4:47 p.m.
Below the solution. Resolved By "Alon Bar-Lev" <alonbl(a)redhat.com>
1. install ovirt-engine-extension-aaa-ldap, it is available in
ovirt-3.5-snapshots repository.
2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties
ovirt.engine.extension.name = din-intranet-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties
ovirt.engine.extension.name = din-intranet-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = din.intranet
ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
4. create /etc/ovirt-engine/aaa/din.intranet.properties
include = <ipa.properties>
vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
vars.password = 123456
vars.server = ipa1.din.intranet
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
5. restart engine.
Thanks a lot Alon.
--
Ao encaminhar esta mensagem, por favor:
1. Apague o meu e-mail e o meu nome.
2. Apague também os endereços dos amigos antes de reenviar
3. Use Cco ou Bcc para enviar mensagens!
Dificulte a disseminação de vírus e spam.
2:41 p.m.
New subject: oVirt 3.5 and FreeIpa
This is a multi-part message in MIME format.
--------------090205000802070604090208
Content-Type: text/plain;
charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
On 10/31/2014 02=3A47 PM=2C Marcelo Donato wrote=3A
=3E
=3E Below the solution=2E Resolved By =22Alon Bar-Lev=22 =3Calonbl=40redha=
t=2Ecom
=3E =3Cmailto=3Aalonbl=40redhat=2Ecom=3E=3E
=3E
=3E
=3E 1=2E install ovirt-engine-extension-aaa-ldap=2C it is available in
=3E ovirt-3=2E5-snapshots repository=2E
=3E
=3E 2=2E create /etc/ovirt-engine/extensions=2Ed/din=2Eintranet-authz=2Epro=
perties
=3E
=3E ovirt=2Eengine=2Eextension=2Ename =3Chttp=3A//ovirt=2Eengine=2Eextensio=
n=2Ename/=3E =3D
=3E din-intranet-authz
=3E ovirt=2Eengine=2Eextension=2Ebindings=2Emethod =3D jbossmodule
=3E ovirt=2Eengine=2Eextension=2Ebinding=2Ejbossmodule=2Emodule =3D
=3E org=2Eovirt=2Eengine-extensions=2Eaaa=2Eldap
=3E ovirt=2Eengine=2Eextension=2Ebinding=2Ejbossmodule=2Eclass =3D
=3E org=2Eovirt=2Eengineextensions=2Eaaa=2Eldap=2EAuthzExtension
=3E ovirt=2Eengine=2Eextension=2Eprovides =3D
=3E org=2Eovirt=2Eengine=2Eapi=2Eextensions=2Eaaa=2EAuthz
=3E config=2Eprofile=2Efile=2E1 =3D /etc/ovirt-engine/aaa/din=2Eintranet=2E=
properties
=3E
=3E 3=2E create /etc/ovirt-engine/extensions=2Ed/din=2Eintranet-authn=2Epro=
perties
=3E
=3E ovirt=2Eengine=2Eextension=2Ename =3Chttp=3A//ovirt=2Eengine=2Eextensio=
n=2Ename/=3E =3D
=3E din-intranet-authn
=3E ovirt=2Eengine=2Eextension=2Ebindings=2Emethod =3D jbossmodule
=3E ovirt=2Eengine=2Eextension=2Ebinding=2Ejbossmodule=2Emodule =3D
=3E org=2Eovirt=2Eengine-extensions=2Eaaa=2Eldap
=3E ovirt=2Eengine=2Eextension=2Ebinding=2Ejbossmodule=2Eclass =3D
=3E org=2Eovirt=2Eengineextensions=2Eaaa=2Eldap=2EAuthnExtension
=3E ovirt=2Eengine=2Eextension=2Eprovides =3D
=3E org=2Eovirt=2Eengine=2Eapi=2Eextensions=2Eaaa=2EAuthn
=3E ovirt=2Eengine=2Eaaa=2Eauthn=2Eprofile=2Ename
=3E =3Chttp=3A//ovirt=2Eengine=2Eaaa=2Eauthn=2Eprofile=2Ename/=3E =3D din=
=2Eintranet
=3E ovirt=2Eengine=2Eaaa=2Eauthn=2Eauthz=2Eplugin =3D din-intranet-authz
=3E config=2Eprofile=2Efile=2E1 =3D /etc/ovirt-engine/aaa/din=2Eintranet=2E=
properties
=3E
=3E 4=2E create /etc/ovirt-engine/aaa/din=2Eintranet=2Eproperties
=3E
=3E include =3D =3Cipa=2Eproperties=3E
=3E
=3E vars=2Euser =3D uid=3Dadmin=2Ccn=3Dusers=2Ccn=3Daccounts=2Cdc=3Ddin=2Cd=
c=3Dintranet
=3E vars=2Epassword =3D 123456
=3E vars=2Eserver =3D ipa1=2Edin=2Eintranet
=3E
=3E pool=2Edefault=2Eserverset=2Esingle=2Eserver =3D =24=7Bglobal=3Avars=2E=
server=7D
=3E pool=2Edefault=2Eauth=2Esimple=2EbindDN =3D =24=7Bglobal=3Avars=2Euser=
=7D
=3E pool=2Edefault=2Eauth=2Esimple=2Epassword =3D =24=7Bglobal=3Avars=2Epas=
sword=7D
=3E
=3E 5=2E restart engine=2E
=3E
=3E
=3E Thanks a lot Alon=2E
Thanks for this=2C saved me some time!
Just a couple of addtions=2C please hash the password with SSHA =28I really=
hate plain text admin passwords=2E=2E=2E=29
I tried putting an =7BSSHA=7D encoded password in =22vars=2Epassword =3D=22=
=2C but it
fails to authenticate while plain text works fine=2E
For people with multiple ipa replica=27s I you guess you need to use=3A
Round robin configuration=3A
=09vars=2Eserver1 =3D ipa1=2Edin=2Eintranet
=09=09 vars=2Eserver2 =3D ipa2=2Edin=2Eintranet
=09pool=2Edefault=2Eserverset=2Etype =3D round-robin
=09pool=2Edefault=2Eserverset=2Eround-robin=2E1=2Eserver =3D =24=7Bglob=
al=3Avars=2Eserver1=7D
=09pool=2Edefault=2Eserverset=2Eround-robin=2E2=2Eserver =3D =24=7Bglob=
al=3Avars=2Eserver2=7D
instead of
vars=2Eserver =3D ipa1=2Edin=2Eintranet
pool=2Edefault=2Eserverset=2Esingle=2Eserver =3D =24=7Bglobal=3Avars=2E=
server=7D
But I still have to test that as our second replica is down at the moment=
=2E
Also can we get rid of the internal admin or better just disable
internal authenticationt without problems=3F As we have ipa we don=27t want=
local login enabled=2C but in emergency situations we might need to turn
it on quickly=2E
Kind regards=2C
Met vriendelijke groet=2C With kind regards=2C
Jorick Astrego
Netbulae Virtualization Experts=20
----------------
=09Tel=3A 053 20 30 270 =09info=40netbulae=2Eeu =09Staalsteden 4-3A =09KvK=
08198180
=09Fax=3A 053 20 30 271 =09www=2Enetbulae=2Eeu =097547 TA Enschede =09BTW=
NL821234584B01
----------------
--------------090205000802070604090208
Content-Type: text/html;
charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
=3Chtml=3E
=3Chead=3E
=3Cmeta content=3D=22text/html=3B charset=3Dwindows-1252=22
http-equiv=3D=22Content-Type=22=3E
=3C/head=3E
=3Cbody bgcolor=3D=22=23FFFFFF=22 text=3D=22=23000000=22=3E
=3Cbr=3E
=3Cdiv class=3D=22moz-cite-prefix=22=3EOn 10/31/2014 02=3A47 PM=2C Marc=
elo Donato
wrote=3A=3Cbr=3E
=3C/div=3E
=3Cblockquote
cite=3D=22mid=3ACAPaMScju+7ALzdujfyrAeEBj4xeFcj9K3nGDxeuJQiQJRMgFVQ=40mail=
=2Egmail=2Ecom=22
type=3D=22cite=22=3E
=3Cdiv dir=3D=22ltr=22=3E
=3Cdiv class=3D=22gmail=5Fdefault=22 style=3D=22font-size=3Asmall=
=22=3E=3Cbr=3E
=3C/div=3E
=3Cdiv class=3D=22gmail=5Fdefault=22 style=3D=22font-size=3Asmall=
=22=3E
=3Cdiv class=3D=22gmail=5Fdefault=22=3EBelow the solution=2E Reso=
lved =A0By
=22Alon Bar-Lev=22 =26lt=3B=3Ca moz-do-not-send=3D=22true=22
href=3D=22mailto=3Aalonbl=40redhat=2Ecom=22=3Ealonbl=40redhat=
=2Ecom=3C/a=3E=26gt=3B=3C/div=3E
=3Cdiv class=3D=22gmail=5Fdefault=22=3E=3Cbr=3E
=3C/div=3E
=3Cdiv class=3D=22gmail=5Fdefault=22=3E=3Cbr=3E
=3C/div=3E
=3Cdiv class=3D=22gmail=5Fdefault=22=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E1=2E
install=A0 ovirt-engine-extension-aaa-=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eldap=2C
it is available in ovirt-3=2E5-snapshots repository=2E=3C/spa=
n=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cbr style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3E2=2E
create /etc/ovirt-engine/extensions=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Ed/din=2Eintranet-authz=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eproperties=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cbr style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3E
=3Ca moz-do-not-send=3D=22true=22
