4:57 p.m.
I saw that openldap is now listed as a provider when invoking
engine-manage-domains. I'm eager to find more information about this.
Does anyone know if there is any updated documentation floating around
somewhere ?
Found this: http://www.ovirt.org/LDAP_Quick_Start
But the article seem only half-finished.
Rgds Jonas
6:15 p.m.
On 10/17/2013 09:57 AM, Jonas Israelsson wrote:
I saw that openldap is now listed as a provider when invoking
engine-manage-domains. I'm eager to find more information about this.
Does anyone know if there is any updated documentation floating around
somewhere ?
Found this: http://www.ovirt.org/LDAP_Quick_Start
But the article seem only half-finished.
Rgds Jonas
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
this may help you.
https://bugzilla.redhat.com/show_bug.cgi?id=967327#c4
https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5
help finishing the wiki would be great...
thanks,
Itamar
6:22 p.m.
On 10/17/2013 05:15 PM, Itamar Heim wrote:
On 10/17/2013 09:57 AM, Jonas Israelsson wrote:
> I saw that openldap is now listed as a provider when invoking
> engine-manage-domains. I'm eager to find more information about this.
> Does anyone know if there is any updated documentation floating around
> somewhere ?
>
> Found this: http://www.ovirt.org/LDAP_Quick_Start
>
> But the article seem only half-finished.
>
> Rgds Jonas
>
this may help you.
https://bugzilla.redhat.com/show_bug.cgi?id=967327#c4
https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5
help finishing the wiki would be great...
thanks,
Itamar
I am attaching slightly updated notes on how to configure OpenLDAP and
Kerberos for both Fedora and RHEL/CentOS.
--
Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.
2:17 p.m.
On 17/10/13 17:22, Juan Hernandez wrote:
On 10/17/2013 05:15 PM, Itamar Heim wrote:
> On 10/17/2013 09:57 AM, Jonas Israelsson wrote:
>> I saw that openldap is now listed as a provider when invoking
>> engine-manage-domains. I'm eager to find more information about this.
>> Does anyone know if there is any updated documentation floating around
>> somewhere ?
>>
>> Found this: http://www.ovirt.org/LDAP_Quick_Start
>>
>> But the article seem only half-finished.
>>
>> Rgds Jonas
>>
> this may help you.
> https://bugzilla.redhat.com/show_bug.cgi?id=967327#c4
> https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5
>
> help finishing the wiki would be great...
>
> thanks,
> Itamar
>
I am attaching slightly updated notes on how to configure OpenLDAP and
Kerberos for both Fedora and RHEL/CentOS.
Anyone knows if ovirt is able to handle that the kdc and directory
service are running on separate hosts ? In my environment this is the
case where the kdc is located at a service with it's own name/IP
(admin.elementary.se), and the directory-service on ldap.elementary.se.
Even though I see both names are resolved by a name server lookup a
network sniffer trace shows that later (ldap.elementary.se) used for
both kerberos and ldap access.
Furthermore this (incorrect) configuration file is created
[libdefaults]
default_realm = ELEMENTARY.SE
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1
[realms]
ELEMENTARY.SE = {
kdc = ldap.elementary.se
}
[domain_realm]
elementary.se = ELEMENTARY.SE
In my lab both these services are actually placed on the same physical
server and since the kdc binds to all local interfaces ovirt actually
does reach the kdc via the incorrect name, this is however not the case
later in production.
When trying to add the domain it crashes with the following stack trace
General error has occurednull
java.lang.NegativeArraySizeException
at
sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
at
sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200)
at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)
at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
at
com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)
at
com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)
at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
at
javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
at
org.ovirt.engine.core.ldap.RootDSEData.<init>(RootDSEData.java:52)
at
org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:257)
at
org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:356)
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150)
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135)
at
org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:746)
at
org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:917)
at
org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:539)
at
org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:311)
at
org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:206)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.jboss.modules.Module.run(Module.java:260)
at org.jboss.modules.Main.main(Main.java:291)
Failure while testing domain %1$s. Details: %2$s: One of the parameters
for this error is null and no default message to show
And this gets written to the log
2013-11-18 10:22:12,479 INFO
[org.ovirt.engine.core.domains.ManageDomains] Creating kerberos
configuration for domain(s): elementary.se
2013-11-18 10:22:12,493 INFO
[org.ovirt.engine.core.domains.ManageDomains] Successfully created
kerberos configuration for domain(s): elementary.se
2013-11-18 10:22:12,493 INFO
[org.ovirt.engine.core.domains.ManageDomains] Testing kerberos
configuration for domain: elementary.se
2013-11-18 10:22:12,569 ERROR
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
exception message: Checksum failed
2013-11-18 10:22:12,571 ERROR
[org.ovirt.engine.core.domains.ManageDomains] Failure while testing
domain elementary.se. Details: Kerberos error. Please check log for
further details.
