Bug 1409827 - [RFE] Add documentation how to remove LDAP provider configuration
Summary: [RFE] Add documentation how to remove LDAP provider configuration
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine-extension-aaa-ldap
Classification: oVirt
Component: Documentation
Version: master
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ovirt-4.1.1
: 1.3.1
Assignee: Martin Perina
QA Contact: Gonza
URL:
Whiteboard:
Depends On:
Blocks: 1485700
 
Reported: 2017-01-03 14:39 UTC by Csiga
Modified: 2017-08-27 10:14 UTC

Fixed In Version: ovirt-engine-extension-aaa-ldap-1.3.1
Clone Of:
Environment:
Last Closed: 2017-04-21 09:42:09 UTC
oVirt Team: Infra
Embargoed:
mperina: ovirt-4.1?
grafuls: testing_plan_complete-
rule-engine: planning_ack?
mperina: devel_ack+
pstehlik: testing_ack+




Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 72660 0 None None None 2017-02-20 09:19:13 UTC

Description Csiga 2017-01-03 14:39:54 UTC
Description of problem:
I could not find any documentation on how to remove a domain from ovirt-engine.

Version-Release number of selected component (if applicable):

4.X

How reproducible:

Delete a domain from ovirt-engine

Steps to Reproduce:
1. Log in to a Windows domain with ovirt-engine-extension-aaa-ldap-setup
2. Log in to a FreeIPA domain with ovirt-engine-extension-aaa-ldap-setup
3. Log out of the Windows domain

Actual results:
I have no documentation.

Expected results:
I would like to read an answer.

Additional info:
Happy new year to you.

Thank you.

Comment 1 Yaniv Lavi 2017-01-10 12:30:58 UTC
Can you update the oVirt site on this?

Comment 2 Martin Perina 2017-01-10 21:30:48 UTC
I haven't understood the issue or the reproduction steps. What do you mean by removing a domain? Do you want to remove a configured aaa-ldap profile so that users from this profile are not able to log in? What exactly is your use case for LDAP integration, as you have mentioned both AD and IPA servers?

Comment 3 Csiga 2017-01-12 10:00:01 UTC
Dear Martin,

I have a Windows AD in my oVirt cluster.
But I would like to change the MS windows server to FreeIPA on the cluster.

Best Regards,
Sandor

Comment 4 Martin Perina 2017-01-13 08:08:24 UTC
If you want to remove a configured LDAP provider, you need to do the following (assuming here the default name 'profile1', please rename according to your setup):

  1. Remove provider configuration files

      rm /etc/ovirt-engine/extensions.d/profile1-authn.properties
      rm /etc/ovirt-engine/extensions.d/profile1-authz.properties
      rm /etc/ovirt-engine/aaa/profile1.properties

  2. Restart ovirt-engine

      systemctl restart ovirt-engine


The above will remove the provider configuration, so users from this provider will no longer be able to log in to the engine.

But those users still have permissions defined in the engine, so if you want to remove those permissions you need to do the following:

  1. Log in to webadmin and switch to the Users tab
  2. Remove all users from the provider you have removed above (they should have their Authorization provider set to 'profile1-authz')


For now I'm targeting this to ovirt-future, but I'm going to include a fix for that in the next aaa-ldap release.
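
The removal steps from comment 4 as a shell function, added here as an example that is not part of the original thread or of the oVirt project's code. It moves the three files into a backup directory instead of deleting them and rejects profile names that could point outside the configuration tree; the function name and the `ETC_ROOT` and `BACKUP_ROOT` variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not oVirt project code): retire an aaa-ldap profile by moving
# its three configuration files to a backup directory, then report the result.
# ETC_ROOT and BACKUP_ROOT are assumed overrides so the function can be
# rehearsed against a copy of the configuration tree.

retire_ldap_profile() {
    profile=$1
    etc_root=${ETC_ROOT:-/etc/ovirt-engine}
    backup_root=${BACKUP_ROOT:-/root/aaa-ldap-removed}

    # Accept only plain names so the argument cannot escape the config tree.
    case $profile in
        ''|.*|*[!A-Za-z0-9_.-]*)
            echo "invalid profile name" >&2
            return 2 ;;
    esac

    backup_dir="$backup_root/$profile.$(date +%Y%m%d%H%M%S)"
    moved=0
    for f in \
        "extensions.d/$profile-authn.properties" \
        "extensions.d/$profile-authz.properties" \
        "aaa/$profile.properties"
    do
        if [ -f "$etc_root/$f" ]; then
            mkdir -p "$backup_dir/$(dirname "$f")" || return 1
            mv "$etc_root/$f" "$backup_dir/$f" || return 1
            moved=$((moved + 1))
        else
            echo "not found: $etc_root/$f" >&2
        fi
    done

    if [ "$moved" -eq 0 ]; then
        echo "nothing removed for profile '$profile'" >&2
        return 1
    fi

    # The aaa/<profile>.properties file can hold the LDAP bind password,
    # so keep the backup readable by its owner only.
    chmod -R go-rwx "$backup_dir"
    echo "moved $moved file(s) to $backup_dir"
    echo "next: systemctl restart ovirt-engine"
}

# Usage (as root, with the profile name from your setup):
#   retire_ldap_profile profile1
```

The users that still show 'profile1-authz' as their Authorization provider have to be removed in webadmin afterwards, as comment 4 describes; the function does not touch them.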

Comment 5 Csiga 2017-01-25 21:32:27 UTC
Thank you for your help.

I changed my ldap provider.

Thank you.

Comment 6 Martin Perina 2017-02-20 09:55:32 UTC
Fix is contained in ovirt-engine-extension-aaa-ldap-1.3.1

Comment 7 Gonza 2017-04-03 12:55:40 UTC
Verified with:
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7ev.noarch

