8:53 a.m.
Hi,
When I try to use engine-manage-domains it seems to expect an account to sign in with. Is
there any way to use a key tab? It seems like it does all this under the surface
eventually; I'd just like to do it up front.
Even a pointer to "manual" adding instructions would be very helpful.
Thanks,
Will
9:02 a.m.
--Alternative_=_Boundary_=_1410390175
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Actually I haven't delved very deep into it but I know its not using a keyt=
ab its actually authenticating to the Kerberos server and doing a SASL bind=
=2E<br><br>In a way this is actually proper functionality; however I have t=
o admit it would be nice to have the option of using a
keytab.<br><br><span=
style=3D"font-family:Prelude, Verdana,
san-serif;"><br><br></span><span id=
=3D"signature"><div style=3D"font-family: arial, sans-serif;
font-size: 12p=
x;color: #999999;">-- Sent from my HP
Pre3</div><br></span><span style=3D"c=
olor:navy; font-family:Prelude, Verdana, san-serif; "><hr
align=3D"left" st=
yle=3D"width:75%">On Sep 10, 2014 6:53 PM, William Law
&lt;wlaw(a)stanford.ed=
u> wrote: <br><br></span>Hi,=0D<br>=0D<br>When I try
to use engine-manag=
e-domains it seems to expect an account to sign in with. Is there any way =
to use a key tab? It seems like it does all this under the surface eventua=
lly; I'd just like to do it up front.=0D<br>=0D<br>Even a pointer to
"manua=
l" adding instructions would be very
helpful.=0D<br>=0D<br>Thanks,=0D<br>=
=0D<br>Will=0D<br>_______________________________________________=0D<br>Use=
rs mailing list=0D<br>Users@ovirt.org=0D<br>http://lists.ovirt.org/mailman/=
listinfo/users=0D<br>
--Alternative_=_Boundary_=_1410390175--
9:07 a.m.
----- Original Message -----
From: "William Law" <wlaw(a)stanford.edu>
To: "users" <users(a)ovirt.org>
Sent: Thursday, September 11, 2014 1:53:04 AM
Subject: [ovirt-users] adding machine to openldap + kerberos with a keytab
Hi,
When I try to use engine-manage-domains it seems to expect an account to sign
in with. Is there any way to use a key tab? It seems like it does all this
under the surface eventually; I'd just like to do it up front.
Even a pointer to "manual" adding instructions would be very helpful.
Thanks,
Will
Hi Will,
No way to perform this with manage domains at the moment.
Not sure if we will invest in this, as in oVirt 3.5 we introduce a pluggable architecture
for AAA, based on extensions + configuration files
managed-domains should be used to support existing setups that will undergo upgrade to 3.5
(or of course, will remain in their current versions).
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
9:11 a.m.
OK, thanks. Is there a way to perform it without manage-domains currently or in 3.5?
Regards,
Will
On Sep 10, 2014, at 4:07 PM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:
----- Original Message -----
> From: "William Law" <wlaw(a)stanford.edu>
> To: "users" <users(a)ovirt.org>
> Sent: Thursday, September 11, 2014 1:53:04 AM
> Subject: [ovirt-users] adding machine to openldap + kerberos with a keytab
>
> Hi,
>
> When I try to use engine-manage-domains it seems to expect an account to sign
> in with. Is there any way to use a key tab? It seems like it does all this
> under the surface eventually; I'd just like to do it up front.
>
> Even a pointer to "manual" adding instructions would be very helpful.
>
> Thanks,
>
> Will
Hi Will,
No way to perform this with manage domains at the moment.
Not sure if we will invest in this, as in oVirt 3.5 we introduce a pluggable architecture
for AAA, based on extensions + configuration files
managed-domains should be used to support existing setups that will undergo upgrade to
3.5 (or of course, will remain in their current versions).
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
9:21 a.m.
