I have configured oVirt authentication against our MicroFocus/Novell eDirectory (edir) LDAP. It is working fine on a per-user basis. Now I have tried to set permissions per group, but it seems not to work.

My CRO.properties

include = <rfc2307-edir.properties>

vars.server = ldap.********
vars.port = 389
vars.user = cn=*******************
vars.password = *******************

pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = ${global:vars.port}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.ssl.startTLS = true
pool.default.socketfactory.resolver.supportIPv6 = false

sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
sequence.my-edir-init-vars.010.description = set baseDN
sequence.my-edir-init-vars.010.type = var-set
sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
sequence.my-edir-init-vars.010.var-set.value = o=su

search.default.search-request.derefPolicy = ALWAYS

I am able to search groups in the manager, but users with permissions per group are unable to log in with "The user *********** with profile [CRO] is not authorized to perform login".

When I try to debug it with

ovirt-engine-extensions-tool aaa login-user --profile=CRO --user-name=*******

I can see common attributes (name, email, ...) in PrincipalRecord but no record mentioning group membership.

The group which holds this user has the posixGroup objectClass and member attributes which point to the DNs of the users.

There was also a similar post on this list in 2019 which unfortunately was not very specific about the solution.


Could anyone suggest how to better debug this, or how to modify the group search filter in my profile to work with the member attribute?

Thanks in advance,
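An added illustration of the mismatch this post describes (not code from the post or from oVirt): RFC 2307 style group resolution, which the included rfc2307-edir.properties is assumed here to follow, looks for the login name in memberUid, while the group in question lists member DNs in the member attribute. The constructed LDIF sample, entry names and helper functions below are all assumptions; a DN-based lookup finds the group, a memberUid-based lookup finds nothing.

```python
import re

# Constructed sample directory entries (not from the original post):
# a user entry and a group that, as in the post, carries the posixGroup
# objectClass but lists its members as DNs in "member" rather than as
# login names in "memberUid".
SAMPLE_LDIF = """\
dn: cn=jdoe,ou=people,o=su
objectClass: inetOrgPerson
uid: jdoe
cn: jdoe

dn: cn=vmadmins,ou=groups,o=su
objectClass: posixGroup
cn: vmadmins
member: cn=jdoe,ou=people,o=su
member: cn=asmith,ou=people,o=su
"""

def parse_ldif(text):
    """Parse a minimal LDIF (no wrapping, no base64) into {attr: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def groups_by_member_dn(entries, user_dn):
    """Group lookup the way a DN-valued schema does it: (member=<userDN>)."""
    return sorted(e["dn"][0] for e in entries
                  if "posixGroup" in e.get("objectClass", [])
                  and user_dn in e.get("member", []))

def groups_by_member_uid(entries, uid):
    """Group lookup the RFC 2307 way: (memberUid=<login name>)."""
    return sorted(e["dn"][0] for e in entries
                  if "posixGroup" in e.get("objectClass", [])
                  and uid in e.get("memberUid", []))

def diagnose(text, user_dn, uid):
    """Return what each lookup strategy resolves for the same user."""
    entries = parse_ldif(text)
    return {"member": groups_by_member_dn(entries, user_dn),
            "memberUid": groups_by_member_uid(entries, uid)}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LDIF, "cn=jdoe,ou=people,o=su", "jdoe"))
```

Comparing the two results against a real ldapsearch of the group entry is a quick way to confirm which attribute the directory actually populates before touching the profile.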



Users mailing list -- users@ovirt.org