
On 01/22/2015 12:59 PM, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Jorick Astrego" <j.astrego@netbulae.eu>
>> To: users@ovirt.org
>> Sent: Thursday, January 22, 2015 1:41:40 PM
>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>>
>> On 10/31/2014 02:47 PM, Marcelo Donato wrote:
>>
>> Below the solution. Resolved By "Alon Bar-Lev" <alonbl@redhat.com>
>>
>> 1. install ovirt-engine-extension-aaa-ldap, it is available in
>> ovirt-3.5-snapshots repository.
>>
>> 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties
>>
>> ovirt.engine.extension.name = din-intranet-authz
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>>
>> 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties
>>
>> ovirt.engine.extension.name = din-intranet-authn
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>> ovirt.engine.aaa.authn.profile.name = din.intranet
>> ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
>> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>>
>> 4. create /etc/ovirt-engine/aaa/din.intranet.properties
>>
>> include = <ipa.properties>
>>
>> vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
>> vars.password = 123456
>> vars.server = ipa1.din.intranet
>>
>> pool.default.serverset.single.server = ${global:vars.server}
>> pool.default.auth.simple.bindDN = ${global:vars.user}
>> pool.default.auth.simple.password = ${global:vars.password}
>>
>> 5. restart engine.
>>
>> Thanks a lot Alon.
>>
>> Thanks for this, saved me some time!
>>
>> Just a couple of additions, please hash the password with SSHA (I really hate
>> plain text admin passwords...)
>> I tried putting an {SSHA} encoded password in "vars.password =", but it
>> fails to authenticate while plain text works fine.
> I am unsure I understand.
> Using a hash to store the password hint at the server side makes sense.
> But using a hash to store the password at the client side does not make sense; this means that if I get the server database I can authenticate to any user without knowing his password.
>
> Also, please note that the user you specify within configuration should not have any special privilege but to query public objects within ldap.

I don't like storing plain text in text files, so I try to avoid it. Even if it is a read-only user there are no "public" objects that I like to expose to anyone. I can query groups, group members, e-mail addresses, krbPasswordExpiration, krbLastPwdChange etc. with this user.

So that's why I try to have the bind user password hashed in the properties file.

>> For people with multiple ipa replicas I guess you need to use:
>>
>> Round robin configuration:
>> vars.server1 = ipa1.din.intranet
>> vars.server2 = ipa2.din.intranet
>> pool.default.serverset.type = round-robin
>> pool.default.serverset.round-robin.1.server = ${global:vars.server1}
>> pool.default.serverset.round-robin.2.server = ${global:vars.server2}
>>
>> instead of
>>
>> vars.server = ipa1.din.intranet
>> pool.default.serverset.single.server = ${global:vars.server}
>>
>> But I still have to test that as our second replica is down at the moment.
> Correct, there are multiple policies for you to choose from.
>
>> Also can we get rid of the internal admin or better just disable internal
>> authentication without problems? As we have ipa we don't want local login
>> enabled, but in emergency situations we might need to turn it on quickly.
> Yes, you can disable the internal by creating /etc/ovirt-engine/engine.conf.d/50-disable-internal.conf
> ---
> ENGINE_EXTENSION_ENABLED_builtin-authn-internal = false
> ---
>
> Hmmm.... we have a bug in this case... will fix, so let's just disable the authz for now.
> ---
> ENGINE_EXTENSION_ENABLED_internal = false
> ---
>
> Regards,
> Alon

Thanks! That will work.

With kind regards,

Jorick Astrego
Netbulae Virtualization Experts
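An added example, not from this thread or from the oVirt project: a small Python audit of a profile file like din.intranet.properties above. It resolves the ${global:vars.*} references the way the posted config uses them and reports the points Alon and Jorick raise (the bind user should have no special privilege, and the bind password has to stay plaintext, so the file's permissions carry the risk). Treating a DN under uid=admin as the IPA admin is an assumption, and the sample profile is the one posted in the thread.

```python
import re
import stat

REF = re.compile(r"\$\{global:([^}]+)\}")

def parse_profile(text):
    """Parse 'key = value' lines; 'include' is recorded but not followed."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def resolve(props, value):
    """Expand ${global:vars.x} from the same file's vars.* entries."""
    return REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)

def audit_profile(text, mode):
    """Return findings for a profile; mode is its st_mode (e.g. 0o644)."""
    props = parse_profile(text)
    bind_dn = resolve(props, props.get("pool.default.auth.simple.bindDN", ""))
    password = resolve(props, props.get("pool.default.auth.simple.password", ""))
    servers = [k for k in props
               if k.startswith("pool.default.serverset.") and k.endswith(".server")]
    findings = []
    # Assumption: uid=admin is the IPA admin; the bind user only needs to query.
    if bind_dn.lower().startswith("uid=admin,"):
        findings.append("bind DN is the directory admin; use a dedicated read-only account")
    # The bind password must be plaintext (a hash would itself be the credential).
    if password and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("plaintext bind password in a group/world-readable file")
    if len(servers) < 2:
        findings.append("single server set; round-robin over the IPA replicas is available")
    return findings

# Constructed sample: the profile from the thread, as posted.
SAMPLE = """\
include = <ipa.properties>
vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
vars.password = 123456
vars.server = ipa1.din.intranet
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
"""

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE, 0o644):
        print("-", finding)
```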