Bug 1134855
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [AAA] search within another pool to complete group membership | | |
| Product | [oVirt] ovirt-engine-extension-aaa-ldap | Reporter | Ondra Machacek <omachace> |
| Component | Core | Assignee | Alon Bar-Lev <alonbl> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Ondra Machacek <omachace> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | master | CC | alonbl, bazulay, bugs, ecohen, gklein, iheim, oourfali, rbalakri, yeylon, yzaslavs |
| Target Milestone | --- | | |
| Target Release | 1.0.0 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | infra | | |
| Fixed In Version | vt3.1 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2014-10-17 12:40:54 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | Infra | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1063095 | | |
| Attachments | | | |
Description
Ondra Machacek
2014-08-28 11:08:08 UTC
Hi,

Please use a more generic subject when opening bugs; please do not add trailing dots. Also, marking new features (which did not exist in previous stable versions) as severity high is kind of strange.

Thanks.

The user should have memberOf, while topLeveluser does not have this attribute. The group is not important in this case. In this case you should query the global catalog [1]:

    $ ldapsearch -LLL -x -h 10.34.63.245 -p 3268 -D Administrator.lab.eng.brq.redhat.com -w Heslo123 -b 'DC=ad-w2k12r2pc,DC=ad-w2k12r2p,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com' "sn=topLeveluser"
    dn: CN=topLeveluser topLeveluser,CN=Users,DC=ad-w2k12r2pc,DC=ad-w2k12r2p,DC=rh
     ev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: topLeveluser topLeveluser
    sn: topLeveluser
    givenName: topLeveluser
    distinguishedName: CN=topLeveluser topLeveluser,CN=Users,DC=ad-w2k12r2pc,DC=ad
     -w2k12r2p,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
    instanceType: 0
    whenCreated: 20140828101522.0Z
    whenChanged: 20140828103942.0Z
    displayName: topLeveluser topLeveluser
    uSNCreated: 231373
    memberOf: CN=TopLevelGroup,CN=Users,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq
     ,DC=redhat,DC=com
    uSNChanged: 231470
    name: topLeveluser topLeveluser
    objectGUID:: WUGCFnhhdkW9hPAbZ4fmdA==
    userAccountControl: 66048
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAAHmtufYB1Jk9DP9w1XQQAAA==
    sAMAccountName: topLeveluser
    sAMAccountType: 805306368
    userPrincipalName: topLeveluser.rhev.lab.eng.brq.redh
     at.com
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad-w2k12r2,DC=rhev,DC=
     lab,DC=eng,DC=brq,DC=redhat,DC=com
    dSCorePropagationData: 16010101000000.0Z
    lastLogonTimestamp: 130536959670245415

[1] http://msdn.microsoft.com/en-us/library/ms677943.aspx#memberOf

The plan was, for those who need cross-domain queries, to set up the authz pool to the GC:

    pool.default.serverset.srvrecord.service = gc

However, unlike in the documentation, Active Directory's GC does not contain a full Configuration subtree; it also does not contain local domain group membership. Since the above information is missing, a query against any single LDAP is incomplete. In order to have cross-domain groups, I will add another set of pools to query. This will reduce performance, as the implementation will need to query more than one LDAP to obtain all information. The user will be required to set both the "standard" LDAP pool and one "additional" (GC) LDAP pool in this case.

README
+Global catalog lookup can be enabled to support inter-forest group
+resolution. Not enabled by default as it has performance costs. Add the
+following to authz extension configuration:
+
+ config.globals.000.ad_enable_gc = true

I can't get it to work. I have

    config.globals.000.ad_enable_gc = true

in the authz properties. I add a group with permissions. Then I try to log in as a user from the group, and the engine is not querying the GC.

    #tcpdump -l -s 65535 -A -vv port 3268 -w gc.cap
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    0 packets captured

Are there any other special configurations?

You should first see that the GC pool is created. Anyway, a log would be nice...

Created attachment 936455 [details]
engine startup log

Created attachment 936456 [details]
login as user from group log
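Review bot: missing documentation in the README hunk: it tells the user only to add `config.globals.000.ad_enable_gc = true`, while the comment before it says the user must configure both the "standard" LDAP pool and an "additional" (GC) pool, and the follow-up report shows a user who set only the flag and captured no traffic on port 3268. The README text should say which pool settings the GC lookup needs (or that the GC pool is derived automatically from the default pool) and how to confirm at startup that the GC pool was created, since "you should first see that the gc pool is created" is the troubleshooting step given later in the thread.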
I am unsure you are using a version of the LDAP provider with that fix; what hash do you use?

    [root@om-rh35 extensions.d]# rpm -qi ovirt-engine-extension-aaa-ldap
    Name        : ovirt-engine-extension-aaa-ldap   Relocations: (not relocatable)
    Version     : 0.0.0                             Vendor: Red Hat, Inc.
    Release     : 0.0.2.master.el6_5                Build Date: Sun 24 Aug 2014 12:33:55 PM CEST

It's not there; the build date is Sun 24 Aug 2014 12:33:55. The fix is 31.8... this is not vt3.

The current build was not included in vt3 due to an engine dependency issue. I will rebuild and republish.

Sorry, I was not aware that it was not pulled.

It was included in vt3.1, great.

Works fine in vt3.1 with the line

    config.globals.000.ad_enable_gc = true

in the authz extension.

oVirt 3.5 has been released and should include the fix for this issue.
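The two-pool merge the thread describes, as an added example that is not code from ovirt-engine-extension-aaa-ldap: it parses ldapsearch-style LDIF output (including folded continuation lines like the ones in the query above) and unions memberOf from a domain-pool result and a global-catalog result, since each pool alone is incomplete. The entries, DNs, group names and function names are constructed assumptions.

```python
"""Combine group membership from a domain LDAP pool and the global catalog.
Added example, not code from ovirt-engine-extension-aaa-ldap. Neither pool
alone is complete: the GC carries cross-domain groups but not local-domain
ones, the domain controller the reverse."""
from typing import Dict, List


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> values. A line starting
    with a single space continues the previous value (ldapsearch folds
    long DNs this way); '::' marks a base64 value, kept as-is."""
    logical: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]  # unfold wrapped value
        elif line.strip():
            logical.append(line)
    attrs: Dict[str, List[str]] = {}
    for item in logical:
        key, _, value = item.partition(":")
        if value.startswith(":"):  # base64 form, e.g. objectSid::
            value = value[1:]
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def resolve_groups(domain_ldif: str, gc_ldif: str) -> List[str]:
    """Union memberOf across both pools, case-insensitively de-duplicated,
    domain result first."""
    groups: List[str] = []
    for ldif in (domain_ldif, gc_ldif):
        for group in parse_ldif(ldif).get("memberOf", []):
            if group.lower() not in (g.lower() for g in groups):
                groups.append(group)
    return groups


# Constructed sample entries (assumed names, not real directory data).
DOMAIN_ENTRY = """\
dn: CN=topLeveluser topLeveluser,CN=Users,DC=child,DC=example,DC=com
memberOf: CN=LocalGroup,CN=Users,DC=child,DC=example,DC=com
"""
GC_ENTRY = """\
dn: CN=topLeveluser topLeveluser,CN=Users,DC=child,DC=example,DC=com
memberOf: CN=TopLevelGroup,CN=Users,DC=example,DC=co
 m
"""
if __name__ == "__main__":
    print(resolve_groups(DOMAIN_ENTRY, GC_ENTRY))
```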