adding machine to openldap + kerberos with a keytab

Hi, When I try to use engine-manage-domains it seems to expect an account to sign in with. Is there any way to use a key tab? It seems like it does all this under the surface eventually; I'd just like to do it up front. Even a pointer to "manual" adding instructions would be very helpful. Thanks, Will

Actually I haven't delved very deep into it but I know it's not using a keytab; it's actually authenticating to the Kerberos server and doing a SASL bind.

In a way this is actually proper functionality; however I have to admit it would be nice to have the option of using a keytab.

-- Sent from my HP Pre3

On Sep 10, 2014 6:53 PM, William Law <wlaw@stanford.edu> wrote:

----- Original Message -----
From: "William Law" <wlaw@stanford.edu> To: "users" <users@ovirt.org> Sent: Thursday, September 11, 2014 1:53:04 AM Subject: [ovirt-users] adding machine to openldap + kerberos with a keytab
Hi Will,

No way to perform this with manage domains at the moment.

Not sure if we will invest in this, as in oVirt 3.5 we introduce a pluggable architecture for AAA, based on extensions + configuration files. managed-domains should be used to support existing setups that will undergo upgrade to 3.5 (or of course, will remain in their current versions).
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

OK, thanks. Is there a way to perform it without manage-domains currently or in 3.5?

Regards,
Will

On Sep 10, 2014, at 4:07 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:

William,

Thank you as well. I have noticed from the logs that if the manager interface isn't used in a while it has to reinitialize or renew the ticket in the cache. This process can cause a noticeable delay in logins and using a keytab. This is a part of (but not the whole) reason keytabs exist in Kerberos.

-- Sent from my HP Pre3

On Sep 10, 2014 7:11 PM, William Law <wlaw@stanford.edu> wrote:

----- Original Message -----
From: "William Law" <wlaw@stanford.edu> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: "users" <users@ovirt.org> Sent: Thursday, September 11, 2014 2:11:08 AM Subject: Re: [ovirt-users] adding machine to openldap + kerberos with a keytab
OK, thanks. Is there a way to perform it without manage-domains currently or in 3.5?
in 3.5 - you can add new authn (authentication) and authz (authorization) providers by using configuration files.

Cool - I'll start looking at that now.

Regards,
Will

On Sep 10, 2014, at 4:28 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:

Interesting, so does that mean it can support GSSAPI authentication from the browser like the apache modules?

-- Sent from my HP Pre3

On Sep 10, 2014 7:32 PM, William Law <wlaw@stanford.edu> wrote:

Hi,

We are doing significant rework within the authentication and authorization slot, most will be available in 3.5.

In a nutshell, there are two packages:

ovirt-engine-extension-aaa-ldap - provider of authentication and authorization using ldap protocol.
ovirt-engine-extension-aaa-misc - for misc support (see documentation).

Integrating with ldap now does not require using kerberos, a preferred way is to use the ldap protocol using startTLS and basic authentication, as in this mode most ldap implementations return valid result codes out of failures.

GSSAPI is still supported, although I recommend to avoid, but if you insist... you can probably use keytab, I did not test this... but it should be available using, if it works, please tell me :)
---
pool.default.auth.gssapi.useTicketCache = true
pool.default.auth.gssapi.ticketCachePath = <path-to-keytab>
---

As per single signon with apache, please refer to "APACHE SSO CONFIGURATION" within [1].

Any feedback will be appreciated.

Regards,
Alon Bar-Lev

ovirt-engine-extension-aaa-ldap documentation
[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...
[2] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...
[3] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...

ovirt-engine-extension-aaa-misc documentation
[4] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-misc.git;a=blob;...
[5] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-misc.git;a=blob;...
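The thread contrasts a keytab with a renewable ticket cache (Paul Robert Marino's point about the engine having to re-initialise its cached ticket, and Alon Bar-Lev's untested hint at pointing the GSSAPI pool at a keytab). As an added example, not code from oVirt or from anyone in this thread, the Python script below reads the MIT Kerberos keytab file format (version 0x0502) and inventories the principals, key version numbers and encryption types a keytab holds, flagging legacy DES/RC4 keys, so an administrator can see exactly what a keytab handed to the engine would let it authenticate as before deploying it. The sample keytab bytes are constructed inline with all-zero keys; every function and class name here is this example's own.

```python
import struct
from dataclasses import dataclass

# Added example for the oVirt thread, not oVirt code: inventory an MIT keytab
# (format version 0x0502) without ever printing key material.

KEYTAB_MAGIC = b"\x05\x02"

# Kerberos enctype numbers (RFC 3961/3962/8009); only the common ones are named.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}  # single DES and RC4: flag these for rotation


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_length: int

    @property
    def enctype_name(self):
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")

    @property
    def weak(self):
        return self.enctype in WEAK_ENCTYPES


def _counted(buf, pos):
    """Read a 16-bit big-endian length-prefixed byte string."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes):
    """Parse a version-2 MIT keytab and return its live (non-deleted) entries."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab (bad magic)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:          # negative size marks a deleted slot: skip its body
            pos += -size
            continue
        end = pos + size
        body = data[pos:end]
        (ncomp,) = struct.unpack_from(">H", body, 0)
        p = 2
        realm, p = _counted(body, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(body, p)
            comps.append(c.decode())
        name_type, timestamp, vno8, enctype = struct.unpack_from(">IIBH", body, p)
        p += 11
        key, p = _counted(body, p)
        kvno = vno8
        if end - (pos + p) >= 4:  # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", body, p)
            if vno32:
                kvno = vno32
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, timestamp, kvno, enctype, len(key)))
        pos = end
    return entries


def _entry(realm, comps, name_type, timestamp, kvno, enctype, key, deleted=False):
    """Serialise one keytab record (constructed test data, key bytes are dummies)."""
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBH", name_type, timestamp, kvno & 0xFF, enctype)
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", -len(body) if deleted else len(body)) + body


def build_sample_keytab():
    """Constructed sample: current AES256 key, a deleted old key, and a lingering RC4 key."""
    comps = ["host", "engine.example.com"]
    return (KEYTAB_MAGIC
            + _entry("EXAMPLE.COM", comps, 1, 1410390175, 3, 18, bytes(32))
            + _entry("EXAMPLE.COM", comps, 1, 1400000000, 2, 18, bytes(32), deleted=True)
            + _entry("EXAMPLE.COM", comps, 1, 1410390175, 3, 23, bytes(16)))


def audit(entries):
    """One human-readable finding per entry; weak enctypes are marked WEAK."""
    return [f"{e.principal} kvno={e.kvno} {e.enctype_name} "
            f"({e.key_length * 8}-bit key){' WEAK' if e.weak else ''}" for e in entries]


if __name__ == "__main__":
    for line in audit(parse_keytab(build_sample_keytab())):
        print(line)
```

To run it against a real file, replace `build_sample_keytab()` with the bytes of the keytab you intend to reference from the configuration; a `WEAK` line means the KDC still issues an RC4 or DES key for that principal and the keytab should be regenerated after tightening the principal's enctypes.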
participants (4)
- Alon Bar-Lev
- Paul Robert Marino
- William Law
- Yair Zaslavsky