Yes, I did add authz and authn in /etc/ovirt-engine/extensions.d/ like this:
==============================
/etc/ovirt-engine/extensions.d/authn-sdju.edu.cn.properties:
ovirt.engine.extension.name = authn-sdju.edu.cn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = sdju.edu.cn
ovirt.engine.aaa.authn.authz.plugin = authz-sdju.edu.cn
config.profile.file.1 = /etc/ovirt-engine/aaa/sdju.edu.cn.properties
==============================
/etc/ovirt-engine/extensions.d/authz-sdju.edu.cn.properties:
ovirt.engine.extension.name = authz-sdju.edu.cn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/sdju.edu.cn.properties
==============================
And here's my log:
ldapsearch -H ldap://ids.sdju.edu.cn -b '' -D 'cn=directory manager' -w mypassword -s BASE
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
namingContexts: dc=sdju,dc=edu,dc=cn
namingContexts: o=NetscapeRoot
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun Java(TM) System Directory Server/5.2_Patch_4
dataversion: 020121212071504020121212071504
netscapemdsuffix: cn=ldap://dc=ids1,dc=sdju,dc=edu,dc=cn:389
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
==============================
ldapsearch -E pr=100/noprompt -H ldap://ids.sdju.edu.cn -x -D 'cn=directory manager' -w mypassword -b ou=JZG,dc=sdju,dc=edu,dc=cn
# extended LDIF
#
# LDAPv3
# base <ou=JZG,dc=sdju,dc=edu,dc=cn> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with pagedResults control: size=100
#
# JZG, sdju.edu.cn
dn: ou=JZG,dc=sdju,dc=edu,dc=cn
ou: JZG
objectClass: organizationalUnit
objectClass: iplanet-am-managed-people-container
objectClass: top
# 30419, JZG, sdju.edu.cn
dn: uid=30419,ou=JZG,dc=sdju,dc=edu,dc=cn
eduPersonCardID: XXXXX219631030057X
uid: 30419
...
...
...
userPassword:: e1NTSEF9OUNWcXMxbnA0YjFsU0NzZDNqODRIOTVBQ1VQTlR1cEI0UmNnSEE9PQ==
# search result
search: 2
result: 0 Success
# numResponses: 1251
# numEntries: 1250
On 14-10-14 3:18 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "lofyer" <lof...@gmail.com>
To: "Yair Zaslavsky" <yzasl...@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Tuesday, October 14, 2014 9:29:57 AM
Subject: Re: [ovirt-users] How to mapping LDAP users in AAA
Sun Java Access System Manager
this is not openldap... why do you use openldap profile?
please attach full export of this ldap server, output of:
rootdse:
$ ldapsearch -H ldap://example.com -b '' -x -D 'cn=directory manager' -w mypassword -s BASE
entities:
$ ldapsearch -o ldif-wrap=no -E pr=100/noprompt -H ldap://example.com -x -D 'cn=directory manager' -w mypassword -b <NAMING_CONTEXT>
On 14-10-14 1:52 PM, Yair Zaslavsky wrote:
----- Original Message -----
From: "lofyer" <lof...@gmail.com>
To: "users" <users@ovirt.org>
Sent: Tuesday, October 14, 2014 5:10:56 AM
Subject: [ovirt-users] How to mapping LDAP users in AAA
I've got an LDAP server without Kerberos and I am trying to integrate
its users into oVirt-3.5 with AAA.
==========================
Which ldap server is that, what vendor?
/etc/ovirt-engine/aaa/example.properties:
include = <openldap.properties>
vars.user = cn=directory manager
vars.password = mypassword
vars.server = example.com
#pool.default.ssl.startTLS = false
#pool.default.ssl.truststore.file = /etc/ldap_tls/ca_cert.pem
#pool.default.ssl.truststore.password = admin
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
==========================
This is my basic LDAP information:
ou=Groups
|
+---- cn=UserGroup1
|
+---- cn=UserGroup2
ou=UserGroup1
|
+---- cn=user1
|
+---- cn=user2
ou=UserGroup2
|
+---- cn=user3
|
+---- cn=user4
==========================
Now I can see example.com in web portal but I cannot list users in UG1
or UG2.
I find that I could map DN, ID NAME, DISPLAY in the config file. What
should I add in the config file then?
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
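As an added example (not code from this thread or from oVirt), here is a small Python parser for the LDIF that ldapsearch prints, run over a constructed rootDSE and user entry shaped like the dumps above: it unfolds wrapped lines, decodes base64 `::` values such as userPassword, pulls vendorName and namingContexts from the rootDSE, and maps the vendor to an aaa-ldap profile the way Alon's "this is not openldap" check does by eye. The vendor-to-profile mapping and the profile names (openldap, iplanet, rhds) are assumptions to verify against the profiles shipped with ovirt-engine-extension-aaa-ldap.

```python
import base64

# Constructed fixture (not the real server's data), shaped like the ldapsearch
# LDIF quoted in this thread; the userPassword line is folded as ldapsearch does.
FAKE_HASH = base64.b64encode(b"{SSHA}constructed-placeholder-hash").decode()
SAMPLE_LDIF = f"""\
# extended LDIF
dn:
namingContexts: dc=example,dc=edu
namingContexts: o=NetscapeRoot
vendorName: Sun Microsystems, Inc.

dn: uid=30419,ou=JZG,dc=example,dc=edu
uid: 30419
userPassword:: {FAKE_HASH[:40]}
 {FAKE_HASH[40:]}
"""

def parse_ldif(text):
    """Entries as dicts attr(lowercased) -> [values]; handles '#' comments,
    folded lines (leading space) and base64 'attr:: value' lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold continuation line
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:               # sentinel flushes the last entry
        if line == "":
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(attr.lower(), []).append(value.strip())
    return entries

def rootdse(entries):
    return next(e for e in entries if e.get("dn") == [""])  # empty DN = rootDSE

# ASSUMED vendorName -> profile name mapping; verify against the profiles shipped
# with ovirt-engine-extension-aaa-ldap before using one as 'include = <...>'.
VENDOR_PROFILES = (("openldap", "openldap"), ("sun microsystems", "iplanet"),
                   ("red hat", "rhds"), ("389", "rhds"))

def suggest_profile(vendor_name):
    return next((p for n, p in VENDOR_PROFILES if n in vendor_name.lower()), None)
```

Feed it the real rootDSE output with `parse_ldif(open("rootdse.ldif").read())`; a vendor that maps to nothing means the profile has to be picked by hand.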