I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can
successfully authenticate as an LDAP user. I can also login as admin@internal
and search for, find, and select LDAP users but I cannot add permissions for
them. Each time I get the error "User admin@internal-authz failed to grant
permission for Role UserRole on System to User/Group <UNKNOWN>."
I have no control over the LDAP server, which uses custom objectClasses and
uses groupOfNames instead of PosixGroups. I assume I need to set sequence
variables to accommodate our group configuration but I'm at a loss as to where
to begin. the The config I have is as follows:
include = <rfc2307-generic.properties>
vars.server = labauth.lan.lab.org
pool.authz.auth.type = none
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true
pool.default.connection-options.connectTimeoutMillis = 10000
pool.default.connection-options.responseTimeoutMillis = 90000
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
sequence.my-objectclass-init-vars.020.description = set objectClass
sequence.my-objectclass-init-vars.020.type = var-set
sequence.my-objectclass-init-vars.020.var-set.variable = simple_filterUserObject
sequence.my-objectclass-init-vars.020.var-set.value =
(objectClass=labPerson)(uid=*)
search.default.search-request.derefPolicy = NEVER
sequence-init.init.900-local-init-vars = local-init-vars
sequence.local-init-vars.010.description = override name space
sequence.local-init-vars.010.type = var-set
sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
sequence.local-init-vars.010.var-set.value = *
sequence.local-init-vars.020.description = apply filter to users
sequence.local-init-vars.020.type = var-set
sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
sequence.local-init-vars.020.var-set.value =
${seq:simple_filterUserObject}(employeeStatus=3)
sequence.local-init-vars.030.description = apply filter to groups
sequence.local-init-vars.030.type = var-set
sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
sequence.local-init-vars.030.var-set.value = (objectClass=groupOfUniqueNames)
--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you
choose to click.
If you are uncertain, we always try to help.
Greetings [email protected]
--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you
choose to click.
If you are uncertain, we always try to help.
Greetings [email protected]
_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/[email protected]/message/OFTGDHHMO755ODWHZ6V5GGT4OSNPLCLO/