href=3D=22http=3A//ovirt=2Eengine=2Eextension=2Ename/=22 targ=
et=3D=22=5Fblank=22
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eovirt=2Eengine=2Eextension=2Ename=3C/a=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E=A0=3D
din-intranet-authz=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Eovirt=2Eengine=2Eextension=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Ebindings=2Emethod
=3D jbossmodule=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Eovirt=2Eengine=2Eextension=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Ebinding=2Ejbossmodule=2Emodule
=3D org=2Eovirt=2Eengine-extensions=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eaaa=2Eldap=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Eovirt=2Eengine=2Eextension=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Ebinding=2Ejbossmodule=2Eclass
=3D org=2Eovirt=2Eengineextensions=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eaaa=2Eldap=2EAuthzExtension=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Eovirt=2Eengine=2Eextension=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eprovides
=3D org=2Eovirt=2Eengine=2Eapi=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eextensions=2Eaaa=2EAuthz=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Econfig=2Eprofile=2Efile=2E1
=3D /etc/ovirt-engine/aaa/din=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eintranet=2Eproperties=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cbr style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3E3=2E
create /etc/ovirt-engine/extensions=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Ed/din=2Eintranet-authn=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eproperties=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cbr style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3E
=3Ca moz-do-not-send=3D=22true=22
href=3D=22http=3A//ovirt=2Eengine=2Eextension=2Ename/=22 targ=
et=3D=22=5Fblank=22
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eovirt=2Eengine=2Eextension=2Ename=3C/a=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E=A0=3D
din-intranet-authn=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Eovirt=2Eengine=2Eextension=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Ebindings=2Emethod
=3D jbossmodule=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Eovirt=2Eengine=2Eextension=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Ebinding=2Ejbossmodule=2Emodule
=3D org=2Eovirt=2Eengine-extensions=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eaaa=2Eldap=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Eovirt=2Eengine=2Eextension=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Ebinding=2Ejbossmodule=2Eclass
=3D org=2Eovirt=2Eengineextensions=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eaaa=2Eldap=2EAuthnExtension=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Eovirt=2Eengine=2Eextension=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eprovides
=3D org=2Eovirt=2Eengine=2Eapi=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eextensions=2Eaaa=2EAuthn=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Ca moz-do-not-send=3D=22true=22
href=3D=22http=3A//ovirt=2Eengine=2Eaaa=2Eauthn=2Eprofile=2En=
ame/=22
target=3D=22=5Fblank=22
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eovirt=2Eengine=2Eaaa=2Eauthn=2Eprofile=2Ename=3C/a=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E=A0=3D
din=2Eintranet=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Eovirt=2Eengine=2Eaaa=2Eauthn=2Eauthz=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eplugin
=3D din-intranet-authz=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Econfig=2Eprofile=2Efile=2E1
=3D /etc/ovirt-engine/aaa/din=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eintranet=2Eproperties=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cbr style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3E4=2E
create /etc/ovirt-engine/aaa/din=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eintranet=2Eproperties=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cbr style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Einclude
=3D =26lt=3Bipa=2Eproperties=26gt=3B=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cbr style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Evars=2Euser
=3D uid=3Dadmin=2Ccn=3Dusers=2Ccn=3D=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eaccounts=2Cdc=3Ddin=2Cdc=3Dintranet=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Evars=2Epassword
=3D 123456=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Evars=2Eserver
=3D ipa1=2Edin=2Eintranet=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cbr style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Epool=2Edefault=2Eserverset=2Esingle=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Eserver
=3D =24=7Bglobal=3Avars=2Eserver=7D=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Epool=2Edefault=2Eauth=2Esimple=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3EbindDN
=3D =24=7Bglobal=3Avars=2Euser=7D=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3Epool=2Edefault=2Eauth=2Esimple=2E=3C/span=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3Epassword
=3D =24=7Bglobal=3Avars=2Epassword=7D=3C/span=3E=3Cbr
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E
=3Cbr style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3E
=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=
=3A13px=22=3E5=2E
restart engine=2E=3C/span=3E=3C/div=3E
=3Cdiv class=3D=22gmail=5Fdefault=22=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E=3Cbr=3E
=3C/span=3E=3C/div=3E
=3Cdiv class=3D=22gmail=5Fdefault=22=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3E=3Cbr=3E
=3C/span=3E=3C/div=3E
=3Cdiv class=3D=22gmail=5Fdefault=22=3E=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13p=
x=22=3EThanks
a lot Alon=2E=3C/span=3E=3C/div=3E
=3C/div=3E
=3C/div=3E
=3C/blockquote=3E
=3Cbr=3E
=3Cbr=3E
=3Cbr=3E
Thanks for this=2C saved me some time! =3Cbr=3E
=3Cbr=3E
Just a couple of addtions=2C please hash the password with SSHA =28I
really hate plain text admin passwords=2E=2E=2E=29 =3Cbr=3E
I tried putting an =7BSSHA=7D encoded password in =22=3Cspan
style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13px=22=3Ev=
ars=2Epassword
=3D=22=3C/span=3E=2C but it fails to authenticate while plain text wo=
rks
fine=2E=3Cbr=3E
=3Cbr=3E
For people with multiple ipa replica=27s I you guess you need to use=3A=
=3Cbr=3E
=3Cbr=3E
=3Cmeta http-equiv=3D=22content-type=22 content=3D=22text/html=3B
charset=3Dwindows-1252=22=3E
=3Cpre style=3D=22box-sizing=3A border-box=3B overflow=3A auto=3B font-=
family=3A Consolas=2C =27Liberation Mono=27=2C Menlo=2C Courier=2C monospac=
e=3B font-size=3A 15px=3B margin-top=3A 0px=3B margin-bottom=3A 0px=3B font=
-style=3A normal=3B font-variant=3A normal=3B font-weight=3A normal=3B line=
-height=3A normal=3B white-space=3A pre-wrap=3B color=3A rgb=2851=2C 51=2C=
51=29=3B letter-spacing=3A normal=3B orphans=3A auto=3B text-align=3A star=
