
On 01/22/2015 01:13 PM, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Jorick Astrego" <j.astrego@netbulae.eu>
>> To: users@ovirt.org
>> Sent: Thursday, January 22, 2015 2:09:18 PM
>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>>
>> On 01/22/2015 12:59 PM, Alon Bar-Lev wrote:
>>> ----- Original Message -----
>>>> From: "Jorick Astrego" <j.astrego@netbulae.eu>
>>>> To: users@ovirt.org
>>>> Sent: Thursday, January 22, 2015 1:41:40 PM
>>>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>>>>
>>>> On 10/31/2014 02:47 PM, Marcelo Donato wrote:
>>>>
>>>> Below the solution. Resolved by "Alon Bar-Lev" <alonbl@redhat.com>
>>>>
>>>> 1. install ovirt-engine-extension-aaa-ldap, it is available in the
>>>> ovirt-3.5-snapshots repository.
>>>>
>>>> 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties
>>>>
>>>> ovirt.engine.extension.name = din-intranet-authz
>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>>>>
>>>> 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties
>>>>
>>>> ovirt.engine.extension.name = din-intranet-authn
>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>>> ovirt.engine.aaa.authn.profile.name = din.intranet
>>>> ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>>>>
>>>> 4. create /etc/ovirt-engine/aaa/din.intranet.properties
>>>>
>>>> include = <ipa.properties>
>>>>
>>>> vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
>>>> vars.password = 123456
>>>> vars.server = ipa1.din.intranet
>>>>
>>>> pool.default.serverset.single.server = ${global:vars.server}
>>>> pool.default.auth.simple.bindDN = ${global:vars.user}
>>>> pool.default.auth.simple.password = ${global:vars.password}
>>>>
>>>> 5. restart engine.
>>>>
>>>> Thanks a lot Alon.
>>>>
>>>> Thanks for this, saved me some time!
>>>>
>>>> Just a couple of additions, please hash the password with SSHA (I really
>>>> hate plain text admin passwords...)
>>>> I tried putting an {SSHA} encoded password in "vars.password =", but it
>>>> fails to authenticate while plain text works fine.
>>> I am unsure I understand.
>>> using hash to store password hint at server side makes sense.
>>> but using hash to store password at client side does not make sense, this
>>> means that if I get the server database I can authenticate to any user
>>> without knowing his password.
>>>
>>> Also, please note that the user you specify within configuration should not
>>> have any special privilege but to query public objects within ldap.
>> I don't like storing plain text in text files, so I try to avoid it. Even
>> if it is a read-only user there are no "public" objects that I like to
>> expose to anyone. I can query groups, group members, e-mail addresses,
>> krbPasswordExpiration, krbLastPwdChange etc. with this user.
>>
>> So that's why I try to have the bind user password hashed in the
>> properties file.
> as I wrote above, storing hash instead of password does not enhance security.
> it is the same as if you just set the user's password to the hash.

Ah yes, silly me. You are absolutely right. It has been such a long
habit... But it does help when people intercept the traffic. Does the
ldap plugin send it hashed to the ldap server?

I think FreeIPA supports salted sha512 but I'm not entirely sure.

You'll probably say that I need to enable TLS, but there have been many
weaknesses in ssl and MITM issues. So more is always better in a
security perspective.

With kind regards,

Jorick Astrego

Netbulae Virtualization Experts
----------------
Tel: 053 20 30 270	info@netbulae.eu	Staalsteden 4-3A	KvK 08198180
Fax: 053 20 30 271	www.netbulae.eu	7547 TA Enschede	BTW NL821234584B01
----------------
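The exchange above turns on two facts about LDAP simple bind that are easy to take on faith: the server can keep the bind user's password as a salted hash, but the client has to present the cleartext, so an {SSHA} string in vars.password is simply a different (wrong) password; and the simple BindRequest (RFC 4511, section 4.2) carries that cleartext as a plain OCTET STRING, which is why the password is readable by anyone who can see the unencrypted connection. The following Python is an added illustration written for this thread, not code from oVirt, ovirt-engine-extension-aaa-ldap or FreeIPA: it models the server side with an RFC 2307 style {SSHA} userPassword value and a fixed, constructed salt, encodes a simple BindRequest by hand, and checks what ends up on the wire. The bind DN is the one from the thread; the salt, message ID and helper names are assumptions.

```python
"""
Added example for the oVirt/FreeIPA bind-password discussion (not from the
original thread or any project). Assumptions: the LDAP server stores the
bind user's password as an RFC 2307 style '{SSHA}' value and verifies a
simple bind by re-hashing the received cleartext with the stored salt.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Bind DN exactly as it appears in the thread's din.intranet.properties.
BIND_DN = "uid=admin,cn=users,cn=accounts,dc=din,dc=intranet"

# Constructed, fixed salt so the example is reproducible; real servers pick a random one.
DEMO_SALT = bytes(range(8))


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an RFC 2307 style userPassword value: '{SSHA}' + base64(sha1(pw || salt) || salt)."""
    salt = secrets.token_bytes(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(presented: str, stored: str) -> bool:
    """Server-side check of a simple bind: re-hash the *presented* cleartext with the stored salt."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} userPassword value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(presented.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def _ber(tag: int, content: bytes) -> bytes:
    """Minimal BER TLV with definite length (short and long forms)."""
    n = len(content)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest { version 3, name, simple password } } (RFC 4511)."""
    bind_request = _ber(
        0x60,                                       # [APPLICATION 0] BindRequest, constructed
        _ber(0x02, b"\x03")                         # version INTEGER 3
        + _ber(0x04, bind_dn.encode("utf-8"))       # name LDAPDN (OCTET STRING)
        + _ber(0x80, password.encode("utf-8")),     # authentication: simple [0] OCTET STRING
    )
    return _ber(0x30, _ber(0x02, bytes([message_id])) + bind_request)


def password_on_the_wire(pdu: bytes, password: str) -> bool:
    """True when the cleartext password appears verbatim inside the encoded PDU."""
    return password.encode("utf-8") in pdu


def bind_outcomes(cleartext: str) -> dict:
    """Replay the thread: server keeps {SSHA}; client tries the cleartext, then the hash string itself."""
    stored = ssha_hash(cleartext, salt=DEMO_SALT)
    pdu = simple_bind_request(1, BIND_DN, cleartext)
    return {
        "cleartext_bind_ok": ssha_verify(cleartext, stored),      # what the working config does
        "hash_as_password_ok": ssha_verify(stored, stored),      # {SSHA}... in vars.password: fails
        "cleartext_on_wire": password_on_the_wire(pdu, cleartext),  # simple bind is not hashed in transit
    }


if __name__ == "__main__":
    for key, value in bind_outcomes("123456").items():
        print(f"{key}: {value}")
```

The third flag is the answer to the question in the last message: a simple bind does not hash anything on the way to the server, so the only thing that keeps the bind password out of a capture is transport protection (TLS or StartTLS) on the LDAP connection, together with the advice already given in the thread to bind with an account that can do nothing beyond the lookups the engine needs.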