Re: [Users] ldap simple
Hi. Further testing... - Setup: one ldap server with added user to match ovirt searches (while adding user in webadmin), - Fedora 18, engine 3.2.1, openldap-server, simple authentication, no firewalls, - with packet inspection we can see ldap responding with requested attributes - still, there are errors in logs, see below, and no users are listed in webadmin, engine fails to parse given attributes - engine-manage-domains -action="" returns "Invalid credentials" even though binding is ok and ldap is replying with data. Can anyone point us to some documentation on this topic? Is really AD the only good solution for user management? engine.log 2013-03-19 15:16:53,042 ERROR [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (((objectClass=person)) (|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message is: null 2013-03-19 15:16:53,043 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://ldaphost.domain.si:389 due to null. We should try the next server server.log 2013-03-19 15:17:24,113 ERROR [org.springframework.ldap.control.AbstractRequestControlDirContextProcessor] (ajp--127.0.0.1-8702-6) No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl On 03/18/2013 09:09 AM, Yair Zaslavsky wrote: Hi, We're issuing a RootDSE query (once per LDAP domain configured). We try to obtain from it the "defaultNamingContext" attribute. If does not exist - we try to obtain ""NamingContexts" We store the result at a "domainDn" (we have a data structure which maps domains to information objects, one of the fields at the information object is the DN of the domain) field, and we use it to compose the full ldap URL we send the queries to. From: "Andrej Bagon" andrej.ba...@arnes.si To: "Itamar Heim" ih...@redhat.com Cc: users@ovirt.org, "Yair Zaslavsky" yzasl...@redhat.com, "Oved Ourfalli" oourf...@redhat.com Sent: Monday, March 18, 2013 9:07:06 AM Subject: Re: [Users] ldap simple Hi, the system is trying to bind to ldap as: bind request: uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si I dont know how it knows dc=ourdomain,dc=si It should be bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b "dc=arnes,dc=si The same with the search: we have users in form as: edupersonprincipalname=usern...@users.ourdomain.si,dc=users,dc=ourdomain,dc=si values in database: select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') order by option_id; option_id | option_name | option_value | version ---+++- 10 | AdUserName | users.ourdomain.si:ovirt | general 11 | AdUserPassword |users.ourdomain.si:adminpassword | general 69 | DomainName | users.ourdomain.si | general 130 | LDAPSecurityAuthentication| users.ourdomain.si:SIMPLE | general 132 | LdapServers | users.ourdomain.si:server.ourdomain.si | general 133 | LDAPProviderTypes | users.ourdomain.si:rhds | general (6 rows) Best Regards, Andrej Bagon On 03/15/2013 12:09 PM, Itamar Heim wrote: On 03/14/2013 01:58 PM, Andrej Bagon wrote: Hi, is it possible to change the bind request that is sent to the ldap server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is not suitable. can you please explain why / what you would like to change it to?
