[ovirt-users] AAA Auth FreeIPA does not show users

Ondra Machacek omachace at redhat.com
Tue Jan 31 16:51:24 UTC 2017


There is a prompt:

 "Enter search user DN (empty for anonymous):"

Which says you should input 'DN'. Any ideas how we can improve
that prompt so users are not confused?

Thanks.

On Tue, Jan 31, 2017 at 5:32 PM, Matt . <yamakasi.014 at gmail.com> wrote:
> OK solved. You cannot use anonymous in the full way. Also you need the
> full DN for the search user.
>
> Thanks for the heads up!
>
> Matt
>
> 2017-01-31 13:03 GMT+01:00 Ondra Machacek <omachace at redhat.com>:
>> Hi,
>>
>> I've just tried with:
>>
>>  # ipa --version
>> VERSION: 4.4.0, API_VERSION: 2.213
>>
>> And all worked well. Can you please share the logs,
>> which Martin asked for, so we can investigate?
>>
>> Thanks,
>> Ondra
>>
>> On Tue, Jan 31, 2017 at 12:50 PM, Matt . <yamakasi.014 at gmail.com> wrote:
>>> Hi,
>>>
>>> True. Are you able to check if it is still good for IPA 4.4 usage? It
>>> could still be IPA 3.x maybe, or something has been changed between
>>> 4.2 and 4.4? Would be great!
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>> 2017-01-31 11:30 GMT+01:00 Martin Perina <mperina at redhat.com>:
>>>>
>>>>
>>>> On Tue, Jan 31, 2017 at 11:17 AM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>
>>>>> Hi Martin,
>>>>>
>>>>> Thanks for the explanation. But what happens in those tests during the
>>>>> setup is the same as what is shown in oVirt.
>>>>
>>>>
>>>> Exactly, you can execute those tests even before publishing a new profile to
>>>> the engine, and if something doesn't work you can fix it even before users
>>>> notice that something is wrong.
>>>>
>>>> Also please bear in mind that there are a variety of small differences in
>>>> schema across different setups even for the same LDAP server. So the setup
>>>> tool uses only basic configurations; if you need something more complicated
>>>> you need to edit the configuration manually.
>>>>
>>>> Thanks
>>>>
>>>> Martin Perina
>>>>
>>>>>
>>>>>
>>>>> Default IPA should just work I guess.
>>>>>
>>>>> I will test your command and report back.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2017-01-31 10:24 GMT+01:00 Martin Perina <mperina at redhat.com>:
>>>>> > Hi,
>>>>> >
>>>>> > it seems that your schema doesn't match the defaults or you have some
>>>>> > configuration issue. Could you please execute the following and send us
>>>>> > the output for your IPA setup?
>>>>> >
>>>>> >   ovirt-engine-extensions-tool --log-level=FINE aaa \
>>>>> >     authz-fetch_principal_record --authz-flag=resolve-groups-recursive \
>>>>> >     --authz-flag=resolve-groups --extension-name=<PROFILE-NAME> \
>>>>> >     --principal-name=<USERNAME>
>>>>> >
>>>>> > The above will search for a user by <USERNAME> and try to fetch all
>>>>> > groups he is a member of.
>>>>> >
>>>>> > Btw you can test both "search users/groups" and "login a user" during
>>>>> > aaa-ldap-setup tool (and it's recommended to do so) and the output from
>>>>> > those commands should provide you the same details.
>>>>> >
>>>>> > Thanks
>>>>> >
>>>>> > Martin Perina
>>>>> >
>>>>> >
>>>>> >
>>>>> > On Mon, Jan 30, 2017 at 9:27 PM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>> >>
>>>>> >> Hi,
>>>>> >>
>>>>> >> When I do an ovirt-engine-extension-aaa-ldap-setup and choose IPA the
>>>>> >> groups are shown but the users are not.
>>>>> >>
>>>>> >> When I choose 389ds, the users are shown but not the groups.
>>>>> >>
>>>>> >> Is something wrong with the FreeIPA implementation? I'm on the latest
>>>>> >> IPA 4.4 version from Fedora
>>>>> >>
>>>>> >> Cheers,
>>>>> >>
>>>>> >> Matt