Description of problem:
In case of adding new domain, the user which is supposed to connect to the AD/IPA is not added as superuser. It would be nice to have it added as superuser too. Would it be possible to have new param (e.g. -role=superuser)?

Version-Release number of selected component (if applicable):
ovirt-engine-3.0.0_0001-3.git4364f1b.fc16.x86_64

How reproducible:

Steps to Reproduce:
1. try to add new domain
2.
3.

Actual results:

Expected results:

Additional info:
Pavel, the user you write when adding a domain is an ldap entity with sufficient privileges for querying the ldap server. This does not need any special permission in the backend. Can you please explain why you need the superuser role for that query user?
(In reply to comment #1)
> Pavel,
> the user you write when adding a domain is an ldap entity with
> sufficient privileges for querying the ldap server. This does
> not need any special permission in the backend. Can you please
> explain why do you need superuser role for that query user?

I'd suspect the customer has more systems in the house than our solution. I'd suspect that each system uses its own permissions (backup, virt, etc.). I wouldn't suspect I must have 2 accounts for each service in AD (or other DS).

Based on the above, I think it's a good idea to at least offer this option. Can you please explain why not to have it there?
(In reply to comment #2)
> (In reply to comment #1)
>
> Can you please explain why not to have it there?

Pavel, I still do not see the use case, but in general the following will always be true: permissions are given on a need-to-have basis, since any extra permission may cause a security issue. No permission mechanism will allow extra permissions on a nice-to-have basis. So in this case the specific customer may use the users dialog to add roles to his user.
It's been a while, with no response. This RFE has the potential of giving excessive permissions, so it's being closed.