t=3B text-indent=3A 0px=3B text-transform=3A none=3B widows=3A auto=3B word=
-spacing=3A 0px=3B -webkit-text-stroke-width=3A 0px=3B=22=3ERound robin con=
figuration=3A
=09=3Cspan style=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13px=
=22=3Evars=2Eserver1 =3D ipa1=2Edin=2Eintranet
=09=09 vars=2Eserver2 =3D ipa2=2Edin=2Eintranet
=3C/span=3E=09pool=2Edefault=2Eserverset=2Etype =3D round-robin
=09pool=2Edefault=2Eserverset=2Eround-robin=2E1=2Eserver =3D =24=7Bglob=
al=3Avars=2Eserver1=7D
=09pool=2Edefault=2Eserverset=2Eround-robin=2E2=2Eserver =3D =24=7Bglob=
al=3Avars=2Eserver2=7D
=3C/pre=3E
=3Cbr class=3D=22Apple-interchange-newline=22=3E
instead of=3Cbr=3E
=3Cbr=3E
=3Cmeta http-equiv=3D=22content-type=22 content=3D=22text/html=3B
charset=3Dwindows-1252=22=3E
=3Cblockquote=3E
=3Cmeta http-equiv=3D=22content-type=22 content=3D=22text/html=3B
charset=3Dwindows-1252=22=3E
=3Cpre style=3D=22box-sizing=3A border-box=3B overflow=3A auto=3B fon=
t-family=3A Consolas=2C =27Liberation Mono=27=2C Menlo=2C Courier=2C monosp=
ace=3B font-size=3A 15px=3B margin-top=3A 0px=3B margin-bottom=3A 0px=3B fo=
nt-style=3A normal=3B font-variant=3A normal=3B font-weight=3A normal=3B li=
ne-height=3A normal=3B white-space=3A pre-wrap=3B color=3A rgb=2851=2C 51=
=2C 51=29=3B letter-spacing=3A normal=3B orphans=3A auto=3B text-align=3A s=
tart=3B text-indent=3A 0px=3B text-transform=3A none=3B widows=3A auto=3B w=
ord-spacing=3A 0px=3B -webkit-text-stroke-width=3A 0px=3B=22=3E=3Cspan styl=
e=3D=22font-family=3Aarial=2Csans-serif=3Bfont-size=3A13px=22=3Evars=2Eserv=
er =3D ipa1=2Edin=2Eintranet=3C/span=3E
pool=2Edefault=2Eserverset=2Esingle=2Eserver =3D =24=7Bglobal=3Avars=2Eserv=
er=7D
=3C/pre=3E
=3C/blockquote=3E
But I still have to test that as our second replica is down at the
moment=2E=3Cbr=3E
=3Cbr=3E
Also can we get rid of the internal admin or better just disable
internal authenticationt without problems=3F As we have ipa we don=27t=
want local login enabled=2C but in emergency situations we might need=
to turn it on quickly=2E=3Cbr=3E
=3Cbr=3E
=3Cbr=3E
=3Cbr=3E
=3Cbr=3E
Kind regards=2C=3Cbr=3E
=20=
=3CBR /=3E
=3CBR /=3E
=3Cb style=3D=22color=3A=23604c78=22=3E=3C/b=3E=3Cbr=3E=3Cspan style=3D=22c=
olor=3A=23604c78=3B=22=3E=3Cfont color=3D=22000000=22=3E=3Cspan style=3D=22=
mso-fareast-language=3Aen-gb=3B=22 lang=3D=22NL=22=3EMet vriendelijke groet=
=2C With kind regards=2C=3Cbr=3E=3Cbr=3E=3C/span=3EJorick Astrego=3C/font=
=3E=3C/span=3E=3Cb style=3D=22color=3A=23604c78=22=3E=3Cbr=3E=3Cbr=3ENetbul=
ae Virtualization Experts =3C/b=3E=3Cbr=3E=3Chr style=3D=22border=3Anone=3B=
border-top=3A1px solid =23ccc=3B=22=3E=3Ctable style=3D=22width=3A 522px=22=
=3E=3Ctbody=3E=3Ctr=3E=3Ctd style=3D=22width=3A 130px=3Bfont-size=3A 10px=
=22=3ETel=3A 053 20 30 270=3C/td=3E =3Ctd style=3D=22width=3A 130px=3Bf=
ont-size=3A 10px=22=3Einfo=40netbulae=2Eeu=3C/td=3E =3Ctd style=3D=22wid=
th=3A 130px=3Bfont-size=3A 10px=22=3EStaalsteden 4-3A=3C/td=3E =3Ctd sty=
le=3D=22width=3A 130px=3Bfont-size=3A 10px=22=3EKvK 08198180=3C/td=3E=3C/tr=
=3E=3Ctr=3E =3Ctd style=3D=22width=3A 130px=3Bfont-size=3A 10px=22=3EFax=
=3A 053 20 30 271=3C/td=3E =3Ctd style=3D=22width=3A 130px=3Bfont-size=
=3A 10px=22=3Ewww=2Enetbulae=2Eeu=3C/td=3E =3Ctd style=3D=22width=3A 130=
px=3Bfont-size=3A 10px=22=3E7547 TA Enschede=3C/td=3E =3Ctd style=3D=22w=
idth=3A 130px=3Bfont-size=3A 10px=22=3EBTW NL821234584B01=3C/td=3E=3C/tr=3E=
=3C/tbody=3E=3C/table=3E=3Cbr=3E=3Chr style=3D=22border=3Anone=3Bborder-top=
=3A1px solid =23ccc=3B=22=3E=3CBR /=3E
=3C/body=3E
=3C/html=3E
--------------090205000802070604090208--
2:59 p.m.
New subject: oVirt 3.5 and FreeIpa
----- Original Message -----
From: "Jorick Astrego" <j.astrego(a)netbulae.eu>
To: users(a)ovirt.org
Sent: Thursday, January 22, 2015 1:41:40 PM
Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
On 10/31/2014 02:47 PM, Marcelo Donato wrote:
Below the solution. Resolved By "Alon Bar-Lev" < alonbl(a)redhat.com >
1. install ovirt-engine-extension-aaa- ldap, it is available in
ovirt-3.5-snapshots repository.
2. create /etc/ovirt-engine/extensions. d/din.intranet-authz. properties
ovirt.engine.extension.name = din-intranet-authz
ovirt.engine.extension. bindings.method = jbossmodule
ovirt.engine.extension. binding.jbossmodule.module =
org.ovirt.engine-extensions. aaa.ldap
ovirt.engine.extension. binding.jbossmodule.class =
org.ovirt.engineextensions. aaa.ldap.AuthzExtension
ovirt.engine.extension. provides = org.ovirt.engine.api. extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/din. intranet.properties
3. create /etc/ovirt-engine/extensions. d/din.intranet-authn. properties
ovirt.engine.extension.name = din-intranet-authn
ovirt.engine.extension. bindings.method = jbossmodule
ovirt.engine.extension. binding.jbossmodule.module =
org.ovirt.engine-extensions. aaa.ldap
ovirt.engine.extension. binding.jbossmodule.class =
org.ovirt.engineextensions. aaa.ldap.AuthnExtension
ovirt.engine.extension. provides = org.ovirt.engine.api. extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = din.intranet
ovirt.engine.aaa.authn.authz. plugin = din-intranet-authz
config.profile.file.1 = /etc/ovirt-engine/aaa/din. intranet.properties
4. create /etc/ovirt-engine/aaa/din. intranet.properties
include = <ipa.properties>
vars.user = uid=admin,cn=users,cn= accounts,dc=din,dc=intranet
vars.password = 123456
vars.server = ipa1.din.intranet
pool.default.serverset.single. server = ${global:vars.server}
pool.default.auth.simple. bindDN = ${global:vars.user}
pool.default.auth.simple. password = ${global:vars.password}
5. restart engine.
Thanks a lot Alon.
Thanks for this, saved me some time!
Just a couple of addtions, please hash the password with SSHA (I really hate
plain text admin passwords...)
I tried putting an {SSHA} encoded password in " vars.password =" , but it
fails to authenticate while plain text works fine.
I am unsure I understand.
using hash to store password hint at server side makes sense.
but using hash to store password at client side does not makes sens, this means that if I
get the server database I can authenticate to any user without knowing his password.
Also, please note that the user you specify within configuration should not have any
special privilege but to query public objects within ldap.
For people with multiple ipa replica's I you guess you need to
use:
Round robin configuration: vars.server1 = ipa1.din.intranet
vars.server2 = ipa2.din.intranet pool.default.serverset.type =
round-robin
pool.default.serverset.round-robin.1.server = ${global:vars.server1}
pool.default.serverset.round-robin.2.server = ${global:vars.server2}
instead of
vars.server = ipa1.din.intranet pool.default.serverset.single.server =
${global:vars.server}
But I still have to test that as our second replica is down at the moment.
Correct, there are multiple policies for you to choose from.
Also can we get rid of the internal admin or better just disable
internal
authenticationt without problems? As we have ipa we don't want local login
enabled, but in emergency situations we might need to turn it on quickly.
