----- Original Message -----
From: "Yaniv Kaul" <ykaul(a)redhat.com>
To: "Thierry Kauffmann" <thierry.kauffmann(a)univ-montp2.fr>
Cc: users(a)ovirt.org
Sent: Monday, December 10, 2012 11:58:30 PM
Subject: Re: [Users] Adding Authentication mechanism to oVirt

Wasn't it going to be deprecated?
http://tools.ietf.org/html/rfc6331
Every IETF can be deprecated using better implementation... :)
For now we need to support this for AD and maybe others.
It is much lighter than using SSL.

I do think the right way is SSL (LDAPS) support. Most LDAP servers
(but Active Directory out of the box) support it.
Y.
We need to support all approaches SIMPLE, SASL(MD5-Digest), LDAPS, StartTLS,
and maybe keep SASL(GSSAPI).
I already wrote a sample to use all, I will share this soon with a quick design
of what needed to be implemented in this regard.
Alon.

Hi,

oVirt presently supports only GSSAPI and SIMPLE authentication
against an LDAP server. The latter is far too weak to be used in a
production environment. The first is only offered as an external
authentication mechanism in many LDAP servers.

I suggest adding DIGEST-MD5 support to oVirt, which is a secure way
of authenticating to an LDAP server and which is a required
authentication mechanism in the LDAPv3 specification (see
http://www.ietf.org/rfc/rfc2829.txt paragraph 4.2).

This would make it possible to access every LDAP server securely
without the need to implement the GSSAPI mechanism.

I also actively suggest adding support for the OpenLDAP Directory
server. It is a widely used LDAP server (and the one we use at our
University, by the way...).

Are there developers wishing to implement such support (DIGEST-MD5
and OpenLDAP)?

Or please tell me what I should do to start implementing it?

Cheers,

Thierry

--
Thierry Kauffmann
Head of the IT Department (SIF) // Faculté des Sciences // Université de Montpellier 2
CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5

Tel: 04 67 14 31 58
email : thierry.kauffmann(a)univ-montp2.fr
web :
http://sif.info-ufr.univ-montp2.fr/
http://www.fdsweb.univ-montp2.fr/

_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
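A small policy helper, added here as an illustration and not code from oVirt or from anyone in this thread, that ranks the bind options Alon lists (SIMPLE, SASL DIGEST-MD5, LDAPS, StartTLS, GSSAPI) against what a server's root DSE advertises, applying Yaniv's preference for an encrypted channel and the RFC 6331 caveat on DIGEST-MD5. The root DSE text below is constructed; the StartTLS extension OID is the standard one from RFC 4511.

```python
"""Choose the safest LDAP bind a server supports. Constructed example."""
from dataclasses import dataclass

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended op, RFC 4511

# Constructed root DSE answer in LDIF form (not captured from a real server).
SAMPLE_ROOT_DSE = """dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedExtension: 1.3.6.1.4.1.1466.20037
"""


@dataclass(frozen=True)
class BindChoice:
    transport: str   # "ldaps", "starttls" or "cleartext"
    mechanism: str   # "GSSAPI", "DIGEST-MD5" or "SIMPLE"
    note: str


def parse_root_dse(ldif: str) -> dict:
    """Turn 'attr: value' lines of a root DSE result into {attr: [values]}.
    Only the plain 'attr: value' form is handled (no '::' base64 values)."""
    attrs: dict = {}
    for line in ldif.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("dn:"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def choose_bind(root_dse: dict, ldaps_available: bool) -> BindChoice:
    """Encrypt the channel first (LDAPS, then StartTLS); over TLS a SIMPLE
    bind is acceptable, GSSAPI still preferred. Over cleartext use GSSAPI,
    fall back to DIGEST-MD5 (historic per RFC 6331), never plain SIMPLE."""
    mechs = {m.upper() for m in root_dse.get("supportedSASLMechanisms", [])}
    if ldaps_available:
        transport = "ldaps"
    elif STARTTLS_OID in root_dse.get("supportedExtension", []):
        transport = "starttls"
    else:
        transport = "cleartext"
    if transport != "cleartext":
        mech = "GSSAPI" if "GSSAPI" in mechs else "SIMPLE"
        return BindChoice(transport, mech, "credentials protected by TLS")
    if "GSSAPI" in mechs:
        return BindChoice(transport, "GSSAPI", "Kerberos; no password on the wire")
    if "DIGEST-MD5" in mechs:
        return BindChoice(transport, "DIGEST-MD5",
                          "password not sent in clear, but mechanism is historic (RFC 6331)")
    raise ValueError("only SIMPLE over cleartext is possible; refusing to bind")
```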