9:05 p.m.
Hello,
I have to create some users on my oVirt 3.5 infrastructure.
On FridayI was following istructions on http://www.ovirt.org/LDAP_Quick_Start
LDAP Quick Start
so I correctly created a OpenLDAP server and a Kerberos service, but
this morning I read that the instructions are obsolete...
Now I'm trying to understand how to implement the new mechanism... but I'm
in troubles:
1) run yum install ovirt-engine-extension-aaa-ldap
2) copied files in /etc/ovirt-engine/extensions.d and modified the name in
fis.unical.it-auth(n/z).properties
3) copied files in /etc/ovirt-engine/aaa
but now I can't do anything
Can you help me with newbye instructions to install the aaa-extensions?
Thank you very much
Fedele Stabile
11:23 a.m.
<html><bodyHi Fedele,
Fedele Stabile píše v Po 15. 12. 2014 v 18:05 +0000:
Hello,
I have to create some users on my oVirt 3.5 infrastructure.
On FridayI was following istructions on http://www.ovirt.org/LDAP_Quick_Start
LDAP Quick Start
so I correctly created a OpenLDAP server and a Kerberos service, but
this morning I read that the instructions are obsolete...
Now I'm trying to understand how to implement the new mechanism... but I'm
in troubles:
1) run yum install ovirt-engine-extension-aaa-ldap
2) copied files in /etc/ovirt-engine/extensions.d and modified the name in
fis.unical.it-auth(n/z).properties
3) copied files in /etc/ovirt-engine/aaa
but now I can't do anything
Can you help me with newbye instructions to install the aaa-extensions?
Thank you very much
Fedele Stabile
please send your config files (feel free to mask the password).
Update:
/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
Make sure handle level name is ALL for ENGINE:
---
<file-handler name="ENGINE" autoflush="true">
<level name="ALL"/>
---
Add the following before the <root-logger> line:
---
<logger category="org.ovirt.engineextensions.aaa.ldap">
<level name="ALL"/>
</logger>
---
Flush the engine log (e.g.: > /var/log/ovirt-engine/engine.log)
Restart the engine and send the engine.log, this way we can see what
happening during initialization.
Cheers,
Luf
NOTICE: This email and any attachments may contain confidential and proprietary
information of NetSuite Inc. and is for the sole use of the intended recipient for the
stated purpose. Any improper use or distribution is prohibited. If you are not the
intended recipient, please notify the sender; do not review, copy or distribute; and
promptly delete or destroy all transmitted information. Please note that all
communications and information transmitted through this email system may be monitored by
NetSuite or its agents and that all incoming email is automatically scanned by a third
party spam and filtering service
</body></html>
11:49 a.m.
----- Original Message -----
From: "Fedele Stabile"
<fedele.stabile(a)fis.unical.it>
To: users(a)ovirt.org
Sent: Monday, December 15, 2014 8:05:28 PM
Subject: [ovirt-users] Creating new users on oVirt 3.5
Hello,
I have to create some users on my oVirt 3.5 infrastructure.
On FridayI was following istructions on
http://www.ovirt.org/LDAP_Quick_Start
LDAP Quick Start
so I correctly created a OpenLDAP server and a Kerberos service, but
this morning I read that the instructions are obsolete...
Now I'm trying to understand how to implement the new mechanism... but I'm
in troubles:
1) run yum install ovirt-engine-extension-aaa-ldap
2) copied files in /etc/ovirt-engine/extensions.d and modified the name in
fis.unical.it-auth(n/z).properties
3) copied files in /etc/ovirt-engine/aaa
but now I can't do anything
Can you help me with newbye instructions to install the aaa-extensions?
Thank you very much
Fedele Stabile
Hello,
Have you read[1]?
We of course need help in improving documentation :)
Can you please send engine.log when starting up engine so I can see if there are any
issues?
Please make sure that at /etc/ovirt-engine/extensions.d you set the config.profile.file.1
to absolute file, /etc/ovirt-enigne/aaa/ as we wait for 3.5.1 to support relative names.
