On Tue, May 31, 2016 at 4:24 PM, Alexis HAUSER <alexis.hau...@telecom-bretagne.eu> wrote:

> >> Thank you, this actually works. Yes, I'll remove it as soon as possible.
>
> >> Now with RHEV + AD, it seems better than RHEV + LDAP for groups: it finds most of the groups a user belongs to. RHEV + LDAP is only able to find one group a user belongs to
> >> (which is not the same group found when I search the same user with ldapsearch... Still not able to solve that mystery....)
>
> >That's very strange, we test it and it works for us. But you said you use more namingContexts than one, right? It could be the problem as we support only one.
>
> Which attribute is used by RHEV/ovirt to guess which user a group belongs to (or the contrary), in the case of LDAP and in the case of AD?
> I can see that not all attributes are filled in the AD/LDAP database here.

It depends on which profile you include in /etc/ovirt-engine/aaa/<PROFILE_NAME>.properties:

1) The included ad.properties is defined in /usr/share/ovirt-engine-extension-aaa-ldap/profiles/ad.properties and here are the attribute mappings:

attrmap.map-principal-record.attr.PrincipalRecord_DN.map = _dn
attrmap.map-principal-record.attr.PrincipalRecord_ID.map = objectGUID
attrmap.map-principal-record.attr.PrincipalRecord_ID.conversion = BASE64
attrmap.map-principal-record.attr.PrincipalRecord_NAME.map = name
attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = userPrincipalName
attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map = displayName
attrmap.map-principal-record.attr.PrincipalRecord_DEPARTMENT.map = department
attrmap.map-principal-record.attr.PrincipalRecord_FIRST_NAME.map = givenName
attrmap.map-principal-record.attr.PrincipalRecord_LAST_NAME.map = sn
attrmap.map-principal-record.attr.PrincipalRecord_TITLE.map = title
attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = mail

attrmap.map-group-record.attr.GroupRecord_DN.map = _dn
attrmap.map-group-record.attr.GroupRecord_ID.map = objectGUID
attrmap.map-group-record.attr.GroupRecord_ID.conversion = BASE64
attrmap.map-group-record.attr.GroupRecord_NAME.map = name
attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = description

2) In case of LDAP, please take a look at include=<XYZ.properties> to find out which profile you are using.

> >Run this command:
> >$ keytool -storepasswd -keystore /path/to/jks/x.jks
> >It will ask you for old and new password.
>
> Thank you, I'll ask rhev-docs to add this to the documentation, as they make you generate a new certificate even when using the automatic setup, which makes the automatically generated certificate useless.
>
> By the way, is there a list of all the possible options/values of .properties file?

No tool for that, you need to investigate properties files. Please start reading README.profile in aaa-ldap package, which contains doc about the structure of each file.

> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users