Re: [Users] ldap simple
Why openldap server? We do not support openldap at the moment. - Original Message - From: Jure Kranjc jure.kra...@arnes.si To: users@ovirt.org Sent: Tuesday, March 19, 2013 3:50:49 PM Subject: Re: [Users] ldap simple Hi. Further testing... - Setup: one ldap server with added user to match ovirt searches (while adding user in webadmin), - Fedora 18, engine 3.2.1, openldap-server, simple authentication, no firewalls, - with packet inspection we can see ldap responding with requested attributes - still, there are errors in logs, see below, and no users are listed in webadmin, engine fails to parse given attributes - engine-manage-domains -action=validate returns Invalid credentials even though binding is ok and ldap is replying with data. Can anyone point us to some documentation on this topic? Is really AD the only good solution for user management? engine.log 2013-03-19 15:16:53,042 ERROR [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (((objectClass=person)) (|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message is: null 2013-03-19 15:16:53,043 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://ldaphost.domain.si:389 due to null. We should try the next server server.log 2013-03-19 15:17:24,113 ERROR [org.springframework.ldap.control.AbstractRequestControlDirContextProcessor] (ajp--127.0.0.1-8702-6) No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl On 03/18/2013 09:09 AM, Yair Zaslavsky wrote: Hi, We're issuing a RootDSE query (once per LDAP domain configured). We try to obtain from it the defaultNamingContext attribute. If does not exist - we try to obtain NamingContexts We store the result at a domainDn (we have a data structure which maps domains to information objects, one of the fields at the information object is the DN of the domain) field, and we use it to compose the full ldap URL we send the queries to. - Original Message - From: Andrej Bagon andrej.ba...@arnes.si To: Itamar Heim ih...@redhat.com Cc: users@ovirt.org , Yair Zaslavsky yzasl...@redhat.com , Oved Ourfalli oourf...@redhat.com Sent: Monday, March 18, 2013 9:07:06 AM Subject: Re: [Users] ldap simple Hi, the system is trying to bind to ldap as: bind request: uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si I dont know how it knows dc=ourdomain,dc=si It should be bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si -b dc=arnes,dc=si The same with the search: we have users in form as: edupersonprincipalname=usern...@users.ourdomain.si ,dc=users,dc=ourdomain,dc=si values in database: select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') order by option_id; option_id | option_name | option_value | version ---+++- 10 | AdUserName | users.ourdomain.si:ovirt | general 11 | AdUserPassword |users.ourdomain.si:adminpassword | general 69 | DomainName | users.ourdomain.si | general 130 | LDAPSecurityAuthentication| users.ourdomain.si:SIMPLE | general 132 | LdapServers | users.ourdomain.si:server.ourdomain.si | general 133 | LDAPProviderTypes | users.ourdomain.si:rhds | general (6 rows) Best Regards, Andrej Bagon On 03/15/2013 12:09 PM, Itamar Heim wrote: On 03/14/2013 01:58 PM, Andrej Bagon wrote: Hi, is it possible to change the bind request that is sent to the ldap server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is not suitable. can you please explain why / what you would like to change it to? (not sure possible now, but there is work to make it more configurable/pluggable) ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] ldap simple
On 03/19/2013 05:26 PM, Yair Zaslavsky wrote: Why openldap server? We do not support openldap at the moment. hopefully, the changes to auth part will make it for 3.3 to cover that, but depends on progress there. *From: *Jure Kranjc jure.kra...@arnes.si *To: *users@ovirt.org *Sent: *Tuesday, March 19, 2013 3:50:49 PM *Subject: *Re: [Users] ldap simple Hi. Further testing... - Setup: one ldap server with added user to match ovirt searches (while adding user in webadmin), - Fedora 18, engine 3.2.1, openldap-server, simple authentication, no firewalls, - with packet inspection we can see ldap responding with requested attributes - still, there are errors in logs, see below, and no users are listed in webadmin, engine fails to parse given attributes - engine-manage-domains -action=validate returns Invalid credentials even though binding is ok and ldap is replying with data. Can anyone point us to some documentation on this topic? Is really AD the only good solution for user management? engine.log 2013-03-19 15:16:53,042 ERROR [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (((objectClass=person)) (|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message is: null 2013-03-19 15:16:53,043 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://ldaphost.domain.si:389 due to null. We should try the next server server.log 2013-03-19 15:17:24,113 ERROR [org.springframework.ldap.control.AbstractRequestControlDirContextProcessor] (ajp--127.0.0.1-8702-6) No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl On 03/18/2013 09:09 AM, Yair Zaslavsky wrote: Hi, We're issuing a RootDSE query (once per LDAP domain configured). We try to obtain from it the defaultNamingContext attribute. If does not exist - we try to obtain NamingContexts We store the result at a domainDn (we have a data structure which maps domains to information objects, one of the fields at the information object is the DN of the domain) field, and we use it to compose the full ldap URL we send the queries to. *From: *Andrej Bagon andrej.ba...