advanced users authentication, using kerberos, CAS SSO and Active Directory
by Fabrice Bacchella
I have a production environment where hard-coded passwords are avoided. We prefer to use kerberos. We also provided an SSO for the Web UI using CAS <http://jasig.github.io/cas/4.2.x/index.html>. We use ActiveDirectory as the user backend.
So I wanted an oVirt installation that would use kerberos for API authentication. For the web UI, kerberos is not always the best solution, so I wanted to integrate it in our CAS.
The Apache part was easy to set up.
I will show only a subpart of the whole Apache setup, and only the authentication-related part:
# The CAS modules
LoadModule authz_user_module /usr/lib64/httpd/modules/mod_authz_user.so
# Needed because auth_cas_module forgets to link openssl
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
LoadModule auth_cas_module /usr/lib64/httpd/modules/mod_auth_cas.so
# For the kerberos authentication on the API
LoadModule auth_gssapi_module /usr/lib64/httpd/modules/mod_auth_gssapi.so
LoadModule session_module /usr/lib64/httpd/modules/mod_session.so
LoadModule session_cookie_module /usr/lib64/httpd/modules/mod_session_cookie.so

CASLoginURL https://sso/cas/login
CASValidateSAML On
CASValidateURL https://sso/cas/samlValidate

<VirtualHost *:443>
    RequestHeader unset X-Remote-User early
    <LocationMatch ^/api($|/)>
        RewriteEngine on
        RewriteCond %{LA-U:REMOTE_USER} ^(.*@DOMAIN)$
        RewriteRule ^(.*)$ - [L,P,E=REMOTE_USER:%1]
        RequestHeader set X-Remote-User %{REMOTE_USER}s
        AuthType GSSAPI
        AuthName "GSSAPI Single Sign On Login"
        GssapiCredStore keytab:.../httpd.keytab
        Require valid-user
        GssapiUseSessions On
        Session On
        SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
    </LocationMatch>
    <LocationMatch ^/(ovirt-engine($|/)|RHEVManagerWeb/|OvirtEngineWeb/|ca.crt$|engine.ssh.key.txt$|rhevm.ssh.key.txt$)>
        AuthType CAS
        Require valid-user
        CASAuthNHeader X-Remote-User
    </LocationMatch>
</VirtualHost>
The authn file /etc/ovirt-engine/extensions.d/apachesso-authn.properties is:
ovirt.engine.extension.name = apachesso-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = apachesso
ovirt.engine.aaa.authn.authz.plugin = DOMAIN-authz
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User
And the authz file /etc/ovirt-engine/extensions.d/DOMAIN-authz.properties is:
ovirt.engine.extension.name = DOMAIN-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/DOMAIN.properties
I had some difficulties with the AD backend. A straightforward solution would have been:
include = <ad.properties>
vars.domain = DOMAIN
vars.user = BINDDN
vars.password = BINDPWD
vars.forest = domain.com
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = .../domain.jks
pool.default.ssl.truststore.password =
# Only TLSv1.2 is secure nowadays
pool.default.ssl.startTLSProtocol = TLSv1.2
# long time out should be avoided
pool.default.connection-options.connectTimeoutMillis = 500
But it fails. We have a special setup with about 100 domain controllers and only two of them can be reached from the ovirt engine. So my first try was to define them directly in the configuration file:
pool.default.serverset.type = failover
pool.default.serverset.failover.1.server = dcX.domain.com
pool.default.serverset.failover.2.server = dcY.domain.com
But that fails. Server-engine was still using a lot of unreachable domain controllers. After some digging I found that other parts of the ldap extension use a different serverset; I don't know why it doesn't reuse the default pool. It's called pool.default.dc-resolve (it should be called pool.dc-resolve, as it's not the default but a custom one), so I added in my configuration:
pool.default.dc-resolve.default.serverset.type = failover
pool.default.dc-resolve.serverset.failover.1.server = dcX.domain.com
pool.default.dc-resolve.serverset.failover.2.server = dcY.domain.com
But there is a better solution. Ondra Machacek pointed it out to me. In Active Directory, there is something called a "site", with a subset of all the domain controllers in it. It can be found under CN=Sites,CN=Configuration,DC=DOMAIN,...
To list them:
ldapsearch -H ldap://somedc -b CN=Sites,CN=Configuration,DC=DOMAIN -s one -o ldif-wrap=no cn
The information to write down is the cn returned.
You get a list of all domains, just pick the right one, remove all the serverset configuration and add:
pool.default.serverset.srvrecord.domain-conversion.type = regex
pool.default.serverset.srvrecord.domain-conversion.regex.pattern = ^(?<domain>.*)$
pool.default.serverset.srvrecord.domain-conversion.regex.replacement = GOOD_SITE._sites.${domain}
The entry _sites.${domain} doesn't exist in the DNS, so to check that your regex is good, try instead:
dig +short _ldap._tcp.GOOD_SITE._sites.${domain} srv
It should return only reachable domain controllers.
So the final /etc/ovirt-engine/aaa/DOMAIN.properties was:
include = <ad.properties>
vars.domain = DOMAIN
vars.user = BINDDN
vars.password = BINDPWD
vars.forest = domain.com
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = .../domain.jks
pool.default.ssl.truststore.password =
pool.default.ssl.startTLSProtocol = TLSv1.2
pool.default.connection-options.connectTimeoutMillis = 500
pool.default.serverset.srvrecord.domain-conversion.type = regex
pool.default.serverset.srvrecord.domain-conversion.regex.pattern = ^(?<domain>.*)$
pool.default.serverset.srvrecord.domain-conversion.regex.replacement = GOOD_SITE._sites.${domain}
With this setup, my python client <https://github.com/fbacchella/ovirtcmd> can connect to ovirt-engine using a kerberos ticket, and web users are authenticated using CAS. And there is no need to duplicate the user base.
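The site-scoped SRV lookup above is the part of this setup most worth checking before it goes live, because a wrong site name silently falls back to every domain controller in the forest and the pool then hangs on the unreachable ones. The script below is an added example, not code from the post, from oVirt or from ovirtcmd: it replays the domain-conversion rule offline, derives the exact `_ldap._tcp.` name that `dig` has to be asked for, and parses `dig +short ... srv` output to list the controllers the pool would actually get. It assumes the extension applies the pattern and replacement as a Java-style regex substitution (hence the translation of `(?<name>...)` and `${name}` into Python syntax); `GOOD_SITE` is the page's placeholder for the site name, and the dig output embedded in the script is constructed, with `dcA`/`dcB` standing in for the controllers the engine cannot reach.

```python
"""Offline check of an oVirt ldap-extension ``domain-conversion`` regex.

Added example, not code from the original post or from oVirt.  The Java regex
semantics are an assumption about how the extension applies the rule.
"""
import re
from typing import List, Tuple

# Values exactly as written in the page's DOMAIN.properties (GOOD_SITE is the
# page's placeholder for the AD site name picked from CN=Sites,CN=Configuration).
JAVA_PATTERN = r"^(?<domain>.*)$"
JAVA_REPLACEMENT = "GOOD_SITE._sites.${domain}"


def java_regex_to_python(pattern: str) -> str:
    """Translate Java named groups ``(?<name>...)`` into Python ``(?P<name>...)``."""
    return re.sub(r"\(\?<(?P<name>[A-Za-z][A-Za-z0-9]*)>", r"(?P<\g<name>>", pattern)


def java_replacement_to_python(replacement: str) -> str:
    """Translate Java ``${name}`` and ``$1`` references into Python ``\\g<...>``."""
    out = re.sub(r"\$\{([A-Za-z][A-Za-z0-9]*)\}", r"\\g<\1>", replacement)
    return re.sub(r"\$(\d+)", r"\\g<\1>", out)


def convert_domain(domain: str, pattern: str = JAVA_PATTERN,
                   replacement: str = JAVA_REPLACEMENT) -> str:
    """Apply the domain-conversion rule the way the extension config describes it."""
    py_pattern = java_regex_to_python(pattern)
    py_replacement = java_replacement_to_python(replacement)
    converted, count = re.subn(py_pattern, py_replacement, domain)
    if count == 0:
        # A non-matching pattern would leave the domain-wide lookup in place.
        raise ValueError(f"pattern {pattern!r} did not match {domain!r}")
    return converted


def srv_name(domain: str) -> str:
    """The record dig must be asked for: ``_sites.<domain>`` itself has no entry."""
    return f"_ldap._tcp.{convert_domain(domain)}"


def parse_dig_srv(output: str) -> List[Tuple[int, int, int, str]]:
    """Parse ``dig +short <name> srv`` lines: priority weight port target."""
    records = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # blank or unexpected line (e.g. a dig error message)
        prio, weight, port, target = fields
        records.append((int(prio), int(weight), int(port), target.rstrip(".").lower()))
    # Lowest priority first, then highest weight, as an SRV client orders them.
    return sorted(records, key=lambda r: (r[0], -r[1], r[3]))


def targets(output: str) -> List[str]:
    """Just the controller host names, in SRV client order."""
    return [r[3] for r in parse_dig_srv(output)]


def site_is_subset(site_output: str, domain_output: str) -> bool:
    """A correct site name yields a non-empty strict subset of the domain-wide DC list."""
    site, whole = set(targets(site_output)), set(targets(domain_output))
    return bool(site) and site < whole


# Constructed dig output (not from the page): the domain-wide lookup returns
# four controllers, the site-scoped one only the two the engine can reach.
DOMAIN_WIDE_DIG = """\
0 100 389 dcA.domain.com.
0 100 389 dcB.domain.com.
0 100 389 dcX.domain.com.
0 100 389 dcY.domain.com.
"""
SITE_DIG = """\
0 100 389 dcX.domain.com.
0 100 389 dcY.domain.com.
"""

if __name__ == "__main__":
    print("query with: dig +short", srv_name("DOMAIN"), "srv")
    print("site-scoped DCs:", targets(SITE_DIG))
    print("site restricts the DC list:", site_is_subset(SITE_DIG, DOMAIN_WIDE_DIG))
```

Feed `srv_name()` the same value you put in `pool.default.serverset.srvrecord.domain`; if `site_is_subset()` is false for the real `dig` outputs, the site name in the replacement does not match a `cn` under `CN=Sites`, and the engine will keep trying every controller in the forest.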
9 years
Re: [ovirt-users] Unable to install CentOS 6.7 on ovirt 3.5/.6
by Yaniv Kaul
The checksum looks correct. From a bit of Googling around, might be a
(known?) issue - can you try the workaround mentioned @
https://bugzilla.redhat.com/show_bug.cgi?id=632811 ?
Y.
On Fri, Apr 22, 2016 at 6:37 AM, Gene Fontanilla <ginofontanilla(a)gmail.com>
wrote:
> follow up attachment.
>
> everything freezes here.
>
> regards,
> Gene
>
> On Fri, Apr 22, 2016 at 10:57 AM, Gene Fontanilla <
> ginofontanilla(a)gmail.com> wrote:
>
>> Hi,
>>
>> md5sum: 9381a24b8bee2fed0c26896141a64b69
>>
>> please see attached screenshots, i didn't find any error logs on
>> engine.log.
>>
>> weird thing is that windows installations work like a charm.
>>
>> regards,
>> Gene
>>
>>
>>
>> On Thu, Apr 21, 2016 at 8:12 PM, Yaniv Kaul <ykaul(a)redhat.com> wrote:
>>
>>>
>>>
>>> On Thu, Apr 21, 2016 at 5:18 AM, Gene Fontanilla <
>>> ginofontanilla(a)gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Anyone having issues on using CentOS 6.6 iso on oVirt 3.5 and 3.6?
>>>>
>>>> I have two environments for testing (oVirt 3.5 and 3.6) and I can't
>>>> install centos 6.6 iso on the vms.
>>>>
>>>> it after anaconda installer starts.
>>>>
>>>
>>> Can you provide a bit more information? Can you ensure the ISO is not
>>> corrupted (check its MD5/SHA sum) ?
>>> Y.
>>>
>>>
>>>>
>>>> regards.
>>>> Gene
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users(a)ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>
>>>>
>>>
>>
>
9 years
Procedure to upgrade single-host datacenter from el6 to el7
by Rik Theys
Hi,
I'm looking for the best procedure to upgrade a host from CentOS 6 to
CentOS 7. The host is the only host in the oVirt data center (the engine
is running on another machine and manages multiple data centers).
For datacenters with multiple hosts I followed the following steps:
- Add new cluster
- Put host in maintenance
- Remove host from old cluster
- Reinstall host
- Add host to new cluster
- repeat for all hosts until old cluster is empty
This worked OK and the data center was never "non operational".
Is the procedure identical for a data center with only one host?
Should I also remove the host from the (only) cluster in the data
center, or should I reinstall it and select the "reinstall" option in
the oVirt web interface? Since there is only one host in the cluster
there's no need to create a new cluster?
Is there any state on the host that I should keep when performing the
reinstall with CentOS 7?
The host is using FC storage (local disks configured as FC through
multipath).
Regards,
Rik
--
Rik Theys
System Engineer
KU Leuven - Dept. Elektrotechniek (ESAT)
Kasteelpark Arenberg 10 bus 2440 - B-3001 Leuven-Heverlee
+32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>
9 years
ovirt 3.6 hosted engine vm not displaying in vms tab
by Dobó László
Hi,
I just upgraded from 3.6.3 to 3.6.5, but the hosted engine vm is still not
visible in the vms list.
It's running on an iscsi storage domain. The hosted_storage status is
"Inactive", cross data center status is "Locked".
I didn't find anything interesting in engine or vdsm log file.
Is there any workaround or idea for this problem?
engine os: CentOS Linux release 7.2.1511 (Core)
pkg list:
ebay-cors-filter.noarch 1.0.1-3.el7 @centos-ovirt36
jasperreports-server.noarch 6.0.1-1.el7 @ovirt-3.6
novnc.noarch 0.5.1-2.el7 @ovirt-3.6-epel
otopi.noarch 1.4.1-1.el7.centos @ovirt-3.6
otopi-java.noarch 1.4.1-1.el7.centos @ovirt-3.6
ovirt-engine.noarch 3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-backend.noarch 3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-cli.noarch 3.6.2.0-1.el7.centos @ovirt-3.6
ovirt-engine-dbscripts.noarch 3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-extension-aaa-jdbc.noarch 1.0.6-1.el7 @ovirt-3.6
ovirt-engine-extensions-api-impl.noarch 3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-jboss-as.x86_64 7.1.1-1.el7.centos @ovirt-3.6
ovirt-engine-lib.noarch 3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-restapi.noarch 3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-sdk-java.noarch 3.6.5.0-1.el7 @ovirt-3.6
ovirt-engine-sdk-python.noarch 3.6.5.0-1.el7.centos @ovirt-3.6
ovirt-engine-setup.noarch 3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-setup-base.noarch 3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-setup-plugin-ovirt-engine.noarch
3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-setup-plugin-ovirt-engine-common.noarch
3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-setup-plugin-vmconsole-proxy-helper.noarch
3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-setup-plugin-websocket-proxy.noarch
3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-tools.noarch 3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-tools-backup.noarch 3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-userportal.noarch 3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-vmconsole-proxy-helper.noarch 3.6.5.3-1.el7.centos
@ovirt-3.6
ovirt-engine-webadmin-portal.noarch 3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-websocket-proxy.noarch 3.6.5.3-1.el7.centos @ovirt-3.6
ovirt-engine-wildfly.x86_64 8.2.1-1.el7 @ovirt-3.6
ovirt-engine-wildfly-overlay.noarch 8.0.5-1.el7 @ovirt-3.6
ovirt-host-deploy.noarch 1.4.1-1.el7.centos @ovirt-3.6
ovirt-host-deploy-java.noarch 1.4.1-1.el7.centos @ovirt-3.6
ovirt-image-uploader.noarch 3.6.0-1.el7.centos @ovirt-3.6
ovirt-iso-uploader.noarch 3.6.0-1.el7.centos @ovirt-3.6
ovirt-optimizer.noarch 0.9.1-2.el7.centos @ovirt-3.6
ovirt-optimizer-ui.noarch 0.9.1-2.el7.centos @ovirt-3.6
ovirt-release36.noarch 007-1 @ovirt-3.6
ovirt-setup-lib.noarch 1.0.1-1.el7.centos @ovirt-3.6
ovirt-vmconsole.noarch 1.0.0-1.el7.centos @ovirt-3.6
ovirt-vmconsole-proxy.noarch 1.0.0-1.el7.centos @ovirt-3.6
patternfly1.noarch 1.3.0-1.el7.centos
@ovirt-3.6-patternfly1-noarch-epel
python-daemon.noarch 1.6-4.el7 @ovirt-3.6-epel
python-paramiko.noarch 1.15.1-1.el7 @ovirt-3.6-epel
python-websockify.noarch 0.6.0-2.el7 @ovirt-3.6-epel
spice-html5.noarch 0.1.6-1.el7 @ovirt-3.6-epel
vdsm-jsonrpc-java.noarch 1.1.9-1.el7.centos @ovirt-3.6
nodes : oVirt Node Hypervisor release 3.6 (0.999.201603090756.el7.centos)
vdsm.noarch 4.17.24-0.el7.centos
vdsm-cli.noarch 4.17.24-0.el7.centos
vdsm-hook-ethtool-options.noarch 4.17.24-0.el7.centos
vdsm-hook-vmfex-dev.noarch 4.17.24-0.el7.centos
vdsm-infra.noarch 4.17.24-0.el7.centos
vdsm-jsonrpc.noarch 4.17.24-0.el7.centos
vdsm-python.noarch 4.17.24-0.el7.centos
vdsm-xmlrpc.noarch 4.17.24-0.el7.centos
vdsm-yajsonrpc.noarch 4.17.24-0.el7.centos
greetings,
enax
9 years
Second DataCenter isn't available to attach Export Storage Domain
by Joshua Adkisson
I have put the export domain into maintenance and detached it from Datacenter 1, but when I try to attach it to Datacenter 2 (attached to the same engine), the Attach to Data Center dialog only shows Datacenter 1.
What am I missing here?
Please be kind, I’m very new to oVirt…
Version 3.6
CONFIDENTIALITY NOTICE: This email, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you received this email and are not the intended recipient, please inform the sender by email reply and destroy all copies of the original message.
9 years
Re: [ovirt-users] Unable to add hosts in ovirt-engine 3.6
by Oved Ourfali
You should be able to add new hosts to 3.5 cluster assuming proper 3.5
repos are used on these hosts.
Can you attach complete logs?
(engine ones and host deploy).
Regards,
Oved
On Apr 22, 2016 8:45 AM, "Sandvik Agustin" <agustinsandvik(a)gmail.com> wrote:
Does that mean that I have to downgrade my ovirt-engine from 3.6 to 3.5? Or
is there any way to install a host which is running CentOS 6.7 O.S. on
ovirt-engine 3.6?
TIA
Sandvik
On Thu, Apr 21, 2016 at 2:04 PM, Yedidyah Bar David <didi(a)redhat.com> wrote:
> On Thu, Apr 21, 2016 at 4:57 AM, Sandvik Agustin
> <agustinsandvik(a)gmail.com> wrote:
> > Hi,
> >
> > Thanks for the quick reply, my ovirt-engine is running on CentOS 6.7 and
> my
> > hypervisor is also CentOS 6.7.
>
> As I wrote before, el6 hosts are not supported in 3.6.
>
> Best,
> --
> Didi
>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
9 years
ssh -t serial connection on Windows
by Nathanaël Blanchet
Concerning ovirt-serial connection :
ssh -t -p 2222 ovirt-vmconsole@engine
While waiting for the closed official bash implementation on W10, is there
a way to do the same with putty or another ssh client?
As with the spice/vnc console, could it be a good idea to get the same in the
UI so as to be OS independent?
Thank you.
--
Nathanaël Blanchet
Network supervision
IT Infrastructure Division
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5
Tel. 33 (0)4 67 54 84 55
Fax 33 (0)4 67 54 84 14
blanchet(a)abes.fr
9 years
CentOS Virtualization SIG is not aligned with latest oVirt release
by Stefano Stagnaro
Hi,
today oVirt 3.6.5 has been released and I tried to perform a fresh installation through the CentOS Virtualization SIG:
# yum install centos-release-ovirt36
which has installed, for dependencies, also
- centos-release-gluster37
- centos-release-virt-common
- centos-release-qemu-ev
- centos-release-storage-common
I immediately noticed that oVirt is still at version 3.6.3 (instead of 3.6.5). This makes it difficult to move to CentOS Virtualization SIG.
Besides that, glusterfs is still at version 3.7.8 (instead of 3.7.11). I understand this is a different SIG but oVirt is affected in some way.
Thank you,
--
Stefano Stagnaro
Prisma Telecom Testing S.r.l.
Via Petrocchi, 4
20127 Milano – Italy
Tel. 02 26113507 int 339
e-mail: stefanos(a)prismatelecomtesting.com
skype: stefano.stagnaro
9 years