Hello All,
If you are brave enough to test ovirt-engine betas, and you are using or would like to use LDAP
integration - you can assist us.
Within the 3.4/3.5 cycle we have done major rework on the entire authentication,
authorization and accounting (AAA for short); 3.5.0_rc1 is ready to be tested.
I would appreciate any feedback and help in perfecting the solution.
The implementation is the first pluggable implementation of the backend. This means that
we can extend the functionality without rebuilding the engine; even implementations that
are not LDAP based can be added.
The new LDAP implementation is a backend extension called
ovirt-engine-extension-aaa-ldap[1]; documentation is available[2][3][4]. There is no
upgrade path between the legacy implementation and the new implementation; users of the legacy
implementation can continue to use it as-is, without enjoying the new features.
Unlike the legacy implementation, the new implementation is a pure LDAP implementation; no
Kerberos or special DNS settings are required. It also supports customization to enable
support for complex/foreign LDAP sources. It also supports Active Directory multi-domain
forests, performance improvements, a fallback policy, security and more.
Configuration is file based; the engine-manage-domains utility is obsolete. Examples are
available at [2].
First install the extension[5]:
# yum install ovirt-engine-extension-aaa-ldap
A simple Active Directory configuration follows. Make sure you define
searchuser with a valid password within the LDAP directory; it is used to search for user information
during interaction. Other directories that are supported are OpenLDAP, IPA and RHDS; please
refer to the documentation.
---
Authorization settings - used post authentication to fetch the user's attributes and
groups.
/etc/ovirt-engine/extensions.d/authz-company.properties
---
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/company.properties
---
---
Authentication settings - the user is resolved using a search, then an LDAP bind is used to validate the
password.
/etc/ovirt-engine/extensions.d/authn-company.properties
---
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = company.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/company.properties
---
---
Common profile customization for the company.com domain
/etc/ovirt-engine/aaa/company.properties
---
include = <ad.properties>
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = company.com
pool.default.auth.simple.bindDN = searchuser
pool.default.auth.simple.password = 123456
---
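As an added sanity check for the three files above (my own example, not part of the original mail and not a tool shipped with the extension): it parses the authn/authz extension files and the profile, verifies that the authn extension points at a configured authz extension and that the referenced profile exists, and flags a profile that carries the search user's password while being group/world readable. The file contents, paths and modes are constructed from the mail; the function names are this example's own.

```python
# Consistency check for ovirt-engine-extension-aaa-ldap configuration files (added example,
# not the project's code). Sample file contents and modes below are constructed from the mail.
import stat

def parse_properties(text):
    """Parse the 'key = value' lines of an extension or profile properties file."""
    pairs = (l.partition("=") for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def check_aaa_config(files, modes):
    """files: path -> contents, modes: path -> st_mode bits (both constructed here).
    Returns the list of problems found; an empty list means the set is consistent."""
    problems = []
    exts = {p: parse_properties(t) for p, t in files.items() if "/extensions.d/" in p}
    names = {e.get("ovirt.engine.extension.name") for e in exts.values()}
    for path, ext in exts.items():
        provides = ext.get("ovirt.engine.extension.provides", "")
        if provides.endswith(".Authn"):
            # the authn extension must point at an authz extension that is actually configured
            authz = ext.get("ovirt.engine.aaa.authn.authz.plugin")
            if authz not in names:
                problems.append(f"{path}: authz plugin '{authz}' is not configured")
        profile = ext.get("config.profile.file.1", "")
        if profile not in files:
            problems.append(f"{path}: profile {profile} does not exist")
            continue
        prof = parse_properties(files[profile])
        # the profile carries the search user's password: it must not be group/world readable
        if "pool.default.auth.simple.password" in prof and modes[profile] & (stat.S_IRGRP | stat.S_IROTH):
            problems.append(f"{profile}: contains bind password but is readable by others")
    return list(dict.fromkeys(problems))  # dedupe: both extensions share one profile

# Constructed sample mirroring the three files in the mail (profile mode 0644 on purpose).
SAMPLE_FILES = {
    "/etc/ovirt-engine/extensions.d/authz-company.properties":
        "ovirt.engine.extension.name = authz-company\n"
        "ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz\n"
        "config.profile.file.1 = /etc/ovirt-engine/aaa/company.properties\n",
    "/etc/ovirt-engine/extensions.d/authn-company.properties":
        "ovirt.engine.extension.name = authn-company\n"
        "ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn\n"
        "ovirt.engine.aaa.authn.authz.plugin = authz-company\n"
        "config.profile.file.1 = /etc/ovirt-engine/aaa/company.properties\n",
    "/etc/ovirt-engine/aaa/company.properties":
        "include = <ad.properties>\npool.default.auth.simple.bindDN = searchuser\n"
        "pool.default.auth.simple.password = 123456\n",
}
SAMPLE_MODES = {p: 0o644 for p in SAMPLE_FILES}
```

Calling check_aaa_config(SAMPLE_FILES, SAMPLE_MODES) reports only the readable profile; with the profile at mode 0600 it returns an empty list.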
Regards,
Alon Bar-Lev
[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git
[2] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
[3] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
[4] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
[5] http://resources.ovirt.org/pub/ovirt-3.5-pre/rpm/