@arnes.si *To: *Itamar Heim ih...@redhat.com *Cc: *users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Oved Ourfalli oourf...@redhat.com *Sent: *Monday, March 18, 2013 9:07:06 AM *Subject: *Re: [Users] ldap simple Hi, the system is trying to bind to ldap as: bind request: uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si I dont know how it knows dc=ourdomain,dc=si It should be bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si -b dc=arnes,dc=si The same with the search: we have users in form as: edupersonprincipalname=usern...@users.ourdomain.si mailto:edupersonprincipalname=aba...@guest.arnes.si,dc=users,dc=ourdomain,dc=si values in database: select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') order by option_id; option_id |option_name | option_value | version ---+++- 10 | AdUserName | users.ourdomain.si:ovirt | general 11 | AdUserPassword |users.ourdomain.si:adminpassword | general 69 | DomainName | users.ourdomain.si | general 130 | LDAPSecurityAuthentication| users.ourdomain.si:SIMPLE | general 132 | LdapServers| users.ourdomain.si:server.ourdomain.si | general 133 | LDAPProviderTypes | users.ourdomain.si:rhds| general (6 rows) Best Regards, Andrej Bagon On 03/15/2013 12:09 PM, Itamar Heim wrote: On 03/14/2013 01:58 PM, Andrej Bagon wrote: Hi, is it possible to change the bind request that is sent to the ldap server? The default uid=user,cn=Users,cn
Re: [Users] ldap simple
389 DS is so far working as expected. Thank you for your clarification, somehow missed that out. On 19.3.2013 21:56, Itamar Heim wrote: On 03/19/2013 05:26 PM, Yair Zaslavsky wrote: Why openldap server? We do not support openldap at the moment. hopefully, the changes to auth part will make it for 3.3 to cover that, but depends on progress there. *From: *Jure Kranjc jure.kra...@arnes.si *To: *users@ovirt.org *Sent: *Tuesday, March 19, 2013 3:50:49 PM *Subject: *Re: [Users] ldap simple Hi. Further testing... - Setup: one ldap server with added user to match ovirt searches (while adding user in webadmin), - Fedora 18, engine 3.2.1, openldap-server, simple authentication, no firewalls, - with packet inspection we can see ldap responding with requested attributes - still, there are errors in logs, see below, and no users are listed in webadmin, engine fails to parse given attributes - engine-manage-domains -action=validate returns Invalid credentials even though binding is ok and ldap is replying with data. Can anyone point us to some documentation on this topic? Is really AD the only good solution for user management? engine.log 2013-03-19 15:16:53,042 ERROR [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (((objectClass=person)) (|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message is: null 2013-03-19 15:16:53,043 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://ldaphost.domain.si:389 due to null. We should try the next server server.log 2013-03-19 15:17:24,113 ERROR [org.springframework.ldap.control.AbstractRequestControlDirContextProcessor] (ajp--127.0.0.1-8702-6) No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl On 03/18/2013 09:09 AM, Yair Zaslavsky wrote: Hi, We're issuing a RootDSE query (once per LDAP domain configured). We try to obtain from it the defaultNamingContext attribute. If does not exist - we try to obtain NamingContexts We store the result at a domainDn (we have a data structure which maps domains to information objects, one of the fields at the information object is the DN of the domain) field, and we use it to compose the full ldap URL we send the queries to. *From: *Andrej Bagon andrej.ba...@arnes.si *To: *Itamar Heim ih...@redhat.com *Cc: *users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Oved Ourfalli oourf...@redhat.com *Sent: *Monday, March 18, 2013 9:07:06 AM *Subject: *Re: [Users] ldap simple Hi, the system is trying to bind to ldap as: bind request: uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si I dont know how it knows dc=ourdomain,dc=si It should be bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si -b dc=arnes,dc=si The same with the search: we have users in form as: edupersonprincipalname=usern...@users.ourdomain.si mailto:edupersonprincipalname=aba...