Bug 1306436
Summary: | OpenLDAP proxy to 3 different domains | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat CloudForms Management Engine | Reporter: | Jared Deubel <jdeubel> | ||||
Component: | Appliance | Assignee: | abellott | ||||
Status: | CLOSED WORKSFORME | QA Contact: | Matt Pusateri <mpusater> | ||||
Severity: | urgent | Docs Contact: | |||||
Priority: | high | ||||||
Version: | 5.5.0 | CC: | abellott, bascar, brjohnso, cpelland, gblomqui, jdeubel, jhardy, jvlcek, obarenbo | ||||
Target Milestone: | GA | ||||||
Target Release: | 5.7.0 | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | ldap | ||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2017-03-17 14:22:38 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Jared Deubel
2016-02-10 21:04:18 UTC
Initially attempted to resolve with MiqLdap, but we could not even bind to the OpenLdap proxy with just the samaccountname (no \). This authentication scenario was resolved by leveraging the External Authentication (httpd/apache) mechanism supported by CloudForms. In the environment, the OpenLdap proxy was removed from the CloudForms solution and the Linux/SSSD was configured to authenticate directly with the Active Directory domains. Since a service account with entitlements to join a domain was not an option, we could not base the configuration process based on https://github.com/ManageIQ/manageiq_docs/blob/master/auth/active_directory.adoc with realm discover/join. We needed to leverage the more involved https://github.com/ManageIQ/manageiq_docs/blob/master/auth/ldap.adoc but manually configuring the sssd domains against AD using the ldap directives. With the approach taken, one could login to CloudForms with the fully qualified userid@domain reflecting the specific AD domain, we could also query the groups of users within CloudForms using the same userid@domain syntax for username. So, no code change was needed to get this to work. We need to add a configuration scenario in https://github.com/ManageIQ/manageiq_docs/blob/master/auth/ for LDAP external auth to one or more AD domains for documenting the above. Created attachment 1127962 [details]
multi-ldap/active direcotry SSSD
Closing per Brandon Johnson's comment indicating this can be closed. If it is felt this should not be closed please reopen and provide more details. Thank you, JoeV |