
----- Original Message -----
From: "Yaniv Kaul" <ykaul@redhat.com>
To: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr>
Cc: users@ovirt.org
Sent: Monday, December 10, 2012 11:58:30 PM
Subject: Re: [Users] Adding Authentication mechanism to oVirt

Wasn't it going to be deprecated? http://tools.ietf.org/html/rfc6331

Every IETF can be deprecated using a better implementation... :)
For now we need to support this for AD and maybe others. It is much lighter than using SSL.

I do think the right way is SSL (LDAPS) support. Most LDAP servers (but Active Directory out of the box) support it.
Y.

We need to support all approaches: SIMPLE, SASL(MD5-Digest), LDAPS, StartTLS, and maybe keep SASL(GSSAPI).
I already wrote a sample to use all; I will share this soon with a quick design of what needs to be implemented in this regard.
Alon.

Hi,

oVirt presently supports only GSSAPI and SIMPLE authentication against an LDAP server. The latter is far too weak to be used in a production environment. The first is only offered as an external authentication mechanism in many LDAP servers.

I suggest adding DIGEST-MD5 support to oVirt, which is a secure way of authenticating to an LDAP server and which is a required authentication mechanism in the LDAPv3 specification (see http://www.ietf.org/rfc/rfc2829.txt paragraph 4.2).

This would make it possible to access every LDAP server securely without the need to implement the GSSAPI mechanism.

I also actively suggest adding support for the OpenLDAP directory server. It is a widely used LDAP server (and the one we use at our University, by the way...).

Are there developers wishing to implement such support (DIGEST-MD5 and OpenLDAP)?

Or please tell me what I should do to start implementing it?

Cheers,

Thierry

--
Thierry Kauffmann
Head of the IT Department // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences
UM2 - Université de Montpellier 2
CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tel: 04 67 14 31 58
email: thierry.kauffmann@univ-montp2.fr
web: http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
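The thread weighs DIGEST-MD5 (proposed by Thierry, and what RFC 6331 moved to historic status) against SIMPLE binds over LDAPS or StartTLS. The following is an added example, not code from the thread or from oVirt: it works the RFC 2831 challenge/response arithmetic through in Python, on both the client side and the verifier side, using the sample exchange printed in RFC 2831 section 4 as constructed input. It shows the two properties the discussion turns on: the password itself never crosses the wire (the client sends a nonce-bound MD5 response), but the server must hold a password-equivalent hash per user, and a captured exchange still allows offline guessing over MD5, which is why LDAPS/StartTLS remains the safer transport for any bind mechanism.

```python
"""DIGEST-MD5 (RFC 2831) challenge/response arithmetic, worked end to end.

Constructed example: the constants below are the exchange printed in
RFC 2831 section 4, so the values computed here can be compared with the
RFC's own figures. Nothing here talks to a real LDAP server.
"""
import hashlib
import secrets
from typing import Optional


def _h(data: bytes) -> bytes:
    """H(): the raw 16-byte MD5 digest, as RFC 2831 defines it."""
    return hashlib.md5(data).digest()


def _hexh(data: bytes) -> str:
    """HEX(H()): lowercase hex of the MD5 digest."""
    return hashlib.md5(data).hexdigest()


def user_realm_hash(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password).

    This is the only secret a DIGEST-MD5 verifier needs per user, which is
    why an LDAP server offering the mechanism must keep it (or the cleartext
    password) in its store. It is password-equivalent: anyone who reads it
    can authenticate as the user without knowing the password.
    """
    return _h(f"{username}:{realm}:{password}".encode("utf-8"))


def _a1(urh: bytes, nonce: str, cnonce: str, authzid: Optional[str]) -> bytes:
    # A1 concatenates the *binary* user/realm hash with the nonces; using the
    # hex form here (as HTTP Digest does) is the classic interop bug.
    a1 = urh + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    return a1


def digest_response(urh: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                    digest_uri: str, authzid: Optional[str] = None,
                    *, rspauth: bool = False) -> str:
    """response-value (client) or rspauth (server), RFC 2831 2.1.2.1 / 2.1.3.

    The two differ only in A2: the server's proof omits the "AUTHENTICATE"
    method token, so a captured client response cannot be replayed as rspauth.
    """
    a2 = (b":" if rspauth else b"AUTHENTICATE:") + digest_uri.encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    ha1 = _hexh(_a1(urh, nonce, cnonce, authzid))
    ha2 = _hexh(a2)
    # KD(k, s) = H(k ":" s)
    return _hexh(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8"))


def client_response(username: str, realm: str, password: str, nonce: str,
                    cnonce: str, nc: str, qop: str, digest_uri: str) -> str:
    """What the client sends: the password itself never leaves the client."""
    urh = user_realm_hash(username, realm, password)
    return digest_response(urh, nonce, cnonce, nc, qop, digest_uri)


def server_verify(stored_urh: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                  digest_uri: str, presented: str) -> Optional[str]:
    """Check the client's response using only the stored hash.

    Returns the rspauth value on success (a client should insist on it: it is
    the only evidence in plain DIGEST-MD5 that the server knows the secret
    too), or None on failure. Comparison is constant-time.
    """
    expected = digest_response(stored_urh, nonce, cnonce, nc, qop, digest_uri)
    if not secrets.compare_digest(expected, presented):
        return None
    return digest_response(stored_urh, nonce, cnonce, nc, qop, digest_uri, rspauth=True)


# Constructed from the example exchange in RFC 2831 section 4.
RFC2831_EXAMPLE = {
    "username": "chris", "realm": "elwood.innosoft.com", "password": "secret",
    "nonce": "OA6MG9tEQGm2hh", "cnonce": "OA6MHXh6VqTrRk", "nc": "00000001",
    "qop": "auth", "digest_uri": "imap/elwood.innosoft.com",
}


def rfc2831_exchange() -> tuple:
    """Run the RFC's exchange: returns (client response, server rspauth)."""
    e = RFC2831_EXAMPLE
    resp = client_response(e["username"], e["realm"], e["password"], e["nonce"],
                           e["cnonce"], e["nc"], e["qop"], e["digest_uri"])
    stored = user_realm_hash(e["username"], e["realm"], e["password"])
    rspauth = server_verify(stored, e["nonce"], e["cnonce"], e["nc"], e["qop"],
                            e["digest_uri"], resp)
    return resp, rspauth


if __name__ == "__main__":
    print(rfc2831_exchange())
```

Running the module prints the response and rspauth values for the RFC's example; the verifier side only ever touches `user_realm_hash`, which is the point a deployer should weigh: enabling DIGEST-MD5 on the directory means storing reversible-equivalent credentials, whereas a SIMPLE bind over LDAPS or StartTLS lets the server keep salted, slow password hashes.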