Re: [Users] ldap simple

2013-03-19 Thread Jure Kranjc

Hi.

Further testing...
- Setup: one ldap server with added user to match ovirt searches
(while adding user in webadmin),
- Fedora 18, engine 3.2.1, openldap-server, simple authentication,
no firewalls,
- with packet inspection we can see ldap responding with requested
attributes
- still, there are errors in logs, see below, and no users are
listed in webadmin, engine fails to parse given attributes
- engine-manage-domains -action=validate returns "Invalid
credentials" even though binding is ok and ldap is replying with
data.

Can anyone point us to some documentation on this topic?
Is AD really the only good solution for user management?

engine.log
2013-03-19 15:16:53,042 ERROR
[org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper]
(ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is ,
filter is (((objectClass=person))
(|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message
is: null
2013-03-19 15:16:53,043 ERROR
[org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
(ajp--127.0.0.1-8702-3) Failed ldap search server
ldap://ldaphost.domain.si:389 due to null. We should try the next
server

server.log
2013-03-19 15:17:24,113 ERROR
[org.springframework.ldap.control.AbstractRequestControlDirContextProcessor]
(ajp--127.0.0.1-8702-6) No matching response control found for paged
results - looking for 'class
javax.naming.ldap.PagedResultsResponseControl



On 03/18/2013 09:09 AM, Yair Zaslavsky wrote:

Hi,
We're issuing a RootDSE query (once per LDAP domain configured).
We try to obtain from it the "defaultNamingContext" attribute.
If it does not exist, we try to obtain "NamingContexts".
We store the result in a "domainDn" field (we have a data structure
which maps domains to information objects; one of the fields of the
information object is the DN of the domain), and we use it to compose
the full ldap URL we send the queries to.


Re: [Users] ldap simple

2013-03-19 Thread Yair Zaslavsky
Why openldap server? 
We do not support openldap at the moment. 

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [Users] ldap simple

2013-03-19 Thread Itamar Heim

On 03/19/2013 05:26 PM, Yair Zaslavsky wrote:

Why openldap server?
We do not support openldap at the moment.


hopefully, the changes to auth part will make it for 3.3 to cover that, 
but depends on progress there.

Re: [Users] ldap simple

2013-03-19 Thread Jure Kranjc
389 DS is so far working as expected. Thank you for your clarification, 
somehow missed that out.


On 19.3.2013 21:56, Itamar Heim wrote:

On 03/19/2013 05:26 PM, Yair Zaslavsky wrote:

Why openldap server?
We do not support openldap at the moment.


hopefully, the changes to auth part will make it for 3.3 to cover 
that, but depends on progress there.

Re: [Users] ldap simple

2013-03-18 Thread Andrej Bagon
Hi,

the system is trying to bind to ldap as:
bind request: uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si

I don't know how it knows dc=ourdomain,dc=si
It should be
bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si -b dc=arnes,dc=si

The same with the search: we have users in form as:
edupersonprincipalname=usern...@users.ourdomain.si,dc=users,dc=ourdomain,dc=si

values in database:
select * from vdc_options where option_name in
('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword')
order by option_id;
 option_id |        option_name         |              option_value              | version
-----------+----------------------------+----------------------------------------+---------
        10 | AdUserName                 | users.ourdomain.si:ovirt               | general
        11 | AdUserPassword             | users.ourdomain.si:adminpassword       | general
        69 | DomainName                 | users.ourdomain.si                     | general
       130 | LDAPSecurityAuthentication | users.ourdomain.si:SIMPLE              | general
       132 | LdapServers                | users.ourdomain.si:server.ourdomain.si | general
       133 | LDAPProviderTypes          | users.ourdomain.si:rhds                | general
(6 rows)

Best Regards,
Andrej Bagon


On 03/15/2013 12:09 PM, Itamar Heim wrote:
 On 03/14/2013 01:58 PM, Andrej Bagon wrote:
 Hi,

 is it possible to change the bind request that is sent to the ldap
 server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is
 not suitable.

 can you please explain why / what you would like to change it to?
 (not sure possible now, but there is work to make it more
 configurable/pluggable)



Re: [Users] ldap simple

2013-03-18 Thread Yair Zaslavsky
Hi,
We're issuing a RootDSE query (once per LDAP domain configured).
We try to obtain from it the defaultNamingContext attribute.
If it does not exist, we try to obtain NamingContexts.
We store the result in a domainDn field (we have a data structure which maps
domains to information objects; one of the fields of the information object is
the DN of the domain), and we use it to compose the full ldap URL we send
the queries to.

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
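The RootDSE lookup Yair describes (defaultNamingContext, then NamingContexts, stored as domainDn and used to build the search URL), reconstructed as an added Python example; this is not oVirt engine code, the RootDSE responses are constructed samples, and the uid=<user>,cn=Users,cn=Accounts,<domainDn> bind template is assumed from the DNs quoted earlier in the thread. The third sample shows what a directory that exposes neither attribute produces: an empty base DN, the same condition the "BaseDN is ," line in Jure's engine.log reports.

```python
from typing import Dict, List

# Constructed RootDSE responses (attribute -> values), the shape an LDAP
# client returns for a base-scope search of the empty DN; none is real data.
ROOTDSE_AD: Dict[str, List[str]] = {
    "defaultNamingContext": ["DC=ourdomain,DC=si"],
    "namingContexts": ["DC=ourdomain,DC=si", "CN=Configuration,DC=ourdomain,DC=si"],
}
# OpenLDAP publishes namingContexts only; defaultNamingContext is an
# Active Directory attribute, so the fallback path is taken here.
ROOTDSE_OPENLDAP: Dict[str, List[str]] = {
    "namingContexts": ["dc=users,dc=ourdomain,dc=si"],
}
# A RootDSE exposing neither attribute: the lookup yields an empty
# domain DN, which is what "BaseDN is ," in engine.log shows.
ROOTDSE_BARE: Dict[str, List[str]] = {}


def domain_dn_from_rootdse(rootdse: Dict[str, List[str]]) -> str:
    """Pick the domain DN as the thread describes: defaultNamingContext first,
    then the first namingContexts value, "" when neither is present."""
    # LDAP attribute names are case-insensitive; normalise before lookup.
    attrs = {name.lower(): values for name, values in rootdse.items()}
    for name in ("defaultnamingcontext", "namingcontexts"):
        values = attrs.get(name)
        if values and values[0]:
            return values[0]
    return ""


def compose_bind_dn(username: str, domain_dn: str) -> str:
    """Bind DN in the fixed uid=<user>,cn=Users,cn=Accounts,<domainDn> shape
    quoted in the thread (assumed template, not engine code)."""
    return f"uid={username},cn=Users,cn=Accounts,{domain_dn}"


def compose_search_url(host: str, rootdse: Dict[str, List[str]],
                       port: int = 389) -> str:
    """Compose ldap://host:port/<domainDn>.  An empty domain DN is rejected
    here instead of being sent as a search base, so a RootDSE that yields
    no DN fails loudly before any search goes out."""
    domain_dn = domain_dn_from_rootdse(rootdse)
    if not domain_dn:
        raise ValueError(f"RootDSE of {host} exposes neither "
                         "defaultNamingContext nor namingContexts")
    return f"ldap://{host}:{port}/{domain_dn}"


if __name__ == "__main__":
    samples = (("AD", ROOTDSE_AD), ("OpenLDAP", ROOTDSE_OPENLDAP),
               ("bare", ROOTDSE_BARE))
    for label, rootdse in samples:
        dn = domain_dn_from_rootdse(rootdse)
        print(f"{label:9s} domainDn={dn!r}")
        try:
            print("          search:", compose_search_url("ldaphost.domain.si", rootdse))
            print("          bind:  ", compose_bind_dn("ovirt", dn))
        except ValueError as exc:
            print("          refused:", exc)
```

Checking the RootDSE of a directory with a plain base-scope search of the empty DN before configuring it as a domain tells you in advance which of the two paths the engine will take, and whether it will end up with an empty base DN.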


Re: [Users] ldap simple

2013-03-15 Thread Itamar Heim

On 03/14/2013 01:58 PM, Andrej Bagon wrote:

Hi,

is it possible to change the bind request that is sent to the ldap
server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is
not suitable.


can you please explain why / what you would like to change it to?
(not sure possible now, but there is work to make it more 
configurable/pluggable)


[Users] ldap simple

2013-03-14 Thread Andrej Bagon
Hi,

is it possible to change the bind request that is sent to the ldap
server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is
not suitable.

Thank you.