389 DS is so far working as expected. Thank you for your clarification, somehow missed that out.

On 19.3.2013 21:56, Itamar Heim wrote:
On 03/19/2013 05:26 PM, Yair Zaslavsky wrote:
Why openldap server?
We do not support openldap at the moment.

Hopefully the changes to the auth part will make it into 3.3 to cover that, but it depends on progress there.



------------------------------------------------------------------------

    *From: *"Jure Kranjc" <jure.kra...@arnes.si>
    *To: *users@ovirt.org
    *Sent: *Tuesday, March 19, 2013 3:50:49 PM
    *Subject: *Re: [Users] ldap simple

    Hi.

    Further testing...
    - Setup: one ldap server with added user to match ovirt searches (while adding user in webadmin),
    - Fedora 18, engine 3.2.1, openldap-server, simple authentication, no firewalls,
    - with packet inspection we can see ldap responding with requested attributes
    - still, there are errors in logs, see below, and no users are listed in webadmin, engine fails to parse given attributes
    - engine-manage-domains -action=validate returns "Invalid credentials" even though binding is ok and ldap is replying with data.

    Can anyone point us to some documentation on this topic?
    Is really AD the only good solution for user management?

    engine.log
    2013-03-19 15:16:53,042 ERROR [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (&(&(objectClass=person))(|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message is: null
    2013-03-19 15:16:53,043 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://ldaphost.domain.si:389 due to null. We should try the next server

    server.log
    2013-03-19 15:17:24,113 ERROR [org.springframework.ldap.control.AbstractRequestControlDirContextProcessor] (ajp--127.0.0.1-8702-6) No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl



    On 03/18/2013 09:09 AM, Yair Zaslavsky wrote:

        Hi,
        We're issuing a RootDSE query (once per LDAP domain configured).
        We try to obtain from it the "defaultNamingContext" attribute.
        If it does not exist, we try to obtain "namingContexts".
        We store the result in a "domainDn" field (we have a data structure
        which maps domains to information objects; one of the fields of
        the information object is the DN of the domain), and we
        use it to compose the full ldap URL we send the queries to.


------------------------------------------------------------------------

            *From: *"Andrej Bagon" <andrej.ba...@arnes.si>
            *To: *"Itamar Heim" <ih...@redhat.com>
            *Cc: *users@ovirt.org, "Yair Zaslavsky"
            <yzasl...@redhat.com>, "Oved Ourfalli" <oourf...@redhat.com>
            *Sent: *Monday, March 18, 2013 9:07:06 AM
            *Subject: *Re: [Users] ldap simple

            Hi,

            the system is trying to bind to ldap as:
            bind request:
            uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si

            I don't know how it knows dc=ourdomain,dc=si
            It should be
            bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b "dc=arnes,dc=si

            The same with the search: we have users in the form:
            edupersonprincipalname=usern...@users.ourdomain.si,dc=users,dc=ourdomain,dc=si

            values in database:
            select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword') order by option_id;
             option_id |        option_name         |              option_value              | version
            -----------+----------------------------+----------------------------------------+---------
                    10 | AdUserName                 | users.ourdomain.si:ovirt               | general
                    11 | AdUserPassword             | users.ourdomain.si:adminpassword       | general
                    69 | DomainName                 | users.ourdomain.si                     | general
                   130 | LDAPSecurityAuthentication | users.ourdomain.si:SIMPLE              | general
                   132 | LdapServers                | users.ourdomain.si:server.ourdomain.si | general
                   133 | LDAPProviderTypes          | users.ourdomain.si:rhds                | general
            (6 rows)

            Best Regards,
            Andrej Bagon


            On 03/15/2013 12:09 PM, Itamar Heim wrote:

                On 03/14/2013 01:58 PM, Andrej Bagon wrote:

                    Hi,

                    is it possible to change the bind request that is sent to the ldap server? The default uid=user,cn=Users,cn=Accounts,cn=our,cn=domain is not suitable.


                can you please explain why / what you would like to
                change it to?
                (not sure possible now, but there is work to make it
                more configurable/pluggable)





        _______________________________________________
        Users mailing list
        Users@ovirt.org
        http://lists.ovirt.org/mailman/listinfo/users









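The base-DN discovery Yair describes above (RootDSE defaultNamingContext, falling back to namingContexts, then composing the search URL from the stored domainDn) and the malformed bind DN Andrej observed (uid=cn=ovirt,...) can be checked offline with the following script. It is an added example, not oVirt's own code: the RootDSE responses, hostnames and DNs are constructed test data, the URL format follows RFC 4516, and the "suspicious RDN" check is a heuristic of my own, not something the engine does.

```python
"""Added example, not oVirt's own code.

Models the base-DN discovery described in the thread (RootDSE
defaultNamingContext, falling back to namingContexts), composes the
RFC 4516 search URL from the result, and flags the bind-DN shape
observed in the thread ('uid=cn=ovirt,...').  All RootDSE responses and
DNs here are constructed test data; attribute names are matched
case-insensitively, as LDAP attribute types are.
"""
from urllib.parse import quote

# Constructed RootDSE responses.  AD and 389 DS publish defaultNamingContext;
# a stock OpenLDAP server typically publishes only namingContexts.
ROOTDSE_WITH_DEFAULT = {
    "defaultNamingContext": ["dc=ourdomain,dc=si"],
    "namingContexts": ["dc=ourdomain,dc=si", "cn=config"],
}
ROOTDSE_OPENLDAP = {
    "namingContexts": ["dc=users,dc=ourdomain,dc=si"],
}
ROOTDSE_EMPTY = {}   # server that exposes nothing to this bind


def resolve_domain_dn(rootdse):
    """Return the DN that would be stored as domainDn, or None.

    Order follows the thread: defaultNamingContext first, then the first
    namingContexts value.  An empty result is the situation that shows up
    as 'BaseDN is ,' in engine.log."""
    attrs = {name.lower(): values for name, values in rootdse.items()}
    for name in ("defaultnamingcontext", "namingcontexts"):
        values = attrs.get(name) or []
        if values:
            return values[0]
    return None


def compose_ldap_url(host, base_dn, ldap_filter, port=389, scope="sub", attrs=()):
    """Build ldap://host:port/dn?attrs?scope?filter (RFC 4516).

    Raises on an empty base DN so the failure surfaces at configuration
    time instead of as a null search error later."""
    if not base_dn:
        raise ValueError("no base DN: RootDSE exposed neither defaultNamingContext nor namingContexts")
    dn_part = quote(base_dn, safe="=,")            # percent-encode anything outside the URL-safe set
    filter_part = quote(ldap_filter, safe="=()&|*")
    return "ldap://%s:%d/%s?%s?%s?%s" % (host, port, dn_part, ",".join(attrs), scope, filter_part)


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (RFC 4514 backslash escaping
    only; multi-valued RDNs joined with '+' are not handled)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def suspicious_rdns(dn):
    """Heuristic check for the bind-DN shape reported in the thread.

    Returns RDNs whose value itself contains 'type=' (e.g. 'uid=cn=ovirt'),
    which usually means a value that already carried a type= prefix was
    wrapped in another RDN.  '=' is legal inside a value under RFC 4514,
    so treat a hit as something to inspect, not as a hard error."""
    hits = []
    for rdn in split_dn(dn):
        if "=" not in rdn:
            hits.append(rdn)            # not even type=value
            continue
        _attr_type, value = rdn.split("=", 1)
        if "=" in value:
            hits.append(rdn)
    return hits


if __name__ == "__main__":
    search_filter = "(&(objectClass=person)(uid=test))"
    for label, rootdse in (("defaultNamingContext", ROOTDSE_WITH_DEFAULT),
                           ("namingContexts only", ROOTDSE_OPENLDAP),
                           ("nothing exposed", ROOTDSE_EMPTY)):
        dn = resolve_domain_dn(rootdse)
        try:
            print(label, "->", compose_ldap_url("ldaphost.domain.si", dn, search_filter))
        except ValueError as exc:
            print(label, "->", exc)
    observed = "uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si"
    print("suspicious RDNs in observed bind DN:", suspicious_rdns(observed))
    print("suspicious RDNs in intended bind DN:",
          suspicious_rdns("cn=ovirt,ou=system,dc=ourdomain,dc=si"))
```

To see what a given server actually publishes, issue the same RootDSE read by hand with OpenLDAP's client tools, `ldapsearch -x -H ldap://ldaphost.domain.si -s base -b "" "(objectClass=*)" defaultNamingContext namingContexts`; if only namingContexts comes back, its first value is the DN the fallback selects, and if neither comes back, check the server's ACLs for the root DSE under the bind the engine uses. The server.log line in the thread is a separate symptom: the search response did not carry the paged-results control the client had requested, which is worth confirming in the same packet capture.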