Hi, I have configured oVirt authentication against our MicroFocus/Novell eDirectory (edir) LDAP. It is working fine on a per-user basis. Now I have tried to set permissions per group, but it seems it does not work.
My CRO.properties
---
include = <rfc2307-edir.properties>
vars.server = ldap.********
vars.port = 389
vars.user = cn=*******************
vars.password = *******************
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = ${global:vars.port}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
pool.default.socketfactory.resolver.supportIPv6 = false
sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
sequence.my-edir-init-vars.010.description = set baseDN
sequence.my-edir-init-vars.010.type = var-set
sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
sequence.my-edir-init-vars.010.var-set.value = o=su
search.default.search-request.derefPolicy = ALWAYS
---
I am able to search groups in the manager, but users with permissions per group
are unable to log in, with "The user *********** with profile [CRO] is not
authorized to perform login".
When I try to debug it with
ovirt-engine-extensions-tool aaa login-user --profile=CRO --user-name=*******
I can see common attributes (name, email, ...) in PrincipalRecord, but no record mentioning group membership.
The group which holds this user has the posixGroup objectClass and member attributes which point to the DNs of users.
There was also a similar post on this list in 2019, which unfortunately was not very specific about the solution:
https://lists.ovirt.org/archives/list/[email protected]/thread/PBQXDJGOZ2ET347YDZFSQPFJGMNSALHD/
Could anyone suggest how to better debug this, or how to modify the group search filter in my profile to work with the member attribute?
Thanks in advance, Jiri

