Sorry for my delayed response to this. I am using ovirt 3.3. I am using Kerberos 5, and all of the DNS requirements are in place. Finally, 389 server is the upstream project for RHDS and one of the upstream projects for IPA, so I chose to set it as RHDS because it's an identical match.
User authentication works just fine; my problem is adding roles to groups. I can assign a role to a group but the group always shows an inactive status; however, if I assign a role directly to a user it works fine. In addition, if I drill down into a user it knows what groups in the 389 server the user is a member of. Finally, I can't see any error in the logs when adding a role to a group.

On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alo...@redhat.com> wrote:
>
>
> ----- Original Message -----
>> From: "Maurice James" <mja...@media-node.com>
>> To: "Alon Bar-Lev" <alo...@redhat.com>
>> Cc: "Itamar Heim" <ih...@redhat.com>, users@ovirt.org
>> Sent: Saturday, August 9, 2014 3:47:04 AM
>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>
>> Does this still require the use of kerberos? Will 389-ds work on its own?
>
> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap mix.
>
> It will be great to receive feedback[2].
>
> 389ds is not supported directly, I think it is similar to IPA as it uses 389.
> Maybe I should rename the profile of ipa to 389 if it works properly.
>
> Regards,
> Alon
>
> [1]
> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=master
> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
>
>>
>> ----- Original Message -----
>> From: "Alon Bar-Lev" <alo...@redhat.com>
>> To: "Itamar Heim" <ih...@redhat.com>
>> Cc: users@ovirt.org
>> Sent: Friday, August 8, 2014 3:45:07 PM
>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>
>>
>>
>> ----- Original Message -----
>> > From: "Itamar Heim" <ih...@redhat.com>
>> > To: "Paul Robert Marino" <prmari...@gmail.com>, users@ovirt.org
>> > Sent: Friday, August 8, 2014 10:37:11 PM
>> > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>> >
>> > On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
>> > > I have ovirt engine running and connected to a 389 server with the
>> > > memberof plugin enabled and working properly.
>> > >
>> > > I can add users and assign them to roles without any issues.
>> > >
>> > > when I look at a user I can see all the LDAP groups they are a member of.
>> > >
>> > > when I run engine-manage-domains -action=validate it tells me the
>> > > domain is valid.
>> > >
>> > > here is my problem: when I try to assign a role to an LDAP group it
>> > > looks like it works but in the general tab when under the group it
>> > > tells me the status is Inactive.
>> > >
>> > > does anyone know how to enable the group?
>> > > _______________________________________________
>> > > Users mailing list
>> > > Users@ovirt.org
>> > > http://lists.ovirt.org/mailman/listinfo/users
>> > >
>> >
>> > 3.4 or new 3.5 Generic LDAP provider?
>>
>>
>> In case this is 3.5 it is a known issue, all groups will be seen as inactive,
>> this field will probably be removed from UI, as groups are no longer fetched
>> periodically.
>> This field is totally ignored.
>>
>> Alon