<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Courier New, Courier, monospace">Sorry for the late reply.
So I'm testing SIMPLE auth on RHDS LDAP. The setup was made manually
by modifying values in the db:<br>
(</font><font face="Courier New, Courier, monospace">'DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword','AdUserId')<br>
<br>
When trying to search for a user in webadmin (with the admin@internal
login), I noticed that the engine tries to bind with the user defined in
the db, but the username is modified to
("uid='usernameFromDB',ou=People,dc=domain,dc=tld"). Looks like
this is hardcoded. Am I missing some other settings in the db? Can
this be modified? Otherwise this would require changes in the ldap
structure, which in our case is impossible. <br>
<br>
The ear didn't deploy when the username in the db included commas (when
trying to add a username like 'cn=xx,ou=system,dc...').<br>
<br>
<br>
</font>
<div class="moz-cite-prefix">On 02/28/2013 01:32 PM, Roy Golan
wrote:<br>
</div>
<blockquote cite="mid:512F4E56.2060708@redhat.com" type="cite">On
02/28/2013 11:04 AM, Jure Kranjc wrote:
<br>
<blockquote type="cite">I was also testing simple auth without
success. Our ldap doesn't support kerberos so we're stuck.
Engine log doesn't report anything, and the server log shows:
<br>
<br>
2013-02-28 09:53:52,850 INFO [org.jboss.as.server]
(DeploymentScanner-threads - 2) JBAS015870: Deploy of deployment
"engine.ear" was rolled back with failure message {"JBAS014671:
Failed services" =>
{"jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START"
=> "org.jboss.msc.service.StartException in service
jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START:
Failed to start service"}}
<br>
<br>
We're using 3.1 on CentOS, rpms from dev.centos.org repo.
<br>
<br>
</blockquote>
<br>
let's debug kerberos:
<br>
<br>
vi /var/lib/jboss/jboss-as/bin/run.conf
<br>
add this at the bottom:
<br>
<br>
JAVA_OPTS="$JAVA_OPTS -Dsun.security.krb5.debug=true"
<br>
<br>
restart jboss
<br>
<br>
It's weird that the ear didn't deploy. Please paste engine.log and
server.log.
<br>
<br>
<blockquote type="cite">
<br>
On 02/28/2013 09:33 AM, Yair Zaslavsky wrote:
<br>
<blockquote type="cite">Hi Eduardo,
<br>
We mainly focus on supporting Kerberos authentication at the
moment.
<br>
Can you switch to kerberos authentication?
<br>
<br>
<br>
<br>
----- Original Message -----
<br>
<blockquote type="cite">From: "Eduardo Ramos"
<a class="moz-txt-link-rfc2396E" href="mailto:eduardo@freedominterface.org"><eduardo@freedominterface.org></a>
<br>
To: <a class="moz-txt-link-abbreviated" href="mailto:users@ovirt.org">users@ovirt.org</a>
<br>
Sent: Wednesday, February 27, 2013 11:04:17 PM
<br>
Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt
Engine
<br>
<br>
Has anyone had success with that?
<br>
<br>
<br>
On 12/10/2012 10:18 AM, Eduardo Ramos wrote:
<br>
<blockquote type="cite">Hi dudes!
<br>
<br>
I was following the model below, but without success. That is my db:
<br>
<br>
<pre>
engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword','AdUserId');
 option_id |        option_name         |                        option_value                         | version
-----------+----------------------------+-------------------------------------------------------------+---------
        63 | DomainName                 | ovirt                                                       | general
         8 | AdUserName                 | ovirt:admin                                                 | general
       113 | LDAPProviderTypes          | ovirt:ipa                                                   | general
       112 | LdapServers                | ovirt:172.16.21.240                                         | general
       110 | LDAPSecurityAuthentication | ovirt:SIMPLE                                                | general
         9 | AdUserPassword             | ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg=  | general
(7 rows)
</pre>
<br>
<br>
As you can see, my ldap server and domain are internal. That's my ldap user object:
<br>
<br>
# admin, Users, Accounts, inpe.br
<br>
dn: cn=admin,cn=Users,cn=Accounts,dc=ovirt
<br>
givenName: Admin
<br>
sn: istrator
<br>
uid: admin
<br>
userPassword:: e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg=
<br>
uidNumber: 1001
<br>
gidNumber: 502
<br>
homeDirectory: /home/users/admin
<br>
loginShell: /bin/sh
<br>
objectClass: inetOrgPerson
<br>
objectClass: posixAccount
<br>
objectClass: top
<br>
cn: admin
<br>
<br>
But the log always returns:
<br>
<br>
2012-12-10 10:07:00,317 ERROR [org.ovirt.engine.core.bll.adbroker.LdapSearchExceptionHandler] (ajp--0.0.0.0-8009-11) Ldap authentication failed. Please check that the login name , password and path are correct.
<br>
2012-12-10 10:07:00,321 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-8) Failed ldap search server <a class="moz-txt-link-freetext" href="ldap://172.16.21.240:389">ldap://172.16.21.240:389</a> due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
<br>
<br>
Am I doing it the right way?
<br>
<br>
On 12/04/2012 07:07 AM, Oved Ourfalli wrote:
<br>
<blockquote type="cite">----- Original Message -----
<br>
<blockquote type="cite">From: "Thierry Kauffmann"
<a class="moz-txt-link-rfc2396E" href="mailto:thierry.kauffmann@univ-montp2.fr"><thierry.kauffmann@univ-montp2.fr></a>
<br>
To: "Oved Ourfalli" <a class="moz-txt-link-rfc2396E" href="mailto:ovedo@redhat.com"><ovedo@redhat.com></a>
<br>
Cc: "Itamar Heim" <a class="moz-txt-link-rfc2396E" href="mailto:iheim@redhat.com"><iheim@redhat.com></a>,
<a class="moz-txt-link-abbreviated" href="mailto:users@ovirt.org">users@ovirt.org</a>
<br>
Sent: Tuesday, December 4, 2012 10:35:34 AM
<br>
Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
<br>
<br>
<br>
On 04/12/2012 09:09, Oved Ourfalli wrote:
<br>
<br>
<br>
----- Original Message -----
<br>
<br>
From: "Itamar Heim" <a class="moz-txt-link-rfc2396E" href="mailto:iheim@redhat.com"><iheim@redhat.com></a>
<br>
To: "Oved Ourfalli" <a class="moz-txt-link-rfc2396E" href="mailto:ovedo@redhat.com"><ovedo@redhat.com></a>
<br>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:users@ovirt.org">users@ovirt.org</a>, "Thierry Kauffmann" <a class="moz-txt-link-rfc2396E" href="mailto:thierry.kauffmann@univ-montp2.fr"><thierry.kauffmann@univ-montp2.fr></a>
<br>
Sent: Tuesday, December 4, 2012 1:47:52 AM
<br>
Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
<br>
<br>
On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
<br>
<br>
----- Original Message -----
<br>
<br>
From: "Thierry Kauffmann" <a class="moz-txt-link-rfc2396E" href="mailto:thierry.kauffmann@univ-montp2.fr"><thierry.kauffmann@univ-montp2.fr></a>
<br>
To: "cristi falcas" <a class="moz-txt-link-rfc2396E" href="mailto:cristi.falcas@gmail.com"><cristi.falcas@gmail.com></a>
<br>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:users@ovirt.org">users@ovirt.org</a>
<br>
Sent: Saturday, December 1, 2012 5:56:14 PM
<br>
Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Hi,
<br>
<br>
I am currently testing Ovirt 3.1 standalone on Fedora 17.
<br>
<br>
Until now, I could only use the default user admin@internal.
<br>
<br>
Our Directory at the University is OpenLDAP. We use it for authentication WITHOUT Kerberos: Simple authentication.
<br>
<br>
I wonder how to use this backend to authenticate users and manage groups in Ovirt.
<br>
<br>
Has anyone already set this up?
<br>
How to configure Ovirt to use Simple Authentication (No Kerberos).
<br>
<br>
Cheers,
<br>
-- <br>
Thierry Kauffmann
<br>
Head of the IT Department // Faculté des Sciences // Université de Montpellier 2
<br>
<br>
[image: SIF - Service Informatique de la Faculté des Sciences]
<a class="moz-txt-link-rfc2396E" href="http://sif.info-ufr.univ-montp2.fr/"><http://sif.info-ufr.univ-montp2.fr/></a>
[image: UM2 - Université de Montpellier 2]
<a class="moz-txt-link-rfc2396E" href="http://www.univ-montp2.fr/"><http://www.univ-montp2.fr/></a>
<br>
Service informatique de la Faculté des Sciences (SIF)
<br>
Université de Montpellier 2
<br>
CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
<br>
<br>
Tel: 04 67 14 31 58
<br>
email: <a class="moz-txt-link-abbreviated" href="mailto:thierry.kauffmann@univ-montp2.fr">thierry.kauffmann@univ-montp2.fr</a> web:
<br>
<a class="moz-txt-link-freetext" href="http://sif.info-ufr.univ-montp2.fr/">http://sif.info-ufr.univ-montp2.fr/</a>
<br>
<a class="moz-txt-link-freetext" href="http://www.fdsweb.univ-montp2.fr/">http://www.fdsweb.univ-montp2.fr/</a>
<br>
_______________________________________________
<br>
Users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Users@ovirt.org">Users@ovirt.org</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/users">http://lists.ovirt.org/mailman/listinfo/users</a>
<br>
<br>
Hi,
<br>
<br>
This is a response from an older thread from Yair Zaslavsky:
<br>
<br>
"there is no code allowing to add simple-authentication domains to Manage-Domains.
<br>
In the past we did have the ability to do that, but there are several problematic issues."
<br>
<br>
Best regards,
<br>
<br>
Hi,
<br>
<br>
correct me if I am wrong but this wiki page (
<br>
<a class="moz-txt-link-freetext" href="http://www.ovirt.org/DomainInfrastructure">http://www.ovirt.org/DomainInfrastructure</a> ) states clearly:
<br>
<br>
1. Authenticating Active Directory, IPA and RHDS using either simple or gssapi authentication
<br>
2. Querying the directory using the LDAP protocol
<br>
3. Auto deducing the LDAP provider type
<br>
4. Easily adding new LDAP provider types
<br>
5. Easily adding new query types
<br>
<br>
So what?
<br>
<br>
We supported simple authentication in the past, but it is no longer supported, that's why you can't set that using the manage domains utility.
<br>
It may work well in some providers (in the past we supported that for active directory, so I guess it would work there).
<br>
<br>
I don't think we removed SIMPLE from the engine, we just don't recommend using it, since it doesn't encrypt user/password on the network (it is sometimes useful for debugging).
<br>
<br>
We indeed didn't remove the engine code. We just blocked it from the utility.
<br>
Once you have a configured oVirt domain, you can set the LDAPSecurityAuthentication configuration parameter (in the vdc_options table) to use simple, by putting a value of:
<br>
domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE etc.
<br>
<br>
but, if you want to add a new domain with it then you would need to add it manually (can give a detailed explanation on how, if relevant).
<br>
<br>
Yes, I would like to know how to add directly a domain which is not GSSAPI controlled.
<br>
<br>
</blockquote>
The vdc_options table is a table containing the configuration values of the engine. Among those, there are directory-related configuration values:
<br>
<br>
<pre>
engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword');
 option_id |        option_name         |                       option_value                        | version
-----------+----------------------------+-----------------------------------------------------------+---------
         9 | AdUserName                 | domain1:user1,domain2:user2                               | general
        10 | AdUserPassword             | domain1:password1,domain2:password2                       | general
       114 | LdapServers                | domain1:ldap_server_address1,domain2:ldap_server_address2 | general
        64 | DomainName                 | domain1,domain2                                           | general
       112 | LDAPSecurityAuthentication | domain1:GSSAPI,domain2:SIMPLE                             | general
       115 | LDAPProviderTypes          | domain1:activeDirectory,domain2:ipa                       | general
</pre>
<br>
AdUserName is the user that will be used to query the directory.
<br>
AdUserPassword is the password that will be used to query the directory.
<br>
LdapServers - the LDAP server that will be used (only one is allowed in this configuration. This configuration is optional. If empty, we will check the DNS for LDAP SRV records for the relevant domain).
<br>
DomainName - the names of the domains
<br>
LDAPSecurityAuthentication - SIMPLE/GSSAPI
<br>
LDAPProviderTypes - the provider type (activeDirectory/ipa/rhds/itds)
<br>
<br>
All the entries above are per-domain, in the format domain1:value1,domain2:value2 etc.
<br>
<br>
If manually adding a GSSAPI domain, you also need to supply a krb5.conf file, and put it in the ENGINE_ETC path. If adding a SIMPLE domain that isn't necessary.
<br>
<br>
We haven't worked with simple domain for a while now, so hopefully it will work for you as expected.
<br>
<br>
Let me know if you have further questions.
<br>
<br>
Oved
<br>
<blockquote type="cite">
<br>
By default we work GSSAPI (I think the config option is empty by default which is equivalent to working GSSAPI).
<br>
If/When we would need to support that again it shouldn't be a major effort to add the code... the testing with the different providers will be the hard part.
<br>
<br>
Oved
<br>
<br>
We also don't auto deduce the LDAP provider type anymore, as changes in the providers caused some issues with it.
<br>
<br>
I'll edit the wiki accordingly (btw, I remember removing it from the wiki... so it is weird that it is still there...).
<br>
<br>
Oved
<br>
<br>
</blockquote>
</blockquote>
</blockquote>
<br>
</blockquote>
</blockquote>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
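The per-domain vdc_options format that Oved describes in the quoted thread (domain1:value1,domain2:value2) has no escaping, which is why a bind DN containing commas, the case Jure reports at the top of the thread, cannot be stored in AdUserName. The checker below is an added example written for this page; it is not code from the thread or from the oVirt project. It parses a snapshot of vdc_options rows (constructed sample values modelled on Oved's table), reports missing per-domain entries, refuses a value with an embedded comma instead of mis-parsing it, and flags domains set to SIMPLE, which per Oved's note sends the service account credentials unencrypted on the network. The option names, the provider list and the "empty means GSSAPI" default come from the thread; the function names, the sample values and the finding texts are assumptions made for this example.

```python
"""Checker for oVirt's per-domain vdc_options values.

Added example for this thread, not oVirt project code. The option names
come from the thread; the sample values below are constructed.
"""
from typing import Dict, List

# Per-domain options named in the thread ("domain1:value1,domain2:value2").
PER_DOMAIN_OPTIONS = (
    "LdapServers",
    "LDAPSecurityAuthentication",
    "LDAPProviderTypes",
    "AdUserName",
    "AdUserPassword",
)
KNOWN_PROVIDERS = {"activeDirectory", "ipa", "rhds", "itds"}  # listed by Oved
KNOWN_AUTH = {"SIMPLE", "GSSAPI"}


def parse_per_domain(value: str) -> Dict[str, str]:
    """Split 'domain1:value1,domain2:value2' into {domain: value}.

    The format has no escaping, so the only possible parse is: split on every
    comma, then on the first colon. A value that itself contains a comma
    (an LDAP bind DN such as 'cn=xx,ou=system,dc=...') yields pieces with no
    'domain:' prefix; we refuse those instead of silently mis-parsing.
    """
    entries: Dict[str, str] = {}
    for piece in value.split(","):
        piece = piece.strip()
        if not piece:
            continue
        if ":" not in piece:
            raise ValueError(
                f"entry {piece!r} has no 'domain:' prefix (comma inside a value?)"
            )
        domain, val = piece.split(":", 1)
        entries[domain.strip()] = val.strip()
    return entries


def check_vdc_options(options: Dict[str, str]) -> List[str]:
    """Return findings for an {option_name: option_value} snapshot of vdc_options."""
    findings: List[str] = []
    domains = [d.strip() for d in options.get("DomainName", "").split(",") if d.strip()]
    if not domains:
        return ["DomainName is empty: no LDAP domain is configured"]

    parsed: Dict[str, Dict[str, str]] = {}
    for name in PER_DOMAIN_OPTIONS:
        try:
            parsed[name] = parse_per_domain(options.get(name, ""))
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
            parsed[name] = {}

    for domain in domains:
        for name in PER_DOMAIN_OPTIONS:
            if domain in parsed[name]:
                continue
            if name == "LdapServers":
                # Optional per the thread: the engine falls back to DNS SRV lookups.
                findings.append(f"{domain}: LdapServers not set, engine will query DNS SRV records")
            elif name != "LDAPSecurityAuthentication":  # empty means GSSAPI (default)
                findings.append(f"{domain}: {name} has no entry for this domain")
        auth = parsed["LDAPSecurityAuthentication"].get(domain, "GSSAPI")
        if auth not in KNOWN_AUTH:
            findings.append(f"{domain}: unknown LDAPSecurityAuthentication {auth!r}")
        elif auth == "SIMPLE":
            findings.append(f"{domain}: SIMPLE bind sends the service account password unencrypted on the network")
        provider = parsed["LDAPProviderTypes"].get(domain)
        if provider is not None and provider not in KNOWN_PROVIDERS:
            findings.append(f"{domain}: unknown LDAPProviderTypes {provider!r}")

    # Entries for a domain that DomainName does not list are never used.
    for name, entries in parsed.items():
        for domain in entries:
            if domain not in domains:
                findings.append(f"{name}: entry for {domain!r}, which is not listed in DomainName")
    return findings


# Constructed sample modelled on the two-domain table Oved posted.
SAMPLE_OK = {
    "DomainName": "domain1,domain2",
    "LdapServers": "domain1:ldap_server_address1,domain2:ldap_server_address2",
    "LDAPSecurityAuthentication": "domain1:GSSAPI,domain2:SIMPLE",
    "LDAPProviderTypes": "domain1:activeDirectory,domain2:ipa",
    "AdUserName": "domain1:user1,domain2:user2",
    "AdUserPassword": "domain1:password1,domain2:password2",
}
# Same config, but the domain1 service account given as a full DN with commas,
# the case Jure reports as breaking the engine.ear deployment.
SAMPLE_DN_WITH_COMMAS = dict(
    SAMPLE_OK, AdUserName="domain1:cn=svc,ou=system,dc=example,dc=org,domain2:user2"
)

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("dn-with-commas", SAMPLE_DN_WITH_COMMAS)):
        print(f"== {label}")
        for finding in check_vdc_options(cfg):
            print("  -", finding)
```

Run against the first sample the only finding is the SIMPLE warning for domain2; against the second the comma in the DN produces a parse refusal for AdUserName and, as a consequence, a "no entry" finding for both domains, which is the failure to look for before touching the table by hand.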
</body>
</html>