--Alternative_=_Boundary_=_1410391296
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
William<br><br>Thank you as well I have noticed from the logs that if the m=
anager interface isn't used in a while it has to reinitialize or renew the =
ticket in the cache. This process can cause a noticeable delay in logins an=
d using a keytab. This is a part of (but not the whole) reason keytabs exis=
t in kerberos.<br><br><span style=3D"font-family:Prelude, Verdana,
san-seri=
f;"><br><br></span><span
id=3D"signature"><div style=3D"font-family: arial,=
sans-serif; font-size: 12px;color: #999999;">-- Sent from my HP
Pre3</div>=
<br></span><span style=3D"color:navy; font-family:Prelude, Verdana,
san-ser=
if; "><hr align=3D"left" style=3D"width:75%">On Sep 10,
2014 7:11 PM, Willi=
am Law &lt;wlaw(a)stanford.edu&gt; wrote: <br><br></span>OK,
thanks. Is ther=
e a way to perform it without manage-domains currently or in 3.5?=0D<br>=0D=
<br>Regards,=0D<br>=0D<br>Will=0D<br>=0D<br>On Sep 10, 2014,
at 4:07 PM, Ya=
ir Zaslavsky &lt;yzaslavs(a)redhat.com&gt; wrote:=0D<br>=0D<br>>
=0D<br>&g=
t; =0D<br>> ----- Original Message -----=0D<br>>> From:
"William L=
aw" &lt;wlaw(a)stanford.edu&gt;=0D<br>&gt;&gt; To:
"users" &lt;users(a)ovirt.or=
g>=0D<br>>> Sent: Thursday, September 11, 2014 1:53:04
AM=0D<br>&g=
t;> Subject: [ovirt-users] adding machine to openldap + kerberos with a =
keytab=0D<br>>> =0D<br>>>
Hi,=0D<br>>> =0D<br>>> Wh=
en I try to use engine-manage-domains it seems to expect an account to sign=
=0D<br>>> in with. Is there any way to use a key tab? It seems
like=
it does all this=0D<br>>> under the surface eventually; I'd just
lik=
e to do it up front.=0D<br>>> =0D<br>>> Even a
pointer to "manu=
al" adding instructions would be very helpful.=0D<br>>>
=0D<br>>&g=
t; Thanks,=0D<br>>> =0D<br>>>
Will=0D<br>> =0D<br>> Hi Wi=
ll,=0D<br>> No way to perform this with manage domains at the moment.=0D=
<br>> =0D<br>> Not sure if we will invest in this, as in oVirt
3.5 we=
introduce a pluggable architecture for AAA, based on extensions + configur=
ation files =0D<br>> managed-domains should be used to support existing =
setups that will undergo upgrade to 3.5 (or of course, will remain in their=
current versions).=0D<br>> =0D<br>>>
____________________________=
___________________=0D<br>>> Users mailing
list=0D<br>>> Users@=
ovirt.org=0D<br>>>
http://lists.ovirt.org/mailman/listinfo/users=0D<b=
r>>>
=0D<br>=0D<br>=0D<br>___________________________________________=
____=0D<br>Users mailing
list=0D<br>Users@ovirt.org=0D<br>http://lists.ovir=
t.org/mailman/listinfo/users=0D<br>
--Alternative_=_Boundary_=_1410391296--
9:28 a.m.
----- Original Message -----
From: "William Law" <wlaw(a)stanford.edu>
To: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
Cc: "users" <users(a)ovirt.org>
Sent: Thursday, September 11, 2014 2:11:08 AM
Subject: Re: [ovirt-users] adding machine to openldap + kerberos with a keytab
OK, thanks. Is there a way to perform it without manage-domains currently or
in 3.5?
in 3.5 - you can add new authn (authentication) and authz (authorization) providers by
using configuration files.
Regards,
Will
On Sep 10, 2014, at 4:07 PM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:
>
>
> ----- Original Message -----
>> From: "William Law" <wlaw(a)stanford.edu>
>> To: "users" <users(a)ovirt.org>
>> Sent: Thursday, September 11, 2014 1:53:04 AM
>> Subject: [ovirt-users] adding machine to openldap + kerberos with a keytab
>>
>> Hi,
>>
>> When I try to use engine-manage-domains it seems to expect an account to
>> sign
>> in with. Is there any way to use a key tab? It seems like it does all
>> this
>> under the surface eventually; I'd just like to do it up front.
>>
>> Even a pointer to "manual" adding instructions would be very helpful.
