1409827 – [RFE] Add documentation how to remove LDAP provider configuration

Bug 1409827 - [RFE] Add documentation how to remove LDAP provider configuration

Summary: [RFE] Add documentation how to remove LDAP provider configuration

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-engine-extension-aaa-ldap
Classification:	oVirt
Component:	Documentation
Sub Component:
Version:	master
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	ovirt-4.1.1
Target Release:	1.3.1
Assignee:	Martin Perina
QA Contact:	Gonza
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1485700
TreeView+	depends on / blocked

Reported:	2017-01-03 14:39 UTC by Csiga
Modified:	2017-08-27 10:14 UTC (History)
CC List:	4 users (show)
Fixed In Version:	ovirt-engine-extension-aaa-ldap-1.3.1
Doc Type:	Bug Fix
Doc Text:	If you want to remove a configured LDAP provider, you need to do following (assuming here the default name 'profile1', please rename according to your setup): 1. Remove provider configuration files rm /etc/ovirt-engine/extensions.d/profile1-authn.properties rm /etc/ovirt-engine/extensions.d/profile1-authz.properties rm /etc/ovirt-engine/aaa/profile1.properties 2. Restart ovirt-engine systemctl restart ovirt-engine The above will remove provider configuration, so users from this provider will no longer be able to login into engine. But those users still have permissions defined in engine, so if you want to remove those permissions you need to do following: 1. Login into webadmin and switch to Users tab 2. Remove all users from the provider you have removed above (they should have their Authorization provider set to 'profile1-authz'
Clone Of:
Environment:
Last Closed:	2017-04-21 09:42:09 UTC
oVirt Team:	Infra
Flags:	mperina: ovirt-4.1? grafuls: testing_plan_complete- rule-engine: planning_ack? mperina: devel_ack+ pstehlik: testing_ack+

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
oVirt gerrit	72660	0	None	None	None	2017-02-20 09:19:13 UTC

Description Csiga 2017-01-03 14:39:54 UTC

Description of problem:
I could not find any documentation with remove a domain from ovirt-engine.

Version-Release number of selected component (if applicable):

4.X

How reproducible:

Delete a domain from ovirt-engine

Steps to Reproduce:
1. Login an Window Domain with ovirt-engine-extension-aaa-ldap-setup
2. Login a FreeIPA domain ovirt-engine-extension-aaa-ldap-setup
3. Log out the Windows Domain

Actual results:
I have no documantation.

Expected results:
I would like read an answer.

Additional info:
Happy new year to you.

Thank you.

Comment 1 Yaniv Lavi 2017-01-10 12:30:58 UTC

Can you update the oVirt site on this?

Comment 2 Martin Perina 2017-01-10 21:30:48 UTC

I haven't understand the issue nor reproducing steps. What do you mean by removing a domain? You want to remove configured aaa-ldap profile so users from this profile are not able to login? What exactly is your use case for LDAP integrations as you have mentioned both AD and IPA servers?

Comment 3 Csiga 2017-01-12 10:00:01 UTC

Dear Martin,

I have a Windows AD in my oVirt cluster.
But I would like to change the MS windows server to FreeIPA on the cluster.

Best Regards,
Sandor

Comment 4 Martin Perina 2017-01-13 08:08:24 UTC

If you want to remove a configured LDAP provider, you need to do following (assuming here the default name 'profile1', please rename according to your setup):

  1. Remove provider configuration files

      rm /etc/ovirt-engine/extensions.d/profile1-authn.properties
      rm /etc/ovirt-engine/extensions.d/profile1-authz.properties
      rm /etc/ovirt-engine/aaa/profile1.properties

  2. Restart ovirt-engine

      systemctl restart ovirt-engine


The above will remove provider configuration, so users from this provider will no longer be able to login into engine.

But those users still have permissions defined in engine, so if you want to remove those permissions you need to do following:

  1. Login into webadmin and switch to Users tab
  2. Remove all users from the provider you have removed above (they should have their Authorization provider set to 'profile1-authz'


For now I'm targeting this to ovirt-future, but I'm going to include fix for that into next aaa-ldap release.

Comment 5 Csiga 2017-01-25 21:32:27 UTC

Thank you for your help.

I changed my ldap provider.

Thank you.

Comment 6 Martin Perina 2017-02-20 09:55:32 UTC

Fix is contained in ovirt-engine-extension-aaa-ldap-1.3.1

Comment 7 Gonza 2017-04-03 12:55:40 UTC

Verified with:
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7ev.noarch

Note You need to log in before you can comment on or make changes to this bug.