[Ovirt-devel] LDAP fallback

Hugh O. Brock hbrock at redhat.com
Tue May 20 13:32:41 UTC 2008


On Tue, May 20, 2008 at 09:05:02AM -0400, Scott Seago wrote:
> Hugh O. Brock wrote:
>>
>>
>> Hey Scott.
>>
>> I have committed this on the basis that it built and
>> installed. However there is now a problem with the
>> "grant_admin_privileges" script in that it requires an ldap server
>> (this is from Darryl's patch, not yours), so I wasn't able to test it
>> fully.
>>
>> On that topic, do we want to make "grant_admin_privileges" fall back
>> gracefully if auth is turned off (as it is in my case at the moment)?
>>
>> Take care,
>> --Hugh
>>   
> This is a good question. At one point we'd planned a "turn auth off" flag 
> (for development use only), but ultimately decided to abandon that effort. 
> But when we were only using kerberos (and not LDAP yet), turning off auth 
> turned out to be a two-line change to ovirt-wui.conf. Now that we get the 
> user list from ldap, turning auth _and_ ldap off would be a larger effort, 
> since we'd need some alternate means of generating a user list. Is this 
> something we want to do, or are we now at the point that _all_ running 
> ovirt instances, even dev ones, must point to a freeipa server?

To my mind the freeipa setup is now pretty smooth, although I suppose
folks might still trip over the DNS setup... but in that case they can
use the developer install I suppose. So I suppose we should leave it
as it is unless there is a lot of demand for it.

Darryl, I'm not sure, but there may be a bug in grant_admin_privileges
anyway. When I ran it, it failed on "require 'app/models/account'",
which seems odd. I do have the latest activeldap package installed and
so on.

Take care,
--Hugh