Yes, you can disable the internal by creating
/etc/ovirt-engine/engine.conf.d/50-disable-internal.conf
---
ENGINE_EXTENSION_ENABLED_builtin-authn-internal = false
---
Hmmm.... we have a bug in this case... will fix, so let's just disable the authz for
now.
---
ENGINE_EXTENSION_ENABLED_internal = false
---
Regards,
Alon
3:09 p.m.
New subject: oVirt 3.5 and FreeIpa
This is a multi-part message in MIME format.
------------MIME-294424302-1441597959-delim
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
On 01/22/2015 12=3A59 PM=2C Alon Bar-Lev wrote=3A
=3E
=3E ----- Original Message -----
=3E=3E From=3A =22Jorick Astrego=22 =3Cj=2Eastrego=40netbulae=2Eeu=3E
=3E=3E To=3A users=40ovirt=2Eorg
=3E=3E Sent=3A Thursday=2C January 22=2C 2015 1=3A41=3A40 PM
=3E=3E Subject=3A Re=3A =5Bovirt-users=5D oVirt 3=2E5 and FreeIpa
=3E=3E
=3E=3E
=3E=3E On 10/31/2014 02=3A47 PM=2C Marcelo Donato wrote=3A
=3E=3E
=3E=3E
=3E=3E
=3E=3E
=3E=3E Below the solution=2E Resolved By =22Alon Bar-Lev=22 =3C alonbl=40re=
dhat=2Ecom =3E
=3E=3E
=3E=3E
=3E=3E 1=2E install ovirt-engine-extension-aaa- ldap=2C it is available in=
=3E=3E ovirt-3=2E5-snapshots repository=2E
=3E=3E
=3E=3E 2=2E create /etc/ovirt-engine/extensions=2E d/din=2Eintranet-authz=
=2E properties
=3E=3E
=3E=3E ovirt=2Eengine=2Eextension=2Ename =3D din-intranet-authz
=3E=3E ovirt=2Eengine=2Eextension=2E bindings=2Emethod =3D jbossmodule
=3E=3E ovirt=2Eengine=2Eextension=2E binding=2Ejbossmodule=2Emodule =3D
=3E=3E org=2Eovirt=2Eengine-extensions=2E aaa=2Eldap
=3E=3E ovirt=2Eengine=2Eextension=2E binding=2Ejbossmodule=2Eclass =3D
=3E=3E org=2Eovirt=2Eengineextensions=2E aaa=2Eldap=2EAuthzExtension
=3E=3E ovirt=2Eengine=2Eextension=2E provides =3D org=2Eovirt=2Eengine=2Eap=
i=2E extensions=2Eaaa=2EAuthz
=3E=3E config=2Eprofile=2Efile=2E1 =3D /etc/ovirt-engine/aaa/din=2E intrane=
t=2Eproperties
=3E=3E
=3E=3E 3=2E create /etc/ovirt-engine/extensions=2E d/din=2Eintranet-authn=
=2E properties
=3E=3E
=3E=3E ovirt=2Eengine=2Eextension=2Ename =3D din-intranet-authn
=3E=3E ovirt=2Eengine=2Eextension=2E bindings=2Emethod =3D jbossmodule
=3E=3E ovirt=2Eengine=2Eextension=2E binding=2Ejbossmodule=2Emodule =3D
=3E=3E org=2Eovirt=2Eengine-extensions=2E aaa=2Eldap
=3E=3E ovirt=2Eengine=2Eextension=2E binding=2Ejbossmodule=2Eclass =3D
=3E=3E org=2Eovirt=2Eengineextensions=2E aaa=2Eldap=2EAuthnExtension
=3E=3E ovirt=2Eengine=2Eextension=2E provides =3D org=2Eovirt=2Eengine=2Eap=
i=2E extensions=2Eaaa=2EAuthn
=3E=3E ovirt=2Eengine=2Eaaa=2Eauthn=2Eprofile=2Ename =3D din=2Eintranet
=3E=3E ovirt=2Eengine=2Eaaa=2Eauthn=2Eauthz=2E plugin =3D din-intranet-auth=
z
=3E=3E config=2Eprofile=2Efile=2E1 =3D /etc/ovirt-engine/aaa/din=2E intrane=
t=2Eproperties
=3E=3E
=3E=3E 4=2E create /etc/ovirt-engine/aaa/din=2E intranet=2Eproperties
=3E=3E
=3E=3E include =3D =3Cipa=2Eproperties=3E
=3E=3E
=3E=3E vars=2Euser =3D uid=3Dadmin=2Ccn=3Dusers=2Ccn=3D accounts=2Cdc=3Ddin=
=2Cdc=3Dintranet
=3E=3E vars=2Epassword =3D 123456
=3E=3E vars=2Eserver =3D ipa1=2Edin=2Eintranet
=3E=3E
=3E=3E pool=2Edefault=2Eserverset=2Esingle=2E server =3D =24=7Bglobal=3Avar=
s=2Eserver=7D
=3E=3E pool=2Edefault=2Eauth=2Esimple=2E bindDN =3D =24=7Bglobal=3Avars=2Eu=
ser=7D
=3E=3E pool=2Edefault=2Eauth=2Esimple=2E password =3D =24=7Bglobal=3Avars=
=2Epassword=7D
=3E=3E
=3E=3E 5=2E restart engine=2E
=3E=3E
=3E=3E
=3E=3E Thanks a lot Alon=2E
=3E=3E
=3E=3E
=3E=3E
=3E=3E Thanks for this=2C saved me some time!
=3E=3E
=3E=3E Just a couple of addtions=2C please hash the password with SSHA =28I=
really hate
=3E=3E plain text admin passwords=2E=2E=2E=29
=3E=3E I tried putting an =7BSSHA=7D encoded password in =22 vars=2Epasswor=
d =3D=22 =2C but it
=3E=3E fails to authenticate while plain text works fine=2E
=3E I am unsure I understand=2E
=3E using hash to store password hint at server side makes sense=2E
=3E but using hash to store password at client side does not makes sens=2C=
this means that if I get the server database I can authenticate to any use=
r without knowing his password=2E
=3E
=3E Also=2C please note that the user you specify within configuration shou=
ld not have any special privilege but to query public objects within ldap=
=2E
I don=27t like storing plain text in textfiles=2C so I try to avoid it=2E E=
ven
if it is a read only user there are no =22public=22 objects that I like to=
expose to anyone=2E I can query groups=2C group members=2C e-mail addresses=
=2C
krbPasswordExpiration=2C krbLastPwdChange etc=2E with this user=2E
So that=27s why I try to have the bind user password hashed in the
properties file=2E
=3E=3E For people with multiple ipa replica=27s I you guess you need to use=
=3A
=3E=3E
=3E=3E Round robin configuration=3A vars=2Eserver1 =3D ipa1=2Edin=2Eintrane=
t
=3E=3E =09=09 vars=2Eserver2 =3D ipa2=2Edin=2Eintranet pool=2Edefault=2Ese=
rverset=2Etype =3D
=3E=3E =09=09 round-robin
=3E=3E =09pool=2Edefault=2Eserverset=2Eround-robin=2E1=2Eserver =3D=20=
=24=7Bglobal=3Avars=2Eserver1=7D
=3E=3E =09pool=2Edefault=2Eserverset=2Eround-robin=2E2=2Eserver =3D=20=
=24=7Bglobal=3Avars=2Eserver2=7D
=3E=3E
=3E=3E instead of
=3E=3E
=3E=3E vars=2Eserver =3D ipa1=2Edin=2Eintranet pool=2Edefault=2Eserverset=
=2Esingle=2Eserver =3D
=3E=3E =24=7Bglobal=3Avars=2Eserver=7D
=3E=3E But I still have to test that as our second replica is down at the m=
oment=2E
=3E Correct=2C there are multiple policies for you to choose from=2E
=3E
=3E=3E Also can we get rid of the internal admin or better just disable int=
ernal
=3E=3E authenticationt without problems=3F As we have ipa we don=27t want l=
ocal login
=3E=3E enabled=2C but in emergency situations we might need to turn it on q=
uickly=2E
=3E Yes=2C you can disable the internal by creating /etc/ovirt-engine/engin=
e=2Econf=2Ed/50-disable-internal=2Econf
=3E ---
=3E ENGINE=5FEXTENSION=5FENABLED=5Fbuiltin-authn-internal =3D false
=3E ---
=3E
=3E Hmmm=2E=2E=2E=2E we have a bug in this case=2E=2E=2E will fix=2C so let=
=27s just disable the authz for now=2E
=3E ---
=3E ENGINE=5FEXTENSION=5FENABLED=5Finternal =3D false
=3E ---
=3E
=3E Regards=2C
=3E Alon
thanks! that will work=2E
Met vriendelijke groet=2C With kind regards=2C
Jorick Astrego
Netbulae Virtualization Experts=20
----------------
=09Tel=3A 053 20 30 270 =09info=40netbulae=2Eeu =09Staalsteden 4-3A =09KvK=
08198180
=09Fax=3A 053 20 30 271 =09www=2Enetbulae=2Eeu =097547 TA Enschede =09BTW=
NL821234584B01
----------------
------------MIME-294424302-1441597959-delim
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
=3Chtml=3E
=3Cbody=3E
<br>
On 01/22/2015 12:59 PM, Alon Bar-Lev wrote: <br>
<font color=3D"#000000">> </font
<br>
<font color=3D"#000000">>
----- Original Message ----- </font<br>
<font color=3D"#000000">>> From: "Jorick
Astrego" <j.ast=
rego@<a
href=3D"mailto:netbulae.eu">netbulae.eu</a>> </font<br>
<font
color=3D"#000000">>> To: users@<a
href=3D"mailto:ovirt.org">ovi=
rt.org</a> </font<br>
<font
color=3D"#000000">>> Sent: Thursday, January 22, 2015 1:41:40
P=
M </font<br>
<font
color=3D"#000000">>> Subject: Re: [ovirt-users] oVirt 3.5 and
F=
reeIpa </font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> On 10/31/2014 02:47 PM, Marcelo Donato
wro=
te: </font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> Below the solution. Resolved By
"Alon=
Bar-Lev" < alonbl@<a
href=3D"mailto:redhat.com">redhat.com</a>&nbs=
p;> </font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> 1. install ovirt-engine-extension-aaa-
lda=
p, it is available in </font<br>
<font color=3D"#000000">>> ovirt-3.5-snapshots
repository. </font=
<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> 2. create /etc/ovirt-engine/extensions.
