<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 10/12/2012 23:11, Alon Bar-Lev
wrote:<br>
</div>
<blockquote
cite="mid:1784521991.4294776.1355177461752.JavaMail.root@redhat.com"
type="cite">
<pre wrap="">
----- Original Message -----
</pre>
<blockquote type="cite">
<pre wrap="">From: "Yaniv Kaul" <a class="moz-txt-link-rfc2396E" href="mailto:ykaul@redhat.com">&lt;ykaul@redhat.com&gt;</a>
To: "Thierry Kauffmann" <a class="moz-txt-link-rfc2396E" href="mailto:thierry.kauffmann@univ-montp2.fr">&lt;thierry.kauffmann@univ-montp2.fr&gt;</a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:users@ovirt.org">users@ovirt.org</a>
Sent: Monday, December 10, 2012 11:58:30 PM
Subject: Re: [Users] Adding Authentication mechanism to oVirt
Wasn't it going to be deprecated?
<a class="moz-txt-link-freetext" href="http://tools.ietf.org/html/rfc6331">http://tools.ietf.org/html/rfc6331</a>
</pre>
</blockquote>
<pre wrap="">
Every IETF can be deprecated using better implementation... :)
For now we need to support this for AD and maybe others.
It is much lighter than using SSL.
</pre>
<blockquote type="cite">
<pre wrap="">I do think the right way is SSL (LDAPS) support. Most LDAP servers
(but Active Directory out of the box) support it.
Y.
</pre>
</blockquote>
<pre wrap="">
We need to support all approaches SIMPLE, SASL(MD5-Digest), LDAPS, StartTLS, and maybe keep SASL(GSSAPI).
I already wrote a sample to use all, I will share this soon with a quick design of what needs to be implemented in this regard.
Alon.
</pre>
</blockquote>
<br>
Doesn't oVirt already support SIMPLE over SSL (that is LDAPS and
StartTLS)?<br>
<br>
<blockquote
cite="mid:1784521991.4294776.1355177461752.JavaMail.root@redhat.com"
type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">
Hi,
oVirt presently supports only GSSAPI and SIMPLE authentication
against an LDAP server. The latter is far too weak to be used in a
production environment. The first is only offered as an external
authentication mechanism in many LDAP servers.
I suggest adding DIGEST-MD5 support to oVirt which is a secured way
of authenticating to an LDAP server and which is a required
authentication mechanism in LDAPv3 specification. (see
<a class="moz-txt-link-freetext" href="http://www.ietf.org/rfc/rfc2829.txt">http://www.ietf.org/rfc/rfc2829.txt</a> paragraph 4.2).
This would make it possible to access every LDAP server securely
without the need to implement the GSSAPI mechanism.
I also actively suggest to add support for the OpenLDAP Directory
server. It is a widely used LDAP server (and the one we use at our
University by the way...).
Are there developers wishing to implement such support (DIGEST-MD5
and OpenLDAP)?
Or please tell me what I should do to start implementing it?
Cheers,
Thierry
--
Thierry Kauffmann
Chef du Service Informatique // Faculté des Sciences // Université de
Montpellier 2
Service informatique de la Faculté des Sciences (SIF)
Université de Montpellier 2
CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58
email : <a class="moz-txt-link-abbreviated" href="mailto:thierry.kauffmann@univ-montp2.fr">thierry.kauffmann@univ-montp2.fr</a>
web : <a class="moz-txt-link-freetext" href="http://sif.info-ufr.univ-montp2.fr/">http://sif.info-ufr.univ-montp2.fr/</a>
<a class="moz-txt-link-freetext" href="http://www.fdsweb.univ-montp2.fr/">http://www.fdsweb.univ-montp2.fr/</a>
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@ovirt.org">Users@ovirt.org</a>
<a class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/users">http://lists.ovirt.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<small><span style="color: rgb(15, 67, 106); font-weight: bold;">Thierry
Kauffmann</span><br>
<span style="color: rgb(15, 67, 106);">Chef du Service
Informatique // </span><span style="color: rgb(15, 67, 106);">Faculté
des Sciences // </span><span style="color: rgb(15, 67, 106);">Université
de Montpellier 2</span></small><br>
<br>
<table style="text-align: left; height: 111px; width: 924px;"
border="0" cellpadding="10" cellspacing="0">
<tbody>
<tr>
<td style="vertical-align: middle; text-align: center;"><a
href="http://sif.info-ufr.univ-montp2.fr/"><img
style="border: 0px solid ; width: 100px; height:
106px;" alt="SIF - Service Informatique de la Faculté
des Sciences"
src="cid:part1.02050202.00080803@univ-montp2.fr"></a></td>
<td style="border-right: 2px solid rgb(15, 67, 106);
vertical-align: middle; color: rgb(180, 202, 0);
text-align: center; width: 211px;"><a
href="http://www.univ-montp2.fr/"><img style="border:
0px solid ; width: 194px; height: 106px;" alt="UM2 -
Université de Montpellier 2"
src="cid:part3.06020304.01050706@univ-montp2.fr"></a></td>
<td style="vertical-align: top; color: rgb(180, 202, 0);
width: 547px; line-height: 13px;"><small><span
style="color: rgb(15, 67, 106); font-weight: bold;"></span><span
style="color: rgb(15, 67, 106);"></span>Service
informatique de la Faculté des Sciences (SIF)<br>
Université de Montpellier 2<br>
<span style="color: rgb(71, 189, 205);">
CC437 // </span><span style="color: rgb(71, 189,
205);">Place Eugène Bataillon // </span><span
style="color: rgb(71, 189, 205);">34095 Montpellier
Cedex 5</span><br>
<span style="color: rgb(71, 189, 205);"><br>
Tél : 04 67 14 31 58</span><br>
<span style="color: rgb(71, 189, 205);">email : </span><a
style="color: rgb(15, 67, 106);"
href="mailto:thierry.kauffmann@univ-montp2.fr">thierry.kauffmann@univ-montp2.fr</a><br>
<span style="color: rgb(71, 189, 205);">web : </span><a
style="color: rgb(15, 67, 106);"
href="http://sif.info-ufr.univ-montp2.fr/">http://sif.info-ufr.univ-montp2.fr/</a>
<a style="color: rgb(15, 67, 106);"
href="http://www.fdsweb.univ-montp2.fr/">http://www.fdsweb.univ-montp2.fr/</a></small>
</td>
</tr>
</tbody>
</table>
<br>
</div>
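<p>Added example, not part of the original thread or of oVirt's code: the DIGEST-MD5 response computation from RFC 2831 that the proposal quoted above refers to, checked against the sample exchange in that RFC (its digest-uri names an IMAP service; an LDAP bind would use ldap/host instead). It shows that the password itself is never placed in the message sent to the server, unlike a SIMPLE bind; the function names are illustrative.</p>

```python
import hashlib

# Values from the worked example in RFC 2831 section 4 (password "secret").
RFC2831_EXAMPLE = {
    "username": "chris", "realm": "elwood.innosoft.com", "password": "secret",
    "nonce": "OA6MG9tEQGm2hh", "cnonce": "OA6MHXh6VqTrRk", "nc": "00000001",
    "digest_uri": "imap/elwood.innosoft.com",
}

def _md5(data):
    return hashlib.md5(data).digest()

def digest_md5_response(username, realm, password, nonce, cnonce, nc,
                        digest_uri, qop="auth", server_side=False):
    """response= (client) or rspauth= (server) for qop=auth, no authzid."""
    # A1 begins with the raw 16-byte MD5 of user:realm:password. A server
    # can store just this hash, but it is password-equivalent for the realm.
    secret = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    # The client's A2 carries the AUTHENTICATE method; the server's does not.
    a2 = ("" if server_side else "AUTHENTICATE") + ":" + digest_uri
    ha1 = _md5(a1).hex()
    ha2 = _md5(a2.encode("utf-8")).hex()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return _md5(kd.encode("utf-8")).hex()

def client_message(p):
    """The digest-response the client sends: no password field at all."""
    return (f'charset=utf-8,username="{p["username"]}",realm="{p["realm"]}",'
            f'nonce="{p["nonce"]}",nc={p["nc"]},cnonce="{p["cnonce"]}",'
            f'digest-uri="{p["digest_uri"]}",'
            f'response={digest_md5_response(**p)},qop=auth')

if __name__ == "__main__":
    print(client_message(RFC2831_EXAMPLE))
    # Mutual authentication: the client recomputes rspauth and compares it.
    print("rspauth=" + digest_md5_response(**RFC2831_EXAMPLE, server_side=True))
```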
</body>
</html>