>>
>> Thanks,
>>
>> Will
>
> Hi Will,
> No way to perform this with manage domains at the moment.
>
> Not sure if we will invest in this, as in oVirt 3.5 we introduce a
> pluggable architecture for AAA, based on extensions + configuration files
> managed-domains should be used to support existing setups that will undergo
> upgrade to 3.5 (or of course, will remain in their current versions).
>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
9:32 a.m.
Cool - I'll start looking at that now.
Regards,
Will
On Sep 10, 2014, at 4:28 PM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:
----- Original Message -----
> From: "William Law" <wlaw(a)stanford.edu>
> To: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
> Cc: "users" <users(a)ovirt.org>
> Sent: Thursday, September 11, 2014 2:11:08 AM
> Subject: Re: [ovirt-users] adding machine to openldap + kerberos with a keytab
>
> OK, thanks. Is there a way to perform it without manage-domains currently or
> in 3.5?
in 3.5 - you can add new authn (authentication) and authz (authorization) providers by
using configuration files.
>
> Regards,
>
> Will
>
> On Sep 10, 2014, at 4:07 PM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:
>
>>
>>
>> ----- Original Message -----
>>> From: "William Law" <wlaw(a)stanford.edu>
>>> To: "users" <users(a)ovirt.org>
>>> Sent: Thursday, September 11, 2014 1:53:04 AM
>>> Subject: [ovirt-users] adding machine to openldap + kerberos with a keytab
>>>
>>> Hi,
>>>
>>> When I try to use engine-manage-domains it seems to expect an account to
>>> sign
>>> in with. Is there any way to use a key tab? It seems like it does all
>>> this
>>> under the surface eventually; I'd just like to do it up front.
>>>
>>> Even a pointer to "manual" adding instructions would be very
helpful.
>>>
>>> Thanks,
>>>
>>> Will
>>
>> Hi Will,
>> No way to perform this with manage domains at the moment.
>>
>> Not sure if we will invest in this, as in oVirt 3.5 we introduce a
>> pluggable architecture for AAA, based on extensions + configuration files
>> managed-domains should be used to support existing setups that will undergo
>> upgrade to 3.5 (or of course, will remain in their current versions).
>>
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>
>
>
9:48 a.m.
--Alternative_=_Boundary_=_1410392894
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Interesting so does that mean it can support GSSAPI authentication from the=
browser like the apache modules?<br><br><span
style=3D"font-family:Prelude=
, Verdana, san-serif;"><br><br></span><span
id=3D"signature"><div style=3D"=
font-family: arial, sans-serif; font-size: 12px;color: #999999;">-- Sent fr=
om my HP Pre3</div><br></span><span style=3D"color:navy;
font-family:Prelud=
e, Verdana, san-serif; "><hr align=3D"left"
style=3D"width:75%">On Sep 10, =
2014 7:32 PM, William Law &lt;wlaw(a)stanford.edu&gt; wrote:
<br><br></span>C=
ool - I'll start looking at that now.
