On 01/22/2015 12:59 PM, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Jorick Astrego" <j.astrego@netbulae.eu>
>> To: users@ovirt.org
>> Sent: Thursday, January 22, 2015 1:41:40 PM
>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>>
>> On 10/31/2014 02:47 PM, Marcelo Donato wrote:
>>
>> Below the solution. Resolved By "Alon Bar-Lev" <alonbl@redhat.com>
>>
>> 1. install ovirt-engine-extension-aaa-ldap, it is available in
>> ovirt-3.5-snapshots repository.
>>
>> 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties
>>
>> ovirt.engine.extension.name = din-intranet-authz
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>>
>> 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties
>>
>> ovirt.engine.extension.name = din-intranet-authn
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>> ovirt.engine.aaa.authn.profile.name = din.intranet
>> ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
>> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>>
>> 4. create /etc/ovirt-engine/aaa/din.intranet.properties
>>
>> include = <ipa.properties>
>>
>> vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
>> vars.password = 123456
>> vars.server = ipa1.din.intranet
>>
>> pool.default.serverset.single.server = ${global:vars.server}
>> pool.default.auth.simple.bindDN = ${global:vars.user}
>> pool.default.auth.simple.password = ${global:vars.password}
>>
>> 5. restart engine.
>>
>> Thanks a lot Alon.
>>
>> Thanks for this, saved me some time!
>>
>> Just a couple of additions, please hash the password with SSHA (I really hate
>> plain text admin passwords...)
>> I tried putting an {SSHA} encoded password in "vars.password =", but it
>> fails to authenticate while plain text works fine.
> I am unsure I understand.
> Using hash to store password hint at server side makes sense.
> But using hash to store password at client side does not make sense; this means that if I get the server database I can authenticate to any user without knowing his password.
>
> Also, please note that the user you specify within configuration should not have any special privilege but to query public objects within ldap.
I don't like storing plain text in text files, so I try to avoid it. Even
if it is a read-only user there are no "public" objects that I like to
expose to anyone. I can query groups, group members, e-mail addresses,
krbPasswordExpiration, krbLastPwdChange etc. with this user.
So that's why I try to have the bind user password hashed in the
properties file.
>> For people with multiple ipa replicas I guess you need to use:
>>
>> Round robin configuration:
>> vars.server1 = ipa1.din.intranet
>> vars.server2 = ipa2.din.intranet
>> pool.default.serverset.type = round-robin
>> pool.default.serverset.round-robin.1.server = ${global:vars.server1}
>> pool.default.serverset.round-robin.2.server = ${global:vars.server2}
>>
>> instead of
>>
>> vars.server = ipa1.din.intranet
>> pool.default.serverset.single.server = ${global:vars.server}
>> But I still have to test that as our second replica is down at the moment.
> Correct, there are multiple policies for you to choose from.
>
>> Also can we get rid of the internal admin or better just disable internal
>> authentication without problems? As we have ipa we don't want local login
>> enabled, but in emergency situations we might need to turn it on quickly.
> Yes, you can disable the internal by creating /etc/ovirt-engine/engine.conf.d/50-disable-internal.conf
> ---
> ENGINE_EXTENSION_ENABLED_builtin-authn-internal = false
> ---
>
> Hmmm.... we have a bug in this case... will fix, so let's just disable the authz for now.
> ---
> ENGINE_EXTENSION_ENABLED_internal = false
> ---
>
> Regards,
> Alon
Thanks! That will work.
With kind regards,
Jorick Astrego
Netbulae Virtualization Experts
----------------
Tel: 053 20 30 270 | info@netbulae.eu | Staalsteden 4-3A | KvK 08198180
Fax: 053 20 30 271 | www.netbulae.eu | 7547 TA Enschede | BTW NL821234584B01
----------------
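Added example (not from the thread, not oVirt or FreeIPA code): a constructed Python model of the LDAP {SSHA} userPassword scheme, showing why the {SSHA} string placed in vars.password could not bind while the plaintext did, and why a server that accepted the stored string directly would make a directory dump a password-equivalent, which is the objection Alon raises above. The 20-byte SHA-1 digest plus trailing salt layout and the thread's placeholder password "123456" are the only assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed model of "{SSHA}" + base64( sha1(password + salt) + salt ),
# the salted SHA-1 verifier format stored in userPassword by 389-ds/FreeIPA.
SHA1_LEN = 20  # digest size; whatever follows it in the decoded blob is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build the verifier string a directory server stores for an account."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Server-side simple-bind check: re-hash the submitted secret with the stored salt."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} verifier")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)  # constant-time comparison


def bind_outcomes(stored: str, plaintext: str) -> dict:
    """What the directory does with each thing a client could put in vars.password.

    The real password reproduces the stored digest, so the bind succeeds.
    The {SSHA} string itself is hashed as literal text and never matches,
    which is the failure observed in the thread. A server that instead
    compared the strings directly would let anyone holding the directory
    dump bind as that user, so no server does that; the verifier is not a credential.
    """
    return {
        "plaintext_bind": ssha_verify(stored, plaintext),
        "hash_as_password_bind": ssha_verify(stored, stored),
        "wrong_password_bind": ssha_verify(stored, plaintext + "x"),
    }


if __name__ == "__main__":
    # constructed: the thread's placeholder bind password with a fixed salt
    verifier = ssha_hash("123456", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print(verifier)
    print(bind_outcomes(verifier, "123456"))
```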