<html>
<body>
<br>
On 01/22/2015 01:13 PM, Alon Bar-Lev wrote: <br>
<font color="#000000">> </font><br>
<font color="#000000">> ----- Original Message ----- </font><br>
<font color="#000000">>> From: "Jorick Astrego" <j.astrego@<a href="mailto:netbulae.eu">netbulae.eu</a>> </font><br>
<font color="#000000">>> To: users@<a href="mailto:ovirt.org">ovirt.org</a> </font><br>
<font color="#000000">>> Sent: Thursday, January 22, 2015 2:09:18 PM </font><br>
<font color="#000000">>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa </font><br>
<font color="#000000">>> </font><br>
<font color="#000000">>> </font><br>
<font color="#000000">>> On 01/22/2015 12:59 PM, Alon Bar-Lev wrote: </font><br>
<font color="#000000">>>> ----- Original Message ----- </font><br>
<font color="#000000">>>>> From: "Jorick Astrego" <j.astrego@ netbulae.eu > </font><br>
<font color="#000000">>>>> To: users@ ovirt.org </font><br>
<font color="#000000">>>>> Sent: Thursday, January 22, 2015 1:41:40 PM </font><br>
<font color="#000000">>>>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> On 10/31/2014 02:47 PM, Marcelo Donato wrote: </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> Below the solution. Resolved By "Alon Bar-Lev" < alonbl@ redhat.com > </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> 1. install ovirt-engine-extension-aaa- ldap, it is available in </font><br>
<font color="#000000">>>>> ovirt-3.5-snapshots repository. </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> 2. create /etc/ovirt-engine/extensions. d/din.intranet-authz. properties </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> ovirt.engine.extension.name = din-intranet-authz </font><br>
<font color="#000000">>>>> ovirt.engine.extension. bindings.method = jbossmodule </font><br>
<font color="#000000">>>>> ovirt.engine.extension. binding.jbossmodule.module = </font><br>
<font color="#000000">>>>> org.ovirt.engine-extensions. aaa.ldap </font><br>
<font color="#000000">>>>> ovirt.engine.extension. binding.jbossmodule.class = </font><br>
<font color="#000000">>>>> org.ovirt.engineextensions. aaa.ldap.AuthzExtension </font><br>
<font color="#000000">>>>> ovirt.engine.extension. provides = org.ovirt.engine.api. </font><br>
<font color="#000000">>>>> extensions.aaa.Authz </font><br>
<font color="#000000">>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/din. intranet.properties </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> 3. create /etc/ovirt-engine/extensions. d/din.intranet-authn. properties </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> ovirt.engine.extension.name = din-intranet-authn </font><br>
<font color="#000000">>>>> ovirt.engine.extension. bindings.method = jbossmodule </font><br>
<font color="#000000">>>>> ovirt.engine.extension. binding.jbossmodule.module = </font><br>
<font color="#000000">>>>> org.ovirt.engine-extensions. aaa.ldap </font><br>
<font color="#000000">>>>> ovirt.engine.extension. binding.jbossmodule.class = </font><br>
<font color="#000000">>>>> org.ovirt.engineextensions. aaa.ldap.AuthnExtension </font><br>
<font color="#000000">>>>> ovirt.engine.extension. provides = org.ovirt.engine.api. </font><br>
<font color="#000000">>>>> extensions.aaa.Authn </font><br>
<font color="#000000">>>>> ovirt.engine.aaa.authn.profile.name = din.intranet </font><br>
<font color="#000000">>>>> ovirt.engine.aaa.authn.authz. plugin = din-intranet-authz </font><br>
<font color="#000000">>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/din. intranet.properties </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> 4. create /etc/ovirt-engine/aaa/din. intranet.properties </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> include = <ipa.properties> </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> vars.user = uid=admin,cn=users,cn= accounts,dc=din,dc=intranet </font><br>
<font color="#000000">>>>> vars.password = 123456 </font><br>
<font color="#000000">>>>> vars.server = ipa1.din.intranet </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> pool.default.serverset.single. server = ${global:vars.server} </font><br>
