I was also testing simple auth without success. Our ldap doesn't support
kerberos so we're stuck. Engine log doesn't report anything, and the
server log shows:
2013-02-28 09:53:52,850 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS015870: Deploy of deployment "engine.ear" was rolled back with failure message
{"JBAS014671: Failed services" => {"jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START" => "org.jboss.msc.service.StartException in service jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START: Failed to start service"}}
We're using 3.1 on CentOS, rpms from
Hi Eduardo,
We mainly focus on supporting Kerberos authentication at the moment.
Can you switch to kerberos authentication?
----- Original Message -----
> From: "Eduardo Ramos" <eduardo(a)freedominterface.org>
> To: users(a)ovirt.org
> Sent: Wednesday, February 27, 2013 11:04:17 PM
> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>
> Has anyone had success with that?
>
>
> On 12/10/2012 10:18 AM, Eduardo Ramos wrote:
>> Hi dudes!
>>
>> I was following the model below, but without success. That is my
>> db:
>>
>>
>> engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword','AdUserId');
>>  option_id |        option_name         |                        option_value                        | version
>> -----------+----------------------------+------------------------------------------------------------+---------
>>         63 | DomainName                 | ovirt                                                      | general
>>          8 | AdUserName                 | ovirt:admin                                                | general
>>        113 | LDAPProviderTypes          | ovirt:ipa                                                  | general
>>        112 | LdapServers                | ovirt:172.16.21.240                                        | general
>>        110 | LDAPSecurityAuthentication | ovirt:SIMPLE                                               | general
>>          9 | AdUserPassword             | ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= | general
>> (7 rows)
>>
>> As you can see, my ldap server and domain are internal. That's my
>> ldap
>> user object:
>>
>> # admin, Users, Accounts, inpe.br
>> dn: cn=admin,cn=Users,cn=Accounts,dc=ovirt
>> givenName: Admin
>> sn: istrator
>> uid: admin
>> userPassword:: e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg=
>> uidNumber: 1001
>> gidNumber: 502
>> homeDirectory: /home/users/admin
>> loginShell: /bin/sh
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: top
>> cn: admin
>>
>> But the log always returns:
>>
>> 2012-12-10 10:07:00,317 ERROR [org.ovirt.engine.core.bll.adbroker.LdapSearchExceptionHandler] (ajp--0.0.0.0-8009-11) Ldap authentication failed. Please check that the login name, password and path are correct.
>> 2012-12-10 10:07:00,321 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-8) Failed ldap search server ldap://172.16.21.240:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
>>
>> Am I doing it the right way?
>>
>> On 12/04/2012 07:07 AM, Oved Ourfalli wrote:
>>> ----- Original Message -----
>>>> From: "Thierry Kauffmann" <thierry.kauffmann(a)univ-montp2.fr>
>>>> To: "Oved Ourfalli" <ovedo(a)redhat.com>
>>>> Cc: "Itamar Heim" <iheim(a)redhat.com>, users(a)ovirt.org
>>>> Sent: Tuesday, December 4, 2012 10:35:34 AM
>>>> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>>>
>>>> On 04/12/2012 09:09, Oved Ourfalli wrote:
>>>>
>>>> ----- Original Message -----
>>>> From: "Itamar Heim" <iheim(a)redhat.com>
>>>> To: "Oved Ourfalli" <ovedo(a)redhat.com>
>>>> Cc: users(a)ovirt.org, "Thierry Kauffmann" <thierry.kauffmann(a)univ-montp2.fr>
>>>> Sent: Tuesday, December 4, 2012 1:47:52 AM
>>>> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>>>
>>>> On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
>>>>
>>>> ----- Original Message -----
>>>> From: "Thierry Kauffmann" <thierry.kauffmann(a)univ-montp2.fr>
>>>> To: "cristi falcas" <cristi.falcas(a)gmail.com>
>>>> Cc: users(a)ovirt.org
>>>> Sent: Saturday, December 1, 2012 5:56:14 PM
>>>> Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>>>
>>>> Hi,
>>>>
>>>> I am currently testing Ovirt 3.1 standalone on Fedora 17.
>>>>
>>>> Until now, I could only use the default user admin@internal.
>>>>
>>>> Our Directory at the University is OpenLDAP. We use it for
>>>> authentication
>>>> WITHOUT Kerberos : Simple authentication.
>>>>
>>>> I wonder how to use this backend to authenticate users and manage
>>>> groups
>>>> in Ovirt.
>>>>
>>>> Has anyone already set this up ?
>>>> How to configure Ovirt to use Simple Authentication (No
>>>> Kerberos).
>>>>
>>>> Cheers,
>>>>
>>>> --
>>>> Thierry Kauffmann
>>>> Head of IT Services // Faculté des Sciences // Université de Montpellier 2
>>>>
>>>> Service informatique de la Faculté des Sciences (SIF)
>>>> Université de Montpellier 2
>>>> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
>>>>
>>>> Tel: 04 67 14 31 58
>>>> email: thierry.kauffmann(a)univ-montp2.fr
>>>> web: http://sif.info-ufr.univ-montp2.fr/
>>>> http://www.fdsweb.univ-montp2.fr/
>>>> http://www.univ-montp2.fr/
>>>> _______________________________________________
>>>> Users mailing list Users(a)ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>
>>>> Hi,
>>>>
>>>> This is a response from an older thread from Yair Zaslavsky:
>>>>
>>>> "there is no code allowing to add simple-authentication domains to
>>>> Manage-Domains.
>>>> In the past we did have the ability to do that, but there are several
>>>> problematic issues."
>>>>
>>>> Best regards,
>>>>
>>>> Hi,
>>>>
>>>> correct me if I am wrong but this wiki page
>>>> (http://www.ovirt.org/DomainInfrastructure) states clearly:
>>>>
>>>> 1. Authenticating Active Directory, IPA and RHDS using
>>>> either
>>>> simple or gssapi authentication
>>>> 2. Querying the directory using the LDAP protocol
>>>> 3. Auto deducing the LDAP provider type
>>>> 4. Easily adding new LDAP provider types
>>>> 5. Easily adding new query types
>>>>
>>>> So what? We supported simple authentication in the past, but it is
>>>> no longer supported, that's why you can't set that using the manage
>>>> domains utility.
>>>> It may work well in some providers (in the past we supported that
>>>> for active directory, so I guess it would work there). I don't think
>>>> we removed SIMPLE from the engine, we just don't recommend using it,
>>>> since it doesn't encrypt user/password on the network (it is
>>>> sometimes useful for debugging). We indeed didn't remove the engine
>>>> code. We just blocked it from the utility.
>>>> Once you have a configured oVirt domain, you can set the
>>>> LDAPSecurityAuthentication configuration parameter (in the
>>>> vdc_options table) to use simple, by putting a value of:
>>>> domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE etc.
>>>>
>>>> but, if you want to add a new domain with it then you would need to
>>>> add it manually (can give a detailed explanation on how, if
>>>> relevant).
>>>>
>>>> Yes, I would like to know how to add directly a domain which is not
>>>> GSSAPI controlled.
>>>>
>>> The vdc_options table is a table containing the configuration values
>>> of the engine. Among those, there are directory-related configuration
>>> values:
>>>
>>> engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword');
>>>  option_id |        option_name         |                        option_value                        | version
>>> -----------+----------------------------+------------------------------------------------------------+---------
>>>          9 | AdUserName                 | domain1:user1,domain2:user2                                | general
>>>         10 | AdUserPassword             | domain1:password1,domain2:password2                        | general
>>>        114 | LdapServers                | domain1:ldap_server_address1,domain2:ldap_server_address2  | general
>>>         64 | DomainName                 | domain1,domain2                                            | general
>>>        112 | LDAPSecurityAuthentication | domain1:GSSAPI,domain2:SIMPLE                              | general
>>>        115 | LDAPProviderTypes          | domain1:activeDirectory,domain2:ipa                        | general
>>>
>>> AdUserName is the user that will be used to query the directory.
>>> AdUserPassword is the password that will be used to query the
>>> directory.
>>> LdapServers - the LDAP server that will be used (only one is allowed
>>> in this configuration. This configuration is optional. If empty, we
>>> will check the DNS for LDAP SRV records for the relevant domain).
>>> DomainName - the names of the domains
>>> LDAPSecurityAuthentication - SIMPLE/GSSAPI
>>> LDAPProviderTypes - the provider type (activeDirectory/ipa/rhds/itds)
>>>
>>> All the entries above are per-domain, in the format
>>> domain1:value1,domain2:value2 etc.
>>>
>>> If manually adding a GSSAPI domain, you also need to supply a
>>> krb5.conf file, and put it in the ENGINE_ETC path. If adding a SIMPLE
>>> domain that isn't necessary.
>>>
>>> We haven't worked with simple domain for a while now, so hopefully it
>>> will work for you as expected.
>>>
>>> Let me know if you have further questions.
>>>
>>> Oved
>>>>
>>>> By default we work with GSSAPI (I think the config option is empty by
>>>> default which is equivalent to working with GSSAPI).
>>>> If/When we would need to support that again it shouldn't be a major
>>>> effort to add the code... the testing with the different providers
>>>> will be the hard part.
>>>>
>>>> Oved
>>>>
>>>> We also don't auto deduce the LDAP provider type anymore, as
>>>> changes in the providers caused some issues with it.
>>>>
>>>> I'll edit the wiki accordingly (btw, I remember removing it from
>>>> the wiki... so it is weird that it is still there...).
>>>>
>>>> Oved
>>>>
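A checker for the per-domain vdc_options layout Oved describes above, added here as an editor's example; it is not code from the oVirt engine, and the engine's own parsing may differ. The key names, the `domain1:value1,domain2:value2` format, the provider types and the "empty means GSSAPI" default are taken from the thread; the hash-prefix test and the choice of what counts as a finding are this checker's own assumptions. One detail worth noticing in the thread itself: the AdUserPassword value in the first quoted configuration is byte-for-byte the LDIF `userPassword::` line, and it base64-decodes to a `{SSHA}` digest rather than a cleartext password, so a SIMPLE bind with it cannot succeed. Whether oVirt 3.1 expects AdUserPassword stored in some encrypted form is not settled on this page, so treat that finding as a hint to verify the bind by hand (for instance with `ldapsearch -x -H ldap://<server> -D "<bind DN>" -W -b "<base DN>"`) rather than as proof.

```python
"""Checker for oVirt-style per-domain LDAP settings in vdc_options.

Added example; this is not code from the oVirt engine. The key names and the
'domain1:value1,domain2:value2' layout are the ones described in the thread;
everything else (the hash-prefix list, which conditions count as findings) is
this checker's own assumption about what usually goes wrong.
"""
import base64
import binascii

# RFC 2307 style userPassword prefixes. A bind secret that base64-decodes to
# one of these is a hash copied out of the directory entry, not a cleartext
# password, and a SIMPLE bind with it will fail (assumed check, see lead-in).
HASH_PREFIXES = tuple(p.encode() for p in ("{SSHA}", "{SHA}", "{MD5}", "{SMD5}", "{CRYPT}"))

PER_DOMAIN_OPTIONS = ("AdUserName", "AdUserPassword", "LdapServers",
                      "LDAPSecurityAuthentication", "LDAPProviderTypes")
PROVIDER_TYPES = {"activeDirectory", "ipa", "rhds", "itds"}   # listed in the thread
AUTH_MODES = {"SIMPLE", "GSSAPI"}                             # listed in the thread


def parse_per_domain(value):
    """'d1:v1,d2:v2' -> {'d1': 'v1', 'd2': 'v2'}; '' -> {}.

    Splits each item on the first ':' only, so a value that itself contains
    ':' (an LDAP URL with a port, a password) is kept whole.
    """
    result = {}
    for item in filter(None, (s.strip() for s in value.split(","))):
        domain, sep, val = item.partition(":")
        if not sep:
            raise ValueError("expected domain:value, got %r" % item)
        result[domain] = val
    return result


def looks_like_directory_hash(secret):
    """True if `secret` is base64 of a '{SCHEME}...' userPassword value."""
    try:
        decoded = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return False
    return decoded.startswith(HASH_PREFIXES)


def check_domain_config(options):
    """Return [(domain, finding), ...] for a dict of option_name -> option_value."""
    findings = []
    domains = [d for d in (s.strip() for s in options.get("DomainName", "").split(",")) if d]
    per_domain = {name: parse_per_domain(options.get(name, "")) for name in PER_DOMAIN_OPTIONS}

    for domain in domains:
        # The thread says an empty LDAPSecurityAuthentication means GSSAPI.
        auth = per_domain["LDAPSecurityAuthentication"].get(domain, "GSSAPI")
        if auth not in AUTH_MODES:
            findings.append((domain, "unknown LDAPSecurityAuthentication %r" % auth))
        elif auth == "SIMPLE":
            findings.append((domain, "SIMPLE bind: the bind password crosses the "
                                     "network in cleartext unless the link is TLS-protected"))
        provider = per_domain["LDAPProviderTypes"].get(domain)
        if provider not in PROVIDER_TYPES:
            findings.append((domain, "missing or unknown LDAPProviderTypes %r" % provider))
        if domain not in per_domain["AdUserName"]:
            findings.append((domain, "no AdUserName entry"))
        secret = per_domain["AdUserPassword"].get(domain)
        if secret is None:
            findings.append((domain, "no AdUserPassword entry"))
        elif looks_like_directory_hash(secret):
            findings.append((domain, "AdUserPassword is a base64 userPassword hash, "
                                     "not the cleartext bind secret"))

    # Per-domain entries for domains that DomainName does not list would be
    # ignored silently by a naive reader; report them so typos do not hide.
    for name, mapping in per_domain.items():
        for stray in sorted(set(mapping) - set(domains)):
            findings.append((stray, "%s names a domain missing from DomainName" % name))
    return findings


# Constructed sample: the rows posted in the thread, one domain called 'ovirt'.
# AdUserPassword here is byte-for-byte the LDIF 'userPassword::' value.
THREAD_OPTIONS = {
    "DomainName": "ovirt",
    "AdUserName": "ovirt:admin",
    "AdUserPassword": "ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg=",
    "LdapServers": "ovirt:172.16.21.240",
    "LDAPSecurityAuthentication": "ovirt:SIMPLE",
    "LDAPProviderTypes": "ovirt:ipa",
}

if __name__ == "__main__":
    for domain, finding in check_domain_config(THREAD_OPTIONS):
        print("%s: %s" % (domain, finding))
```

Run against the sample it reports two things for the `ovirt` domain: the SIMPLE-bind cleartext caveat Oved raises, and the hashed bind secret. Against Oved's two-domain template it reports only the cleartext caveat for `domain2`, and a misspelled domain such as `deomain1` in LdapServers shows up as a stray entry instead of being silently skipped.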