Creating new users on oVirt 3.5

Hello,

I have to create some users on my oVirt 3.5 infrastructure. On Friday I was following the instructions on http://www.ovirt.org/LDAP_Quick_Start (LDAP Quick Start), so I correctly created an OpenLDAP server and a Kerberos service, but this morning I read that the instructions are obsolete... Now I'm trying to understand how to implement the new mechanism... but I'm in trouble:

1) run yum install ovirt-engine-extension-aaa-ldap
2) copied files in /etc/ovirt-engine/extensions.d and modified the name in fis.unical.it-auth(n/z).properties
3) copied files in /etc/ovirt-engine/aaa

but now I can't do anything.

Can you help me with newbie instructions to install the aaa-extensions?

Thank you very much
Fedele Stabile

Hi Fedele,

Fedele Stabile wrote on Mon 15. 12. 2014 at 18:05 +0000:
> [snip]

please send your config files (feel free to mask the password).

Update: /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in

Make sure the handler level name is ALL for ENGINE:
---
<file-handler name="ENGINE" autoflush="true">
<level name="ALL"/>
---

Add the following before the <root-logger> line:
---
<logger category="org.ovirt.engineextensions.aaa.ldap">
<level name="ALL"/>
</logger>
---

Flush the engine log (e.g.: > /var/log/ovirt-engine/engine.log)

Restart the engine and send the engine.log; this way we can see what is happening during initialization.

Cheers,

Luf

----- Original Message -----
From: "Fedele Stabile" <fedele.stabile@fis.unical.it>
To: users@ovirt.org
Sent: Monday, December 15, 2014 8:05:28 PM
Subject: [ovirt-users] Creating new users on oVirt 3.5

> [snip]

Hello,

Have you read [1]? We of course need help in improving documentation :)

Can you please send engine.log when starting up the engine so I can see if there are any issues?

Please make sure that at /etc/ovirt-engine/extensions.d you set config.profile.file.1 to an absolute file, /etc/ovirt-engine/aaa/, as we wait for 3.5.1 to support relative names.

The simplest sequence is:
1. copy recursive /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple to /etc/ovirt-engine
2. edit /etc/ovirt-engine/extensions.d/* and replace ../aaa with /etc/ovirt-engine/aaa; this is pending 3.5.1.
3. edit /etc/ovirt-engine/aaa/ldap1.properties and set vars.server, vars.user, vars.password to meet your setup.
4. restart engine.
5. send me engine.log

Regards,
Alon

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...
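The sequence above, scripted as an added example (mine, not code from the thread or from the oVirt project): it applies steps 2 and 3 to a configurable engine config directory and runs a pre-restart check so that a relative profile path or a missing vars.* value is caught before the engine is restarted. It assumes file names from the thread (ldap1.properties, an extensions.d file named ldap1-authn.properties), only the keys the thread names (config.profile.file.N, vars.server, vars.user, vars.password), and paths without whitespace.

```shell
#!/bin/sh
# Added example (mine, not from the thread or the oVirt project): scripts
# Alon's steps 2-3 against a configurable engine config directory and checks
# the result before the engine is restarted. File names (ldap1.properties,
# ldap1-authn.properties) follow the thread; only the keys named there
# (config.profile.file.N, vars.server, vars.user, vars.password) are used.
# Paths are assumed to contain no whitespace.

# Step 2: rewrite relative "../aaa/" profile references to absolute paths,
# since 3.5.0 does not resolve relative names. $1 = engine config directory
# (normally /etc/ovirt-engine; a scratch directory works for a dry run).
fix_profile_paths() {
    conf=$1
    for f in "$conf"/extensions.d/*.properties; do
        [ -f "$f" ] || continue
        # portable in-place edit: write a temp file, then move it over the original
        sed "s|^\(config\.profile\.file\.[0-9]*[[:space:]]*=[[:space:]]*\)\.\./aaa/|\1$conf/aaa/|" \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Pre-restart check: each config.profile.file.N must be absolute and exist,
# and the profile it names must set the three vars.* from step 3.
# Prints every problem found; returns 0 when clean, 1 otherwise.
check_aaa_config() {
    conf=$1
    rc=0
    for f in "$conf"/extensions.d/*.properties; do
        [ -f "$f" ] || continue
        for profile in $(sed -n 's/^config\.profile\.file\.[0-9]*[[:space:]]*=[[:space:]]*//p' "$f"); do
            case $profile in
                /*) ;;
                *)  echo "$f: profile path '$profile' is relative; 3.5.0 needs an absolute path"
                    rc=1; continue ;;
            esac
            if [ ! -f "$profile" ]; then
                echo "$f: profile '$profile' does not exist"; rc=1; continue
            fi
            for key in vars.server vars.user vars.password; do
                grep -q "^$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$profile" ||
                    { echo "$profile: $key is not set"; rc=1; }
            done
        done
    done
    return $rc
}
```

Run `fix_profile_paths /etc/ovirt-engine` and then `check_aaa_config /etc/ovirt-engine` before step 4; a non-zero exit lists exactly what to fix.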

Check out my write-up on AAA, I tried my best to break it down and make it simple:
https://cloudspin.me/ovirt-simple-ldap-aaa/

-----Original Message-----
From: users-bounces@ovirt.org [mailto:users-bounces@ovirt.org] On Behalf Of Alon Bar-Lev
Sent: Tuesday, December 16, 2014 1:49 AM
To: Fedele Stabile
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Creating new users on oVirt 3.5

> [snip]

----- Original Message -----
From: "Donny Davis" <donny@cloudspin.me>
To: "Alon Bar-Lev" <alonbl@redhat.com>, "Fedele Stabile" <fedele.stabile@fis.unical.it>
Cc: users@ovirt.org
Sent: Tuesday, December 16, 2014 4:57:16 PM
Subject: RE: [ovirt-users] Creating new users on oVirt 3.5

> Check out my write-up on AAA, I tried my best to break it down and make it simple

Thanks for the helpful documentation!

> Once again, don't get hung up on the file names, they really only mean something to you. Maybe someone that knows more than me can shed some light on this??

Indeed, the file names are not important; as long as the extension is .properties, the files will be read.

> Important to note that if you use an IP address here you may have TLS problems, and once again I am no pro, but I had problems trying to get TLS and IP addresses to play nice.

Indeed, the certificate should contain the IP address in the subject or subject alternative name in order for the IP to be usable in TLS; this is not specific to this implementation.

> nano ca.pem – This is done on your engine, and you paste the above output into this file

Not sure why you cannot just use ca.pem as-is when using keytool.

Regards,
Alon Bar-Lev.

For the ca.pem, I had to import it from my LDAP server, and this was my method of getting it to the engine. I use nano to create the file. There is probably a better way, but this was for my environment.

-----Original Message-----
From: Alon Bar-Lev [mailto:alonbl@redhat.com]
Sent: Tuesday, December 16, 2014 10:13 AM
To: Donny Davis
Cc: Fedele Stabile; users@ovirt.org
Subject: Re: [ovirt-users] Creating new users on oVirt 3.5

> [snip]

----- Original Message -----
From: "Donny Davis" <donny@cloudspin.me>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "Fedele Stabile" <fedele.stabile@fis.unical.it>, users@ovirt.org
Sent: Tuesday, December 16, 2014 7:19:53 PM
Subject: RE: [ovirt-users] Creating new users on oVirt 3.5

> For the ca.pem, I had to import it from my LDAP server, and this was my method of getting it to the engine. I use nano to create the file. There is probably a better way, but this was for my environment.

Ok, no problem. Usually ssh is better :)

> [snip]