----- Original Message -----
From: "Sharad Mishra" <snmishra(a)linux.vnet.ibm.com>
To: "Itamar Heim" <iheim(a)redhat.com>
Cc: "Oved Ourfalli" <ovedo(a)redhat.com>, users(a)ovirt.org
Sent: Thursday, April 12, 2012 9:37:46 PM
Subject: Re: [Users] Testing LDAP support.
On Thu, 2012-04-12 at 02:26 +0300, Itamar Heim wrote:
> On 04/12/2012 01:09 AM, Sharad Mishra wrote:
> > On Wed, 2012-04-11 at 10:18 -0400, Oved Ourfalli wrote:
> >>
> >> ----- Original Message -----
> >>> From: "Sharad Mishra"<snmishra(a)linux.vnet.ibm.com>
> >>> To: "Itamar Heim"<iheim(a)redhat.com>
> >>> Cc: "Oved Ourfalli"<ovedo(a)redhat.com>, users(a)ovirt.org
> >>> Sent: Wednesday, April 11, 2012 4:53:37 PM
> >>> Subject: Re: [Users] Testing LDAP support.
> >>>
> >>> On Tue, 2012-04-10 at 10:55 +0300, Itamar Heim wrote:
> >>>> On 04/10/2012 04:51 AM, Sharad Mishra wrote:
> >>>>> On Mon, 2012-04-09 at 12:38 -0700, Sharad Mishra wrote:
> >>>>>> On Mon, 2012-04-09 at 14:10 -0400, Oved Ourfalli wrote:
> >>>>>>>>>
> >>>>>>>>> When a call is made to construct InitialDirContext with the
> >>>>>>>>> following settings -
> >>>>>>>>>
> >>>>>>>>> {java.naming.provider.url=ldap://ldapserver.ibm.com:389,
> >>>>>>>>> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
> >>>>>>>>> java.naming.security.principal=uid=1234567,c=us,ou=ldapserver,o=ibm.com,
> >>>>>>>>> java.naming.security.authentication=DIGEST-MD5 GSSAPI,
> >>>>>>>>> java.naming.security.credentials=password,
> >>>>>>>>> java.naming.referral=follow,
> >>>>>>>>> java.naming.ldap.attributes.binary=objectGUID}
> >>>>>>>>>
> >>>>>>>
> >>>
> >>> How do I configure the oVirt test setup on my workstation to use LDAP
> >>> for authentication? I looked around the webadmin GUI but could not
> >>> find it.
> >>>
> >>> -Sharad
> >>>
> >> If you are working with an installed oVirt environment, you can
> >> use engine-manage-domains utility in order to add/remove/edit
> >> domains.
> >> It will create the krb5.conf file, update database entries, add
> >> permissions for the user you use, and etc.
> >>
> > I was able to move around some jar files and config files to finally
> > be able to run engine-manage-domains to add new domains. First I ran
> >
> > #./engine-manage-domains -action=list
> > Manage Domains completed successfully
> >
> > I did not get any domain, which makes sense since I only have the
> > default setup. Then I tried
> >
> > #./engine-manage-domains -action=add -domain=bluepages.ibm.com
> > -user=snmishra(a)us.ibm.com -passwordFile=/tmp/.pwd
> >
> > where /tmp/.pwd has my ldap password.
> >
> > I got the following error -
> > Error: Authentication Failed. Please verify the fully qualified domain
> > name that is used for authentication is correct.. Problematic domain is:
> > bluepages.ibm.com Failure while applying Kerberos configuration.
> > Details: Authentication Failed. Please verify the fully qualified domain
> > name that is used for authentication is correct.
> >
> > I also tried "-domain=bluepages.ibm.com:389"
>
> this is kerberos based auth.
Do I need any package/setup on the client machine?
> usual suspects are dns issues.
It doesn't look like it's a DNS issue; I can run ldapsearch from the
command line.
> anything in the manage domains log?
There is nothing in the engine or server logs. Where are the manage
domains logs?
the log is in:
/var/log/ovirt-engine/engine-manage-domains/engine-manage-domains.log
-Sharad
>
> >
> > -Sharad
> >
> >
> >> If, however, you are in a development environment, then currently
> >> it is not easy to run this utility, as it requires some configuration
> >> files and jars that are there when you install the engine, but not
> >> there in a development environment. So, in that case you'll need to
> >> run the following (change the domain name, user name and user guid):
> >> update vdc_options set option_value = '<your domain>' where option_name = 'DomainName';
> >>
> >> update vdc_options set option_value = '<your domain>:<your user>@<your domain>' where option_name = 'AdUserName';
> >>
> >> update vdc_options set option_value = '<your domain>:<user guid>' where option_name = 'AdUserId';
> >>
> >> update vdc_options set option_value = '<your domain>:<your password>' where option_name = 'AdUserPassword';
> >>
> >> insert into permissions (id,role_id,ad_element_id,object_id,object_type_id) values
> >> ('<choose a random guid>','00000000-0000-0000-0000-000000000001','<user guid>','aaa00000-0000-0000-0000-123456789aaa',1);
> >>
> >> Also, you'll have to create a krb5.conf file, and place it in
> >> $JBOSS_HOME/standalone/configuration
> >>
> >> An example for the contents of this file:
> >>
> >> [libdefaults]
> >>
> >> default_realm = EXAMPLE.COM
> >> dns_lookup_realm = false
> >> dns_lookup_kdc = false
> >> ticket_lifetime = 24h
> >> renew_lifetime = 7d
> >> forwardable = no
> >> default_tkt_enctypes = arcfour-hmac-md5
> >> udp_preference_limit = 1
> >>
> >> [realms]
> >>
> >> EXAMPLE.COM = {
> >> kdc = my_host.example.com.:88
> >> }
> >>
> >> [domain_realm]
> >>
> >> example.com = EXAMPLE.COM
> >>
> >> Note that you need to have the following records for your LDAP
> >> server, defined in the DNS:
> >> * LDAP SRV record
> >> * Kerberos SRV record
> >> * PTR record
> >>
> >> (You can use "dnsmasq" if you wish to create those records by
> >> yourself - if you need help with this let me know).
> >>
> >> Oved
> >>>>>>> Can you also attach the jboss log and engine log? (assuming you
> >>>>>>> are testing it in the ovirt-engine environment).
> >>>>>>> They can be helpful, as it might be related to some class
> >>>>>>> loading issue or something similar, and the log might shed
> >>>>>>> light on that.
> >>>>>>>
> >>>>>>
> >>>>> I think it's my setup that is the issue here. I am unable to run
> >>>>> the ldapsearch CLI with the DIGEST-MD5 protocol. I am not sure how
> >>>>> to set up/use a secret key with SASL. I am running my queries
> >>>>> against a production LDAP server on which I have user access. I
> >>>>> tried to look around on the internet but did not get a good hit.
> >>>>
> >>>> Have you tried the Kerberos-based authentication with it?
> >>>> I see it is supposed to have it:
> >>>>
> >>>> http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=%...
> >>>>
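Oved's recipe for a development environment (the vdc_options rows, the krb5.conf, and the LDAP SRV, Kerberos SRV and PTR records) has three places where the same domain, realm and host must agree, and the "Please verify the fully qualified domain name" error Sharad hit is what you get when they do not. The following is an added example, not code from this thread or from the oVirt project: it generates all three artefacts from one set of inputs and cross-checks them. The dnsmasq output follows Oved's hint that dnsmasq can serve those records; the host names, address, user GUID and password are made-up sample values, and the permission id is a freshly generated GUID as the thread asks.

```python
"""Added example (not from the oVirt thread or project): build and
cross-check the vdc_options SQL, krb5.conf and DNS records for a manually
configured LDAP/Kerberos domain. Sample hosts and values are constructed."""
import ipaddress
import re
import uuid

# Role and object ids exactly as they appear in the thread's INSERT.
SUPERUSER_ROLE_ID = "00000000-0000-0000-0000-000000000001"
SYSTEM_OBJECT_ID = "aaa00000-0000-0000-0000-123456789aaa"


def realm_for(domain):
    """Kerberos realms are, by convention, the DNS domain in upper case."""
    return domain.strip(".").upper()


def sql_quote(value):
    """Single-quote a SQL literal, doubling embedded quotes so a password
    containing ' cannot terminate the statement early."""
    return "'" + value.replace("'", "''") + "'"


def vdc_options_sql(domain, user, user_guid, password, perm_id=None):
    """The UPDATE/INSERT statements from the thread, in its value formats."""
    perm_id = perm_id or str(uuid.uuid4())  # "choose a random guid"
    return [
        f"update vdc_options set option_value = {sql_quote(domain)} where option_name = 'DomainName';",
        f"update vdc_options set option_value = {sql_quote(f'{domain}:{user}@{domain}')} where option_name = 'AdUserName';",
        f"update vdc_options set option_value = {sql_quote(f'{domain}:{user_guid}')} where option_name = 'AdUserId';",
        f"update vdc_options set option_value = {sql_quote(f'{domain}:{password}')} where option_name = 'AdUserPassword';",
        "insert into permissions (id,role_id,ad_element_id,object_id,object_type_id) values "
        f"({sql_quote(perm_id)},{sql_quote(SUPERUSER_ROLE_ID)},{sql_quote(user_guid)},{sql_quote(SYSTEM_OBJECT_ID)},1);",
    ]


def krb5_conf(domain, kdc_host, kdc_port=88):
    """Render krb5.conf in the same shape as Oved's example file."""
    realm = realm_for(domain)
    return "\n".join([
        "[libdefaults]",
        f"default_realm = {realm}",
        "dns_lookup_realm = false",
        "dns_lookup_kdc = false",
        "ticket_lifetime = 24h",
        "renew_lifetime = 7d",
        "forwardable = no",
        "default_tkt_enctypes = arcfour-hmac-md5",
        "udp_preference_limit = 1",
        "",
        "[realms]",
        f"{realm} = {{",
        f"  kdc = {kdc_host}:{kdc_port}",
        "}",
        "",
        "[domain_realm]",
        f"{domain} = {realm}",
        "",
    ])


def dnsmasq_records(domain, host, ip, ldap_port=389, kdc_port=88):
    """dnsmasq lines for the three records the thread lists.
    srv-host=_svc._proto.domain,target,port and ptr-record=reverse,target."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # e.g. 10.2.0.192.in-addr.arpa
    return [
        f"srv-host=_ldap._tcp.{domain},{host},{ldap_port}",
        f"srv-host=_kerberos._tcp.{domain},{host},{kdc_port}",
        f"srv-host=_kerberos._udp.{domain},{host},{kdc_port}",
        f"ptr-record={rev},{host}",
    ]


def check_setup(domain, kdc_host, conf_text, dns_lines):
    """Return the mismatches that typically surface as 'Authentication
    Failed. Please verify the fully qualified domain name ...'."""
    problems, realm = [], realm_for(domain)
    if not kdc_host.rstrip(".").endswith("." + domain):
        problems.append(f"kdc host {kdc_host} is not inside {domain}")
    if f"default_realm = {realm}" not in conf_text:
        problems.append("default_realm does not match the domain's realm")
    if f"{domain} = {realm}" not in conf_text:
        problems.append("[domain_realm] does not map the domain to the realm")
    srv_targets, ptr_targets = {}, set()
    for line in dns_lines:
        m = re.match(r"srv-host=([^,]+),([^,]+),(\d+)", line)
        if m:
            srv_targets[m.group(1)] = m.group(2)
        m = re.match(r"ptr-record=[^,]+,(.+)", line)
        if m:
            ptr_targets.add(m.group(1))
    for name in (f"_ldap._tcp.{domain}", f"_kerberos._tcp.{domain}"):
        if name not in srv_targets:
            problems.append(f"missing SRV record {name}")
    for target in set(srv_targets.values()):
        if target not in ptr_targets:
            problems.append(f"no PTR record points back at SRV target {target}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the password is deliberately awkward.
    dom, host, ip = "example.com", "my_host.example.com", "192.0.2.10"
    print("\n".join(vdc_options_sql(dom, "alice", "11111111-2222-3333-4444-555555555555", "p'w")))
    print(krb5_conf(dom, host))
    print("\n".join(dnsmasq_records(dom, host, ip)))
    print("problems:", check_setup(dom, host, krb5_conf(dom, host), dnsmasq_records(dom, host, ip)))
```

Generating everything from one `domain`/`host` pair is the point: if the KDC host lives outside the domain, or the `[domain_realm]` mapping and `default_realm` disagree, `check_setup` names the mismatch before engine-manage-domains does, and the SQL helper quotes the password so a stray `'` does not corrupt the `vdc_options` row.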