d/=
din.intranet-authz. properties </font<br>
<font color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> ovirt.engine.extension.name =3D
din-intran=
et-authz </font<br>
<font
color=3D"#000000">>> ovirt.engine.extension. bindings.method =
=3D jbossmodule </font<br>
<font
color=3D"#000000">>> ovirt.engine.extension.
binding.jbossmodul=
e.module =3D </font<br>
<font
color=3D"#000000">>> org.ovirt.engine-extensions.
aaa.ldap =
</font<br>
<font
color=3D"#000000">>> ovirt.engine.extension.
binding.jbossmodul=
e.class =3D </font<br>
<font
color=3D"#000000">>> org.ovirt.engineextensions.
aaa.ldap.Authz=
Extension </font<br>
<font
color=3D"#000000">>> ovirt.engine.extension. provides =3D
org.o=
virt.engine.api. extensions.aaa.Authz </font<br>
<font color=3D"#000000">>> config.profile.file.1 =3D
/etc/ovirt-engin=
e/aaa/din. intranet.properties </font<br>
<font color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> 3. create /etc/ovirt-engine/extensions.
d/=
din.intranet-authn. properties </font<br>
<font color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> ovirt.engine.extension.name =3D
din-intran=
et-authn </font<br>
<font
color=3D"#000000">>> ovirt.engine.extension. bindings.method =
=3D jbossmodule </font<br>
<font
color=3D"#000000">>> ovirt.engine.extension.
binding.jbossmodul=
e.module =3D </font<br>
<font
color=3D"#000000">>> org.ovirt.engine-extensions.
aaa.ldap =
</font<br>
<font
color=3D"#000000">>> ovirt.engine.extension.
binding.jbossmodul=
e.class =3D </font<br>
<font
color=3D"#000000">>> org.ovirt.engineextensions.
aaa.ldap.Authn=
Extension </font<br>
<font
color=3D"#000000">>> ovirt.engine.extension. provides =3D
org.o=
virt.engine.api. extensions.aaa.Authn </font<br>
<font color=3D"#000000">>>
ovirt.engine.aaa.authn.profile.name =3D di=
n.intranet </font<br>
<font
color=3D"#000000">>> ovirt.engine.aaa.authn.authz. plugin =3D
d=
in-intranet-authz </font<br>
<font color=3D"#000000">>> config.profile.file.1 =3D
/etc/ovirt-engin=
e/aaa/din. intranet.properties </font<br>
<font color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> 4. create /etc/ovirt-engine/aaa/din.
intra=
net.properties </font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> include =3D
<ipa.properties> </f=
ont<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> vars.user =3D
uid=3Dadmin,cn=3Dusers,cn=3D=
accounts,dc=3Ddin,dc=3Dintranet </font<br>
<font color=3D"#000000">>> vars.password =3D
123456 </font<br>
<font
color=3D"#000000">>> vars.server =3D
ipa1.din.intranet </fo=
nt<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> pool.default.serverset.single. server =3D
=
${global:vars.server} </font<br>
<font color=3D"#000000">>> pool.default.auth.simple.
bindDN =3D ${glo=
bal:vars.user} </font<br>
<font
color=3D"#000000">>> pool.default.auth.simple. password =3D
${g=
lobal:vars.password} </font<br>
<font color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> 5. restart engine. </font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> Thanks a lot Alon. </font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> Thanks for this, saved me some
time! <=
/font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> Just a couple of addtions, please hash
the=
password with SSHA (I really hate </font<br>
<font color=3D"#000000">>> plain text admin
passwords...) </font>=
<br>
<font color=3D"#000000">>> I tried putting an {SSHA} encoded
password=
in " vars.password =3D" , but it </font<br>
<font
color=3D"#000000">>> fails to authenticate while plain text
wor=
ks fine. </font<br>
<font
color=3D"#000000">> I am unsure I understand. </font<br>
<font color=3D"#000000">>
using hash to store password hint at server si=
de makes sense. </font<br>
<font
color=3D"#000000">> but using hash to store password at client sid=
e does not makes sens, this means that if I get the server database I can a=
uthenticate to any user without knowing his password. </font<br>
<font
color=3D"#000000">> </font<br>
<font color=3D"#000000">> Also, please note that the user you
specify wi=
thin configuration should not have any special privilege but to query publi=
c objects within ldap. </font<br>
I don't like storing plain text in textfiles, so I try to avoid it.
