----- Original Message -----
From: "Jorick Astrego" <j.astrego@netbulae.eu> To: users@ovirt.org Sent: Thursday, January 22, 2015 2:09:18 PM Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
On 01/22/2015 12:59 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "Jorick Astrego" <j.astrego@ netbulae.eu > To: users@ ovirt.org Sent: Thursday, January 22, 2015 1:41:40 PM Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
On 10/31/2014 02:47 PM, Marcelo Donato wrote:
Below the solution. Resolved By "Alon Bar-Lev" < alonbl@ redhat.com >
1. install ovirt-engine-extension-aaa- ldap, it is available in ovirt-3.5-snapshots repository.
2. create /etc/ovirt-engine/extensions. d/din.intranet-authz. properties
ovirt.engine.extension.name = din-intranet-authz ovirt.engine.extension. bindings.method = jbossmodule ovirt.engine.extension. binding.jbossmodule.module = org.ovirt.engine-extensions. aaa.ldap ovirt.engine.extension. binding.jbossmodule.class = org.ovirt.engineextensions. aaa.ldap.AuthzExtension ovirt.engine.extension. provides = org.ovirt.engine.api. extensions.aaa.Authz config.profile.file.1 = /etc/ovirt-engine/aaa/din. intranet.properties
3. create /etc/ovirt-engine/extensions. d/din.intranet-authn. properties
ovirt.engine.extension.name = din-intranet-authn ovirt.engine.extension. bindings.method = jbossmodule ovirt.engine.extension. binding.jbossmodule.module = org.ovirt.engine-extensions. aaa.ldap ovirt.engine.extension. binding.jbossmodule.class = org.ovirt.engineextensions. aaa.ldap.AuthnExtension ovirt.engine.extension. provides = org.ovirt.engine.api. extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name = din.intranet ovirt.engine.aaa.authn.authz. plugin = din-intranet-authz config.profile.file.1 = /etc/ovirt-engine/aaa/din. intranet.properties
4. create /etc/ovirt-engine/aaa/din. intranet.properties
include = <ipa.properties>
vars.user = uid=admin,cn=users,cn= accounts,dc=din,dc=intranet vars.password = 123456 vars.server = ipa1.din.intranet
pool.default.serverset.single. server = ${global:vars.server} pool.default.auth.simple. bindDN = ${global:vars.user} pool.default.auth.simple. password = ${global:vars.password}
5. restart engine.
Thanks a lot Alon.
Thanks for this, saved me some time!
Just a couple of addtions, please hash the password with SSHA (I really hate plain text admin passwords...) I tried putting an {SSHA} encoded password in " vars.password =" , but it fails to authenticate while plain text works fine. I am unsure I understand. using hash to store password hint at server side makes sense. but using hash to store password at client side does not makes sens, this means that if I get the server database I can authenticate to any user without knowing his password.
Also, please note that the user you specify within configuration should not have any special privilege but to query public objects within ldap.
I don't like storing plain text in textfiles, so I try to avoid it. Even if it is a read only user there are no "public" objects that I like to expose to anyone. I can query groups, group members, e-mail addresses, krbPasswordExpiration, krbLastPwdChange etc. with this user.
So that's why I try to have the bind user password hashed in the properties file.
as I wrote above, storing hash instead of password does not enhance security. it is the same as if you just set the user's password to the hash.
For people with multiple ipa replica's I you guess you need to use:
Round robin configuration: vars.server1 = ipa1.din.intranet vars.server2 = ipa2.din.intranet pool.default.serverset.type = round-robin pool.default.serverset.round-robin.1.server = ${global:vars.server1} pool.default.serverset.round-robin.2.server = ${global:vars.server2}
instead of
vars.server = ipa1.din.intranet pool.default.serverset.single.server = ${global:vars.server} But I still have to test that as our second replica is down at the moment. Correct, there are multiple policies for you to choose from.
Also can we get rid of the internal admin or better just disable internal authenticationt without problems? As we have ipa we don't want local login enabled, but in emergency situations we might need to turn it on quickly. Yes, you can disable the internal by creating /etc/ovirt-engine/engine.conf.d/50-disable-internal.conf
ENGINE_EXTENSION_ENABLED_builtin-authn-internal = false ---
Hmmm.... we have a bug in this case... will fix, so let's just disable the authz for now. --- ENGINE_EXTENSION_ENABLED_internal = false ---
Regards, Alon thanks! that will work.
Met vriendelijke groet, With kind regards,
Jorick Astrego
Netbulae Virtualization Experts
Tel: 053 20 30 270 info@netbulae.eu Staalsteden 4-3A KvK 08198180 Fax: 053 20 30 271 www.netbulae.eu 7547 TA Enschede BTW NL821234584B01
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users