The simplest sequence is:
1. copy recursive /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple to
/etc/ovirt-engine
2. edit /etc/ovirt-engine/extension.d/* replace ../aaa to /etc/ovirt-engine/aaa this is
pending 3.5.1.
3. edit /etc/ovirt-engine/aaa/ldap1.properties and set vars.server, vars.user,
vars.password to meet your setup.
4. restart engine.
5. send me engine.log
Regards,
Alon
[1]
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
5:57 p.m.
Check out my write-up on AAA,
I tried my best to break it down, and make it simple
https://cloudspin.me/ovirt-simple-ldap-aaa/
-----Original Message-----
From: users-bounces(a)ovirt.org [mailto:users-bounces@ovirt.org] On Behalf Of
Alon Bar-Lev
Sent: Tuesday, December 16, 2014 1:49 AM
To: Fedele Stabile
Cc: users(a)ovirt.org
Subject: Re: [ovirt-users] Creating new users on oVirt 3.5
----- Original Message -----
From: "Fedele Stabile"
<fedele.stabile(a)fis.unical.it>
To: users(a)ovirt.org
Sent: Monday, December 15, 2014 8:05:28 PM
Subject: [ovirt-users] Creating new users on oVirt 3.5
Hello,
I have to create some users on my oVirt 3.5 infrastructure.
On FridayI was following istructions on
http://www.ovirt.org/LDAP_Quick_Start
LDAP Quick Start
so I correctly created a OpenLDAP server and a Kerberos service, but
this morning I read that the instructions are obsolete...
Now I'm trying to understand how to implement the new mechanism... but
I'm in troubles:
1) run yum install ovirt-engine-extension-aaa-ldap
2) copied files in /etc/ovirt-engine/extensions.d and modified the
name in fis.unical.it-auth(n/z).properties
3) copied files in /etc/ovirt-engine/aaa but now I can't do anything
Can you help me with newbye instructions to install the aaa-extensions?
Thank you very much
Fedele Stabile
Hello,
Have you read[1]?
We of course need help in improving documentation :) Can you please send
engine.log when starting up engine so I can see if there are any issues?
Please make sure that at /etc/ovirt-engine/extensions.d you set the
config.profile.file.1 to absolute file, /etc/ovirt-enigne/aaa/ as we wait
for 3.5.1 to support relative names.
The simplest sequence is:
1. copy recursive /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
to /etc/ovirt-engine 2. edit /etc/ovirt-engine/extension.d/* replace ../aaa
to /etc/ovirt-engine/aaa this is pending 3.5.1.
3. edit /etc/ovirt-engine/aaa/ldap1.properties and set vars.server,
vars.user, vars.password to meet your setup.
4. restart engine.
5. send me engine.log
Regards,
Alon
[1]
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;
f=README;hb=HEAD
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
8:12 p.m.
----- Original Message -----
From: "Donny Davis" <donny(a)cloudspin.me>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>, "Fedele Stabile"
<fedele.stabile(a)fis.unical.it>
Cc: users(a)ovirt.org
Sent: Tuesday, December 16, 2014 4:57:16 PM
Subject: RE: [ovirt-users] Creating new users on oVirt 3.5
Check out my write-up on AAA,
I tried my best to break it down, and make it simple
https://cloudspin.me/ovirt-simple-ldap-aaa/
Thanks for helpful documentation!
Once again, don’t get hung up on the file names, they really only
mean something to you. Maybe someone that knows more than me can shed some light on this??
Indeed the file names are not important as long as the extension is .properties the files
will be read.
Important to note, that if you use an IP Address here you may have
TLS problems, and once again I am no pro, but I had problems trying to get TLS and IP
addresses to play nice
Indeed, the certificate should contain ip address in subject or subject alternate name in
order to ip to be usable in tls, this is not specific to this implementation.
nano ca.pem – This is done on your engine, and you paste the above
output into this file
not sure why you cannot just use ca.pem as-is when using keytool.
