On 10/06/2016 01:47 PM, Michael Burch wrote:
I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can
successfully authenticate as an LDAP user. I can also login as
admin@internal and search for, find, and select LDAP users but I cannot
add permissions for them. Each time I get the error "User
admin@internal-authz failed to grant permission for Role UserRole on
System to User/Group <UNKNOWN>."

This error usually means a bad unique attribute is used.



I have no control over the LDAP server, which uses custom objectClasses
and uses groupOfNames instead of PosixGroups. I assume I need to set
sequence variables to accommodate our group configuration but I'm at a
loss as to where to begin. The config I have is as follows:


include = <rfc2307-generic.properties>

vars.server = labauth.lan.lab.org

pool.authz.auth.type = none
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true

pool.default.connection-options.connectTimeoutMillis = 10000
pool.default.connection-options.responseTimeoutMillis = 90000
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB

sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
sequence.my-objectclass-init-vars.020.description = set objectClass
sequence.my-objectclass-init-vars.020.type = var-set
sequence.my-objectclass-init-vars.020.var-set.variable = simple_filterUserObject
sequence.my-objectclass-init-vars.020.var-set.value = (objectClass=labPerson)(uid=*)

search.default.search-request.derefPolicy = NEVER

sequence-init.init.900-local-init-vars = local-init-vars
sequence.local-init-vars.010.description = override name space
sequence.local-init-vars.010.type = var-set
sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
sequence.local-init-vars.010.var-set.value = *

What's this^ for? I think it's unusable.


sequence.local-init-vars.020.description = apply filter to users
sequence.local-init-vars.020.type = var-set
sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(employeeStatus=3)

sequence.local-init-vars.030.description = apply filter to groups
sequence.local-init-vars.030.type = var-set
sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
sequence.local-init-vars.030.var-set.value = (objectClass=groupOfUniqueNames)

This looks like a hard-to-maintain file. I would suggest you insert into this file just the following:

 include = <rfc2307-mycustom.properties>

 vars.server = labauth.lan.lab.org

 pool.authz.auth.type = none
 pool.default.serverset.type = single
 pool.default.serverset.single.server = ${global:vars.server}
 pool.default.ssl.startTLS = true
 pool.default.ssl.insecure = true

 pool.default.connection-options.connectTimeoutMillis = 10000
 pool.default.connection-options.responseTimeoutMillis = 90000

 # Set custom base DN
 sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
 sequence.my-basedn-init-vars.010.description = set baseDN
 sequence.my-basedn-init-vars.010.type = var-set
 sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
 sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB

And then create in directory '/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' file 'rfc2307-mycustom.properties' with content:

include = <rfc2307.properties>

sequence-init.init.100-rfc2307-mycustom-init-vars = rfc2307-mycustom-init-vars
sequence.rfc2307-mycustom-init-vars.010.description = set unique attr
sequence.rfc2307-mycustom-init-vars.010.type = var-set
sequence.rfc2307-mycustom-init-vars.010.var-set.variable = rfc2307_attrsUniqueId
sequence.rfc2307-mycustom-init-vars.010.var-set.value = FIND_THIS_ONE

sequence.rfc2307-mycustom-init-vars.020.type = var-set
sequence.rfc2307-mycustom-init-vars.020.var-set.variable = simple_filterUserObject
sequence.rfc2307-mycustom-init-vars.020.var-set.value = (objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)


Replace FIND_THIS_ONE with the unique attribute of labPerson (I guess). It can be an extended attribute (+, ++).

$ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson'

Maybe (or even with two +):
$ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson' +

The question is whether your implementation even has a unique attribute. Does it?

Also, could you share what your LDAP provider is? And if you share the
content of some user, it would help as well.
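Worked example added here, not part of either message in the thread: a small script that takes the LDIF printed by the `ldapsearch ... 'objectClass=labPerson' +` command above and reports which attributes could actually serve as `rfc2307_attrsUniqueId`, i.e. those present on every entry, single-valued, and distinct across entries. The LDIF below is constructed sample data (the users, the `example.test` mail domain and the `entryUUID` values are made up); on a real directory you would feed it the ldapsearch output instead.

```python
import base64
from collections import defaultdict

# Constructed sample: what `ldapsearch -b 'o=LANLAB' 'objectClass=labPerson' +`
# might print, including operational attributes (entryUUID, entryDN) that the
# trailing "+" requests. Not captured from a real server.
SAMPLE_LDIF = """\
# extended LDIF
# base <o=LANLAB> with scope subtree
# filter: objectClass=labPerson

dn: uid=alice,ou=people,o=LANLAB
objectClass: labPerson
uid: alice
cn: Alice Example
mail: alice@example.test
mail: alice.example@example.test
employeeStatus: 3
entryUUID: 6f3c1c2a-0000-4000-8000-000000000001
entryDN: uid=alice,ou=people,o=LANLAB

dn: uid=bob,ou=people,o=LANLAB
objectClass: labPerson
uid: bob
cn: Bob Example
employeeStatus: 3
entryUUID: 6f3c1c2a-0000-4000-8000-000000000002
entryDN: uid=bob,ou=people,o=LANLAB

dn: uid=carol,ou=people,o=LANLAB
objectClass: labPerson
uid: carol
cn:: Q2Fyb2wgRXhhbXBsZQ==
mail: carol@example.test
employeeStatus: 2
entryUUID: 6f3c1c2a-0000-4000-8000-000000000003
entryDN: uid=carol,ou=people,o=LANLAB

# search result
search: 3
result: 0 Success
"""


def parse_ldif(text):
    """Parse ldapsearch LDIF into one {attribute: [values]} dict per entry.

    Handles comments, folded continuation lines (leading space) and
    base64-encoded values ("attr:: ..."), which ldapsearch emits for
    non-ASCII or leading/trailing-space values.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():                   # blank line ends an entry
            if current is not None:
                entries.append(dict(current))
                current = None
            continue
        if line.startswith("dn:"):
            current = defaultdict(list)
        if current is None:                    # "search:"/"result:" trailer
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current[attr].append(value)
    if current is not None:
        entries.append(dict(current))
    return entries


def classify_attributes(entries):
    """Say, for every attribute seen, why it can or cannot be the unique id."""
    report = {}
    for attr in sorted({a for e in entries for a in e} - {"dn"}):
        per_entry = [e.get(attr, []) for e in entries]
        missing = sum(1 for v in per_entry if not v)
        if missing:
            report[attr] = f"missing on {missing} of {len(entries)} entries"
        elif any(len(v) > 1 for v in per_entry):
            report[attr] = "multi-valued on some entry"
        elif len({v[0] for v in per_entry}) != len(entries):
            report[attr] = "same value on more than one entry"
        else:
            report[attr] = "candidate"
    return report


def unique_attribute_candidates(entries):
    """Attributes that identify every entry: present, single-valued, distinct."""
    return [a for a, why in classify_attributes(entries).items() if why == "candidate"]


if __name__ == "__main__":
    people = parse_ldif(SAMPLE_LDIF)
    for attr, why in classify_attributes(people).items():
        print(f"{attr:16s} {why}")
    print("candidates for rfc2307_attrsUniqueId:", unique_attribute_candidates(people))
```

Note that `uid` and `cn` pass the check on this sample but change when a user is renamed, which is exactly what the unique id must not do; when the server exposes an operational identifier such as `entryUUID` (the reason for the `+` in the ldapsearch command), that is the value to put into `rfc2307_attrsUniqueId`.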





_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/P3GLUUCCVBTYSHGTT33YKKPJX5BFNQKU/