Blank suggests that there is an initialization error. Please attach (do not paste) the LDAP profile, extension properties and engine.log.
I may need the debug log as well, but let's start with this.

----- Original Message -----
> From: "David Smith" <[email protected]>
> To: "Alon Bar-Lev" <[email protected]>
> Cc: "users" <[email protected]>
> Sent: Wednesday, May 6, 2015 12:49:09 AM
> Subject: Re: [ovirt-users] AAA LDAP Authentication
>
> I added that to the end, since there wasn't any reference on it as to where to put it;
> I restarted the engine and didn't notice any changes, the namespace still reads the same as before, and no users show up.
> Note that in the field to the right of namespace it's blank, whereas with "internal" or our other pre-aaa LDAP config it shows "*" and can be changed to a username as a filter; in this case it doesn't allow me to enter anything.
>
> On Tue, May 5, 2015 at 2:34 PM, Alon Bar-Lev <[email protected]> wrote:
>
> > I'm beginning to understand... although I cannot figure out how login works while search does not.
> >
> > Anyway, try to add this to your profile:
> >
> > sequence-init.init.900-local-init-vars = local-init-vars
> > sequence.local-init-vars.010.description = override name space
> > sequence.local-init-vars.010.type = var-set
> > sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
> > sequence.local-init-vars.010.var-set.value = cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> > sequence.local-init-vars.020.description = apply filter to users
> > sequence.local-init-vars.020.type = var-set
> > sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
> > sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)
> > sequence.local-init-vars.030.description = apply filter to groups
> > sequence.local-init-vars.030.type = var-set
> > sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
> > sequence.local-init-vars.030.var-set.value = ${seq:simple_filterGroupObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)
> >
> > ----- Original Message -----
> > > From: "David Smith" <[email protected]>
> > > To: "Alon Bar-Lev" <[email protected]>
> > > Cc: "users" <[email protected]>
> > > Sent: Wednesday, May 6, 2015 12:17:59 AM
> > > Subject: Re: [ovirt-users] AAA LDAP Authentication
> > >
> > > I can log into ovirt, I can see the profile, it doesn't throw any errors. However, it doesn't display any users. This is because the automatic rootDN is wrong.
> > > oVirt shows "Namespace: dc=corp, dc=ft, dc=com"; if this is the search base, it actually needs to be cn=users, cn=accounts, dc=corp, dc=ft, dc=com.
> > > Hence my desire to configure rootDN.
> > >
> > > Then, I also want to filter based on the above (sorry, the traffic part was a comment from testlink; the line should be)
> > > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)';
> > > That filter is what makes sure the results only show users in the specific group I want to give access to.
> > >
> > > Thanks,
> > > David
> > >
> > > On Tue, May 5, 2015 at 2:08 PM, Alon Bar-Lev <[email protected]> wrote:
> > >
> > > > Hi,
> > > >
> > > > So your configuration is working, you just want to filter users?
> > > >
> > > > I do not follow what the organization filter is.
> > > >
> > > > > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; // e.g. '(organizationname=*Traffic)'
> > > >
> > > > It looks to me that you want to narrow the results based on a specific attribute value.
> > > >
> > > > But first you should confirm that all is working for you; only then can we start customizing the provider to meet your special needs.
> > > >
> > > > Thanks,
> > > > Alon.
> > > >
> > > > ----- Original Message -----
> > > > > From: "David Smith" <[email protected]>
> > > > > To: "Alon Bar-Lev" <[email protected]>
> > > > > Cc: "users" <[email protected]>
> > > > > Sent: Wednesday, May 6, 2015 12:01:28 AM
> > > > > Subject: Re: [ovirt-users] AAA LDAP Authentication
> > > > >
> > > > > Hi Alon,
> > > > >
> > > > > Thanks for the quick reply.
> > > > > openldap works fine; I use it with testlink (as shown in the example config). We're not using Active Directory; just LDAP. The example config I provided is fully inclusive of all configuration required for "testlink" to use LDAP. I also have jenkins and mantis configured using the same parameters (although their terminology on where to enter the parameters is varied, they use all the same information).
> > > > >
> > > > > The rootDSE is being determined automatically; however, for my use it's wrong and needs to be provided manually. Again, I have no control over this. It's a company-wide configuration that won't be changed just for me.
> > > > >
> > > > > How would I be able to specify the organization filter line if I added some other include directive of whatever driver? I don't even understand what you're saying, exactly. Not all ovirt users/managers are programming experts.
> > > > >
> > > > > I use LDAPS because that's what my company supports. StartTLS is NOT supported (as I stated). Silly on their part, right?
> > > > >
> > > > > Thanks,
> > > > > David
> > > > >
> > > > > On Tue, May 5, 2015 at 1:18 PM, Alon Bar-Lev <[email protected]> wrote:
> > > > >
> > > > > > Hello,
> > > > > >
> > > > > > Resources include sysadmin documentation[1], integrator documentation[2], overview[3], examples[4].
> > > > > >
> > > > > > You did not specify what LDAP vendor it is.
> > > > > >
> > > > > > I can guess your directory is Active Directory, hence all you need to do is follow the "QUICK START"[5].
> > > > > >
> > > > > > The rootDSE is determined automatically; all you need is to provide a valid user and password.
> > > > > >
> > > > > > What you are missing in your configuration is the include directive of the proper driver.
> > > > > > Not sure why you use LDAPS and not LDAP with startTLS; startTLS is more flexible and should be used unless there is an issue.
> > > > > >
> > > > > > Alon
> > > > > >
> > > > > > [1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> > > > > > [2] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
> > > > > > [3] http://www.ovirt.org/Features/AAA
> > > > > > [4] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
> > > > > > [5] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "David Smith" <[email protected]>
> > > > > > > To: "users" <[email protected]>
> > > > > > > Sent: Tuesday, May 5, 2015 11:09:25 PM
> > > > > > > Subject: [ovirt-users] AAA LDAP Authentication
> > > > > > >
> > > > > > > I'm trying to set up the new 3.5 AAA LDAP Auth, but it's lacking some serious detail in documentation; the rest is java-programmer-oriented docs only, that I can find:
> > > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git
> > > > > > >
> > > > > > > Here's a sample config (sanitized) that I need to adapt to ovirt; *I HAVE NO control over the LDAP server.
> > > > > > >
> > > > > > > So far I've managed to figure out through search after search to use LDAPS (TLS isn't an option, thanks!)
> > > > > > > Two parts I can't figure out: setting rootDN and setting the organization filter -- members of that particular organization should have access to ovirt, and none others.
> > > > > > >
> > > > > > > vars.server = directory.ft.com
> > > > > > >
> > > > > > > #
> > > > > > > # Search user and its password.
> > > > > > > #
> > > > > > > vars.user = uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> > > > > > > vars.urootdn = cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> > > > > > > vars.password = Ft######
> > > > > > >
> > > > > > > pool.default.serverset.single.server = ${global:vars.server}
> > > > > > > pool.default.serverset.single.port = 636
> > > > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > > > > pool.default.auth.simple.rootDN = ${global:vars.urootdn}
> > > > > > > pool.default.auth.simple.password = ${global:vars.password}
> > > > > > >
> > > > > > > # enable SSL
> > > > > > > pool.default.ssl.enable = true
> > > > > > > #pool.default.ssl.insecure = false
> > > > > > >
> > > > > > > # Create keystore, import certificate chain and uncomment
> > > > > > > # if using ssl/tls.
> > > > > > > #pool.default.ssl.startTLS = true
> > > > > > > pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
> > > > > > > pool.default.ssl.truststore.password = changeit
> > > > > > >
> > > > > > >
> > > > > > > example config from testlink
> > > > > > > $tlCfg->authentication['method'] = 'LDAP';
> > > > > > >
> > > > > > > /** LDAP authentication credentials */
> > > > > > > $tlCfg->authentication['ldap_server'] = 'ldaps://directory.ft.com';
> > > > > > > $tlCfg->authentication['ldap_port'] = '636';
> > > > > > > $tlCfg->authentication['ldap_version'] = '3';
> > > > > > > $tlCfg->authentication['ldap_root_dn'] = 'cn=users,cn=accounts,dc=corp,dc=ft,dc=com';
> > > > > > > $tlCfg->authentication['ldap_bind_dn'] = 'uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com';
> > > > > > > $tlCfg->authentication['ldap_bind_passwd'] = 'Ft######';
> > > > > > > $tlCfg->authentication['ldap_tls'] = false; // true -> use tls
> > > > > > > $tlCfg->authentication['ldap_organization'] = '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; // e.g. '(organizationname=*Traffic)'
> > > > > > > $tlCfg->authentication['ldap_uid_field'] = 'uid'; // Use 'sAMAccountName' for Active Directory
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Users mailing list
> > > > > > > [email protected]
> > > > > > > http://lists.ovirt.org/mailman/listinfo/users
> > > > > >
> > > > >
> > > >
> > >
> >
>
_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users
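An added example, not code from this thread or from ovirt-engine-extension-aaa-ldap, showing what the var-set override in Alon's reply does to the user search: the extra `(nsRoleDN=...)` clause is string-appended to `simple_filterUserObject`, and anything that ends up AND-ed with it only matches entries that carry that role. It also shows why a login name spliced into such a filter must be escaped per RFC 4515. Assumptions: `(objectClass=person)` stands in for the stock `simple_filterUserObject` value (the thread does not show it), the `(&...)` wrapping and the `uid=` clause are this example's own, the directory entries are constructed, and the evaluator handles only the filter subset used here.

```python
"""Added example (not oVirt's code): LDAP user-filter narrowing and escaping."""
import re

# Assumption: stock simple_filterUserObject for an rfc2307-style directory.
BASE_USER_FILTER = "(objectClass=person)"
# The clause the var-set override appends, taken from the thread.
ROLE_CLAUSE = "(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter, so a login name
    such as '*)(uid=*' cannot add clauses of its own."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def user_object_filter(restrict_to_role: bool = True) -> str:
    """Mirror of the profile's concatenation:
    ${seq:simple_filterUserObject}(nsRoleDN=...)."""
    return BASE_USER_FILTER + (ROLE_CLAUSE if restrict_to_role else "")


def listing_filter(restrict_to_role: bool = True) -> str:
    """Filter for enumerating users (assumed shape of the portal's user search)."""
    return "(&%s)" % user_object_filter(restrict_to_role)


def login_filter(uid: str, restrict_to_role: bool = True, escape: bool = True) -> str:
    """Filter resolving one login name; escape=False shows the injection case."""
    value = escape_filter_value(uid) if escape else uid
    return "(&%s(uid=%s))" % (user_object_filter(restrict_to_role), value)


def _parse(s: str, i: int):
    """Recursive-descent parser for (&...), (|...), (!...) and (attr=value)
    with '*' wildcards; \\xx escapes become literal characters."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    j = s.index("=", i)
    attr, k, pattern = s[i:j].lower(), j + 1, []
    while s[k] != ")":
        if s[k] == "\\":                       # escaped byte: literal
            pattern.append(re.escape(chr(int(s[k + 1:k + 3], 16))))
            k += 3
        elif s[k] == "*":                      # bare star: wildcard
            pattern.append(".*")
            k += 1
        else:
            pattern.append(re.escape(s[k]))
            k += 1
    rx = re.compile("^" + "".join(pattern) + "$", re.IGNORECASE)
    return ("=", attr, rx), k + 1


def parse_filter(s: str):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry: dict) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, rx = node
    return any(rx.match(v) for v in entry.get(attr, []))


def search(entries, flt: str):
    """Sorted uids of the entries the filter selects."""
    node = parse_filter(flt)
    return sorted(e["uid"][0] for e in entries if matches(node, e))


# Constructed sample entries (attribute names lowercased, values as lists);
# nsRoleDN is the multi-valued attribute the override keys on.
DIRECTORY = [
    {"uid": ["dsmith"], "objectclass": ["person"],
     "nsroledn": ["cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com"]},
    {"uid": ["jdoe"], "objectclass": ["person"],
     "nsroledn": ["cn=traffic,cn=accounts,dc=corp,dc=ft,dc=com"]},
    {"uid": ["backup"], "objectclass": ["person"]},
]

if __name__ == "__main__":
    print("unrestricted:", search(DIRECTORY, listing_filter(restrict_to_role=False)))
    print("with role clause:", search(DIRECTORY, listing_filter()))
    print("login jdoe:", search(DIRECTORY, login_filter("jdoe")))
    print("injected, unescaped:", search(DIRECTORY, login_filter("*)(uid=*", False, False)))
    print("injected, escaped:", search(DIRECTORY, login_filter("*)(uid=*", False)))
```

Running it shows the role clause cutting the listing from three users to the one holding the nsRoleDN, a login for a user outside the role resolving to nothing, and the unescaped `*)(uid=*` value matching every entry while the escaped form matches none. Before changing the profile, the same narrowing can be checked against the real directory with ldapsearch using the base `cn=users,cn=accounts,dc=corp,dc=ft,dc=com` and the combined filter.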

