Hello LDAP Users,
If you migrated from 3.4 or if you used engine-managed-domains to add LDAP support into
engine - this message is for you.
In 3.5 we introduced a new LDAP provider[1][2], it is superset of the previous
implementation, highlights includes:
* Better response times.
* Simplicity, Use of LDAP protocol only - kerberos is no longer needed.
* More LDAP implementations are supported.
* Flexible configuration, can be customized on site to support special setups.
* Supportability, better logs and feedbacks to enable remote support.
* Variety of fallback policies, examples: srvrecord, failover, round-robin and more.
* Active Directory: supports multiple domain in forest.
In 3.5 the previous LDAP provider is marked as legacy, users' issues will be resolved
by migration to the new provider.
Upgrade to 4.0 will not be possible if legacy provider is being used.
The new provider is working without any issue for quite some time, we would like to
eliminate the remaining usage of the legacy provider as soon as possible.
A tool was created[3] to automate the process, it should perform everything in safe and
automatic process, while enables customization if such required. The one prerequisite that
we could not automate easily is obtaining the CA certificate used by the LDAP server to
communicate using SSL/TLS, you should acquire this manually and provide it as parameter.
We (Ondra CCed and I) will help anyone that is experiencing issues with the process,
please do not delay migration to the point it becomes emergency.
Let's define a virtual goal -- in 1 month no legacy LDAP usage anywhere.
Regards,
Alon Bar-Lev.
[1]
http://www.ovirt.org/Features/AAA
[2]
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b...
[3]
https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases