Re: [ovirt-users] AAA LDAP Authentication

From: "David Smith" <dsmith(a)mypchelp.com&gt; To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; Cc: "users" <users(a)ovirt.org&gt; Sent: Wednesday, May 6, 2015 12:49:09 AM Subject: Re: [ovirt-users] AAA LDAP Authentication I added that to the end, since there wasn't any reference on it as to where to put it; I restarted the engine and didn't notice any changes, the namespace still reads the same as before, and no users show up Note that in the field to the right of namespace it's blank, whereby with "internal" or our other pre-aaa ldap config it shows "*" and can be changed to a username as a filter, in this case it doesn't allow me to enter anything On Tue, May 5, 2015 at 2:34 PM, Alon Bar-Lev <alonbl(a)redhat.com&gt; wrote: > > I beginning to understand... although I cannot figure out how login works > while search not. > > Anyway, try to add this to your profile: > > sequence-init.init.900-local-init-vars = local-init-vars > sequence.local-init-vars.010.description = override name space > sequence.local-init-vars.010.type = var-set > sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault > sequence.local-init-vars.010.var-set.value = > cn=users,cn=accounts,dc=corp,dc=ft,dc=com > sequence.local-init-vars.020.description = apply filter to users > sequence.local-init-vars.020.type = var-set > sequence.local-init-vars.020.var-set.variable = simple_filterUserObject > sequence.local-init-vars.020.var-set.value = > ${seq:simple_filterUserObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com) > sequence.local-init-vars.030.description = apply filter to groups > sequence.local-init-vars.030.type = var-set > sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject > sequence.local-init-vars.030.var-set.value = > ${seq:simple_filterGroupObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com) > > > ----- Original Message ----- > > From: "David Smith" <dsmith(a)mypchelp.com&gt; > > To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; > > Cc: "users" <users(a)ovirt.org&gt; > > Sent: Wednesday, May 6, 2015 12:17:59 AM > > Subject: Re: [ovirt-users] AAA LDAP Authentication > > > > I can log into ovirt, I can see the profile, it doesn't throw any errors. > > However, it doesn't display any users. This is because the automatic > rootDN > > is wrong. > > oVirt shows "Namespace: dc=corp, dc=ft, dc=com" if this is the search > base > > it actually needs to be cn=users, cn=accounts, dc=corp, dc=ft, dc=com > > Hence my desire to configure rootDN > > > > Then, I also want to filter based on the above (sorry the traffic part > was > > a comment from testlink, the line should be) > > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; > > That filter is was makes sure the results only show users in the specific > > group I want to give access to. > > > > Thanks, > > David > > > > On Tue, May 5, 2015 at 2:08 PM, Alon Bar-Lev <alonbl(a)redhat.com&gt; wrote: > > > > > Hi, > > > > > > So your configuration is working, just you want to filter users? > > > > > > I do not follow what organization filter is. > > > > > > > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; // > e.g. > > > > '(organizationname=*Traffic)' > > > > > > It looks to me that you want to narrow the results based on specific > > > attribute value. > > > > > > But first you should confirm that all is working for you, only then we > can > > > start customize the provider to meet your special needs. > > > > > > Thanks, > > > Alon. > > > > > > ----- Original Message ----- > > > > From: "David Smith" <dsmith(a)mypchelp.com&gt; > > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; > > > > Cc: "users" <users(a)ovirt.org&gt; > > > > Sent: Wednesday, May 6, 2015 12:01:28 AM > > > > Subject: Re: [ovirt-users] AAA LDAP Authentication > > > > > > > > Hi Alon, > > > > > > > > Thanks for the quick reply. > > > > openldap works fine; I use it with testlink (as shown in the example > > > > config). We're not using active directory; Just LDAP. The example > config > > > I > > > > provided is fully inclusive of all configuration required for > "testlink" > > > to > > > > use LDAP, I also have jenkins and mantis configured using the same > > > > parameters (although their terminology on where to enter the > parameters > > > is > > > > varied, they use all the same information) > > > > > > > > The rootDSE is being determined automatically; however for my use > it's > > > > wrong and needs to be provided manually. Again, I have no control > over > > > > this. It's a company-wide configuration that won't be changed just > for > > > me. > > > > > > > > How would I be able to specify the organization filter line if I > added > > > some > > > > other include directive of whatever driver? I don't even understand > what > > > > you're saying, exactly. Not all ovirt users/managers are programming > > > > experts. > > > > > > > > I use LDAPS because thats what my company