@guest.arnes.si,dc=users,dc=ourdomain,dc=si values in database: select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') order by option_id; option_id |option_name | option_value | version ---+++- 10 | AdUserName | users.ourdomain.si:ovirt | general 11 | AdUserPassword |users.ourdomain.si:adminpassword | general 69 | DomainName | users.ourdomain.si | general 130 | LDAPSecurityAuthentication| users.ourdomain.si:SIMPLE | general 132 | LdapServers| users.ourdomain.si:server.ourdomain.si | general 133 | LDAPProviderTypes | users.ourdomain.si:rhds| general (6 rows) Best Regards, Andrej Bagon On 03/15/2013 12:09 PM, Itamar Heim wrote: On 03/14/2013 01:58 PM, Andrej Bagon wrote: Hi, is it possible to change the bind request that is sent
Re: [Users] ldap simple
Hi, the system is trying to bind to ldap as: bind request: uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si I dont know how it knows dc=ourdomain,dc=si It should be bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si -b dc=arnes,dc=si The same with the search: we have users in form as: edupersonprincipalname=usern...@users.ourdomain.si mailto:edupersonprincipalname=aba...@guest.arnes.si,dc=users,dc=ourdomain,dc=si values in database: select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') order by option_id; option_id |option_name | option_value | version ---+++- 10 | AdUserName | users.ourdomain.si:ovirt | general 11 | AdUserPassword |users.ourdomain.si:adminpassword | general 69 | DomainName | users.ourdomain.si | general 130 | LDAPSecurityAuthentication| users.ourdomain.si:SIMPLE | general 132 | LdapServers| users.ourdomain.si:server.ourdomain.si | general 133 | LDAPProviderTypes | users.ourdomain.si:rhds| general (6 rows) Best Regards, Andrej Bagon On 03/15/2013 12:09 PM, Itamar Heim wrote: On 03/14/2013 01:58 PM, Andrej Bagon wrote: Hi, is it possible to change the bind request that is sent to the ldap server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is not suitable. can you please explain why / what you would like to change it to? (not sure possible now, but there is work to make it more configurable/pluggable) ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] ldap simple
Hi, We're issuing a RootDSE query (once per LDAP domain configured). We try to obtain from it the defaultNamingContext attribute. If does not exist - we try to obtain NamingContexts We store the result at a domainDn (we have a data structure which maps domains to information objects, one of the fields at the information object is the DN of the domain) field, and we use it to compose the full ldap URL we send the queries to. - Original Message - From: Andrej Bagon andrej.ba...@arnes.si To: Itamar Heim ih...@redhat.com Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Oved Ourfalli oourf...@redhat.com Sent: Monday, March 18, 2013 9:07:06 AM Subject: Re: [Users] ldap simple Hi, the system is trying to bind to ldap as: bind request: uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si I dont know how it knows dc=ourdomain,dc=si It should be bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si -b dc=arnes,dc=si The same with the search: we have users in form as: edupersonprincipalname=usern...@users.ourdomain.si ,dc=users,dc=ourdomain,dc=si values in database: select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') order by option_id; option_id | option_name | option_value | version ---+++- 10 | AdUserName | users.ourdomain.si:ovirt | general 11 | AdUserPassword |users.ourdomain.si:adminpassword | general 69 | DomainName | users.ourdomain.si | general 130 | LDAPSecurityAuthentication| users.ourdomain.si:SIMPLE | general 132 | LdapServers | users.ourdomain.si:server.ourdomain.si | general 133 | LDAPProviderTypes | users.ourdomain.si:rhds | general (6 rows) Best Regards, Andrej Bagon On 03/15/2013 12:09 PM, Itamar Heim wrote: On 03/14/2013 01:58 PM, Andrej Bagon wrote: Hi, is it possible to change the bind request that is sent to the ldap server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is not suitable. can you please explain why / what you would like to change it to? (not sure possible now, but there is work to make it more configurable/pluggable) ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] ldap simple
On 03/14/2013 01:58 PM, Andrej Bagon wrote: Hi, is it possible to change the bind request that is sent to the ldap server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is not suitable. can you please explain why / what you would like to change it to? (not sure possible now, but there is work to make it more configurable/pluggable) ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[Users] ldap simple
Hi, is it possible to change the bind request that is sent to the ldap server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is not suitable. Thank you. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users