> VERSION: 4.4.0, API_VERSION: 2.213
>
> And all worked well. Can you please share the logs,
> which Martin asked for, so we can investigate?
>
> Thanks,
> Ondra
>
> On Tue, Jan 31, 2017 at 12:50 PM, Matt . <yamakasi.014 at gmail.com> wrote:
>> Hi,
>>
>> True. Are you able to check if it is still good for IPA 4.4 usage? It
>> could still be IPA 3.x maybe, or has something been changed between
>> 4.2 and 4.4? Would be great!
>>
>> Thanks,
>>
>> Matt
>>
>> 2017-01-31 11:30 GMT+01:00 Martin Perina <mperina at redhat.com>:
>>>
>>>
>>> On Tue, Jan 31, 2017 at 11:17 AM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>
>>>> Hi Martin,
>>>>
>>>> Thanks for the explanation. But what happens on those tests during the
>>>> setup, the same happens as shown in oVirt.
>>>
>>>
>>> Exactly, you can execute those tests even before publishing a new profile to
>>> the engine, and if something doesn't work you can fix it even before users
>>> notice that something is wrong.
>>>
>>> Also please bear in mind that there are a variety of small differences in
>>> schema across different setups even for the same LDAP server. So the setup
>>> tool uses only basic configurations; if you need something more complicated
>>> you need to edit the configuration manually.
>>>
>>> Thanks
>>>
>>> Martin Perina
>>>
>>>>
>>>>
>>>> Default IPA should just work I guess.
>>>>
>>>> I will test your command and report back.
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2017-01-31 10:24 GMT+01:00 Martin Perina <mperina at redhat.com>:
>>>> > Hi,
>>>> >
>>>> > it seems that your schema doesn't match the defaults or you have some
>>>> > configuration issue. Could you please execute the following and send us
>>>> > the output for your IPA setup?
>>>> >
>>>> >   ovirt-engine-extensions-tool --log-level=FINE aaa \
>>>> >     authz-fetch_principal_record --authz-flag=resolve-groups-recursive \
>>>> >     --authz-flag=resolve-groups --extension-name=<PROFILE-NAME> \
>>>> >     --principal-name=<USERNAME>
>>>> >
>>>> > The above will search for a user by <USERNAME> and try to fetch all
>>>> > groups he is a member of.
>>>> >
>>>> > Btw you can test both "search users/groups" and "login a user" during
>>>> > aaa-ldap-setup tool (and it's recommended to do so) and the output from
>>>> > those commands should provide you the same details.
>>>> >
>>>> > Thanks
>>>> >
>>>> > Martin Perina
>>>> >
>>>> >
>>>> >
>>>> > On Mon, Jan 30, 2017 at 9:27 PM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>> >>
>>>> >> Hi,
>>>> >>
>>>> >> When I do an ovirt-engine-extension-aaa-ldap-setup and choose IPA the
>>>> >> groups are shown but the users are not.
>>>> >>
>>>> >> When I choose 389ds, the users are shown but not the groups.
>>>> >>
>>>> >> Is something wrong with the FreeIPA implementation? I'm on the latest
>>>> >> IPA 4.4 version from Fedora
>>>> >>
>>>> >> Cheers,
>>>> >>
>>>> >> Matt
>>>> >
>>>> >
>>>
>>>
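
As an added example (not part of the original thread and not oVirt project code), the following Python check covers the two conditions in the resolution at the top of this message: a profile with no bind user at all (anonymous) and a search user that is not a full DN. The property key names and the sample profiles are assumptions modelled on the aaa-ldap extension's example profile layout, and the DN test is a heuristic, so adjust both to your own file.

```python
import re

# Constructed sample profiles (not from the thread). Key names follow the
# aaa-ldap example profile layout and are assumptions in this example.
ANONYMOUS = """\
include = <ipa.properties>
vars.server = ipa.example.com
pool.default.serverset.single.server = ${global:vars.server}
"""
SHORT_NAME = ANONYMOUS + """\
vars.user = search
vars.password = secret
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
"""
FULL_DN = SHORT_NAME.replace(
    "vars.user = search",
    "vars.user = uid=search,cn=users,cn=accounts,dc=example,dc=com")

RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")   # attribute=value
VAR = re.compile(r"\$\{global:([^}]+)\}")         # ${global:name} reference


def parse(text):
    """Parse 'key = value' lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_bind(text):
    """Return 'anonymous', 'not-a-full-dn' or 'ok' for the search user."""
    props = parse(text)
    raw = props.get("pool.default.auth.simple.bindDN", "")
    bind = VAR.sub(lambda m: props.get(m.group(1), ""), raw).strip()
    if not bind:
        return "anonymous"
    parts = re.split(r"(?<!\\),", bind)           # split on unescaped commas
    if len(parts) < 2 or not all(RDN.match(p.strip()) for p in parts):
        return "not-a-full-dn"
    return "ok"
```
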