Even=
3;<br>
if it is a read only user there are no "public" objects that I li=
ke to <br>
expose to anyone. I can query groups, group members, e-mail addresses, =
<br>
krbPasswordExpiration, krbLastPwdChange etc. with this user. <br>
<br>
So that's why I try to have the bind user password hashed in the <br>
properties file. <br>
<font color=3D"#000000">>> For people with multiple ipa
replica's I y=
ou guess you need to use: </font<br>
<font color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> Round robin configuration: vars.server1 =
=3D ipa1.din.intranet </font<br>
<font
color=3D"#000000">>> &=
nbsp; vars.server2
=3D ipa2.din.i=
ntranet pool.default.serverset.type =3D </font<br>
<font
color=3D"#000000">>> &=
nbsp;
round-robin </font<br>
<font
color=3D"#000000">>> pool.de=
fault.serverset.round-robin.1.server =3D ${global:vars.server1} </font>=
<br>
<font
color=3D"#000000">>> pool.de=
fault.serverset.round-robin.2.server =3D ${global:vars.server2} </font>=
<br>
<font color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> instead of </font<br>
<font
color=3D"#000000">>> </font<br>
<font
color=3D"#000000">>> vars.server =3D ipa1.din.intranet
pool.def=
ault.serverset.single.server =3D </font<br>
<font color=3D"#000000">>>
${global:vars.server} </font<br>
<font color=3D"#000000">>> But I still have to test
that as our secon=
d replica is down at the moment. </font<br>
<font color=3D"#000000">> Correct, there are multiple
policies for you t=
o choose from. </font<br>
<font
color=3D"#000000">> </font<br>
<font color=3D"#000000">>> Also can we get rid of the
internal admin =
or better just disable internal </font<br>
<font color=3D"#000000">>> authenticationt
</font<br>
without problems? As we
have ipa we don't want local login <br>
<font color=3D"#000000">>> enabled, but in emergency
situations we mi=
ght need to turn it on quickly. </font<br>
<font color=3D"#000000">> Yes, you can disable the internal
by creating =
/etc/ovirt-engine/engine.conf.d/50-disable-internal.conf </font<br>
<font color=3D"#000000">>
--- </font<br>
<font
color=3D"#000000">> ENGINE_EXTENSION_ENABLED_builtin-authn-interna=
l =3D false </font<br>
<font
color=3D"#000000">> --- </font<br>
<font color=3D"#000000">> </font<br>
<font color=3D"#000000">>
Hmmm.... we have a bug in this case... will fi=
x, so let's just disable the authz for now. </font<br>
<font color=3D"#000000">>
--- </font<br>
<font
color=3D"#000000">> ENGINE_EXTENSION_ENABLED_internal =3D
false=
3;</font<br>
<font
color=3D"#000000">> --- </font<br>
<font color=3D"#000000">> </font<br>
<font color=3D"#000000">>
Regards, </font<br>
<font
color=3D"#000000">> Alon </font<br>
thanks! that will work. <br>
<br>
<br>
=
=3CBR /=3E
=3CBR /=3E
=3Cb style=3D=22color=3A=23604c78=22=3E=3C/b=3E=3Cbr=3E=3Cspan style=3D=22c=
olor=3A=23604c78=3B=22=3E=3Cfont color=3D=22000000=22=3E=3Cspan style=3D=22=
mso-fareast-language=3Aen-gb=3B=22 lang=3D=22NL=22=3EMet vriendelijke groet=
=2C With kind regards=2C=3Cbr=3E=3Cbr=3E=3C/span=3EJorick Astrego=3C/font=
=3E=3C/span=3E=3Cb style=3D=22color=3A=23604c78=22=3E=3Cbr=3E=3Cbr=3ENetbul=
ae Virtualization Experts =3C/b=3E=3Cbr=3E=3Chr style=3D=22border=3Anone=3B=
border-top=3A1px solid =23ccc=3B=22=3E=3Ctable style=3D=22width=3A 522px=22=
=3E=3Ctbody=3E=3Ctr=3E=3Ctd style=3D=22width=3A 130px=3Bfont-size=3A 10px=
=22=3ETel=3A 053 20 30 270=3C/td=3E =3Ctd style=3D=22width=3A 130px=3Bf=
ont-size=3A 10px=22=3Einfo=40netbulae=2Eeu=3C/td=3E =3Ctd style=3D=22wid=
th=3A 130px=3Bfont-size=3A 10px=22=3EStaalsteden 4-3A=3C/td=3E =3Ctd sty=
le=3D=22width=3A 130px=3Bfont-size=3A 10px=22=3EKvK 08198180=3C/td=3E=3C/tr=
=3E=3Ctr=3E =3Ctd style=3D=22width=3A 130px=3Bfont-size=3A 10px=22=3EFax=
=3A 053 20 30 271=3C/td=3E =3Ctd style=3D=22width=3A 130px=3Bfont-size=
=3A 10px=22=3Ewww=2Enetbulae=2Eeu=3C/td=3E =3Ctd style=3D=22width=3A 130=
px=3Bfont-size=3A 10px=22=3E7547 TA Enschede=3C/td=3E =3Ctd style=3D=22w=
idth=3A 130px=3Bfont-size=3A 10px=22=3EBTW NL821234584B01=3C/td=3E=3C/tr=3E=
=3C/tbody=3E=3C/table=3E=3Cbr=3E=3Chr style=3D=22border=3Anone=3Bborder-top=
=3A1px solid =23ccc=3B=22=3E=3CBR /=3E
=3C/body=3E
=3C/html=3E
------------MIME-294424302-1441597959-delim--
3:13 p.m.
New subject: oVirt 3.5 and FreeIpa
----- Original Message -----
From: "Jorick Astrego" <j.astrego(a)netbulae.eu>
To: users(a)ovirt.org
Sent: Thursday, January 22, 2015 2:09:18 PM
Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
On 01/22/2015 12:59 PM, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Jorick Astrego" <j.astrego@ netbulae.eu >
>> To: users@ ovirt.org
>> Sent: Thursday, January 22, 2015 1:41:40 PM
>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>>
>>
>> On 10/31/2014 02:47 PM, Marcelo Donato wrote:
>>
>>
>>
>>
>> Below the solution. Resolved By "Alon Bar-Lev" < alonbl@ redhat.com
>
>>
>>
>> 1. install ovirt-engine-extension-aaa- ldap, it is available in
>> ovirt-3.5-snapshots repository.
>>
>> 2. create /etc/ovirt-engine/extensions. d/din.intranet-authz. properties
>>
>> ovirt.engine.extension.name = din-intranet-authz
>> ovirt.engine.extension. bindings.method = jbossmodule
>> ovirt.engine.extension. binding.jbossmodule.module =
>> org.ovirt.engine-extensions. aaa.ldap
>> ovirt.engine.extension. binding.jbossmodule.class =
>> org.ovirt.engineextensions. aaa.ldap.AuthzExtension
>> ovirt.engine.extension. provides = org.ovirt.engine.api.
>> extensions.aaa.Authz
>> config.profile.file.1 = /etc/ovirt-engine/aaa/din. intranet.properties
>>
>> 3. create /etc/ovirt-engine/extensions. d/din.intranet-authn. properties
>>
>> ovirt.engine.extension.name = din-intranet-authn
>> ovirt.engine.extension. bindings.method = jbossmodule
>> ovirt.engine.extension. binding.jbossmodule.module =
>> org.ovirt.engine-extensions. aaa.ldap
>> ovirt.engine.extension. binding.jbossmodule.class =
>> org.ovirt.engineextensions. aaa.ldap.AuthnExtension
>> ovirt.engine.extension. provides = org.ovirt.engine.api.
>> extensions.aaa.Authn
>> ovirt.engine.aaa.authn.profile.name = din.intranet
>> ovirt.engine.aaa.authn.authz. plugin = din-intranet-authz
>> config.profile.file.1 = /etc/ovirt-engine/aaa/din. intranet.properties
>>
>> 4. create /etc/ovirt-engine/aaa/din. intranet.properties
>>
>> include = <ipa.properties>
>>
>> vars.user = uid=admin,cn=users,cn= accounts,dc=din,dc=intranet
>> vars.password = 123456
>> vars.server = ipa1.din.intranet
>>
>> pool.default.serverset.single. server = ${global:vars.server}
>> pool.default.auth.simple. bindDN = ${global:vars.user}
>> pool.default.auth.simple. password = ${global:vars.password}
>>
>> 5. restart engine.
>>
>>
>> Thanks a lot Alon.
>>
>>
>>
>> Thanks for this, saved me some time!
>>
>> Just a couple of addtions, please hash the password with SSHA (I really
>> hate
>> plain text admin passwords...)
>> I tried putting an {SSHA} encoded password in " vars.password =" , but
it
>> fails to authenticate while plain text works fine.
> I am unsure I understand.
> using hash to store password hint at server side makes sense.
> but using hash to store password at client side does not makes sens, this
> means that if I get the server database I can authenticate to any user
> without knowing his password.
>
> Also, please note that the user you specify within configuration should not
> have any special privilege but to query public objects within ldap.
I don't like storing plain text in textfiles, so I try to avoid it. Even
if it is a read only user there are no "public" objects that I like to
expose to anyone. I can query groups, group members, e-mail addresses,
krbPasswordExpiration, krbLastPwdChange etc. with this user.
So that's why I try to have the bind user password hashed in the
properties file.
as I wrote above, storing hash instead of password does not enhance security.
it is the same as if you just set the user's password to the hash.
>> For people with multiple ipa replica's I you guess you
need to use:
>>
>> Round robin configuration: vars.server1 = ipa1.din.intranet
>> vars.server2 = ipa2.din.intranet pool.default.serverset.type =
>> round-robin
>> pool.default.serverset.round-robin.1.server = ${global:vars.server1}
>> pool.default.serverset.round-robin.2.server = ${global:vars.server2}
>>
>> instead of
>>
>> vars.server = ipa1.din.intranet pool.default.serverset.single.server =
>> ${global:vars.server}
>> But I still have to test that as our second replica is down at the moment.