Could this checksum error be a result of the incorrect name being used ?
Rgds Jonas
7:24 p.m.
On 11/18/2013 12:17 PM, Jonas Israelsson wrote:
On 17/10/13 17:22, Juan Hernandez wrote:
> On 10/17/2013 05:15 PM, Itamar Heim wrote:
>> On 10/17/2013 09:57 AM, Jonas Israelsson wrote:
>>> I saw that openldap is now listed as a provider when invoking
>>> engine-manage-domains. I'm eager to find more information about this.
>>> Does anyone know if there is any updated documentation floating around
>>> somewhere ?
>>>
>>> Found this: http://www.ovirt.org/LDAP_Quick_Start
>>>
>>> But the article seem only half-finished.
>>>
>>> Rgds Jonas
>>>
>> this may help you.
>> https://bugzilla.redhat.com/show_bug.cgi?id=967327#c4
>> https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5
>>
>> help finishing the wiki would be great...
>>
>> thanks,
>> Itamar
>>
> I am attaching slightly updated notes on how to configure OpenLDAP and
> Kerberos for both Fedora and RHEL/CentOS.
>
I just updated the wiki with the latest version of the instructions that
I use. I think they work. Any enhancement is welcome.
Anyone knows if ovirt is able to handle that the kdc and directory
service are running on separate hosts ? In my environment this is the
case where the kdc is located at a service with it's own name/IP
(admin.elementary.se), and the directory-service on ldap.elementary.se.
Even though I see both names are resolved by a name server lookup a
network sniffer trace shows that later (ldap.elementary.se) used for
both kerberos and ldap access.
By default oVirt uses the Kerberos and LDAP servers that are provided by
DNS. Can you please check what is the result of the following DNS query?
# dig -t SRV _kerberos._tcp.elementary.se
Furthermore this (incorrect) configuration file is created
[libdefaults]
default_realm = ELEMENTARY.SE
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1
[realms]
ELEMENTARY.SE = {
kdc = ldap.elementary.se
}
[domain_realm]
elementary.se = ELEMENTARY.SE
In my lab both these services are actually placed on the same physical
server and since the kdc binds to all local interfaces ovirt actually
does reach the kdc via the incorrect name, this is however not the case
later in production.
This file is generated from the above mentioned DNS queries. Please let
us know what is the content of your SRV DNS records.
When trying to add the domain it crashes with the following stack
trace
General error has occurednull
java.lang.NegativeArraySizeException
at
sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
at
sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200)
at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)
at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
at
com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)
at
com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)
at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
at
javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
at
org.ovirt.engine.core.ldap.RootDSEData.<init>(RootDSEData.java:52)
at
org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:257)
at
org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:356)
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150)
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135)
at
org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:746)
at
org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:917)
at
org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:539)
at
org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:311)
at
org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:206)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.jboss.modules.Module.run(Module.java:260)
at org.jboss.modules.Main.main(Main.java:291)
Failure while testing domain %1$s. Details: %2$s: One of the parameters
for this error is null and no default message to show
And this gets written to the log
2013-11-18 10:22:12,479 INFO
[org.ovirt.engine.core.domains.ManageDomains] Creating kerberos
configuration for domain(s): elementary.se
2013-11-18 10:22:12,493 INFO
[org.ovirt.engine.core.domains.ManageDomains] Successfully created
kerberos configuration for domain(s): elementary.se
2013-11-18 10:22:12,493 INFO
[org.ovirt.engine.core.domains.ManageDomains] Testing kerberos
configuration for domain: elementary.se
2013-11-18 10:22:12,569 ERROR
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
exception message: Checksum failed
2013-11-18 10:22:12,571 ERROR
[org.ovirt.engine.core.domains.ManageDomains] Failure while testing
domain elementary.se. Details: Kerberos error. Please check log for
further details.
Could this checksum error be a result of the incorrect name being used ?
I don't think so. This is a known problem with the Kerberos
implementation in the Java virtual machine. It generates this error when
the SASL minssf configuration parameter is 0. You should be able to
change this OpenLDAP setting as follows:
# cat > fixssf.ldif <<'.'
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=1
-
.
# ldapmodify -H ldapi:/// -Y EXTERNAL -f fixssf.ldif
--
Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.
9:15 p.m.
I don't think so. This is a known problem with the Kerberos
implementation in the Java virtual machine. It generates this error when
the SASL minssf configuration parameter is 0. You should be able to
change this OpenLDAP setting as follows:
Yes, that seem to do the trick and the
domain now got successfully
added. I have not tried to use it yet though ...
4022
days inactive
4054
days old
5 comments
3 participants
participants (3)
-
Itamar Heim -
Jonas Israelsson -
Juan Hernandez