Description of problem: We have oVirt 4.0.1 with LDAP (RFC-2307) as the authentication backend configured in our infrastructures. Currently, the filter that is built when a user search is made from the engine (for example, to grant a role to a user) is like this:

&(objectClass=posixAccount)(uid=*)(|(givenName=username)(sn=username)(displayName=username)(uid=username))

When the LDAP directory is big enough (in our case we handle > 230K objects), the OR (|) clause causes the query to fail with "ERR: 11, admin limit exceeded". That happens because of the huge number of results that are returned (it's not a time-exceeded error). I'm aware this is an LDAP server issue, but to avoid it, instead of changing limits on the LDAP side, it would be nice if users could define the LDAP filter to apply. As this RFC enforces the object to be a posixAccount, I think it would be enough to allow users to define the (|(...)) part. In our case, we'll never search by givenName, sn or displayName, but just by uid, so this would simplify the query and we'd eliminate the need to use an "admin" account, as we do currently.
You can overcome this with a little aaa-ldap hack. Add the following lines to your '/etc/ovirt-engine/aaa/profile.properties' file:

sequence.simple-query-principals.005.description = modify filter to search only by uid
sequence.simple-query-principals.005.type = regex
sequence.simple-query-principals.005.regex.value = ${seq:filter}
sequence.simple-query-principals.005.regex.flags = a
sequence.simple-query-principals.005.regex.pattern = \\(givenName=[^)]*\\)|\\(sn=[^)]*\\)|\\(displayName=[^)]*\\)
sequence.simple-query-principals.005.regex.replacement.filter =

It will replace occurrences of givenName, sn and displayName and their values with an empty string, so only uid persists in the filter.
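To see what the regex step above actually does to the engine's filter, here is an added, stand-alone Python example (not oVirt code and not part of this bug report). It rebuilds the filter shape quoted in the description, applies the same pattern the workaround installs (written as the engine sees it after the Java .properties loader has turned "\\(" into "\("), and checks which attributes remain inside the (|...) clause and that the result is still a balanced filter. The RFC 4515 value escaping is an assumption: the page does not say how the engine escapes the search term, and it is included so that a value containing ")" cannot cut the "[^)]*" parts of the pattern short.

```python
import re

# The workaround's pattern as the regex engine sees it. In the .properties
# file each "\(" is written "\\(" because the properties loader eats one
# backslash.
STRIP_PATTERN = re.compile(r"\(givenName=[^)]*\)|\(sn=[^)]*\)|\(displayName=[^)]*\)")

# RFC 4515 escaping for values placed inside a filter. Whether oVirt escapes
# this way is not stated in the bug; assumed here so that ')' in a search
# value becomes "\29" and cannot terminate a "[^)]*" match early.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def engine_filter(username: str) -> str:
    """Filter with the shape quoted in the description (constructed here)."""
    u = escape_value(username)
    return ("(&(objectClass=posixAccount)(uid=*)"
            f"(|(givenName={u})(sn={u})(displayName={u})(uid={u})))")


def apply_workaround(ldap_filter: str) -> str:
    """Step 005 of the workaround: drop every givenName/sn/displayName term."""
    return STRIP_PATTERN.sub("", ldap_filter)


def balanced(ldap_filter: str) -> bool:
    """True when every '(' has a matching ')' (escaped parens are \\28/\\29)."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def or_attributes(ldap_filter: str) -> list:
    """Attribute names inside the first (|...) clause, i.e. what the server
    is asked to match; after the workaround this should be just ['uid']."""
    start = ldap_filter.index("(|")
    depth = 0
    for i in range(start, len(ldap_filter)):
        if ldap_filter[i] == "(":
            depth += 1
        elif ldap_filter[i] == ")":
            depth -= 1
            if depth == 0:
                clause = ldap_filter[start:i + 1]   # "(|(a=x)(b=y))"
                return re.findall(r"\(([A-Za-z]+)=", clause[2:-1])
    raise ValueError("unterminated OR clause")


if __name__ == "__main__":
    for name in ("jdoe", "a)b"):            # constructed sample search terms
        before = engine_filter(name)
        after = apply_workaround(before)
        print("before:", before, or_attributes(before))
        print("after: ", after, or_attributes(after), balanced(after))
```

The second sample term shows the edge case: without escaping, "a)b" would leave a stray ")" behind in every term and the pattern would stop at the wrong place; with it, the reduced filter is simply (&(objectClass=posixAccount)(uid=*)(|(uid=a\29b))). A one-term OR is still a valid filter, so the server will only match on uid.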
I am setting low prio/severity as we have a workaround for aaa-ldap, and I don't see any reason to have it for aaa-jdbc. Also changing the component accordingly.
Confirmed the workaround works, by now it's enough for us. Thanks.
If this is properly documented, we can close this RFE. Please verify it is.
Ondro, could you please add the workaround from Comment 1 to http://www.ovirt.org/develop/release-management/features/infra/aaa_faq/
Created - https://github.com/oVirt/ovirt-site/pull/1131.
We didn't get to this bug for more than 2 years, and it's not being considered for the upcoming 4.4. It's unlikely that it will ever be addressed, so I'm suggesting to close it. If you feel this needs to be addressed and want to work on it, please remove the cond nack and target accordingly.
ok, closing. Please reopen if still relevant/you want to work on it.