I have a production environment where hard-coded passwords are avoided. We prefer to use Kerberos. We also provide SSO for the web UI using CAS <http://jasig.github.io/cas/4.2.x/index.html>. We use Active Directory as the user backend.

So I wanted an oVirt installation that uses Kerberos for API authentication. For the web UI, Kerberos is not always the best solution, so I wanted to integrate it with our CAS.

The Apache part was easy to set up. I will show only a subpart of the whole Apache setup, and only the authentication-related part:
# The CAS modules
LoadModule authz_user_module /usr/lib64/httpd/modules/mod_authz_user.so
# Needed because auth_cas_module forgets to link openssl
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
LoadModule auth_cas_module /usr/lib64/httpd/modules/mod_auth_cas.so
# For the Kerberos authentication on the API
LoadModule auth_gssapi_module /usr/lib64/httpd/modules/mod_auth_gssapi.so
LoadModule session_module /usr/lib64/httpd/modules/mod_session.so
LoadModule session_cookie_module /usr/lib64/httpd/modules/mod_session_cookie.so

CASLoginURL https://sso/cas/login
CASValidateSAML On
CASValidateURL https://sso/cas/samlValidate

<VirtualHost *:443>
    # Drop any client-supplied X-Remote-User before authentication runs, so the
    # header oVirt trusts can only be set by the rules below
    RequestHeader unset X-Remote-User early

    <LocationMatch ^/api($|/)>
        RewriteEngine on
        # Only accept principals of the DOMAIN realm and expose them as REMOTE_USER
        RewriteCond %{LA-U:REMOTE_USER} ^(.*@DOMAIN)$
        RewriteRule ^(.*)$ - [L,P,E=REMOTE_USER:%1]
        RequestHeader set X-Remote-User %{REMOTE_USER}s
        AuthType GSSAPI
        AuthName "GSSAPI Single Sign On Login"
        GssapiCredStore keytab:.../httpd.keytab
        Require valid-user
        # Cache the GSSAPI result in a session cookie so the Kerberos exchange
        # is not repeated on every API call
        GssapiUseSessions On
        Session On
        SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
    </LocationMatch>

    <LocationMatch ^/(ovirt-engine($|/)|RHEVManagerWeb/|OvirtEngineWeb/|ca.crt$|engine.ssh.key.txt$|rhevm.ssh.key.txt$)>
        AuthType CAS
        Require valid-user
        # mod_auth_cas writes the authenticated user into the header oVirt reads
        CASAuthNHeader X-Remote-User
    </LocationMatch>
</VirtualHost>
The authn file /etc/ovirt-engine/extensions.d/apachesso-authn.properties is:

ovirt.engine.extension.name = apachesso-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = apachesso
ovirt.engine.aaa.authn.authz.plugin = DOMAIN-authz
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User

And the authz file /etc/ovirt-engine/extensions.d/DOMAIN-authz.properties is:

ovirt.engine.extension.name = DOMAIN-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/DOMAIN.properties
I had some difficulties with the AD backend. A straightforward solution would have been:

include = <ad.properties>
vars.domain = DOMAIN
vars.user = BINDDN
vars.password = BINDPWD
vars.forest = domain.com
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = .../domain.jks
pool.default.ssl.truststore.password =
# Only TLSv1.2 is secure nowadays
pool.default.ssl.startTLSProtocol = TLSv1.2
# Long timeouts should be avoided
pool.default.connection-options.connectTimeoutMillis = 500
But it fails. We have a special setup with about 100 domain controllers, and only two of them can be reached from the oVirt engine. So my first try was to define them directly in the configuration file:

pool.default.serverset.type = failover
pool.default.serverset.failover.1.server = dcX.domain.com
pool.default.serverset.failover.2.server = dcY.domain.com
But that fails too. The engine was still using a lot of unreachable domain controllers. After some digging I found that another part of the LDAP extension uses a different serverset; I don't know why it doesn't reuse the default pool. It's called pool.default.dc-resolve (it should be called pool.dc-resolve, as it's not the default but a custom one), so I added to my configuration:

pool.default.dc-resolve.default.serverset.type = failover
pool.default.dc-resolve.serverset.failover.1.server = dcX.domain.com
pool.default.dc-resolve.serverset.failover.2.server = dcY.domain.com
But there is a better solution; Ondra Machacek pointed it out to me. In Active Directory there is something called a "site", with a subset of all the domain controllers in it. It can be found under CN=Sites,CN=Configuration,DC=DOMAIN,...

To list them:

ldapsearch -H ldap://somedc -b CN=Sites,CN=Configuration,DC=DOMAIN -s one -o ldif-wrap=no cn

The information to write down is the cn returned.

You get the full list; just pick the right one, remove all the serverset configuration and add:

pool.default.serverset.srvrecord.domain-conversion.type = regex
pool.default.serverset.srvrecord.domain-conversion.regex.pattern = ^(?<domain>.*)$
pool.default.serverset.srvrecord.domain-conversion.regex.replacement = GOOD_SITE._sites.${domain}

The entry _sites.${domain} doesn't exist in the DNS, so to check that your regex is good, try instead:

dig +short _ldap._tcp.GOOD_SITE._sites.${domain} srv

It should return only reachable domain controllers.
So the final /etc/ovirt-engine/aaa/DOMAIN.properties was:

include = <ad.properties>
vars.domain = DOMAIN
vars.user = BINDDN
vars.password = BINDPWD
vars.forest = domain.com
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = .../domain.jks
pool.default.ssl.truststore.password =
pool.default.ssl.startTLSProtocol = TLSv1.2
pool.default.connection-options.connectTimeoutMillis = 500
pool.default.serverset.srvrecord.domain-conversion.type = regex
pool.default.serverset.srvrecord.domain-conversion.regex.pattern = ^(?<domain>.*)$
pool.default.serverset.srvrecord.domain-conversion.regex.replacement = GOOD_SITE._sites.${domain}
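To see what the domain-conversion step above actually does to the SRV lookup, here is an added Python example (not the author's code, not part of the oVirt LDAP extension): it reads the relevant keys of a DOMAIN.properties file, expands ${global:...}, translates the Java-style regex and ${domain} replacement into Python, derives the _ldap._tcp name the pool will query, and orders a constructed `dig +short ... srv` answer the way RFC 2782 prescribes. The domain corp.example.com and the two DC names are constructed placeholders; GOOD_SITE is the page's own placeholder.

```python
import re

# Constructed excerpt of a DOMAIN.properties file using the keys shown above;
# corp.example.com is a placeholder, not a real deployment value.
PROPERTIES = """\
vars.domain = corp.example.com
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.serverset.srvrecord.domain-conversion.type = regex
pool.default.serverset.srvrecord.domain-conversion.regex.pattern = ^(?<domain>.*)$
pool.default.serverset.srvrecord.domain-conversion.regex.replacement = GOOD_SITE._sites.${domain}
"""

# Constructed sample of what `dig +short _ldap._tcp.GOOD_SITE._sites.corp.example.com srv`
# could print: one "priority weight port target." line per record.
DIG_OUTPUT = """\
0 100 389 dcx.corp.example.com.
0 50 389 dcy.corp.example.com.
"""

CONV = "pool.default.serverset.srvrecord.domain-conversion"


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def expand_global(value, props):
    """Expand ${global:some.key} references as the page's file uses them."""
    return re.sub(r"\$\{global:([^}]+)\}",
                  lambda m: props.get(m.group(1), ""), value)


def java_regex_to_python(pattern, replacement):
    """Translate Java (?<name>...) groups and ${name} replacement refs to Python syntax."""
    py_pattern = re.sub(r"\(\?<(?![=!])(\w+)>", r"(?P<\1>", pattern)
    py_repl = re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)
    return py_pattern, py_repl


def srv_query_name(props, service="_ldap", proto="_tcp"):
    """Name the LDAP pool ends up resolving, after the optional domain-conversion step."""
    domain = expand_global(props["pool.default.serverset.srvrecord.domain"], props)
    if props.get(CONV + ".type") == "regex":
        pattern, repl = java_regex_to_python(props[CONV + ".regex.pattern"],
                                             props[CONV + ".regex.replacement"])
        domain = re.sub(pattern, repl, domain)
    return f"{service}.{proto}.{domain}"


def parse_dig_srv(text):
    """Parse `dig +short ... srv` output into (priority, weight, port, target) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        prio, weight, port = (int(p) for p in parts[:3])
        records.append((prio, weight, port, parts[3].rstrip(".")))
    # RFC 2782: lowest priority first; within a priority, higher weight is
    # preferred (a deterministic stand-in for the weighted random selection).
    return sorted(records, key=lambda r: (r[0], -r[1]))


if __name__ == "__main__":
    props = parse_properties(PROPERTIES)
    print("SRV name queried:", srv_query_name(props))
    for prio, weight, port, host in parse_dig_srv(DIG_OUTPUT):
        print(f"  {host}:{port} (priority {prio}, weight {weight})")
```

Removing the three domain-conversion keys makes srv_query_name() fall back to _ldap._tcp.corp.example.com, i.e. the whole-domain record set that returned the unreachable controllers.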
With this setup, my python client <https://github.com/fbacchella/ovirtcmd> can connect to ovirt-engine using a Kerberos ticket, and web users are authenticated using CAS. And there is no need to duplicate the user base.