On 04/12/2012 09:09, Oved Ourfalli wrote:
----- Original Message -----
> From: "Itamar Heim" <iheim(a)redhat.com>
> To: "Oved Ourfalli" <ovedo(a)redhat.com>
> Cc: users(a)ovirt.org, "Thierry Kauffmann" <thierry.kauffmann(a)univ-montp2.fr>
> Sent: Tuesday, December 4, 2012 1:47:52 AM
> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>
> On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
>>
>> ----- Original Message -----
>>> From: "Thierry Kauffmann" <thierry.kauffmann(a)univ-montp2.fr>
>>> To: "cristi falcas" <cristi.falcas(a)gmail.com>
>>> Cc: users(a)ovirt.org
>>> Sent: Saturday, December 1, 2012 5:56:14 PM
>>> Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>>
>>> Hi,
>>>
>>> I am currently testing Ovirt 3.1 standalone on Fedora 17.
>>>
>>> Until now, I could only use the default user admin@internal.
>>>
>>> Our Directory at the University is OpenLDAP. We use it for authentication
>>> WITHOUT Kerberos : Simple authentication.
>>>
>>> I wonder how to use this backend to authenticate users and manage groups
>>> in Ovirt.
>>>
>>> Has anyone already set this up ?
>>> How to configure Ovirt to use Simple Authentication (No Kerberos).
>>>
>>> Cheers,
>>>
>>> --
>>> Thierry Kauffmann
>>> Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
>>>
>>> Service informatique de la Faculté des Sciences (SIF)
>>> Université de Montpellier 2
>>> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
>>>
>>> Tél : 04 67 14 31 58
>>> email : thierry.kauffmann(a)univ-montp2.fr
>>> web : http://sif.info-ufr.univ-montp2.fr/
>>> http://www.fdsweb.univ-montp2.fr/
>>> _______________________________________________
>>> Users mailing list Users(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>>> Hi,
>>>
>>> This is a response from an older thread from Yair Zaslavsky:
>>>
>>> "there is no code allowing to add simple-authentication domains to
>>> Manage-Domains.
>>> In the past we did have the ability to do that, but there are several
>>> problematic issues."
>>>
>>> Best regards,
>>>
>>> Hi,
>>>
>>> Correct me if I am wrong, but this wiki page
>>> ( http://www.ovirt.org/DomainInfrastructure ) states clearly:
>>>
>>> 1. Authenticating Active Directory, IPA and RHDS using either
>>> simple or gssapi authentication
>>> 2. Querying the directory using the LDAP protocol
>>> 3. Auto deducing the LDAP provider type
>>> 4. Easily adding new LDAP provider types
>>> 5. Easily adding new query types
>>>
>>> So what ?
>>>
>> We supported simple authentication in the past, but it is no longer
>> supported, that's why you can't set that using the manage domains
>> utility.
>> It may work well in some providers (in the past we supported that
>> for active directory, so I guess it would work there).
> I don't think we removed SIMPLE from the engine, we just don't recommend
> using it, since it doesn't encrypt user/password on the network (it is
> sometimes useful for debugging).
>
We indeed didn't remove the engine code. We just blocked it from the utility.
Once you have a configured oVirt domain, you can set the LDAPSecurityAuthentication
configuration parameter (in the vdc_options table) to use simple, by putting a value of:
domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE, etc.
But if you want to add a new domain with it, then you would need to add it manually (can
give a detailed explanation on how, if relevant).

Yes, I would like to know how to add directly a domain which is not
GSSAPI controlled.

By default we work GSSAPI (I think the config option is empty by
default, which is equivalent to working GSSAPI).
If/When we would need to support that again it shouldn't be a major effort to add the
code... the testing with the different providers will be the hard part.

Oved
>> We also don't auto deduce the LDAP provider type anymore, as
>> changes in the providers caused some issues with it.
>>
>> I'll edit the wiki accordingly (btw, I remember removing it from
>> the wiki... so it is weird that it is still there...).
>>
>> Oved
>>
--
Thierry Kauffmann
Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
Service informatique de la Faculté des Sciences (SIF)
Université de Montpellier 2
CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58
email : thierry.kauffmann(a)univ-montp2.fr
web : http://sif.info-ufr.univ-montp2.fr/
http://www.fdsweb.univ-montp2.fr/
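
Added example, not part of the original thread and not oVirt code: a small audit of an LDAPSecurityAuthentication value in the domain:MECHANISM format quoted above, listing the domains that bind with SIMPLE (which, as noted in the thread, does not encrypt user/password on the network). The function names, the lower-casing of domain names and the sample domains are assumptions; the GSSAPI default for unlisted domains follows the thread's description of an empty option.

```python
"""Audit an oVirt LDAPSecurityAuthentication value for SIMPLE-bind domains."""

KNOWN_MECHANISMS = {"SIMPLE", "GSSAPI"}  # the two mechanisms named in the thread
DEFAULT_MECHANISM = "GSSAPI"  # thread: an empty option is treated as GSSAPI


def parse_auth_option(value):
    """Parse 'domain1:SIMPLE,domain2:GSSAPI' into {domain: mechanism}.

    Returns (mapping, errors); malformed entries are reported, not guessed.
    """
    mapping, errors = {}, []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # empty option or stray comma
        domain, sep, mech = entry.rpartition(":")
        # Assumption: domain names compare case-insensitively.
        domain, mech = domain.strip().lower(), mech.strip().upper()
        if not sep or not domain:
            errors.append(f"malformed entry: {entry!r}")
        elif mech not in KNOWN_MECHANISMS:
            errors.append(f"unknown mechanism {mech!r} for {domain}")
        elif mapping.get(domain, mech) != mech:
            errors.append(f"conflicting entries for {domain}")
        else:
            mapping[domain] = mech
    return mapping, errors


def audit(value, configured_domains):
    """Return per-domain effective mechanism and the domains that need review."""
    mapping, errors = parse_auth_option(value)
    effective = {d.lower(): mapping.get(d.lower(), DEFAULT_MECHANISM)
                 for d in configured_domains}
    # Entries for domains that are not configured are reported as well.
    for extra in sorted(set(mapping) - set(effective)):
        errors.append(f"entry for unconfigured domain {extra}")
    simple = sorted(d for d, m in effective.items() if m == "SIMPLE")
    return {"effective": effective, "simple_bind": simple, "errors": errors}


if __name__ == "__main__":
    # Constructed sample value in the format quoted in the thread.
    sample = "domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE"
    report = audit(sample, ["domain1", "domain2", "domain3", "domain4"])
    for dom in report["simple_bind"]:
        print(f"{dom}: SIMPLE bind, credentials are not encrypted on the network")
    print("errors:", report["errors"])
```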