supports. StartTLS is NOT > > > > supported (as I stated). Silly on their part, right? > > > > > > > > Thanks, > > > > David > > > > > > > > On Tue, May 5, 2015 at 1:18 PM, Alon Bar-Lev <alonbl(a)redhat.com&gt; > wrote: > > > > > > > > > Hello, > > > > > > > > > > Resources includes sysadmin documentation[1], integrator > > > documentation[2], > > > > > overview[3], examples[4]. > > > > > > > > > > You did not specify what LDAP vendor it is. > > > > > > > > > > I can guess your directory is Active Directory, hence all you need > to > > > do > > > > > is follow the "QUICK START"[5]. > > > > > > > > > > The rootDSE is determined automatically, all you need is to > provide a > > > > > valid user and password. > > > > > > > > > > What you are missing in your configuration is the include > directive of > > > the > > > > > proper driver. > > > > > Not sure why you use LDAPS and not LDAP with startTLS, startTLS is > more > > > > > flexible and should be used unless there is an issue. > > > > > > > > > > Alon > > > > > > > > > > [1] > > > > > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b... > > > > > [2] > > > > > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b... > > > > > [3] http://www.ovirt.org/Features/AAA > > > > > [4] > > > > > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=t... > > > > > [5] > > > > > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b... > > > > > > > > > > ----- Original Message ----- > > > > > > From: "David Smith" <dsmith(a)mypchelp.com&gt; > > > > > > To: "users" <users(a)ovirt.org&gt; > > > > > > Sent: Tuesday, May 5, 2015 11:09:25 PM > > > > > > Subject: [ovirt-users] AAA LDAP Authentication > > > > > > > > > > > > I'm trying to set up the new 3.5 AAA LDAP Auth, but it's lacking > some > > > > > serious > > > > > > detail in documentation, the rest is java-programmer-oriented > docs > > > only > > > > > that > > > > > > I can find; > > > > > > > > > > > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git > > > > > > > > > > > > Here's a sample config (sanitized) that I need to adapt to > ovirt; *I > > > > > HAVE NO > > > > > > control over the LDAP server. > > > > > > > > > > > > So far I've managed to figure out through search after search to > use > > > > > LDAPS > > > > > > (TLS isn't an option, thanks!) > > > > > > Two parts I can't figure out; setting rootDN and setting the > > > organization > > > > > > filter-- members of that particular organization should have > access > > > to > > > > > > ovirt, and none others. > > > > > > > > > > > > vars.server = directory.ft.com > > > > > > > > > > > > # > > > > > > # Search user and its password. > > > > > > # > > > > > > vars.user = > > > uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com > > > > > > vars.urootdn = cn=users,cn=accounts,dc=corp,dc=ft,dc=com > > > > > > vars.password = Ft###### > > > > > > > > > > > > pool.default.serverset.single.server = ${global:vars.server} > > > > > > pool.default.serverset.single.port = 636 > > > > > > pool.default.auth.simple.bindDN = ${global:vars.user} > > > > > > pool.default.auth.simple.rootDN = ${global:vars.urootdn} > > > > > > pool.default.auth.simple.password = ${global:vars.password} > > > > > > > > > > > > # enable SSL > > > > > > pool.default.ssl.enable = true > > > > > > #pool.default.ssl.insecure = false > > > > > > > > > > > > # Create keystore, import certificate chain and uncomment > > > > > > # if using ssl/tls. > > > > > > #pool.default.ssl.startTLS = true > > > > > > pool.default.ssl.truststore.file = > > > > > > ${local:_basedir}/${global:vars.server}.jks > > > > > > pool.default.ssl.truststore.password = changeit > > > > > > > > > > > > > > > > > > example config from testlink > > > > > > $tlCfg->authentication['method'] = 'LDAP'; > > > > > > > > > > > > /** LDAP authentication credentials */ > > > > > > $tlCfg->authentication['ldap_server'] = 'ldaps:// > directory.ft.com > > > '; > > > > > > $tlCfg->authentication['ldap_port'] = '636'; > > > > > > $tlCfg->authentication['ldap_version'] = '3'; > > > > > > $tlCfg->authentication['ldap_root_dn'] = > > > > > > 'cn=users,cn=accounts,dc=corp,dc=ft,dc=com'; > > > > > > $tlCfg->authentication['ldap_bind_dn'] = > > > > > > 'uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com'; > > > > > > $tlCfg->authentication['ldap_bind_passwd'] = 'Ft######'; > > > > > > $tlCfg->authentication['ldap_tls'] = false; // true -> use tls > > > > > > $tlCfg->authentication['ldap_organization'] = > > > > > > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; > // > > > e.g. > > > > > > '(organizationname=*Traffic)' > > > > > > $tlCfg->authentication['ldap_uid_field'] = 'uid'; // Use > > > > > 'sAMAccountName' for > > > > > > Active Directory > > > > > > > > > > > > _______________________________________________ > > > > > > Users mailing list > > > > > > Users(a)ovirt.org > > > > > > http://lists.ovirt.org/mailman/listinfo/users > > > > > > > > > > > > > > > > > > > > >