> Correct, there are multiple policies for you to choose from.
>
>> Also can we get rid of the internal admin or better just disable internal
>> authenticationt
without problems? As we have ipa we don't want local login
>> enabled, but in emergency situations we might need to turn it on quickly.
> Yes, you can disable the internal by creating
> /etc/ovirt-engine/engine.conf.d/50-disable-internal.conf
> ---
> ENGINE_EXTENSION_ENABLED_builtin-authn-internal = false
> ---
>
> Hmmm.... we have a bug in this case... will fix, so let's just disable the
> authz for now.
> ---
> ENGINE_EXTENSION_ENABLED_internal = false
> ---
>
> Regards,
> Alon
thanks! that will work.
Met vriendelijke groet, With kind regards,
Jorick Astrego
Netbulae Virtualization Experts
Tel: 053 20 30 270 info(a)netbulae.eu Staalsteden 4-3A KvK 08198180
Fax: 053 20 30 271 www.netbulae.eu 7547 TA Enschede BTW NL821234584B01
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
3:30 p.m.
New subject: oVirt 3.5 and FreeIpa
This is a multi-part message in MIME format.
------------MIME-295668495-1198010832-delim
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
On 01/22/2015 01=3A13 PM=2C Alon Bar-Lev wrote=3A
=3E
=3E ----- Original Message -----
=3E=3E From=3A =22Jorick Astrego=22 =3Cj=2Eastrego=40netbulae=2Eeu=3E
=3E=3E To=3A users=40ovirt=2Eorg
=3E=3E Sent=3A Thursday=2C January 22=2C 2015 2=3A09=3A18 PM
=3E=3E Subject=3A Re=3A =5Bovirt-users=5D oVirt 3=2E5 and FreeIpa
=3E=3E
=3E=3E
=3E=3E On 01/22/2015 12=3A59 PM=2C Alon Bar-Lev wrote=3A
=3E=3E=3E ----- Original Message -----
=3E=3E=3E=3E From=3A =22Jorick Astrego=22 =3Cj=2Eastrego=40 netbulae=2Eeu=
=3E
=3E=3E=3E=3E To=3A users=40 ovirt=2Eorg
=3E=3E=3E=3E Sent=3A Thursday=2C January 22=2C 2015 1=3A41=3A40 PM
=3E=3E=3E=3E Subject=3A Re=3A =5Bovirt-users=5D oVirt 3=2E5 and FreeIpa
=3E=3E=3E=3E
=3E=3E=3E=3E
=3E=3E=3E=3E On 10/31/2014 02=3A47 PM=2C Marcelo Donato wrote=3A
=3E=3E=3E=3E
=3E=3E=3E=3E
=3E=3E=3E=3E
=3E=3E=3E=3E
=3E=3E=3E=3E Below the solution=2E Resolved By =22Alon Bar-Lev=22 =3C alonb=
l=40 redhat=2Ecom =3E
=3E=3E=3E=3E
=3E=3E=3E=3E
=3E=3E=3E=3E 1=2E install ovirt-engine-extension-aaa- ldap=2C it is availab=
le in
=3E=3E=3E=3E ovirt-3=2E5-snapshots repository=2E
=3E=3E=3E=3E
=3E=3E=3E=3E 2=2E create /etc/ovirt-engine/extensions=2E d/din=2Eintranet-a=
uthz=2E properties
=3E=3E=3E=3E
=3E=3E=3E=3E ovirt=2Eengine=2Eextension=2Ename =3D din-intranet-authz
=3E=3E=3E=3E ovirt=2Eengine=2Eextension=2E bindings=2Emethod =3D jbossmodul=
e
=3E=3E=3E=3E ovirt=2Eengine=2Eextension=2E binding=2Ejbossmodule=2Emodule=
=3D
=3E=3E=3E=3E org=2Eovirt=2Eengine-extensions=2E aaa=2Eldap
=3E=3E=3E=3E ovirt=2Eengine=2Eextension=2E binding=2Ejbossmodule=2Eclass=20=
=3D
=3E=3E=3E=3E org=2Eovirt=2Eengineextensions=2E aaa=2Eldap=2EAuthzExtension=
=3E=3E=3E=3E ovirt=2Eengine=2Eextension=2E provides =3D org=2Eovirt=2Eengin=
e=2Eapi=2E
=3E=3E=3E=3E extensions=2Eaaa=2EAuthz
=3E=3E=3E=3E config=2Eprofile=2Efile=2E1 =3D /etc/ovirt-engine/aaa/din=2E i=
ntranet=2Eproperties
=3E=3E=3E=3E
=3E=3E=3E=3E 3=2E create /etc/ovirt-engine/extensions=2E d/din=2Eintranet-a=
uthn=2E properties
=3E=3E=3E=3E
=3E=3E=3E=3E ovirt=2Eengine=2Eextension=2Ename =3D din-intranet-authn
=3E=3E=3E=3E ovirt=2Eengine=2Eextension=2E bindings=2Emethod =3D jbossmodul=
e
=3E=3E=3E=3E ovirt=2Eengine=2Eextension=2E binding=2Ejbossmodule=2Emodule=
=3D
=3E=3E=3E=3E org=2Eovirt=2Eengine-extensions=2E aaa=2Eldap
=3E=3E=3E=3E ovirt=2Eengine=2Eextension=2E binding=2Ejbossmodule=2Eclass=20=
=3D
=3E=3E=3E=3E org=2Eovirt=2Eengineextensions=2E aaa=2Eldap=2EAuthnExtension=
=3E=3E=3E=3E ovirt=2Eengine=2Eextension=2E provides =3D org=2Eovirt=2Eengin=
e=2Eapi=2E
=3E=3E=3E=3E extensions=2Eaaa=2EAuthn
=3E=3E=3E=3E ovirt=2Eengine=2Eaaa=2Eauthn=2Eprofile=2Ename =3D din=2Eintran=
et
=3E=3E=3E=3E ovirt=2Eengine=2Eaaa=2Eauthn=2Eauthz=2E plugin =3D din-intrane=
t-authz
=3E=3E=3E=3E config=2Eprofile=2Efile=2E1 =3D /etc/ovirt-engine/aaa/din=2E i=
ntranet=2Eproperties
=3E=3E=3E=3E
=3E=3E=3E=3E 4=2E create /etc/ovirt-engine/aaa/din=2E intranet=2Eproperties=
=3E=3E=3E=3E
=3E=3E=3E=3E include =3D =3Cipa=2Eproperties=3E
=3E=3E=3E=3E
=3E=3E=3E=3E vars=2Euser =3D uid=3Dadmin=2Ccn=3Dusers=2Ccn=3D accounts=2Cdc=
=3Ddin=2Cdc=3Dintranet
=3E=3E=3E=3E vars=2Epassword =3D 123456
=3E=3E=3E=3E vars=2Eserver =3D ipa1=2Edin=2Eintranet
=3E=3E=3E=3E
=3E=3E=3E=3E pool=2Edefault=2Eserverset=2Esingle=2E server =3D =24=7Bglobal=
=3Avars=2Eserver=7D
=3E=3E=3E=3E pool=2Edefault=2Eauth=2Esimple=2E bindDN =3D =24=7Bglobal=3Ava=
rs=2Euser=7D
=3E=3E=3E=3E pool=2Edefault=2Eauth=2Esimple=2E password =3D =24=7Bglobal=3A=
vars=2Epassword=7D
=3E=3E=3E=3E
=3E=3E=3E=3E 5=2E restart engine=2E
=3E=3E=3E=3E
=3E=3E=3E=3E
=3E=3E=3E=3E Thanks a lot Alon=2E
=3E=3E=3E=3E
=3E=3E=3E=3E
=3E=3E=3E=3E
=3E=3E=3E=3E Thanks for this=2C saved me some time!
