----- Original Message -----
From: "Daniel Helgenberger"
<daniel.helgenberger(a)m-box.de>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>, "users"
<users(a)ovirt.org>
Sent: Thursday, August 6, 2015 1:24:23 PM
Subject: Re: [ovirt-users] [ATN] LDAP Users please read
Hello Alon,
On 04.08.2015 09:56, Alon Bar-Lev wrote:
> Hello LDAP Users,
>
> If you migrated from 3.4 or if you used engine-managed-domains to add LDAP
> support into engine - this message is for you.
>
> In 3.5 we introduced a new LDAP provider[1][2]; it is a superset of the
> previous implementation. Highlights include:
> * Better response times.
> * Simplicity: use of the LDAP protocol only - Kerberos is no longer needed.
> * More LDAP implementations are supported.
> * Flexible configuration, can be customized on site to support special
> setups.
> * Supportability: better logs and feedback to enable remote support.
> * Variety of fallback policies, examples: srvrecord, failover,
> round-robin and more.
> * Active Directory: supports multiple domains in a forest.
>
> In 3.5 the previous LDAP provider is marked as legacy, users' issues will
> be resolved by migration to the new provider.
>
> Upgrade to 4.0 will not be possible if legacy provider is being used.
>
> The new provider is working without any issue for quite some time, we would
> like to eliminate the remaining usage of the legacy provider as soon as
> possible.
>
> A tool was created[3] to automate the process; it should perform everything
> in a safe and automatic process, while enabling customization if
> required. The one prerequisite that we could not automate easily is
> obtaining the CA certificate used by the LDAP server to communicate using
> SSL/TLS; you should acquire this manually and provide it as a parameter.
>
> We (Ondra CCed and I) will help anyone that is experiencing issues with the
> process, please do not delay migration to the point it becomes emergency.
>
> Let's define a virtual goal -- in 1 month no legacy LDAP usage anywhere.
>
> Regards,
> Alon Bar-Lev.
>
> [1] http://www.ovirt.org/Features/AAA
> [2] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b...
Sorry for the ignorance on my part, but I tried once more and could not
find any qualified docs/howtos on the new AAA feature.
This readme is the only thing which comes close so far, but running
Engine 3.5.3 at least my installation is missing
/usr/share/ovirt-engine-extension-aaa-ldap*/examples
Does the tool run without them?
The new provider is distributed as standalone and optional package, please install
ovirt-engine-extension-aaa-ldap and you will be set up.
As for my part, I only need engine authentication domains; I used:
engine-manage-domains add --domain ...
Should I migrate to the new provider?
Yes, this is exactly the reason why I sent this message, all 3.5 installations should
migrate to the new provider so we can provide better service and support.
I will be happy to assist.
Regards,
Alon
Thanks;
> [3] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
--
Daniel Helgenberger
m box bewegtbild GmbH
P: +49/30/2408781-22
F: +49/30/2408781-10
ACKERSTR. 19
D-10115 BERLIN
www.m-box.de www.monkeymen.tv
Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767
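The one manual prerequisite Alon mentions, obtaining the CA certificate of the LDAP server, is where migrations most often stall: the chain an LDAPS server presents usually ends at an intermediate rather than at the root, and a certificate pulled over the very connection you want to authenticate cannot by itself anchor trust in that connection. The script below is an added example, not code from this thread, from oVirt or from the migration tool. It fetches the chain the server presents, splits it into PEM files, and verifies the server certificate against the CA file you intend to hand to the tool. The host name, port and the CA_FILE variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the oVirt thread or the migration tool).
# Fetch the certificate chain an LDAPS server presents, split it into PEM
# files, and verify the server certificate against a candidate CA file.
# LDAP_HOST/LDAP_PORT/CA_FILE are assumed names; set them for your site.

LDAP_HOST="${LDAP_HOST:-ldap.example.com}"   # assumption: replace with your LDAP/AD server
LDAP_PORT="${LDAP_PORT:-636}"                 # LDAPS default port

# split_pem DIR: copy every PEM certificate block read from stdin into
# DIR/cert-N.pem (N starts at 1, N=1 is the server's own certificate) and
# print the number of blocks written to stdout.
split_pem() {
    outdir="$1"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inblock = 1 }
        inblock                       { print > f }
        /-----END CERTIFICATE-----/   { inblock = 0; close(f) }
        END                           { print n + 0 }'
}

# fetch_chain: print the chain the server presents (PEM blocks) to stdout.
# -servername sends SNI, which some front ends need to pick the right cert.
fetch_chain() {
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -servername "$LDAP_HOST" \
        -showcerts </dev/null 2>/dev/null
}

# verify_against_ca LEAF CA [UNTRUSTED]: return 0 if LEAF chains to CA,
# using the intermediates in UNTRUSTED (if any) to complete the chain.
verify_against_ca() {
    leaf="$1"; ca="$2"; untrusted="$3"
    if [ -n "$untrusted" ] && [ -s "$untrusted" ]; then
        openssl verify -CAfile "$ca" -untrusted "$untrusted" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1
    fi
}

# check_ldap_ca CA_FILE: end-to-end check of a candidate CA file.
check_ldap_ca() {
    ca="$1"
    work=$(mktemp -d)
    count=$(fetch_chain | split_pem "$work")
    if [ "$count" -eq 0 ]; then
        echo "no certificate received from $LDAP_HOST:$LDAP_PORT" >&2
        return 1
    fi
    # Everything after cert-1 is an intermediate the server chose to send.
    : > "$work/untrusted.pem"
    i=2
    while [ "$i" -le "$count" ]; do
        cat "$work/cert-$i.pem" >> "$work/untrusted.pem"
        i=$((i + 1))
    done
    echo "server certificate (cert-1):"
    openssl x509 -noout -subject -issuer -enddate -in "$work/cert-1.pem"
    echo "candidate CA file $ca:"
    openssl x509 -noout -subject -fingerprint -sha256 -in "$ca"
    if verify_against_ca "$work/cert-1.pem" "$ca" "$work/untrusted.pem"; then
        echo "OK: server certificate chains to $ca ($count certificate(s) presented)"
    else
        echo "FAIL: $ca does not validate the server certificate" >&2
        echo "      (wrong CA, or an intermediate is missing from the chain)" >&2
        return 1
    fi
}

# Run only when a CA file is given, e.g.:
#   CA_FILE=ca.pem LDAP_HOST=dc1.corp.example sh check-ldap-ca.sh
if [ -n "${CA_FILE:-}" ]; then
    check_ldap_ca "$CA_FILE"
fi
```

If the verify step fails, the file is either the wrong CA or an intermediate is missing. Obtain the root of the issuing CA out of band (from the directory administrators, or exported from the CA itself) and compare its SHA-256 fingerprint with what the script prints; do not simply take the last certificate the server sends as the trust anchor, since whatever a man-in-the-middle presents would pass that test just as well. Note that `openssl verify` checks the chain and validity dates but not that the host name matches the certificate; compare the subject alternative names against the server name you configure separately.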