Has anyone had success with that?
On 12/10/2012 10:18 AM, Eduardo Ramos wrote:
Hi dudes!
I was following the model below, but without success. That is my db:
engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword','AdUserId');
 option_id | option_name                | option_value                                               | version
-----------+----------------------------+------------------------------------------------------------+---------
        63 | DomainName                 | ovirt                                                      | general
         8 | AdUserName                 | ovirt:admin                                                | general
       113 | LDAPProviderTypes          | ovirt:ipa                                                  | general
       112 | LdapServers                | ovirt:172.16.21.240                                        | general
       110 | LDAPSecurityAuthentication | ovirt:SIMPLE                                               | general
         9 | AdUserPassword             | ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= | general
(7 rows)
As you can see, my ldap server and domain are internal. That's my ldap
user object:
# admin, Users, Accounts, inpe.br
dn: cn=admin,cn=Users,cn=Accounts,dc=ovirt
givenName: Admin
sn: istrator
uid: admin
userPassword:: e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg=
uidNumber: 1001
gidNumber: 502
homeDirectory: /home/users/admin
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: admin
But the log always returns:
2012-12-10 10:07:00,317 ERROR [org.ovirt.engine.core.bll.adbroker.LdapSearchExceptionHandler] (ajp--0.0.0.0-8009-11) Ldap authentication failed. Please check that the login name , password and path are correct.
2012-12-10 10:07:00,321 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-8) Failed ldap search server ldap://172.16.21.240:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
Am I doing it the right way?
On 12/04/2012 07:07 AM, Oved Ourfalli wrote:
>
> ----- Original Message -----
>> From: "Thierry Kauffmann" <thierry.kauffmann(a)univ-montp2.fr>
>> To: "Oved Ourfalli" <ovedo(a)redhat.com>
>> Cc: "Itamar Heim" <iheim(a)redhat.com>, users(a)ovirt.org
>> Sent: Tuesday, December 4, 2012 10:35:34 AM
>> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>
>> On 04/12/2012 09:09, Oved Ourfalli wrote:
>>
>> ----- Original Message -----
>> From: "Itamar Heim" <iheim(a)redhat.com>
>> To: "Oved Ourfalli" <ovedo(a)redhat.com>
>> Cc: users(a)ovirt.org, "Thierry Kauffmann" <thierry.kauffmann(a)univ-montp2.fr>
>> Sent: Tuesday, December 4, 2012 1:47:52 AM
>> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>
>> On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
>>
>> ----- Original Message -----
>> From: "Thierry Kauffmann" <thierry.kauffmann(a)univ-montp2.fr>
>> To: "cristi falcas" <cristi.falcas(a)gmail.com>
>> Cc: users(a)ovirt.org
>> Sent: Saturday, December 1, 2012 5:56:14 PM
>> Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>
>> Hi,
>>
>> I am currently testing Ovirt 3.1 standalone on Fedora 17.
>>
>> Until now, I could only use the default user admin@internal.
>>
>> Our Directory at the University is OpenLDAP. We use it for
>> authentication
>> WITHOUT Kerberos : Simple authentication.
>>
>> I wonder how to use this backend to authenticate users and manage
>> groups
>> in Ovirt.
>>
>> Has anyone already set this up?
>> How to configure Ovirt to use Simple Authentication (No Kerberos).
>>
>> Cheers,
>>
>> --
>> Thierry Kauffmann
>> Head of IT Services // Faculté des Sciences // Université de Montpellier 2
>> Service informatique de la Faculté des Sciences (SIF)
>> Université de Montpellier 2
>> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
>> Tel : 04 67 14 31 58
>> email : thierry.kauffmann(a)univ-montp2.fr
>> web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/
>> _______________________________________________
>> Users mailing list Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>> Hi,
>>
>> This is a response from an older thread from Yair Zaslavsky:
>>
>> " there is no code allowing to add simple-authentication domains
>> to
>> Manage-Domains.
>> In the past we did have the ability to do that, but there are
>> several
>> problematic issues."
>>
>> Best regards,
>>
>> Hi,
>>
>> correct me if I am wrong, but this wiki page
>> (http://www.ovirt.org/DomainInfrastructure) states clearly:
>>
>> 1. Authenticating Active Directory, IPA and RHDS using either
>> simple or gssapi authentication
>> 2. Querying the directory using the LDAP protocol
>> 3. Auto deducing the LDAP provider type
>> 4. Easily adding new LDAP provider types
>> 5. Easily adding new query types
>>
>> So what?
>>
>> We supported simple authentication in the past, but it is no longer
>> supported, that's why you can't set that using the manage domains
>> utility.
>> It may work well in some providers (in the past we supported that
>> for active directory, so I guess it would work there). I don't think
>> we removed SIMPLE from the engine, we just don't recommend
>> using it, since it doesn't encrypt user/password on the network (it
>> is sometimes useful for debugging).
>>
>> We indeed didn't remove the engine code. We just blocked it from the utility.
>> Once you have a configured oVirt domain, you can set the
>> LDAPSecurityAuthentication configuration parameter (in the
>> vdc_options table), to use simple, by putting a value of:
>> domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE and etc....
>>
>> but, if you want to add a new domain with it then you would need to
>> add it manually (can give a detailed explanation on how, if
>> relevant).
>>
>> Yes, I would like to know how to add directly a domain
>> which is not GSSAPI controlled.
>>
> The vdc_options table is a table containing the configuration values
> of the engine. Among those, there are directory-related configuration
> values:
>
> engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword');
>  option_id | option_name                | option_value                                              | version
> -----------+----------------------------+-----------------------------------------------------------+---------
>          9 | AdUserName                 | domain1:user1,domain2:user2                               | general
>         10 | AdUserPassword             | domain1:password1,domain2:password2                       | general
>        114 | LdapServers                | domain1:ldap_server_address1,domain2:ldap_server_address2 | general
>         64 | DomainName                 | domain1,domain2                                           | general
>        112 | LDAPSecurityAuthentication | domain1:GSSAPI,domain2:SIMPLE                             | general
>        115 | LDAPProviderTypes          | domain1:activeDirectory,domain2:ipa                       | general
>
> AdUserName is the user that will be used to query the directory.
> AdUserPassword is the password that will be used to query the directory.
> LdapServers - the LDAP server that will be used (only one is allowed
> in this configuration. This configuration is optional. If empty, we
> will check the DNS for LDAP SRV records for the relevant domain).
> DomainName - the names of the domains
> LDAPSecurityAuthentication - SIMPLE/GSSAPI
> LDAPProviderTypes - the provider type (activeDirectory/ipa/rhds/itds)
>
> All the entries above are per-domain, in the format domain1:value1,
> domain2:value2 and etc....
>
> If manually adding a GSSAPI domain, you also need to supply a
> krb5.conf file, and put it in the ENGINE_ETC path. If adding a SIMPLE
> domain that isn't necessary.
>
> We haven't worked with simple domain for a while now, so hopefully it
> will work for you as expected.
>
> Let me know if you have further questions.
>
> Oved
>>
>>
>> By default we work GSSAPI (I think the config option is empty by
>> default which is equivalent to working GSSAPI).
>> If/When we would need to support that again it shouldn't be a major
>> effort to add the code... the testing with the different providers
>> will be the hard part.
>>
>> Oved
>>
>> We also don't auto deduce the LDAP provider type anymore, as
>> changes in the providers caused some issues with it.
>>
>> I'll edit the wiki accordingly (btw, I remember removing it from
>> the wiki... so it is weird that it is still there...).
>>
>> Oved
>>
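As an added example (not oVirt code), a small checker that reads the per-domain vdc_options values in the "domain1:value1,domain2:value2" format Oved describes, verifies every domain in DomainName has each option, flags SIMPLE domains because the thread notes SIMPLE does not encrypt user/password on the network, and flags an AdUserPassword that is really a base64-encoded {SSHA} hash: the AdUserPassword value in the first message is byte-for-byte the userPassword:: attribute from the LDIF, i.e. the directory's stored hash rather than the password a bind needs. The sample rows are constructed from that first message; the option names and the "empty means GSSAPI" rule are taken from the thread.

```python
"""Consistency check for the per-domain LDAP options in oVirt 3.1's vdc_options.
Added example, not oVirt code; it assumes the 'domain1:value1,domain2:value2'
format and option names described in the thread (empty auth means GSSAPI)."""
import base64

PER_DOMAIN = ("AdUserName", "AdUserPassword", "LdapServers",
              "LDAPSecurityAuthentication", "LDAPProviderTypes")
HASH_PREFIXES = tuple(p.encode() for p in ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}"))


def parse_per_domain(value):
    """'d1:v1,d2:v2' -> {'d1': 'v1', 'd2': 'v2'}; split on the first ':' only."""
    result = {}
    for item in (p.strip() for p in value.split(",")):
        if item:
            domain, _, val = item.partition(":")
            result[domain] = val
    return result


def is_directory_hash(secret):
    """True if the 'password' is a base64-encoded {SSHA}-style userPassword hash,
    as copied from an LDIF 'userPassword::' line, rather than the bind password."""
    try:
        return base64.b64decode(secret, validate=True).startswith(HASH_PREFIXES)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def check_vdc_options(rows):
    """rows: {option_name: option_value} as read from vdc_options. Returns findings."""
    findings = []
    opts = {o: parse_per_domain(rows.get(o, "")) for o in PER_DOMAIN}
    for d in (x.strip() for x in rows.get("DomainName", "").split(",") if x.strip()):
        for o in PER_DOMAIN:
            if d not in opts[o]:
                findings.append(f"{d}: no {o} entry")
        if (opts["LDAPSecurityAuthentication"].get(d) or "GSSAPI") == "SIMPLE":
            server = opts["LdapServers"].get(d, "server from DNS SRV")
            findings.append(f"{d}: SIMPLE bind sends the AdUserName password in cleartext to {server}")
        if is_directory_hash(opts["AdUserPassword"].get(d, "")):
            findings.append(f"{d}: AdUserPassword is a directory password hash, not the bind password")
    return findings


# Sample rows constructed from the first message in the thread.
EDUARDO_ROWS = {
    "DomainName": "ovirt", "AdUserName": "ovirt:admin", "LDAPProviderTypes": "ovirt:ipa",
    "LdapServers": "ovirt:172.16.21.240", "LDAPSecurityAuthentication": "ovirt:SIMPLE",
    "AdUserPassword": "ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg=",
}
```

Running check_vdc_options(EDUARDO_ROWS) reports both the cleartext SIMPLE bind to 172.16.21.240 and the hashed AdUserPassword; a bind with the directory's own hash as the password cannot succeed, whichever provider type is set.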