Dear Ondra, all,
I managed to solve this once I got my head around the properties file.
Conceptually the problem is that users are typically not a member of their
primary group in a POSIX scenario, and their primary group is set by the
gidNumber of the user's record, with additional group memberships specified by
memberUid entries against a posixGroup entry.
# Match groups that either list the user in memberUid (secondary groups) or
# whose gidNumber equals the user's gidNumber (primary group).
search.rfc2307-resolve-groups-memberUid.search-request.filter = &(objectClass=posixGroup)(|(memberUid=${seq:_rfc2307_uid_encoded})(gidNumber=${seq:_rfc2307_gid_encoded}))
# Fetch gidNumber alongside uid so the filter above can use it.
search.rfc2307-resolve-principal-uid.search-request.attributes = uid, gidNumber
sequence.bmrc-resolve-groups.010.description = set dn
sequence.bmrc-resolve-groups.010.type = var-set
sequence.bmrc-resolve-groups.010.var-set.variable = _rfc2307_dn
sequence.bmrc-resolve-groups.010.var-set.value = ${seq:dn}
sequence.bmrc-resolve-groups.020.description = resolve uid
sequence.bmrc-resolve-groups.020.type = fetch-record
sequence.bmrc-resolve-groups.020.fetch-record.search = rfc2307-resolve-principal-uid
sequence.bmrc-resolve-groups.020.fetch-record.map.uid.name = _rfc2307_uid
sequence.bmrc-resolve-groups.030.description = resolve gid
sequence.bmrc-resolve-groups.030.type = fetch-record
sequence.bmrc-resolve-groups.030.fetch-record.search = rfc2307-resolve-principal-uid
sequence.bmrc-resolve-groups.030.fetch-record.map.gidNumber.name = _rfc2307_gid
sequence.bmrc-resolve-groups.040.description = query groups
sequence.bmrc-resolve-groups.040.type = search-open
sequence.bmrc-resolve-groups.040.search-open.search = rfc2307-resolve-groups-memberUid
sequence.bmrc-resolve-groups.040.search-open.variable = queryRFC2307ByMemberUid
# Hook the custom sequence into the profile's group resolution.
sequence.rfc2307-resolve-groups.020.call.name = bmrc-resolve-groups
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. [email protected]
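The following is an added example of mine, not code from the oVirt project or from the thread. It reproduces, against a constructed in-memory directory, the group resolution that the posted profile and the question in the 4 June message describe (primary group from the user's gidNumber, secondary groups from posixGroup memberUid entries), and it shows why the uid and gid substituted into the filter must be escaped, which is the job of the `*_encoded` sequence variables. The user and group entries, the `_FILTER_ESCAPES` table and every function name are my own assumptions for illustration.

```python
"""Resolve a POSIX user's groups the RFC 2307 way (added example, not from oVirt)."""

# RFC 4515 section 3: characters that must be escaped inside a filter value.
# Without this a uid such as "x)(uid=*" rewrites the filter instead of being
# matched literally. (Constructed table; this is what the *_encoded
# variables in the aaa-ldap profile provide.)
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(uid, gid):
    """Same logic as the thread's filter, written out as a complete RFC 4515
    filter (the properties value omits the outermost parentheses)."""
    return ("(&(objectClass=posixGroup)"
            "(|(memberUid=%s)(gidNumber=%s)))"
            % (escape_filter_value(uid), escape_filter_value(str(gid))))


def matches_group_filter(entry, uid, gid):
    """Evaluate that filter on one entry (attribute name -> list of values)."""
    return ("posixGroup" in entry.get("objectClass", [])
            and (uid in entry.get("memberUid", [])
                 or str(gid) in entry.get("gidNumber", [])))


# Constructed sample directory, not real data. "staff" does not list alice in
# memberUid: she belongs to it only through her gidNumber, which is exactly
# the case a memberUid-only filter misses.
USERS = {
    "alice": {"objectClass": ["posixAccount"], "uid": ["alice"], "gidNumber": ["1000"]},
    "bob":   {"objectClass": ["posixAccount"], "uid": ["bob"],   "gidNumber": ["2000"]},
}
GROUPS = [
    {"objectClass": ["posixGroup"], "cn": ["staff"],  "gidNumber": ["1000"], "memberUid": []},
    {"objectClass": ["posixGroup"], "cn": ["hpc"],    "gidNumber": ["1001"], "memberUid": ["alice", "bob"]},
    {"objectClass": ["posixGroup"], "cn": ["guests"], "gidNumber": ["2000"], "memberUid": ["bob"]},
    # Wrong objectClass: excluded even though it names alice and carries her gid.
    {"objectClass": ["groupOfNames"], "cn": ["legacy"], "gidNumber": ["1000"], "memberUid": ["alice"]},
]


def resolve_groups(uid, users=USERS, groups=GROUPS):
    """Steps 020-040 of the posted sequence: fetch uid and gidNumber for the
    principal, then collect every group the filter matches."""
    user = users[uid]
    gid = int(user["gidNumber"][0])
    return sorted(e["cn"][0] for e in groups if matches_group_filter(e, uid, gid))


if __name__ == "__main__":
    for name in USERS:
        print(name, build_group_filter(name, int(USERS[name]["gidNumber"][0])))
        print("  groups:", resolve_groups(name))
    print("escaped:", build_group_filter("x)(uid=*", 1000))
```

Before touching the profile, the same filter can be tried against the live directory with ldapsearch (for example `ldapsearch -x -H ldap://ldap.example.org -b dc=example,dc=org '(&(objectClass=posixGroup)(|(memberUid=alice)(gidNumber=1000)))' cn`, with a hypothetical host and base DN), and an `aaa search` with ovirt-engine-extensions-tool against the authz extension shows which groups the engine actually resolves for a principal.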
On 4 Jun 2018, at 15:07, Callum Smith <[email protected]> wrote:
Dear Ondra,
I went for openldap-rfc2307 as that best describes our LDAP setup. The issue
seems to be that the gidNumber is set, but users are not a member of their
primary group within the LDAP. So, the user's gidNumber represents the primary
group and posixGroup membership (memberUid) represents their secondary groups.
What's the best way to approach this (fix the filters on the oVirt end or change
the LDAP)? This is a question of what is most compliant with standards really.
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. [email protected]
On 29 May 2018, at 11:29, Ondra Machacek <[email protected]> wrote:
What's your LDAP and what profile did you choose? This looks like you have
chosen an incorrect profile during setup. Are you sure you aren't using posix
groups with a non-posix aaa profile? Sharing a debug log of
ovirt-engine-extensions-tool would be helpful.
On Fri, May 25, 2018, 10:04 AM Callum Smith <[email protected]> wrote:
Dear All,
I'm having problems getting LDAP running: login works, but I'm getting "user is
not authorised to perform login". This is even if I assign the UserRole
specifically to the LDAP group the user is in.
2018-05-25 08:56:16,212+01 INFO
[org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-23) [] User
callum@Biomedical Research Computing successfully logged in with scopes:
ovirt-app-admin ovirt-app-api ovirt-app-portal
ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all
ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search
ovirt-ext=token-info:validate ovirt-ext=token:password-access
2018-05-25 08:56:16,391+01 INFO
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-25)
[63e60fe9] Running command: CreateUserSessionCommand internal: false.
2018-05-25 08:56:16,430+01 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default
task-25) [63e60fe9] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User
callum@Biomedical Research Computing connecting from '192.168.65.254' failed to
log in<UNKNOWN>.
2018-05-25 08:56:16,430+01 ERROR
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-25) []
The user callum@Biomedical Research Computing is not authorized to perform login
On a side note: is it possible to assign permissions to all members of an LDAP
tree where they don't have a common group membership?
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. [email protected]
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/[email protected]/message/NAEUHLW3YMYAP6L44RRS5MCLRU2OTXPZ/
List Archives:
https://lists.ovirt.org/archives/list/[email protected]/message/2WR4PGLW4Z4PM2UOVN4YZUJHSBRYVMOJ/