----- Original Message -----
> From: jdel...@web.de
> To: "Alon Bar-Lev" <alo...@redhat.com>
> Cc: users@ovirt.org
> Sent: Friday, January 9, 2015 1:20:44 PM
> Subject: Re: [ovirt-users] Setting Base DN for LDAP authentication
>
> Hello Alon,
>
> > > I'm trying to configure LDAP authentication with oVirt 3.5 and
> > > ovirt-engine-extension-aaa-ldap. I chose the simple bind transport
> > > example.
> > > But the given examples are missing the explicit specification of a base
> > > dn.
> > > Could you please advise me how this can be done?
> > >
> > > My current configuration:
> > >
> > > [jd@om01 ovirt-engine]$ cat aaa/company-ldap.properties
> > > include = <openldap.properties>
> > >
> > > vars.server = ldap.company.de
> > >
> > > vars.user = cn=system,dc=company,dc=de
> > > vars.password = password
> > >
> > > pool.default.serverset.single.server = ${global:vars.server}
> > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > pool.default.auth.simple.password = ${global:vars.password}
> > >
> > > [jd@om01 ovirt-engine]$ cat company-ldap-authn.properties
> > > ovirt.engine.extension.name = company-ldap-authn
> > > ovirt.engine.extension.bindings.method = jbossmodule
> > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> > > ovirt.engine.aaa.authn.profile.name = company-ldap
> > > ovirt.engine.aaa.authn.authz.plugin = company-ldap-authz
> > > config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
> > >
> > > [jd@om01 ovirt-engine]$ cat company-ldap-authz.properties
> > > ovirt.engine.extension.name = company-ldap-authz
> > > ovirt.engine.extension.bindings.method = jbossmodule
> > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > > config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
> > >
> > > [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
> > > # extended LDIF
> > > #
> > > # LDAPv3
> > > # base <dc=company,dc=de> with scope subtree
> > > # filter: cn=jdeloro
> > > # requesting: ALL
> > > #
> > >
> > > # jdeloro, users, admins, company.de
> > > dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
> > > [... and many more lines ...]
> > >
> > > I could not use namingContexts from RootDSE because this results in base dn
> > > dc=de instead of dc=company,dc=de.
> >
> > Can you explain why the namingContexts is not sufficient? Just for me to
> > know and maybe enable easier override?
> > It should contain a valid base DN for you to use.
>
> [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -s base namingContexts -LLL
> dn:
> namingContexts: dc=de
>
> This isn't the correct base dn. I need dc=company,dc=de to find any users. I
> don't know why LDAP is configured like this. But I need to work with it.
>
> [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=de cn=jdeloro
> # extended LDIF
> #
> # LDAPv3
> # base <dc=de> with scope subtree
> # filter: cn=jdeloro
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
>
> [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
> # extended LDIF
> #
> # LDAPv3
> # base <dc=company,dc=de> with scope subtree
> # filter: cn=jdeloro
> # requesting: ALL
> #
>
> # jdeloro, users, admins, company.de
> dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
> [... and many more lines ...]
>
> > You have two options to fix this:
> >
> > 1. add another attribute to openldap let's say myNamingContext with valid
> > value and add the following to profile (company-ldap.properties):
> >
> > sequence-init.init.610-my-openldap-init-vars = my-openldap-init-vars
> > sequence.my-openldap-init-vars.010.description = set base dn
> > sequence.my-openldap-init-vars.010.type = var-set
> > sequence.my-openldap-init-vars.010.var-set.variable = simple_attrsBaseDN
> > sequence.my-openldap-init-vars.010.var-set.value = myNamingContexts
>
> I can't use this option, because I'm not allowed to make LDAP changes.
>
> > 2. another option is to enforce baseDN (company-ldap.properties):
> >
> > sequence-init.open.910-my-openldap-init-vars = my-openldap-init-vars
> > sequence.my-openldap-init-vars.010.description = set base dn
> > sequence.my-openldap-init-vars.010.type = var-set
> > sequence.my-openldap-init-vars.010.var-set.variable = _simple_baseDN
> > sequence.my-openldap-init-vars.010.var-set.value = dc=company,dc=de
>
> I have added the lines and restarted ovirt-engine, but the Namespace in 'Add
> Users and Groups' is still 'dc=de' and I can't find any users.
Yes, the namespace will still present dc=de, this is expected.

Can you please send me a debug log?

Edit: /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in

Before <root-logger>, add:

<logger category="org.ovirt.engineextensions.aaa.ldap">
    <level name="ALL"/>
</logger>

And in 3.5.0 you also need to modify INFO to ALL at <level name= of ENGINE:

<file-handler name="ENGINE" autoflush="true">
    <level name="ALL"/>

Thanks!

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
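As an added example (not from the thread and not part of ovirt-engine-extension-aaa-ldap itself), a small Python checker for a profile in the key = value format shown above: it resolves ${global:...} references and reports which base DN the profile ends up with, either the explicit _simple_baseDN override from a var-set step (option 2) or, failing that, the server's RootDSE namingContexts value, which is passed in as a constructed parameter since the thread shows it is dc=de for this directory. Only the two sequence keys quoted in the thread are recognised; the extension's real sequence engine is not reproduced.

```python
import re

# Matches ${global:some.key} references as used in the thread's profile.
REF = re.compile(r"\$\{global:([^}]+)\}")

# Constructed sample modelled on the thread's company-ldap.properties with
# option 2 (the _simple_baseDN override) applied.
SAMPLE_PROFILE = """\
include = <openldap.properties>
vars.server = ldap.company.de
vars.user = cn=system,dc=company,dc=de
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
sequence-init.open.910-my-openldap-init-vars = my-openldap-init-vars
sequence.my-openldap-init-vars.010.description = set base dn
sequence.my-openldap-init-vars.010.type = var-set
sequence.my-openldap-init-vars.010.var-set.variable = _simple_baseDN
sequence.my-openldap-init-vars.010.var-set.value = dc=company,dc=de
"""

def parse_profile(text):
    """Parse 'key = value' lines into a dict (skipping blanks, comments and
    the include directive), then resolve ${global:...} references."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("include"):
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        props[key.strip()] = value.strip()
    for key, value in props.items():
        props[key] = REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return props

def effective_base_dn(props, rootdse_naming_contexts):
    """Return (base_dn, source): the _simple_baseDN set by a var-set step if
    present, else the namingContexts fallback that yielded dc=de in the thread."""
    for key, value in props.items():
        step = re.fullmatch(r"(sequence\.[^.]+\.\d+)\.type", key)
        if step and value == "var-set":
            prefix = step.group(1) + ".var-set."
            if props.get(prefix + "variable") == "_simple_baseDN":
                return props[prefix + "value"], "profile override"
    return rootdse_naming_contexts, "RootDSE namingContexts"

def without_override(text):
    """Drop the sequence lines so the sample matches the original profile."""
    return "\n".join(l for l in text.splitlines() if not l.startswith("sequence"))
```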