
I saw that openldap is now listed as a provider when invoking engine-manage-domains. I'm eager to find more information about this. Does anyone know if there is any updated documentation floating around somewhere?
Found this: http://www.ovirt.org/LDAP_Quick_Start
But the article seems only half-finished.
Rgds Jonas

On 10/17/2013 09:57 AM, Jonas Israelsson wrote:
I saw that openldap is now listed as a provider when invoking engine-manage-domains. I'm eager to find more information about this. Does anyone know if there is any updated documentation floating around somewhere?
Found this: http://www.ovirt.org/LDAP_Quick_Start
But the article seems only half-finished.
Rgds Jonas
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
This may help you:
https://bugzilla.redhat.com/show_bug.cgi?id=967327#c4
https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5
Help finishing the wiki would be great...
thanks, Itamar

On 10/17/2013 05:15 PM, Itamar Heim wrote:
This may help you:
https://bugzilla.redhat.com/show_bug.cgi?id=967327#c4
https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5
Help finishing the wiki would be great...
thanks, Itamar
I am attaching slightly updated notes on how to configure OpenLDAP and Kerberos for both Fedora and RHEL/CentOS.
--
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain
Registered in the Madrid Commercial Registry - C.I.F. B82657941 - Red Hat S.L.

On 17/10/13 17:22, Juan Hernandez wrote:
I am attaching slightly updated notes on how to configure OpenLDAP and Kerberos for both Fedora and RHEL/CentOS.
Does anyone know if ovirt is able to handle the kdc and directory service running on separate hosts? In my environment this is the case: the kdc is located at a service with its own name/IP (admin.elementary.se), and the directory service on ldap.elementary.se. Even though I see both names being resolved by a name server lookup, a network sniffer trace shows that the latter (ldap.elementary.se) is used for both kerberos and ldap access.

Furthermore this (incorrect) configuration file is created:

[libdefaults]
  default_realm = ELEMENTARY.SE
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = no
  default_tkt_enctypes = arcfour-hmac-md5
  udp_preference_limit = 1

[realms]
  ELEMENTARY.SE = {
    kdc = ldap.elementary.se
  }

[domain_realm]
  elementary.se = ELEMENTARY.SE

In my lab both these services are actually placed on the same physical server, and since the kdc binds to all local interfaces ovirt actually does reach the kdc via the incorrect name; this will however not be the case later in production.

When trying to add the domain it crashes with the following stack trace:

General error has occurednull
java.lang.NegativeArraySizeException
  at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
  at sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
  at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200)
  at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)
  at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
  at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)
  at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
  at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)
  at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
  at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
  at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
  at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
  at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
  at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
  at org.ovirt.engine.core.ldap.RootDSEData.<init>(RootDSEData.java:52)
  at org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:257)
  at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87)
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.Subject.doAs(Subject.java:356)
  at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
  at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150)
  at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135)
  at org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:746)
  at org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:917)
  at org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:539)
  at org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:311)
  at org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:206)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.lang.reflect.Method.invoke(Method.java:606)
  at org.jboss.modules.Module.run(Module.java:260)
  at org.jboss.modules.Main.main(Main.java:291)
Failure while testing domain %1$s. Details: %2$s: One of the parameters for this error is null and no default message to show

And this gets written to the log:

2013-11-18 10:22:12,479 INFO [org.ovirt.engine.core.domains.ManageDomains] Creating kerberos configuration for domain(s): elementary.se
2013-11-18 10:22:12,493 INFO [org.ovirt.engine.core.domains.ManageDomains] Successfully created kerberos configuration for domain(s): elementary.se
2013-11-18 10:22:12,493 INFO [org.ovirt.engine.core.domains.ManageDomains] Testing kerberos configuration for domain: elementary.se
2013-11-18 10:22:12,569 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Checksum failed
2013-11-18 10:22:12,571 ERROR [org.ovirt.engine.core.domains.ManageDomains] Failure while testing domain elementary.se. Details: Kerberos error. Please check log for further details.

Could this checksum error be a result of the incorrect name being used?
Rgds Jonas

On 11/18/2013 12:17 PM, Jonas Israelsson wrote:
On 17/10/13 17:22, Juan Hernandez wrote:
I am attaching slightly updated notes on how to configure OpenLDAP and Kerberos for both Fedora and RHEL/CentOS.
I just updated the wiki with the latest version of the instructions that I use. I think they work. Any enhancement is welcome.
Does anyone know if ovirt is able to handle the kdc and directory service running on separate hosts? In my environment this is the case: the kdc is located at a service with its own name/IP (admin.elementary.se), and the directory service on ldap.elementary.se. Even though I see both names being resolved by a name server lookup, a network sniffer trace shows that the latter (ldap.elementary.se) is used for both kerberos and ldap access.
By default oVirt uses the Kerberos and LDAP servers that are provided by DNS. Can you please check what is the result of the following DNS query?

# dig -t SRV _kerberos._tcp.elementary.se

Furthermore this (incorrect) configuration file is created:

[libdefaults]
  default_realm = ELEMENTARY.SE
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = no
  default_tkt_enctypes = arcfour-hmac-md5
  udp_preference_limit = 1

[realms]
  ELEMENTARY.SE = {
    kdc = ldap.elementary.se
  }

[domain_realm]
  elementary.se = ELEMENTARY.SE

In my lab both these services are actually placed on the same physical server, and since the kdc binds to all local interfaces ovirt actually does reach the kdc via the incorrect name; this will however not be the case later in production.
This file is generated from the above mentioned DNS queries. Please let us know what is the content of your SRV DNS records.
Could this checksum error be a result of the incorrect name being used?
I don't think so. This is a known problem with the Kerberos implementation in the Java virtual machine. It generates this error when the SASL minssf configuration parameter is 0. You should be able to change this OpenLDAP setting as follows:

# cat > fixssf.ldif <<'.'
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=1
-
.
# ldapmodify -H ldapi:/// -Y EXTERNAL -f fixssf.ldif
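As an added illustration (not code from the thread, from oVirt or from the participants), the script below follows the chain Juan describes: the generated krb5.conf takes its kdc entry from whatever the _kerberos._tcp SRV record returns, so an SRV record pointing at the LDAP host produces exactly the file Jonas pasted. It parses dig's answer section (the dig output here is a constructed sample, not a real lookup), renders a krb5.conf in the same shape, and flags kdc hosts that differ from the ones you expect; the function names are mine.

```python
import re

# Constructed sample of `dig -t SRV _kerberos._tcp.elementary.se` output:
# the preferred (priority 0) record points at the LDAP host, as in the
# thread; a lower-preference record names the real KDC.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_kerberos._tcp.elementary.se. 3600 IN SRV 0 100 88 ldap.elementary.se.
_kerberos._tcp.elementary.se. 3600 IN SRV 10 100 88 admin.elementary.se.
"""

# owner TTL IN SRV priority weight port target
SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")

def parse_srv(dig_output):
    """Return (target, port) pairs from dig's answer section, most preferred first."""
    records = []
    for line in dig_output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            # lower priority wins; among equals, higher weight is preferred
            records.append((int(prio), -int(weight), int(port), target))
    records.sort()
    return [(target, port) for _, _, port, target in records]

def render_krb5_conf(realm, domain, kdc_hosts):
    """Build a krb5.conf in the shape of the generated file quoted above."""
    kdc_lines = "\n".join(f"    kdc = {host}" for host in kdc_hosts)
    return (f"[libdefaults]\n  default_realm = {realm}\n"
            "  dns_lookup_realm = false\n  dns_lookup_kdc = false\n\n"
            f"[realms]\n  {realm} = {{\n{kdc_lines}\n  }}\n\n"
            f"[domain_realm]\n  {domain} = {realm}\n")

def kdcs_in_krb5_conf(text):
    """List the kdc hosts in the [realms] section (any :port suffix dropped)."""
    realms = text.split("[realms]", 1)[1].split("[", 1)[0]
    return re.findall(r"kdc\s*=\s*([^\s:]+)", realms)

def kdc_mismatches(conf_text, expected_kdcs):
    """Hosts krb5.conf will contact as KDC that are not among the KDCs you expect."""
    return sorted(set(kdcs_in_krb5_conf(conf_text)) - set(expected_kdcs))

if __name__ == "__main__":
    hosts = [target for target, _ in parse_srv(SAMPLE_DIG_OUTPUT)]
    conf = render_krb5_conf("ELEMENTARY.SE", "elementary.se", hosts)
    print(conf)
    print("unexpected KDCs:", kdc_mismatches(conf, ["admin.elementary.se"]))
```

Feed it the real `dig` output and the krb5.conf that engine-manage-domains wrote to see which SRV record the wrong kdc line came from.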

I don't think so. This is a known problem with the Kerberos implementation in the Java virtual machine. It generates this error when the SASL minssf configuration parameter is 0. You should be able to change this OpenLDAP setting as follows:

Yes, that seems to do the trick and the domain has now been added successfully. I have not tried to use it yet though ...