----- Original Message -----
> From: "lofyer" <lof...@gmail.com>
> To: "users" <users@ovirt.org>
> Sent: Tuesday, October 14, 2014 5:10:56 AM
> Subject: [ovirt-users] How to mapping LDAP users in AAA
>
> I've got an LDAP server without Kerberos and I am trying to integrate
> its users into oVirt 3.5 with AAA.
> ==========================
> /etc/ovirt-engine/aaa/example.properties:
You need to create two extensions, one for authentication and another for
authorization, at /etc/ovirt-engine/extensions.d/, see [1]. Both should
refer to your example.properties. But I see you created these based on
the below.

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l17

>
> include = <openldap.properties>
>
> vars.user = cn=directory manager

Are you sure this ^ is the full DN of the user?

> vars.password = mypassword
> vars.server = example.com
>
> #pool.default.ssl.startTLS = false
> #pool.default.ssl.truststore.file = /etc/ldap_tls/ca_cert.pem
> #pool.default.ssl.truststore.password = admin
>
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> ==========================
>
> This is my basic LDAP information:
>
> ou=Groups
> |
> +---- cn=UserGroup1
> |
> +---- cn=UserGroup2
>
> ou=UserGroup1
> |
> +---- cn=user1
> |
> +---- cn=user2
>
>
> ou=UserGroup2
> |
> +---- cn=user3
> |
> +---- cn=user4
>
> ==========================
>
> Now I can see example.com in the web portal but I cannot list users in
> UG1 or UG2.

In the admin portal?

>
> I find that I could map DN, ID, NAME, DISPLAY in the config file. What
> should I add to the config file then?

You do not need to touch these...

1. Which version of ovirt-engine do you use?
2. Which version of ovirt-engine-extension-aaa-ldap do you use?

What is your root DSE?

$ ldapsearch -H ldap://example.com -b '' -x -D 'cn=directory manager' -w mypassword -s BASE seek namingContexts

It should contain, in its first entry, a suffix for all objects.
If you search for users in the "Users" add tab within webadmin and find
nothing, and the root DSE is OK, please modify
/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in and set:

    <file-handler name="SERVER">                              <--- find this
        <level name="FINEST"/>                                <--- modify this
    <logger category="org.ovirt.engineextensions.aaa.ldap">   <--- add this
        <level name="FINEST"/>                                <--- add this
    </logger>                                                 <--- add this
    <logger category="com.arjuna">                            <--- find this

Stop the engine.
Remove /var/log/ovirt-engine/engine.log.
Start the engine.
Try to search.
Send me engine.log.

Regards,
Alon

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
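An added example, not code from this thread or from the oVirt project: a POSIX shell script that writes the two extension files Alon describes (authn and authz, both pointing at one profile) and runs his root DSE check. The extension keys follow the ovirt-engine-extension-aaa-ldap README linked as [1] as I remember it, so verify them against that file; the profile name "example", the host example.com and the bind DN are the thread's, the password-file path is an assumption, and the LDIF the parser is exercised on is constructed. Unlike the ldapsearch line in the reply, the bind password is read from a file with -y rather than passed with -w, so it does not appear in ps output or in shell history.

```shell
#!/bin/sh
# Added example for the thread above; not code from the oVirt project.
# Assumptions: extension keys as in the aaa-ldap README ([1] in the reply),
# profile name "example" (-> /etc/ovirt-engine/aaa/example.properties),
# and a bind-password file whose path the admin chooses.
set -eu

# Write the authn and authz extension files for one LDAP profile.
# $1 = extensions directory (normally /etc/ovirt-engine/extensions.d)
# $2 = profile name, e.g. "example" for ../aaa/example.properties
write_extensions() {
    dir=$1
    profile=$2
    module=org.ovirt.engine-extensions.aaa.ldap
    cat > "$dir/$profile-authn.properties" <<EOF
ovirt.engine.extension.name = $profile-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = $module
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = $profile
ovirt.engine.aaa.authn.authz.plugin = $profile-authz
config.profile.file.1 = ../aaa/$profile.properties
EOF
    cat > "$dir/$profile-authz.properties" <<EOF
ovirt.engine.extension.name = $profile-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = $module
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/$profile.properties
EOF
    # Neither file holds a secret (the bind password lives in the profile
    # under /etc/ovirt-engine/aaa), but keep them unwritable to others.
    chmod 0644 "$dir/$profile-authn.properties" "$dir/$profile-authz.properties"
}

# Read LDIF on stdin, unfold continuation lines (a leading space joins the
# line to the previous one) and print every namingContexts value.
parse_naming_contexts() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' | sed -n 's/^namingContexts: *//p'
}

# The root DSE check from the reply, with the bind password read from a
# file (-y) instead of -w so it does not show up in ps or shell history.
# ldapsearch uses the file contents verbatim, so create it with
# printf '%s' (no trailing newline) and chmod 0600 it.
# $1 = LDAP host, $2 = bind DN, $3 = file containing the password
root_dse_suffixes() {
    ldapsearch -LLL -x -H "ldap://$1" -D "$2" -y "$3" -b '' -s base namingContexts |
        parse_naming_contexts
}

# Fail unless the root DSE advertises at least one suffix; without one the
# extension has nothing to search under and user lookups stay empty.
require_suffix() {
    suffixes=$(root_dse_suffixes "$@")
    [ -n "$suffixes" ] || { echo "no namingContexts on $1" >&2; return 1; }
    echo "$suffixes"
}

# Constructed sample of what "ldapsearch -LLL ... namingContexts" prints
# against a directory with two suffixes (the second is folded over two lines).
SAMPLE_LDIF='dn:
namingContexts: dc=example,dc=com
namingContexts: o=exam
 ple
'
```

Usage, as root on the engine host: `write_extensions /etc/ovirt-engine/extensions.d example`, then `printf '%s' 'mypassword' > /root/ldap.pass; chmod 0600 /root/ldap.pass; require_suffix example.com 'cn=directory manager' /root/ldap.pass`, and restart the engine so it picks up the new extension files. Since example.properties carries the bind password in the clear, keep it unreadable to other local users as well (for instance root-owned, group ovirt, mode 0640, assuming the engine runs as the ovirt user).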