<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 10/31/2014 02:47 PM, Marcelo Donato
wrote:<br>
</div>
<blockquote
cite="mid:CAPaMScju+7ALzdujfyrAeEBj4xeFcj9K3nGDxeuJQiQJRMgFVQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-size:small"><br>
</div>
<div class="gmail_default" style="font-size:small">
<div class="gmail_default">Below the solution. Resolved By
"Alon Bar-Lev" &lt;<a moz-do-not-send="true"
href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>&gt;</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default"><span
style="font-family:arial,sans-serif;font-size:13px">1.
install ovirt-engine-extension-aaa-ldap,
it is available in ovirt-3.5-snapshots repository.<br>
<br>
2.
create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties<br>
<br>
ovirt.engine.extension.name = din-intranet-authz<br>
ovirt.engine.extension.bindings.method = jbossmodule<br>
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap<br>
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension<br>
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz<br>
config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties<br>
<br>
3.
create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties<br>
<br>
ovirt.engine.extension.name = din-intranet-authn<br>
ovirt.engine.extension.bindings.method = jbossmodule<br>
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap<br>
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension<br>
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn<br>
ovirt.engine.aaa.authn.profile.name = din.intranet<br>
ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz<br>
config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties<br>
<br>
4.
create /etc/ovirt-engine/aaa/din.intranet.properties<br>
<br>
include = &lt;ipa.properties&gt;<br>
<br>
vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet<br>
vars.password = 123456<br>
vars.server = ipa1.din.intranet<br>
<br>
pool.default.serverset.single.server = ${global:vars.server}<br>
pool.default.auth.simple.bindDN = ${global:vars.user}<br>
pool.default.auth.simple.password = ${global:vars.password}<br>
<br>
5.
restart engine.</span></div>
<div class="gmail_default"><span
style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div class="gmail_default"><span
style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div class="gmail_default"><span
style="font-family:arial,sans-serif;font-size:13px">Thanks
a lot Alon.</span></div>
</div>
</div>
</blockquote>
<br>
<br>
<br>
Thanks for this, saved me some time! <br>
<br>
Just a couple of additions: please hash the password with SSHA (I
really hate plain text admin passwords...) <br>
I tried putting an {SSHA} encoded password in "<span
style="font-family:arial,sans-serif;font-size:13px">vars.password
=</span>", but it fails to authenticate while plain text works
fine.<br>
<br>
For people with multiple IPA replicas, I guess you need to use:<br>
<br>
<pre style="box-sizing: border-box; overflow: auto; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 15px; margin-top: 0px; margin-bottom: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; white-space: pre-wrap; color: rgb(51, 51, 51); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">Round robin configuration:
        vars.server1 = ipa1.din.intranet
        vars.server2 = ipa2.din.intranet
        pool.default.serverset.type = round-robin
        pool.default.serverset.round-robin.1.server = ${global:vars.server1}
        pool.default.serverset.round-robin.2.server = ${global:vars.server2}
</pre>
<br>
instead of<br>
<br>
<blockquote>
<pre style="box-sizing: border-box; overflow: auto; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 15px; margin-top: 0px; margin-bottom: 0px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; white-space: pre-wrap; color: rgb(51, 51, 51); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">vars.server = ipa1.din.intranet
pool.default.serverset.single.server = ${global:vars.server}
</pre>
</blockquote>
But I still have to test that as our second replica is down at the
moment.<br>
<br>
Also, can we get rid of the internal admin, or better, just disable
internal authentication without problems? As we have IPA we don't
want local login enabled, but in emergency situations we might need
to turn it on quickly.<br>
<br>
<br>
<br>
<br>
Kind regards,<br>
<BR />
<BR />
<br><span style="color:#604c78;"><font color="000000"><span style="mso-fareast-language:en-gb;">With kind regards,<br><br></span>Jorick Astrego</font></span><b style="color:#604c78"><br><br>Netbulae Virtualization Experts </b><br><hr style="border:none;border-top:1px solid #ccc;"><table style="width: 522px"><tbody><tr><td style="width: 130px;font-size: 10px">Tel: 053 20 30 270</td> <td style="width: 130px;font-size: 10px">info@netbulae.eu</td> <td style="width: 130px;font-size: 10px">Staalsteden 4-3A</td> <td style="width: 130px;font-size: 10px">KvK 08198180</td></tr><tr> <td style="width: 130px;font-size: 10px">Fax: 053 20 30 271</td> <td style="width: 130px;font-size: 10px">www.netbulae.eu</td> <td style="width: 130px;font-size: 10px">7547 TA Enschede</td> <td style="width: 130px;font-size: 10px">BTW NL821234584B01</td></tr></tbody></table><br><hr style="border:none;border-top:1px solid #ccc;"><BR />
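<p>Added example, not part of the original messages or of the oVirt project: a simplified Python model of an LDAP simple bind, showing why an {SSHA} value placed in vars.password is rejected while the plain-text password works. The client sends the configured string unchanged and the server hashes whatever it receives. The directory contents, salt and function names are constructed for illustration, and the real server may store the password under a different scheme.</p>

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an LDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, presented: str) -> bool:
    """Server-side check of a presented cleartext against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(presented.encode() + salt).digest()
    return hmac.compare_digest(digest, candidate)


def simple_bind(directory: Dict[str, str], bind_dn: str, presented: str) -> bool:
    """Model of a simple bind: the server hashes the string exactly as sent."""
    stored = directory.get(bind_dn)
    return stored is not None and ssha_verify(stored, presented)


# Constructed sample entry; DN and password are the ones quoted in the thread.
BIND_DN = "uid=admin,cn=users,cn=accounts,dc=din,dc=intranet"
DIRECTORY = {BIND_DN: ssha_hash("123456", salt=b"constsal")}


def demo() -> Tuple[bool, bool]:
    """Bind once with the cleartext, once with the hash string as the password."""
    plain_ok = simple_bind(DIRECTORY, BIND_DN, "123456")
    # A hash in vars.password is sent literally, so the server hashes the hash.
    hash_ok = simple_bind(DIRECTORY, BIND_DN, DIRECTORY[BIND_DN])
    return plain_ok, hash_ok


if __name__ == "__main__":
    print("plain text bind: %s, {SSHA} string as password: %s" % demo())
```

<p>Because a simple bind needs the password in recoverable form, the controls that apply to the profile file are restricted read permissions and a dedicated low-privilege bind account rather than the directory admin.</p>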
</body>
</html>