Bug 1472957 - Documentation update for AD include file changes
Status: NEW
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap
Version: 4.1.0
Priority: unspecified
Severity: high
Assigned To: Martin Perina
Reported: 2017-07-19 12:38 EDT by Anitha Udgiri
Modified: 2017-10-02 10:40 EDT (History)
Type: Bug
oVirt Team: Docs
Description Anitha Udgiri 2017-07-19 12:38:27 EDT
Description of problem:
With this version of RHV, ad.properties is using LDAP_MATCHING_RULE_IN_CHAIN to retrieve groups, and it doesn't fetch domain local groups from different domains.

So, for multi domain AD environments, Customers need to change 
the 'include = <ad.properties>' to 'include = <ad-recursive.properties>'.


Please provide appropriate documentation in Customer facing docs for this change.
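The in-chain versus recursive difference that the two profiles stand for, as an added example that is not part of the bug report or of the oVirt project code: a constructed two-domain forest in Python, where the LDAP_MATCHING_RULE_IN_CHAIN query is modelled as a transitive membership walk confined to the one domain being queried, and the recursive profile as a walk that asks every domain for `member=<dn>` (the forest data, the OID comment and this simplification are assumptions of the model, not a description of the real server behaviour).

```python
from typing import Dict, Iterable, Set

# Constructed two-domain forest (assumption, not real directory data):
# domain name -> group DN -> set of member DNs.
FOREST: Dict[str, Dict[str, Set[str]]] = {
    "corp.example": {
        "CN=Admins,DC=corp,DC=example": {"CN=alice,DC=corp,DC=example"},
    },
    "eu.example": {
        # Domain local group in the other domain that holds a corp.example user.
        "CN=EU-Ops,DC=eu,DC=example": {"CN=alice,DC=corp,DC=example"},
        # Nested group: EU-All contains EU-Ops.
        "CN=EU-All,DC=eu,DC=example": {"CN=EU-Ops,DC=eu,DC=example"},
    },
}


def domain_of(dn: str) -> str:
    """Derive the domain name from the DC= components of a DN."""
    return ".".join(p[3:] for p in dn.split(",") if p.startswith("DC="))


def _expand(start: str, catalogs: Iterable[Dict[str, Set[str]]]) -> Set[str]:
    """Transitively collect every group that lists `start` (or an already found
    group) as a member, searching only the given group catalogs."""
    catalogs = list(catalogs)
    found: Set[str] = set()
    todo = [start]
    while todo:
        cur = todo.pop()
        for groups in catalogs:
            for group, members in groups.items():
                if cur in members and group not in found:
                    found.add(group)
                    todo.append(group)
    return found


def groups_in_chain(user_dn: str) -> Set[str]:
    """Model of a (memberOf:1.2.840.113556.1.4.1941:=<user_dn>) query sent to the
    user's own domain: the server walks membership transitively, but only over
    the groups it holds, so domain local groups of other domains are never seen."""
    return _expand(user_dn, [FOREST[domain_of(user_dn)]])


def groups_recursive(user_dn: str) -> Set[str]:
    """Model of the recursive profile: ask every domain for member=<dn> and repeat
    for each group found, which also reaches cross-domain domain local groups."""
    return _expand(user_dn, FOREST.values())
```

Running both resolvers for the constructed user shows the in-chain model returning only the corp.example group, while the recursive model also returns the two eu.example groups.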
Comment 2 Martin Perina 2017-07-20 06:27:17 EDT
Anitha, this is strange because we have not supported using domain local groups in multi-domain forest at all before BZ1336707, and BZ1336707 was fixed in aaa-ldap contained in RHV 4.1.0. So:

1. If customers used domain local groups in managed-domains and they've only moved to aaa-ldap with no AD changes (especially manage-domains didn't support forest, only single domain, so they have configured aaa-ldap only to correct single domain servers), they should not face the issue

2. Customers used only single domain setup and after upgrade to 4.1 now they have changed their AD to multi-domain forest. If so then they faced that issue.

Anyway it needs to be mentioned that using domain local groups for group membership inside multi-domain forests is not recommended by Microsoft.

Ondro, could you please provide correct steps to alter configuration and also please update DocText also in BZ1336707.
Comment 3 Lucy Bopf 2017-08-07 20:49:25 EDT
Ondra, can you please provide the steps as requested by Martin in comment 2?
Comment 4 Ondra Machacek 2017-08-08 03:59:10 EDT
The difference is described in profile itself here:

https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/profiles/ad.properties#L22

If you need any more information, please let me know.
Comment 5 Lucy Bopf 2017-08-28 20:36:03 EDT
Anitha, can you take a look at the link Ondra provided in comment 4, and let us know whether that information resolves your questions. If not, what else is required?
Comment 6 Anitha Udgiri 2017-10-02 10:40:07 EDT
(In reply to Lucy Bopf from comment #5)
> Anitha, can you take a look at the link Ondra provided in comment 4, and let
> us know whether that information resolves your questions. If not, what else
> is required?

Lucy,
Apologies for the delay in responding here. The information in the link is exactly what customers need to know. I doubt if customers ever open this file to peek inside to read this information.
The best thing would be to either direct customers to read this info or get this info into the published documentation.
