[ovirt-users] Apache Directory Server

Martin Perina mperina at redhat.com
Fri Feb 2 08:36:57 UTC 2018


On Wed, Jan 24, 2018 at 1:35 PM, C Williams <cwilliams3320 at gmail.com> wrote:

> Hello,
>
> Thanks for getting back with me !
>
> Here is some info
>
> 1. Does it use RFC2307 as the schema or something else?
>
> I have tried various flavors of the RFC2307 pre-set configs. I think
> I've tried most of these ..
>
>            1 - 389ds
>            2 - 389ds RFC-2307 Schema
>
>            4 - IBM Security Directory Server
>            5 - IBM Security Directory Server RFC-2307 Schema
>
>            7 - Novell eDirectory RFC-2307 Schema
>            8 - OpenLDAP RFC-2307 Schema
>            9 - OpenLDAP Standard Schema
>           10 - Oracle Unified Directory RFC-2307 Schema
>           11 - RFC-2307 Schema (Generic)
>           12 - RHDS
>           13 - RHDS RFC-2307 Schema
>           14 - iPlanet
>

Those profiles were created for servers we have tested, but it's highly
probable that you will need a completely new profile for Apache DS. Due to
this you cannot use the setup tool; you need to perform manual
configuration as described in
/usr/share/doc/ovirt-engine-extension-aaa-ldap-1.3.6/README.


>
> 2. What is the attribute name specifying available base DNs?
>
>     dc=<domain>,dc=com
>

No, this is the DN, but we need to know the name of the attribute within LDAP
which contains the list of existing base DNs. For example, for a 389ds server
using RFC2307 this information is stored in the defaultNamingContext attribute
(for details you can take a look at
/usr/share/ovirt-engine-extension-aaa-ldap/profiles/rfc2307-389ds.properties).


>
>
> 3. What is the attribute name specifying unique ID of a record?
>
>  dn: uid=<user>,ou=users,dc=<domain>,dc=com
>

No, this is the DN, but each record in LDAP is usually uniquely identified
by a special attribute (so, for example, you can move a record to a different DN).
For example, for a 389ds server using RFC2307 this unique identifier is stored
in the nsUniqueId attribute (for details you can take a look at
/usr/share/ovirt-engine-extension-aaa-ldap/profiles/rfc2307-389ds.properties).

The above information should be available somewhere in the Apache DS documentation.


> More on this ...
>
> I changed the following in
> /usr/share/ovirt-engine-extension-aaa-ldap/setup/plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py
> to meet their need for port 10389 ...
>
>                     636 if self.environment[
>                         constants.LDAPEnv.PROTOCOL
>                     ] == 'ldaps'
>                     #else (389 if port is None else port)
>                     else (10389 if port is None else port)
>
>
Please don't do that: files in /usr/share are read-only for users and all
changes will be overwritten by the next update.


> I also injected the following into the /var/tmp/*profile.properties
> prior to testing user authentication using the setup tool
>

Yes, that's the right way if you need to change something, but you need
to perform those changes in the /etc/ovirt-engine/aaa directory; /var/tmp is
used only as a temporary directory for the setup tool.


> vars.port = 10389
> pool.default.serverset.single.port = ${global:vars.port}
>
>
> Thank You for Helping !!
>
> Charles Williams
>
>
>
> On Wed, Jan 24, 2018 at 3:50 AM, Martin Perina <mperina at redhat.com> wrote:
>
>> Hi,
>>
>> officially we don't support Apache DS, but aaa-ldap is quite extensible
>> so it should be possible attach it to oVirt.
>> As we don't have Apache DS installed, could you please provide us
>> following information?
>>
>> 1. Does it use RFC2307 as the schema or something else?
>> 2. What is the attribute name specifying available base DNs?
>> 3. What is the attribute name specifying unique ID of a record?
>>
>> Ondro, any other information required?
>>
>> Thanks
>>
>> Martin
>>
>>
>> On Wed, Jan 24, 2018 at 3:34 AM, C Williams <cwilliams3320 at gmail.com>
>> wrote:
>>
>>> Hello,
>>>
>>> Has anyone successfully connected the ovirt-engine to Apache Directory
>>> Server 2.0 ?
>>>
>>> I have tried the pre-set connections offered by oVirt and have been able
>>> to connect to the server on port 10389 after adding the port to a
>>> serverset.port. I can query the directory and see users but I cannot log
>>> onto the console as a user in the directory.
>>>
>>> If any one has any experience/guidance on this, please let me know.
>>>
>>> Thank You
>>>
>>> Charles Williams
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>>>
>>
>>
>> --
>> Martin Perina
>> Associate Manager, Software Engineering
>> Red Hat Czech s.r.o.
>>
>
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
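Martin's three questions (schema, the attribute that lists the base DNs, the attribute that uniquely identifies a record) can all be answered from the server itself before a profile is written. The script below is an added example, not code from the thread or from ovirt-engine-extension-aaa-ldap: it parses a root DSE dump in LDIF form (the shape `ldapsearch -x -H ldap://HOST:10389 -s base -b '' '+' '*'` prints) and one user entry with its operational attributes, reports which of the standard candidate attributes (namingContexts/defaultNamingContext for base DNs; entryUUID/nsUniqueId/objectGUID for the unique id) the server actually exposes, and renders the two port overrides Charles used so they can be dropped under /etc/ovirt-engine/aaa instead of /var/tmp. Both LDIF samples are constructed; the DN, UUID and vendor values are illustrative and the candidate attribute lists are my assumptions about which attributes are worth checking, not a statement of what Apache DS returns.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Constructed root DSE dump (illustrative values, not captured from a real server).
# Includes an LDIF-folded line (leading space) and a base64 value ('::') so the
# parser is exercised on both; QXBhY2hl decodes to "Apache".
SAMPLE_ROOT_DSE = """\
dn:
namingContexts: dc=example,dc=com
namingContexts: ou=system
supportedLDAPVersion: 3
supportedFeatures: 1.3.6.1.4.1.
 4203.1.5.1
vendorName:: QXBhY2hl
"""

# Constructed user entry with an operational attribute, as returned when '+' is requested.
SAMPLE_USER = """\
dn: uid=charles,ou=users,dc=example,dc=com
uid: charles
objectClass: inetOrgPerson
entryUUID: 1a2b3c4d-0000-4000-8000-000000000001
"""

# Assumed candidate lists: attributes that different directory servers use for
# these two roles. The first one present in the entry wins.
BASE_DN_ATTRIBUTES = ("namingContexts", "defaultNamingContext")
UNIQUE_ID_ATTRIBUTES = ("entryUUID", "nsUniqueId", "objectGUID")


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF record into attribute -> list of values.

    Handles LDIF line folding (continuation lines start with one space, which
    is dropped) and base64-encoded values (marked by '::')."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold onto the previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue                       # not an attribute line; skip
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    return entry


def first_present(entry: Dict[str, List[str]],
                  candidates: Tuple[str, ...]) -> Optional[Tuple[str, List[str]]]:
    """Return (canonical attribute name, values) for the first candidate the
    entry carries. LDAP attribute names are case-insensitive, so compare lowered."""
    lowered = {name.lower(): values for name, values in entry.items()}
    for candidate in candidates:
        if candidate.lower() in lowered:
            return candidate, lowered[candidate.lower()]
    return None


def render_overrides(port: int) -> str:
    """Profile fragment using the two keys from the thread. It belongs in a
    properties file under /etc/ovirt-engine/aaa, not in /usr/share or /var/tmp."""
    return (f"vars.port = {port}\n"
            f"pool.default.serverset.single.port = ${{global:vars.port}}\n")


if __name__ == "__main__":
    root_dse = parse_ldif(SAMPLE_ROOT_DSE)
    user = parse_ldif(SAMPLE_USER)
    print("base DN attribute:", first_present(root_dse, BASE_DN_ATTRIBUTES))
    print("unique id attribute:", first_present(user, UNIQUE_ID_ATTRIBUTES))
    print(render_overrides(10389), end="")
```

Running it against a real dump means replacing the two constructed strings with the output of the ldapsearch queries above; an entry that matches none of the candidates means the server uses some other attribute and the Apache DS documentation has to be consulted, as Martin suggests.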