Hi,

In order to help and create a profile for this variant I need the full output of:

$ ldapsearch -E pr=100/noprompt -o ldif-wrap=no -H ldap://ids.sdju.edu.cn -x -D 'cn=directory manager' -w mypassword -b 'dc=sdju,dc=edu,dc=cn'

Please do not paste but paste. You can send me privately.

Regards,
Alon

----- Original Message -----
> From: "lofyer" <lof...@gmail.com>
> To: "Alon Bar-Lev" <alo...@redhat.com>
> Cc: "Yair Zaslavsky" <yzasl...@redhat.com>, "users" <users@ovirt.org>
> Sent: Tuesday, October 14, 2014 12:22:03 PM
> Subject: Re: [ovirt-users] How to mapping LDAP users in AAA
>
> Yes, I do add authz and authn in /etc/ovirt-engine/extension.d/ like this
>
> ==============================
> /etc/ovirt-engine/extensions.d/authn-sdju.edu.cn.properties:
>
> ovirt.engine.extension.name = authn-sdju.edu.cn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = sdju.edu.cn
> ovirt.engine.aaa.authn.authz.plugin = authz-sdju.edu.cn
> config.profile.file.1 = /etc/ovirt-engine/aaa/sdju.edu.cn.properties
> ==============================
> /etc/ovirt-engine/extensions.d/authz-sdju.edu.cn.properties:
>
> ovirt.engine.extension.name = authz-sdju.edu.cn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/sdju.edu.cn.properties
> ==============================
>
> And here's my log:
>
> ldapsearch -H ldap://ids.sdju.edu.cn -b '' -D 'cn=directory manager' -w mypassword -s BASE
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> #
> dn:
> objectClass: top
> namingContexts: dc=sdju,dc=edu,dc=cn
> namingContexts: o=NetscapeRoot
> supportedExtension: 2.16.840.1.113730.3.5.7
> supportedExtension: 2.16.840.1.113730.3.5.8
> supportedExtension: 2.16.840.1.113730.3.5.3
> supportedExtension: 2.16.840.1.113730.3.5.5
> supportedExtension: 2.16.840.1.113730.3.5.6
> supportedExtension: 2.16.840.1.113730.3.5.4
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
> supportedExtension: 1.3.6.1.4.1.4203.1.11.3
> supportedControl: 2.16.840.1.113730.3.4.2
> supportedControl: 2.16.840.1.113730.3.4.3
> supportedControl: 2.16.840.1.113730.3.4.4
> supportedControl: 2.16.840.1.113730.3.4.5
> supportedControl: 1.2.840.113556.1.4.473
> supportedControl: 2.16.840.1.113730.3.4.9
> supportedControl: 2.16.840.1.113730.3.4.16
> supportedControl: 2.16.840.1.113730.3.4.15
> supportedControl: 2.16.840.1.113730.3.4.17
> supportedControl: 2.16.840.1.113730.3.4.19
> supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
> supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
> supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
> supportedControl: 2.16.840.1.113730.3.4.14
> supportedControl: 1.3.6.1.4.1.1466.29539.12
> supportedControl: 2.16.840.1.113730.3.4.12
> supportedControl: 2.16.840.1.113730.3.4.18
> supportedControl: 2.16.840.1.113730.3.4.13
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: DIGEST-MD5
> supportedLDAPVersion: 2
> supportedLDAPVersion: 3
> vendorName: Sun Microsystems, Inc.
> vendorVersion: Sun Java(TM) System Directory Server/5.2_Patch_4
> dataversion: 020121212071504020121212071504
> netscapemdsuffix: cn=ldap://dc=ids1,dc=sdju,dc=edu,dc=cn:389
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> ==============================
> ldapsearch -E pr=100/noprompt -H ldap://ids.sdju.edu.cn -x -D 'cn=directory manager' -w mypassword -b ou=JZG,dc=sdju,dc=edu,dc=cn
> # extended LDIF
> #
> # LDAPv3
> # base <ou=JZG,dc=sdju,dc=edu,dc=cn> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> # with pagedResults control: size=100
> #
>
> # JZG, sdju.edu.cn
> dn: ou=JZG,dc=sdju,dc=edu,dc=cn
> ou: JZG
> objectClass: organizationalUnit
> objectClass: iplanet-am-managed-people-container
> objectClass: top
>
> # 30419, JZG, sdju.edu.cn
> dn: uid=30419,ou=JZG,dc=sdju,dc=edu,dc=cn
> eduPersonCardID: XXXXX219631030057X
> uid: 30419
> ...
> ...
> ...
> userPassword:: e1NTSEF9OUNWcXMxbnA0YjFsU0NzZDNqODRIOTVBQ1VQTlR1cEI0UmNnSEE9PQ==
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1251
> # numEntries: 1250
>
>
> On 14-10-14 3:18 PM, Alon Bar-Lev wrote:
> >
> > ----- Original Message -----
> >> From: "lofyer" <lof...@gmail.com>
> >> To: "Yair Zaslavsky" <yzasl...@redhat.com>
> >> Cc: "users" <users@ovirt.org>
> >> Sent: Tuesday, October 14, 2014 9:29:57 AM
> >> Subject: Re: [ovirt-users] How to mapping LDAP users in AAA
> >>
> >> Sun Java Access System Manager
> > this is not openldap... why do you use openldap profile?
> >
> > please attach full export of this ldap server, output of:
> >
> > rootdse:
> > $ ldapsearch -H ldap://example.com -b '' -x -D 'cn=directory manager' -w mypassword -s BASE
> >
> > entities:
> > $ ldapsearch -o ldif-wrap=no -E pr=100/noprompt -H ldap://example.com -x -D 'cn=directory manager' -w mypassword -b <NAMING_CONTEXT>
> >
> >>
> >> On 14-10-14 1:52 PM, Yair Zaslavsky wrote:
> >>> ----- Original Message -----
> >>>> From: "lofyer" <lof...@gmail.com>
> >>>> To: "users" <users@ovirt.org>
> >>>> Sent: Tuesday, October 14, 2014 5:10:56 AM
> >>>> Subject: [ovirt-users] How to mapping LDAP users in AAA
> >>>>
> >>>> I've got a LDAP server without kerberos and I am trying to integrate
> >>>> its users to oVirt-3.5 with AAA.
> >>>> ==========================
> >>> Which ldap server is that, what vendor?
> >>>
> >>>> /etc/ovirt-engine/aaa/example.properties:
> >>>>
> >>>> include = <openldap.properties>
> >>>>
> >>>> vars.user = cn=directory manager
> >>>> vars.password = mypassword
> >>>> vars.server = example.com
> >>>>
> >>>> #pool.default.ssl.startTLS = false
> >>>> #pool.default.ssl.truststore.file = /etc/ldap_tls/ca_cert.pem
> >>>> #pool.default.ssl.truststore.password = admin
> >>>>
> >>>> pool.default.serverset.single.server = ${global:vars.server}
> >>>> pool.default.auth.simple.bindDN = ${global:vars.user}
> >>>> pool.default.auth.simple.password = ${global:vars.password}
> >>>> ==========================
> >>>>
> >>>> This is my basic ldap information:
> >>>>
> >>>> ou=Groups
> >>>> |
> >>>> +---- cn=UserGroup1
> >>>> |
> >>>> +---- cn=UserGroup2
> >>>>
> >>>> ou=UserGroup1
> >>>> |
> >>>> +---- cn=user1
> >>>> |
> >>>> +---- cn=user2
> >>>>
> >>>>
> >>>> ou=UserGroup2
> >>>> |
> >>>> +---- cn=user3
> >>>> |
> >>>> +---- cn=user4
> >>>>
> >>>> ==========================
> >>>>
> >>>> Now I can see example.com in web portal but I cannot list users in UG1
> >>>> or UG2.
> >>>>
> >>>> I find that I could map DN, ID NAME, DISPLAY in the config file. What
> >>>> should I add in the config file then?
> >>>> _______________________________________________
> >>>> Users mailing list
> >>>> Users@ovirt.org
> >>>> http://lists.ovirt.org/mailman/listinfo/users
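The rootDSE dump Alon asks for is what settles both questions raised in the thread: which vendor profile to include (the posted output says "Sun Microsystems, Inc. ... Directory Server/5.2_Patch_4", not OpenLDAP) and which protocol features the client may rely on. Two things stand out in the output as posted: neither the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) nor the simple paged results control (OID 1.2.840.113556.1.4.319) is advertised, even though the second ldapsearch passed -E pr=100 (a non-critical control, so the server could silently ignore it). Two practitioner caveats while gathering this output: passing the bind password with -w on the command line exposes it to every local user via the process list and to shell history (use -W or -y passwordfile instead), and an entity export includes userPassword hashes, which should be stripped before being sent anywhere. The script below is an added example, not part of the thread or of ovirt-engine-extension-aaa-ldap: it parses a rootDSE LDIF dump in the form ldapsearch prints (including RFC 2849 line folding and "::" base64 values) and reports the vendor, naming contexts, SASL mechanisms and the two OIDs above. The embedded sample is constructed from the rootDSE posted in the thread, with the supportedControl list complete and the supportedExtension list abridged.

```python
"""Parse the rootDSE LDIF that `ldapsearch -x -b '' -s BASE` prints and report
what a client integration such as ovirt-engine-extension-aaa-ldap can rely on."""
import base64

# Standard OIDs (RFC 4511 StartTLS, RFC 2696 simple paged results).
STARTTLS_EXT = "1.3.6.1.4.1.1466.20037"
PAGED_RESULTS_CTRL = "1.2.840.113556.1.4.319"


def parse_ldif(text):
    """Return a list of entries mapping lower-cased attribute name -> [values].
    Unfolds continuation lines, decodes '::' base64 values, skips '#' comments."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # RFC 2849 line folding
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if not line.strip():  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # 'attr:: base64value'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def summarize_rootdse(text):
    """Extract the facts that decide profile choice and transport security."""
    entries = [e for e in parse_ldif(text) if "dn" in e]  # drops the trailer
    if not entries:
        raise ValueError("no entry with a dn in input")
    dse = entries[0]
    first = lambda a: dse.get(a, [""])[0]
    return {
        "vendor": first("vendorname"),
        "version": first("vendorversion"),
        "naming_contexts": dse.get("namingcontexts", []),
        "sasl": dse.get("supportedsaslmechanisms", []),
        "ldap_versions": sorted(int(v) for v in dse.get("supportedldapversion", [])),
        "starttls": STARTTLS_EXT in dse.get("supportedextension", []),
        "paged_results": PAGED_RESULTS_CTRL in dse.get("supportedcontrol", []),
    }


# Constructed sample: the rootDSE posted in the thread; supportedControl is
# complete, supportedExtension is abridged (no omitted value is the StartTLS OID).
SAMPLE_ROOTDSE = """\
dn:
objectClass: top
namingContexts: dc=sdju,dc=edu,dc=cn
namingContexts: o=NetscapeRoot
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun Java(TM) System Directory Server/5.2_Patch_4

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROOTDSE
    for key, value in summarize_rootdse(text).items():
        print(f"{key}: {value}")
```

Run it with the real dump on stdin (ldapsearch -x -W -H ldap://server -b '' -s BASE | python3 rootdse.py) or with no stdin to see the sample. On the sample it reports starttls False and paged_results False, which is why a profile for this server cannot assume either; whether the oVirt extension's bundled profiles cover this Sun DS release is an assumption to check against the installed extension's own profile directory, not something the thread confirms.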