=0D<br>=0D<br>Regards,=0D<br>=0D<br>W=
ill=0D<br>=0D<br>On Sep 10, 2014, at 4:28 PM, Yair Zaslavsky
<yzaslavs@r=
edhat.com> wrote:=0D<br>=0D<br>> =0D<br>>
=0D<br>> ----- Origin=
al Message -----=0D<br>>> From: "William Law"
&lt;wlaw(a)stanford.edu&g=
t;=0D<br>>> To: "Yair Zaslavsky"
&lt;yzaslavs(a)redhat.com&gt;=0D<br>&g=
t;> Cc: "users"
&lt;users(a)ovirt.org&gt;=0D<br>&gt;&gt; Sent: Thursday, S=
eptember 11, 2014 2:11:08 AM=0D<br>>> Subject: Re: [ovirt-users]
addi=
ng machine to openldap + kerberos with a keytab=0D<br>>>
=0D<br>>&=
gt; OK, thanks. Is there a way to perform it without manage-domains curren=
tly or=0D<br>>> in 3.5?=0D<br>> =0D<br>> in
3.5 - you can add =
new authn (authentication) and authz (authorization) providers by using con=
figuration files.=0D<br>> =0D<br>>>
=0D<br>>> Regards,=0D<br=
>> =0D<br>>>
Will=0D<br>>> =0D<br>>> On Sep 10, 20=
14,
at 4:07 PM, Yair Zaslavsky &lt;yzaslavs(a)redhat.com&gt;
wrote:=0D<br>>=
;> =0D<br>>>> =0D<br>>>>
=0D<br>>>> ----- Ori=
ginal Message -----=0D<br>>>>> From: "William
Law" <wlaw@sta=
nford.edu>=0D<br>>>>> To: "users"
&lt;users(a)ovirt.org&gt;=0D=
<br>>>>> Sent: Thursday, September 11, 2014 1:53:04
AM=0D<br>&g=
t;>>> Subject: [ovirt-users] adding machine to openldap + kerberos=
with a keytab=0D<br>>>>>
=0D<br>>>>> Hi,=0D<br>>=
;>>> =0D<br>>>>> When I try to use
engine-manage-domai=
ns it seems to expect an account to=0D<br>>>>>
sign=0D<br>>&=
gt;>> in with. Is there any way to use a key tab? It seems like it =
does all=0D<br>>>>>
this=0D<br>>>>> under the surfa=
ce eventually; I'd just like to do it up
front.=0D<br>>>>> =0D<=
br>>>>> Even a pointer to "manual" adding
instructions would be=
very helpful.=0D<br>>>>>
=0D<br>>>>> Thanks,=0D<br=
>>>>
=0D<br>>>>> Will=0D<br>>>>
=0D<br>&g=
t;>> Hi
Will,=0D<br>>>> No way to perform this with manage d=
omains at the moment.=0D<br>>>>
=0D<br>>>> Not sure if we=
will invest in this, as in oVirt 3.5 we introduce a=0D<br>>>>
plu=
ggable architecture for AAA, based on extensions + configuration files=0D<b=
r>>>> managed-domains should be used to support existing setups
th=
at will undergo=0D<br>>>> upgrade to 3.5 (or of course, will
remai=
n in their current versions).=0D<br>>>>
=0D<br>>>>> __=
_____________________________________________=0D<br>>>>>
Users =
mailing list=0D<br>>>>>
Users(a)ovirt.org=0D<br>&gt;&gt;&gt;&gt; =
http://lists.ovirt.org/mailman/listinfo/users=0D<br>>>...
=0D<br=
>> =0D<br>>>
=0D<br>>> =0D<br>=0D<br>=0D<br>____________=
___________________________________=0D<br>Users mailing
list=0D<br>Users@ov=
irt.org=0D<br>http://lists.ovirt.org/mailman/listinfo/users=0D<b...
--Alternative_=_Boundary_=_1410392894--
5:45 p.m.
New subject: adding machine to openldap + kerberos with a keytab
Hi,
We are doing significant rework within the authentication and authorization slot, most
will be available in 3.5.
In nut shell, there are two packages:
ovirt-engine-extension-aaa-ldap - provider of authentication and authorization using ldap
protocol.
ovirt-engine-extnesion-aaa-misc - for misc support (see documentation).
Integrating with ldap now does not require using kerberos, a preferred way is to use the
ldap protocol using startTLS and basic authentication, as in this mode most ldap
implementations returns valid result codes out of failures.
GSSAPI is still supported, although I recommend to avoid, but if you insist... you can
probably use keytab, I did not test this... but it should be available using, if it works,
please tell me :)
---
pool.default.auth.gssapi.useTicketCache = true
pool.default.auth.gssapi.ticketCachePath = <path-to-keytab>
---
As per single signon with apache, please refer to "APACHE SSO CONFIGURATION"
within[1].
Any feedback will be appreciated.
Regards,
Alon Bar-Lev
ovirt-engine-extension-aaa-ldap documentation
[1]
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
[2]
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
[3]
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
ovirt-engine-extension-aaa-misc documentation
[4]
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-misc.git;a=bl...
[5]
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-misc.git;a=bl...
3582
days inactive
3583
days old
8 comments
4 participants
participants (4)
-
Alon Bar-Lev -
Paul Robert Marino -
William Law -
Yair Zaslavsky