Advanced user authentication, using Kerberos, CAS SSO and Active Directory

I have a production setup where hard-coded passwords are avoided. We prefer to use Kerberos. We also provide SSO for the web UI using CAS <http://jasig.github.io/cas/4.2.x/index.html>. We use Active Directory as the user backend.

So I wanted an oVirt installation that uses Kerberos for API authentication. For the web UI, Kerberos is not always the best solution, so I wanted to integrate it with our CAS.

The Apache part was easy to set up. I will show only a subpart of the whole Apache setup, and only the authentication-related part:

# The CAS modules
LoadModule authz_user_module /usr/lib64/httpd/modules/mod_authz_user.so
# Needed because auth_cas_module forgets to link openssl
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
LoadModule auth_cas_module /usr/lib64/httpd/modules/mod_auth_cas.so

# For the Kerberos authentication on the API
LoadModule auth_gssapi_module /usr/lib64/httpd/modules/mod_auth_gssapi.so
LoadModule session_module /usr/lib64/httpd/modules/mod_session.so
LoadModule session_cookie_module /usr/lib64/httpd/modules/mod_session_cookie.so

CASLoginURL https://sso/cas/login
CASValidateSAML On
CASValidateURL https://sso/cas/samlValidate

<VirtualHost *:443>
    # Drop any X-Remote-User a client sends; only Apache may set it
    RequestHeader unset X-Remote-User early

    <LocationMatch ^/api($|/)>
        RewriteEngine on
        RewriteCond %{LA-U:REMOTE_USER} ^(.*@DOMAIN)$
        RewriteRule ^(.*)$ - [L,P,E=REMOTE_USER:%1]
        RequestHeader set X-Remote-User %{REMOTE_USER}s

        AuthType GSSAPI
        AuthName "GSSAPI Single Sign On Login"
        GssapiCredStore keytab:.../httpd.keytab
        Require valid-user
        GssapiUseSessions On
        Session On
        SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
    </LocationMatch>

    <LocationMatch ^/(ovirt-engine($|/)|RHEVManagerWeb/|OvirtEngineWeb/|ca.crt$|engine.ssh.key.txt$|rhevm.ssh.key.txt$)>
        AuthType CAS
        Require valid-user
        CASAuthNHeader X-Remote-User
    </LocationMatch>
</VirtualHost>

The authn file /etc/ovirt-engine/extensions.d/apachesso-authn.properties is:

ovirt.engine.extension.name = apachesso-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = apachesso
ovirt.engine.aaa.authn.authz.plugin = DOMAIN-authz
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User

And the authz file /etc/ovirt-engine/extensions.d/DOMAIN-authz.properties is:

ovirt.engine.extension.name = DOMAIN-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/DOMAIN.properties

I had some difficulties with the AD backend. A straightforward solution would have been:

include = <ad.properties>
vars.domain = DOMAIN
vars.user = BINDDN
vars.password = BINDPWD
vars.forest = domain.com
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = .../domain.jks
pool.default.ssl.truststore.password =
# Only TLSv1.2 is secure nowadays
pool.default.ssl.startTLSProtocol = TLSv1.2
# Long timeouts should be avoided
pool.default.connection-options.connectTimeoutMillis = 500

But it fails.

We have a special setup with about 100 domain controllers, and only two of them can be reached from the oVirt engine. So my first try was to define them directly in the configuration file:

pool.default.serverset.type = failover
pool.default.serverset.failover.1.server = dcX.domain.com
pool.default.serverset.failover.2.server = dcY.domain.com

But that fails. The engine was still using a lot of unreachable domain controllers. After some digging I found that another part of the LDAP extension uses a different serverset; I don't know why it doesn't reuse the default pool. It's called pool.default.dc-resolve (it should be called pool.dc-resolve, as it's not the default but a custom one), so I added to my configuration:

pool.default.dc-resolve.default.serverset.type = failover
pool.default.dc-resolve.serverset.failover.1.server = dcX.domain.com
pool.default.dc-resolve.serverset.failover.2.server = dcY.domain.com

But there is a better solution. Ondra Machacek pointed it out to me. In Active Directory, there is something called a "site", with a subset of all the domain controllers in it. They can be found under CN=Sites,CN=Configuration,DC=DOMAIN,... To list them:

ldapsearch -H ldap://somedc -b CN=Sites,CN=Configuration,DC=DOMAIN -s one -o ldif-wrap=no cn

The information to write down is the cn returned.

You get a list of all domains; just pick the right one, remove all the serverset configuration and add:

pool.default.serverset.srvrecord.domain-conversion.type = regex
pool.default.serverset.srvrecord.domain-conversion.regex.pattern = ^(?<domain>.*)$
pool.default.serverset.srvrecord.domain-conversion.regex.replacement = GOOD_SITE._sites.${domain}

The entry _sites.${domain} doesn't exist in the DNS, so to check that your regex is good, try instead:

dig +short _ldap._tcp.GOOD_SITE._sites.${domain} srv

It should return only reachable domain controllers.
So the final /etc/ovirt-engine/aaa/DOMAIN.properties was:

include = <ad.properties>
vars.domain = DOMAIN
vars.user = BINDDN
vars.password = BINDPWD
vars.forest = domain.com
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = .../domain.jks
pool.default.ssl.truststore.password =
pool.default.ssl.startTLSProtocol = TLSv1.2
pool.default.connection-options.connectTimeoutMillis = 500
pool.default.serverset.srvrecord.domain-conversion.type = regex
pool.default.serverset.srvrecord.domain-conversion.regex.pattern = ^(?<domain>.*)$
pool.default.serverset.srvrecord.domain-conversion.regex.replacement = GOOD_SITE._sites.${domain}

With this setup, my Python client <https://github.com/fbacchella/ovirtcmd> can connect to ovirt-engine using a Kerberos ticket, and web users are authenticated using CAS. And there is no need to duplicate the user base.
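One check worth running once the Apache block above is in place: the engine's HEADER authn extension (config.artifact.name = HEADER, config.artifact.arg = X-Remote-User) trusts whatever identity arrives in that header, so `RequestHeader unset X-Remote-User early` together with `Require valid-user` on /api is what keeps a client from logging in by sending the header itself. The script below is an added example, not code from the post or from oVirt: it sends an unauthenticated request to /api carrying a forged X-Remote-User and classifies the reply. It assumes the engine host is given on the command line and that, as in the post's config, /api sits behind mod_auth_gssapi, so the only acceptable answer is a 401 with a Negotiate challenge; `someone@DOMAIN` is a placeholder principal chosen to match the post's RewriteCond.

```python
"""Verify the proxy does not let a client supply its own X-Remote-User.

Added example; not part of the original post or of oVirt. With the post's
Apache config an unauthenticated GET on /api must come back as 401 with
WWW-Authenticate: Negotiate, whatever X-Remote-User the client sent.
"""
import http.client
import ssl
from typing import Optional

# Placeholder principal in the realm the post's RewriteCond ^(.*@DOMAIN)$ accepts
FORGED_USER = "someone@DOMAIN"


def verdict(status: int, www_authenticate: Optional[str]) -> str:
    """Classify the reply to an unauthenticated /api request carrying a forged header."""
    if status == 401 and www_authenticate and "negotiate" in www_authenticate.lower():
        return "ok: header ignored, GSSAPI challenge issued"
    if status == 401:
        return "ok: header ignored, but no Negotiate challenge (check mod_auth_gssapi)"
    if 200 <= status < 300:
        return "FAIL: forged X-Remote-User was accepted as a login"
    if 300 <= status < 400:
        return "inconclusive: redirected; re-run against the Location target"
    return f"inconclusive: HTTP {status}"


def check_forged_header(host: str, path: str = "/api/", verify_tls: bool = True) -> str:
    """GET <path> with a forged X-Remote-User and no credentials, then classify the reply."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab only: engine still on a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=5)
    try:
        # No Authorization header, no Kerberos ticket, no session cookie:
        # the forged header is the only "credential" in this request.
        conn.request("GET", path, headers={
            "X-Remote-User": FORGED_USER,
            "Accept": "application/xml",
        })
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return verdict(resp.status, resp.getheader("WWW-Authenticate"))
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # usage: python3 forged_header_check.py engine.domain.com [--insecure]
    result = check_forged_header(sys.argv[1], verify_tls="--insecure" not in sys.argv[2:])
    print(result)
    sys.exit(1 if result.startswith("FAIL") else 0)
```

A 302 means the path landed in the CAS block rather than the GSSAPI one (the web UI redirects to the CAS login); point the script at the API path the LocationMatch actually covers and run it again.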
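The site-scoped SRV lookup and the `dig` check above decide which domain controllers the engine will actually try. The script below is an added example, not code from the post nor from ovirt-engine-extension-aaa-ldap: it builds the `_ldap._tcp.<site>._sites.<domain>` name with the same regex conversion as the configuration (Java's `(?<domain>...)` becomes Python's `(?P<domain>...)`), parses `dig +short ... srv` output into RFC 2782 order, and probes each DC with the same 500 ms connect timeout the configuration sets, so a DC the chosen site still advertises but the engine cannot reach shows up here instead of as a hang in the engine. `GOOD_SITE`, `domain.com` and the dcX/dcY/dcZ hosts are placeholders, and `SAMPLE_DIG_OUTPUT` is a constructed sample in the format `dig +short` prints.

```python
"""Check which domain controllers a site-scoped SRV lookup hands to the engine.

Added example; not part of the original post nor of
ovirt-engine-extension-aaa-ldap. GOOD_SITE, domain.com and the dcX/dcY/dcZ
records are placeholders; SAMPLE_DIG_OUTPUT is a constructed sample in the
format `dig +short <name> srv` prints (priority weight port target).
"""
import re
import socket
import subprocess
from typing import Callable, List, Tuple

# Mirrors pool.default.connection-options.connectTimeoutMillis = 500
CONNECT_TIMEOUT = 0.5

# The extension's domain-conversion pattern is ^(?<domain>.*)$ (Java named
# group); Python spells the same group (?P<domain>...). Same match, same use.
DOMAIN_PATTERN = re.compile(r"^(?P<domain>.*)$")

SrvRecord = Tuple[int, int, int, str]  # priority, weight, port, target host

# Constructed sample: what `dig +short _ldap._tcp.GOOD_SITE._sites.domain.com srv`
# might print for a site with three DCs, deliberately not in RFC 2782 order.
SAMPLE_DIG_OUTPUT = """\
10 100 389 dcZ.domain.com.
0 50 389 dcY.domain.com.
0 100 389 dcX.domain.com.
"""


def site_scoped_srv_name(domain: str, site: str) -> str:
    """Apply the config's replacement, DOMAIN -> SITE._sites.DOMAIN, under the _ldap._tcp prefix."""
    converted = DOMAIN_PATTERN.sub(lambda m: f"{site}._sites.{m.group('domain')}", domain)
    return f"_ldap._tcp.{converted}"


def parse_dig_short(output: str) -> List[SrvRecord]:
    """Parse `dig +short ... srv` lines and order them the way an SRV client would."""
    records: List[SrvRecord] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank line, or dig printed nothing because the name does not exist
        priority, weight, port, target = parts
        records.append((int(priority), int(weight), int(port), target.rstrip(".")))
    # RFC 2782: lowest priority first; within a priority, heavier weight first
    return sorted(records, key=lambda r: (r[0], -r[1]))


def lookup_srv(name: str) -> List[SrvRecord]:
    """Run the dig command from the post (needs dig and DNS access)."""
    out = subprocess.run(["dig", "+short", name, "srv"],
                         capture_output=True, text=True, check=False).stdout
    return parse_dig_short(out)


def tcp_reachable(host: str, port: int, timeout: float = CONNECT_TIMEOUT) -> bool:
    """True if a TCP connection to host:port succeeds within the engine's connect timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(records: List[SrvRecord],
          reachable: Callable[[str, int], bool] = tcp_reachable) -> List[Tuple[str, int, bool]]:
    """Try every DC in the order the engine would and report reachability."""
    return [(host, port, reachable(host, port)) for _, _, port, host in records]


def unreachable_hosts(results: List[Tuple[str, int, bool]]) -> List[str]:
    """DCs the site advertises but the engine cannot reach: wrong site, or a firewall gap."""
    return [host for host, _, ok in results if not ok]


if __name__ == "__main__":
    import sys
    # usage: python3 dc_check.py domain.com GOOD_SITE
    domain, site = sys.argv[1], sys.argv[2]
    results = probe(lookup_srv(site_scoped_srv_name(domain, site)))
    for host, port, ok in results:
        print(f"{host}:{port}  {'reachable' if ok else 'UNREACHABLE'}")
    sys.exit(1 if unreachable_hosts(results) else 0)
```

The probe only checks that port 389 answers; it does not perform the StartTLS upgrade the configuration requires, so a DC that accepts the TCP connection but has no usable certificate still fails later in the engine's own logs.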
participants (1)
- Fabrice Bacchella