Regards,
Alon Bar-Lev.
8:19 p.m.
For the ca.pem, I had to import it from my ldap server, and this was my method of getting
it to the engine.
I use nano to create the file. there is probably a better way, but this was for my
enviroment.
-----Original Message-----
From: Alon Bar-Lev [mailto:alonbl@redhat.com]
Sent: Tuesday, December 16, 2014 10:13 AM
To: Donny Davis
Cc: Fedele Stabile; users(a)ovirt.org
Subject: Re: [ovirt-users] Creating new users on oVirt 3.5
----- Original Message -----
From: "Donny Davis" <donny(a)cloudspin.me>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>, "Fedele Stabile"
<fedele.stabile(a)fis.unical.it>
Cc: users(a)ovirt.org
Sent: Tuesday, December 16, 2014 4:57:16 PM
Subject: RE: [ovirt-users] Creating new users on oVirt 3.5
Check out my write-up on AAA,
I tried my best to break it down, and make it simple
https://cloudspin.me/ovirt-simple-ldap-aaa/
Thanks for helpful documentation!
Once again, don’t get hung up on the file names, they really only
mean something to you. Maybe someone that knows more than me can shed some light on this??
Indeed the file names are not important as long as the extension is .properties the files
will be read.
Important to note, that if you use an IP Address here you may have
TLS problems, and once again I am no pro, but I had problems trying to get TLS and IP
addresses to play nice
Indeed, the certificate should contain ip address in subject or subject alternate name in
order to ip to be usable in tls, this is not specific to this implementation.
nano ca.pem – This is done on your engine, and you paste the above
output into this file
not sure why you cannot just use ca.pem as-is when using keytool.
Regards,
Alon Bar-Lev.
9:20 p.m.
----- Original Message -----
From: "Donny Davis" <donny(a)cloudspin.me>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: "Fedele Stabile" <fedele.stabile(a)fis.unical.it>, users(a)ovirt.org
Sent: Tuesday, December 16, 2014 7:19:53 PM
Subject: RE: [ovirt-users] Creating new users on oVirt 3.5
For the ca.pem, I had to import it from my ldap server, and this was my
method of getting it to the engine.
I use nano to create the file. there is probably a better way, but this was
for my enviroment.
ok, no problem. usually ssh is better :)
-----Original Message-----
From: Alon Bar-Lev [mailto:alonbl@redhat.com]
Sent: Tuesday, December 16, 2014 10:13 AM
To: Donny Davis
Cc: Fedele Stabile; users(a)ovirt.org
Subject: Re: [ovirt-users] Creating new users on oVirt 3.5
----- Original Message -----
> From: "Donny Davis" <donny(a)cloudspin.me>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>, "Fedele Stabile"
> <fedele.stabile(a)fis.unical.it>
> Cc: users(a)ovirt.org
> Sent: Tuesday, December 16, 2014 4:57:16 PM
> Subject: RE: [ovirt-users] Creating new users on oVirt 3.5
>
> Check out my write-up on AAA,
> I tried my best to break it down, and make it simple
>
> https://cloudspin.me/ovirt-simple-ldap-aaa/
Thanks for helpful documentation!
> Once again, don’t get hung up on the file names, they really only mean
> something to you. Maybe someone that knows more than me can shed some
> light on this??
Indeed the file names are not important as long as the extension is
.properties the files will be read.
> Important to note, that if you use an IP Address here you may have TLS
> problems, and once again I am no pro, but I had problems trying to get TLS
> and IP addresses to play nice
Indeed, the certificate should contain ip address in subject or subject
alternate name in order to ip to be usable in tls, this is not specific to
this implementation.
> nano ca.pem – This is done on your engine, and you paste the above output
> into this file
not sure why you cannot just use ca.pem as-is when using keytool.
Regards,
Alon Bar-Lev.
3629
days inactive
3630
days old
6 comments
4 participants
participants (4)
-
Alon Bar-Lev -
Donny Davis -
Fedele Stabile -
Finstrle, Ludek