<font color="#000000">>>>> pool.default.auth.simple. bindDN = ${global:vars.user} </font><br>
<font color="#000000">>>>> pool.default.auth.simple. password = ${global:vars.password} </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> 5. restart engine. </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> Thanks a lot Alon. </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> Thanks for this, saved me some time! </font><br>
<font color="#000000">>>>> </font><br>
<font color="#000000">>>>> Just a couple of addtions, please hash the password with SSHA (I really </font><br>
<font color="#000000">>>>> hate </font><br>
<font color="#000000">>>>> plain text admin passwords...) </font><br>
<font color="#000000">>>>> I tried putting an {SSHA} encoded password in " vars.password =" , but it </font><br>
<font color="#000000">>>>> fails to authenticate while plain text works fine. </font><br>
<font color="#000000">>>> I am unsure I understand. </font><br>
<font color="#000000">>>> using hash to store password hint at server side makes sense. </font><br>
<font color="#000000">>>> but using hash to store password at client side does not makes sens, this </font><br>
<font color="#000000">>>> means that if I get the server database I can authenticate to any user </font><br>
<font color="#000000">>>> without knowing his password. </font><br>
<font color="#000000">>>> </font><br>
<font color="#000000">>>> Also, please note that the user you specify within configuration should not </font><br>
<font color="#000000">>>> have any special privilege but to query public objects within ldap. </font><br>
<font color="#000000">>> I don't like storing plain text in textfiles, so I try to avoid it. Even </font><br>
<font color="#000000">>> if it is a read only user there are no "public" objects that I like to </font><br>
<font color="#000000">>> expose to anyone. I can query groups, group members, e-mail addresses, </font><br>
<font color="#000000">>> krbPasswordExpiration, krbLastPwdChange etc. with this user. </font><br>
<font color="#000000">>> </font><br>
<font color="#000000">>> So that's why I try to have the bind user password hashed in the </font><br>
<font color="#000000">>> properties file. </font><br>
<font color="#000000">> as I wrote above, storing hash instead of password does not enhance security. </font><br>
<font color="#000000">> it is the same as if you just set the user's password to the hash. </font><br>
<br>
Ah yes, silly me. You are absolutely <br>
right. It has been such a long <br>
habit... But it does help when people intercept the traffic. Does the <br>
ldap plugin send it hashed to the ldap server? <br>
<br>
I think FreeIPA supports salted sha512 but I'm not entirely sure. <br>
<br>
You'll probably say that I need to enable TLS, but there have been many <br>
weaknesses in ssl and MITM issues. So more is always better in a <br>
security perspective. <br>
<br>
<br>
<br>
<BR />
<BR />
<b style="color:#604c78"></b><br><span style="color:#604c78;"><font color="000000"><span style="mso-fareast-language:en-gb;" lang="NL">Met vriendelijke groet, With kind regards,<br><br></span>Jorick Astrego</font></span><b style="color:#604c78"><br><br>Netbulae Virtualization Experts </b><br><hr style="border:none;border-top:1px solid #ccc;"><table style="width: 522px"><tbody><tr><td style="width: 130px;font-size: 10px">Tel: 053 20 30 270</td> <td style="width: 130px;font-size: 10px">info@netbulae.eu</td> <td style="width: 130px;font-size: 10px">Staalsteden 4-3A</td> <td style="width: 130px;font-size: 10px">KvK 08198180</td></tr><tr> <td style="width: 130px;font-size: 10px">Fax: 053 20 30 271</td> <td style="width: 130px;font-size: 10px">www.netbulae.eu</td> <td style="width: 130px;font-size: 10px">7547 TA Enschede</td> <td style="width: 130px;font-size: 10px">BTW NL821234584B01</td></tr></tbody></table><br><hr style="border:none;border-top:1px solid #ccc;"><BR />
</body>
</html>