I have checked the codebase of 3.3 - the "active" field is used for presentation purposes only. Alon has addressed our plans for this in his previous comments. I hope this clarifies more.

Yair

----- Original Message -----
> From: "Itamar Heim" <ih...@redhat.com>
> To: "Alon Bar-Lev" <alo...@redhat.com>, "Paul Robert Marino" <prmari...@gmail.com>
> Cc: users@ovirt.org
> Sent: Sunday, August 10, 2014 11:54:05 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>
> On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
> >
> > ----- Original Message -----
> >> From: "Paul Robert Marino" <prmari...@gmail.com>
> >> To: "Alon Bar-Lev" <alo...@redhat.com>
> >> Cc: "Maurice James" <mja...@media-node.com>, users@ovirt.org
> >> Sent: Sunday, August 10, 2014 10:43:14 PM
> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>
> >> Sorry for my delayed response to this.
> >>
> >> I am using ovirt 3.3.
> >> I am using Kerberos 5, and all of the DNS requirements are in place.
> >> Finally, 389 server is the upstream project for RHDS and one of the
> >> upstream projects for IPA.
> >> So I chose to set it as RHDS because it's an identical match.
> >>
> >> User authentication works just fine; my problem is adding roles to groups.
> >> I can assign a role to a group but the group always shows an inactive
> >> status; however, if I assign a role directly to a user it works fine.
> >> In addition, if I drill down into a user it knows what groups in the
> >> 389 server the user is a member of.
> >>
> >> Finally, I can't see any error in the logs when adding a role to a group.
> >>
> >
> > Please open a bug. I am unsure that it will be addressed before 3.5, as we
> > have done major rework for the authentication and authorization to make it
> > much more versatile. Even if there will be a fix it will be provided to
> > 3.4.z.
> >
> > It will be best if you want to test this scenario in the 3.5 release candidate
> > and the new ldap provider, so we can address the issue before the 3.5 release
> > if it exists.
>
> could also be one of these fixed in 3.4:
> 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it
> does not inherit the group permissions
> 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to
> a group indirectly, it does not inherit the group permissions
>
> >>
> >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alo...@redhat.com> wrote:
> >>>
> >>> ----- Original Message -----
> >>>> From: "Maurice James" <mja...@media-node.com>
> >>>> To: "Alon Bar-Lev" <alo...@redhat.com>
> >>>> Cc: "Itamar Heim" <ih...@redhat.com>, users@ovirt.org
> >>>> Sent: Saturday, August 9, 2014 3:47:04 AM
> >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>>>
> >>>> Does this still require the use of kerberos? Will 389-ds work on its
> >>>> own?
> >>>
> >>> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap
> >>> mix.
> >>>
> >>> It will be great to receive feedback[2].
> >>>
> >>> 389ds is not supported directly; I think it is similar to IPA as it uses
> >>> 389. Maybe I should rename the profile of ipa to 389 if it works
> >>> properly.
> >>>
> >>> Regards,
> >>> Alon
> >>>
> >>> [1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=master
> >>> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
> >>>
> >>>> ----- Original Message -----
> >>>> From: "Alon Bar-Lev" <alo...@redhat.com>
> >>>> To: "Itamar Heim" <ih...@redhat.com>
> >>>> Cc: users@ovirt.org
> >>>> Sent: Friday, August 8, 2014 3:45:07 PM
> >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Itamar Heim" <ih...@redhat.com>
> >>>>> To: "Paul Robert Marino" <prmari...@gmail.com>, users@ovirt.org
> >>>>> Sent: Friday, August 8, 2014 10:37:11 PM
> >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>>>>
> >>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
> >>>>>> I have ovirt engine running and connected to a 389 server with the
> >>>>>> memberof plugin enabled and working properly.
> >>>>>>
> >>>>>> I can add users and assign them to roles without any issues.
> >>>>>>
> >>>>>> When I look at a user I can see all the LDAP groups they are a member
> >>>>>> of.
> >>>>>>
> >>>>>> When I run engine-manage-domains -action=validate it tells me the
> >>>>>> domain is valid.
> >>>>>>
> >>>>>> Here is my problem: when I try to assign a role to an LDAP group it
> >>>>>> looks like it works, but in the general tab under the group it
> >>>>>> tells me the status is Inactive.
> >>>>>>
> >>>>>> Does anyone know how to enable the group?
> >>>>>> _______________________________________________
> >>>>>> Users mailing list
> >>>>>> Users@ovirt.org
> >>>>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>>>>
> >>>>>
> >>>>> 3.4 or new 3.5 Generic LDAP provider?
> >>>>
> >>>> In case this is 3.5 it is a known issue: all groups will be seen as
> >>>> inactive. This field will probably be removed from the UI, as groups
> >>>> are no longer fetched periodically.
> >>>> This field is totally ignored.
> >>>>
> >>>> Alon