On Wed, May 18, 2016 at 9:48 AM, Alexis HAUSER <
alexis.hau...@telecom-bretagne.eu> wrote:

> >> Is there a way to search for attributes in the ovirt web interface, for
> >> example "memberof"?
> >>
> >> I can't imagine adding hundreds or thousands of users one by one... What
> >> would be the solutions?
> >>
> > You can assign a specific permission to the group that the relevant users
> > are members of (we also support nested groups if needed),
> > and of course you can select multiple users/groups when you assign
> > permissions.
> > If the above is not an option for you, could you try to describe what
> > exactly you are trying to achieve?
> > Thanks
> > Martin Perina
>
> As I explained, my groups are not in the same dn path as my users. As it
> is not possible to add multiple dn paths, my only solution is to use users.

Well, that's the 1st time I've heard about an LDAP setup where users and
groups of one domain are not under the same baseDN. Usually all LDAP setups
have some baseDN (for example 'dc=company,dc=com') and somewhere under this
baseDN (not necessarily directly under it) we could find users and groups.
The only exception to this is ActiveDirectory with multi-domain trust
inside a single forest (which we currently support, and a user of domainA can
be a member of a group from domainB) and multi-forest trust (which we
don't support).

> Those users have attributes like "member of" which still keep the
> information about what group they belong to. I didn't find any way using
> the interface to filter by attribute, for example to show all users that
> are members of group "foo".

We don't support LDAP searches in the webadmin UI, because we don't
distinguish between LDAP (ovirt-engine-extension-aaa-ldap) and database
(ovirt-engine-extension-aaa-jdbc) providers; both of them provide users
and groups for oVirt using the same AAA interface.

> I could do that with ldapsearch, but then how would I inject the result into
> the ovirt configuration to add those users to specific ovirt roles ("ovirt
> permission groups")?

So the only way that comes to my mind is to use one of our SDKs (Python,
Java, Ruby). You would need to implement the LDAP query yourself and then
add the wanted permission to those users using our SDKs.

Martin Perina
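
One way to do the first half of that suggestion, as an added example (not part of the original thread and not oVirt project code): turn saved ldapsearch output into the list of logins that belong to one group, matching the full group DN so that "foo" does not also pick up "foobar" and receive the role by accident. The LDIF sample, the function names and the use of uid as the login attribute are assumptions; the permission assignment through the SDK is not shown.

```python
import base64

# Constructed ldapsearch (LDIF) output; every DN and name is made up. Users and
# groups sit under different base DNs, as in the setup discussed in the thread.
_B64_GROUP = base64.b64encode(b"CN=Foo, OU=Groups,DC=example,DC=org").decode()
SAMPLE_LDIF = f"""dn: uid=alice,ou=people,dc=company,dc=com
uid: alice
memberOf: cn=foo,ou=groups,dc=example,dc=org

dn: uid=bob,ou=people,dc=company,dc=com
uid: bob
memberOf: cn=foobar,ou=groups,dc=example,dc=org

dn: uid=carol,ou=people,dc=company,dc=com
uid: carol
memberOf:: {_B64_GROUP}

dn: uid=dave,ou=people,dc=company,dc=com
uid: dave
memberOf: cn=foo,ou=groups,
 dc=example,dc=org
"""

def parse_ldif(text):
    """Yield {attr: [values]} per entry; handles folded lines and base64 values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            b64 = rest.startswith(":")  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode() if b64 else rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:
            yield entry

def norm_dn(dn):
    # Simplified DN comparison (assumption): case-insensitive, spaces around
    # RDNs ignored; escaped commas (RFC 4514) are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))

def members_of(ldif_text, group_dn, login_attr="uid"):
    """Return logins whose memberOf holds exactly group_dn (no substring match)."""
    wanted = norm_dn(group_dn)
    hits = [e for e in parse_ldif(ldif_text)
            if wanted in {norm_dn(g) for g in e.get("memberof", [])}]
    return sorted(e[login_attr][0] for e in hits if login_attr in e)
```

Reviewing the returned list before feeding it to an SDK script keeps the bulk grant limited to the intended group.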