Hello Alon,
On 04.08.2015 09:56, Alon Bar-Lev wrote:
> Hello LDAP Users,
> If you migrated from 3.4, or if you used engine-manage-domains to add LDAP support into
> engine, this message is for you.
> In 3.5 we introduced a new LDAP provider[1][2]; it is a superset of the previous
> implementation. Highlights include:
> * Better response times.
> * Simplicity: use of the LDAP protocol only; Kerberos is no longer needed.
> * More LDAP implementations are supported.
> * Flexible configuration; can be customized on site to support special setups.
> * Supportability: better logs and feedback to enable remote support.
> * A variety of fallback policies, for example: srvrecord, failover, round-robin and more.
> * Active Directory: supports multiple domains in a forest.
> In 3.5 the previous LDAP provider is marked as legacy; users' issues will be resolved
> by migration to the new provider.
> Upgrade to 4.0 will not be possible if the legacy provider is being used.
> The new provider has been working without any issues for quite some time; we would like to
> eliminate the remaining usage of the legacy provider as soon as possible.
> A tool was created[3] to automate the process; it should perform everything in a safe and
> automatic way, while enabling customization where required. The one prerequisite that
> we could not automate easily is obtaining the CA certificate used by the LDAP server to
> communicate using SSL/TLS; you should acquire this manually and provide it as a parameter.
> We (Ondra, CCed, and I) will help anyone who is experiencing issues with the process;
> please do not delay migration to the point it becomes an emergency.
> Let's define a virtual goal: in 1 month, no legacy LDAP usage anywhere.
> Regards,
> Alon Bar-Lev.
> [1] http://www.ovirt.org/Features/AAA
> [2] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b...
Sorry for the ignorance on my part,
but I tried once more and could not find any qualified docs/howtos on the
new AAA feature.
This readme is the only thing which comes close so far, but running
Engine 3.5.3, at least my installation is missing
/usr/share/ovirt-engine-extension-aaa-ldap*/examples
Does the tool run without them?
As for my part, I only need engine authentication domains; I used:
engine-manage-domains add --domain ...
Should I migrate to the new provider?
Thanks;
--
Daniel Helgenberger
m box bewegtbild GmbH
P: +49/30/2408781-22
F: +49/30/2408781-10
ACKERSTR. 19
D-10115 BERLIN
www.m-box.de www.monkeymen.tv
Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767
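The one step Alon's announcement leaves to the administrator is obtaining the LDAP server's CA certificate for the migration tool. The script below is an added example, not code from this thread or from the oVirt project, showing one way to do that with openssl: pull the chain the LDAPS server presents, split it into individual certificates, pick the self-signed root rather than the server's own certificate, check that the server certificate really chains to it, and print the root's SHA-256 fingerprint so it can be confirmed with the directory administrators before the file is handed to the tool. The host ldap.example.com and port 636 are placeholders; the offline demo builds a throwaway CA and server certificate locally instead of contacting a server.

```shell
#!/bin/sh
# Added example, not from the thread or from oVirt: obtain and sanity-check the CA
# certificate of an LDAPS server before handing it to the aaa-ldap migration tool.
# ldap.example.com:636 is a placeholder host; the offline demo at the bottom builds
# a throwaway CA and server certificate locally instead of contacting a server.

# Print every PEM certificate an LDAPS server presents in the TLS handshake
# (server certificate first, then whatever intermediates/root it sends). Network step.
fetch_chain() {
  host=$1; port=${2:-636}
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Split a PEM chain file ($1) into $2/chain-0.pem, chain-1.pem, ... and print the count.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/chain-%d.pem", dir, n++) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }
  ' "$1"
}

# Find the self-signed certificate (subject == issuer) among $1/chain-*.pem.
# That is the file to give the migration tool as the CA, never the server's own cert,
# which would break at the next certificate rotation.
find_root() {
  for c in "$1"/chain-*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject)
    iss=$(openssl x509 -in "$c" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
      echo "$c"
      return 0
    fi
  done
  echo "no self-signed certificate in chain; ask the directory admins for the root" >&2
  return 1
}

# Does the server certificate ($1) chain to the candidate CA ($2)? Exit status only.
verify_leaf() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate, to compare with the directory admins out of band
# so a man-in-the-middle during the fetch cannot plant its own CA.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Offline stand-in for fetch_chain: a throwaway CA signing a cert for ldap.example.com,
# written server-cert-first, the order a server presents it.
make_demo_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Demo LDAP CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=ldap.example.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 1 -sha256 -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/ca.pem" >"$d/chain.pem"
}

# Whole procedure on the demo chain. Against a real server, replace make_demo_chain with:
#   fetch_chain ldap.example.com 636 >"$w/chain.pem"
demo() {
  w=$(mktemp -d)
  make_demo_chain "$w"
  n=$(split_chain "$w/chain.pem" "$w")
  echo "server sent $n certificate(s)"
  root=$(find_root "$w") || return 1
  if verify_leaf "$w/chain-0.pem" "$root"; then
    echo "server certificate chains to $root"
  else
    echo "server certificate does NOT chain to $root; do not trust it" >&2
    return 1
  fi
  fingerprint "$root"   # confirm this value with the LDAP/AD admins, then pass $root to the tool
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh ldap-ca.sh demo` to see the offline walk-through. If the server sends only its own certificate and no root (common with Active Directory domain controllers), find_root fails on purpose; the CA then has to come from the directory administrators rather than from the handshake.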