=3E=3E=3E=3E
=3E=3E=3E=3E Just a couple of addtions=2C please hash the password with SSH=
A =28I really
=3E=3E=3E=3E hate
=3E=3E=3E=3E plain text admin passwords=2E=2E=2E=29
=3E=3E=3E=3E I tried putting an =7BSSHA=7D encoded password in =22 vars=2Ep=
assword =3D=22 =2C but it
=3E=3E=3E=3E fails to authenticate while plain text works fine=2E
=3E=3E=3E I am unsure I understand=2E
=3E=3E=3E using hash to store password hint at server side makes sense=2E=
=3E=3E=3E but using hash to store password at client side does not makes se=
ns=2C this
=3E=3E=3E means that if I get the server database I can authenticate to any=
user
=3E=3E=3E without knowing his password=2E
=3E=3E=3E
=3E=3E=3E Also=2C please note that the user you specify within configuratio=
n should not
=3E=3E=3E have any special privilege but to query public objects within lda=
p=2E
=3E=3E I don=27t like storing plain text in textfiles=2C so I try to avoid=
it=2E Even
=3E=3E if it is a read only user there are no =22public=22 objects that I l=
ike to
=3E=3E expose to anyone=2E I can query groups=2C group members=2C e-mail ad=
dresses=2C
=3E=3E krbPasswordExpiration=2C krbLastPwdChange etc=2E with this user=2E=
=3E=3E
=3E=3E So that=27s why I try to have the bind user password hashed in the=
=3E=3E properties file=2E
=3E as I wrote above=2C storing hash instead of password does not enhance s=
ecurity=2E
=3E it is the same as if you just set the user=27s password to the hash=2E=
Ah yes=2C silly me=2E You are absolutely right=2E It has been such a long=
habit=2E=2E=2E But it does help when people intercept the traffic=2E Does t=
he
ldap plugin send it hashed to the ldap server=3F
I think FreeIPA supports salted sha512 but I=27m not entirely sure=2E
You=27ll probably say that I need to enable TLS=2C but there have been many=
weaknesses in ssl and MITM issues=2E So more is always better in a
security perspective=2E
Met vriendelijke groet=2C With kind regards=2C
Jorick Astrego
Netbulae Virtualization Experts=20
----------------
=09Tel=3A 053 20 30 270 =09info=40netbulae=2Eeu =09Staalsteden 4-3A =09KvK=
08198180
=09Fax=3A 053 20 30 271 =09www=2Enetbulae=2Eeu =097547 TA Enschede =09BTW=
NL821234584B01
----------------
------------MIME-295668495-1198010832-delim
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
=3Chtml=3E
=3Cbody=3E
<br>
On 01/22/2015 01:13 PM, Alon Bar-Lev wrote: <br>
<font color=3D"#000000">> </font><br>
<font color=3D"#000000">> ----- Original Message
----- </font><br>
<font color=3D"#000000">>> From: "Jorick
Astrego" <j.ast=
rego@<a
href=3D"mailto:netbulae.eu">netbulae.eu</a>> </font><br>
<font color=3D"#000000">>> To: users@<a
href=3D"mailto:ovirt.org">ovi=
rt.org</a> </font><br>
<font color=3D"#000000">>> Sent: Thursday, January 22, 2015
2:09:18 P=
M </font><br>
<font color=3D"#000000">>> Subject: Re: [ovirt-users] oVirt
3.5 and F=
reeIpa </font><br>
<font color=3D"#000000">>> </font><br>
<font color=3D"#000000">>> </font><br>
<font color=3D"#000000">>> On 01/22/2015 12:59 PM, Alon
Bar-Lev wrote=
: </font><br>
<font color=3D"#000000">>>> ----- Original Message
----- </fon=
t><br>
<font color=3D"#000000">>>>> From:
"Jorick Astrego" &=
lt;j.astrego@ netbulae.eu > </font><br>
<font color=3D"#000000">>>>> To: users@
ovirt.org </font><b=
r>
<font color=3D"#000000">>>>> Sent: Thursday,
January 22, 2015 1=
:41:40 PM </font><br>
<font color=3D"#000000">>>>> Subject: Re:
[ovirt-users] oVirt 3=
.5 and FreeIpa </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>> On 10/31/2014
02:47 PM, Marcelo Do=
nato wrote: </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>> Below the
solution. Resolved By &q=
uot;Alon Bar-Lev" < alonbl@ redhat.com
> </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>> 1. install
ovirt-engine-extension-=
aaa- ldap, it is available in </font><br>
<font color=3D"#000000">>>>>
ovirt-3.5-snapshots repository.=
3;</font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>> 2. create
/etc/ovirt-engine/extens=
ions. d/din.intranet-authz. properties </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>>
ovirt.engine.extension.name =3D di=
n-intranet-authz </font><br>
<font color=3D"#000000">>>>>
ovirt.engine.extension. bindings.m=
ethod =3D jbossmodule </font><br>
<font color=3D"#000000">>>>>
ovirt.engine.extension. binding.jb=
ossmodule.module =3D </font><br>
<font color=3D"#000000">>>>>
org.ovirt.engine-extensions. aaa.l=
dap </font><br>
<font color=3D"#000000">>>>>
ovirt.engine.extension. binding.jb=
ossmodule.class =3D </font><br>
<font color=3D"#000000">>>>>
org.ovirt.engineextensions. aaa.ld=
ap.AuthzExtension </font><br>
<font color=3D"#000000">>>>>
ovirt.engine.extension. provides =
=3D org.ovirt.engine.api. </font><br>
<font color=3D"#000000">>>>>
extensions.aaa.Authz </font><b=
r>
<font color=3D"#000000">>>>>
config.profile.file.1 =3D /etc/ovi=
rt-engine/aaa/din. intranet.properties </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>> 3. create
/etc/ovirt-engine/extens=
ions. d/din.intranet-authn. properties </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>>
ovirt.engine.extension.name =3D di=
n-intranet-authn </font><br>
<font color=3D"#000000">>>>>
ovirt.engine.extension. bindings.m=
ethod =3D jbossmodule </font><br>
<font color=3D"#000000">>>>>
ovirt.engine.extension. binding.jb=
ossmodule.module =3D </font><br>
<font color=3D"#000000">>>>>
org.ovirt.engine-extensions. aaa.l=
dap </font><br>
<font color=3D"#000000">>>>>
ovirt.engine.extension. binding.jb=
ossmodule.class =3D </font><br>
<font color=3D"#000000">>>>>
org.ovirt.engineextensions. aaa.ld=
ap.AuthnExtension </font><br>
<font color=3D"#000000">>>>>
ovirt.engine.extension. provides =
=3D org.ovirt.engine.api. </font><br>
<font color=3D"#000000">>>>>
extensions.aaa.Authn </font><b=
r>
<font color=3D"#000000">>>>>
ovirt.engine.aaa.authn.profile.nam=
e =3D din.intranet </font><br>
<font color=3D"#000000">>>>>
ovirt.engine.aaa.authn.authz. plug=
in =3D din-intranet-authz </font><br>
<font color=3D"#000000">>>>>
config.profile.file.1 =3D /etc/ovi=
rt-engine/aaa/din. intranet.properties </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>> 4. create
/etc/ovirt-engine/aaa/di=
n. intranet.properties </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>> include =3D
<ipa.properties>=
</font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>> vars.user =3D
uid=3Dadmin,cn=3Duse=
rs,cn=3D accounts,dc=3Ddin,dc=3Dintranet </font><br>
<font color=3D"#000000">>>>> vars.password =3D
123456 </fon=
t><br>
<font color=3D"#000000">>>>> vars.server =3D
ipa1.din.intranet&=
#13;</font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>>
pool.default.serverset.single. ser=
ver =3D ${global:vars.server} </font><br>
<font color=3D"#000000">>>>>
pool.default.auth.simple. bindDN =
=3D ${global:vars.user} </font><br>
<font color=3D"#000000">>>>>
pool.default.auth.simple. password=
=3D ${global:vars.password} </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>> 5. restart
engine. </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>> Thanks a lot
Alon. </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>> Thanks for this,
saved me some tim=
e! </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>> Just a couple of
addtions, please =
hash the password with SSHA (I really </font><br>
<font color=3D"#000000">>>>>
hate </font><br>
<font color=3D"#000000">>>>> plain text admin
passwords...)
=
;</font><br>
<font color=3D"#000000">>>>> I tried putting
an {SSHA} encoded =
password in " vars.password =3D" , but
it </font><br>
<font color=3D"#000000">>>>> fails to
authenticate while plain =
text works fine. </font><br>
<font color=3D"#000000">>>> I am unsure I
understand. </font><=
br>
<font color=3D"#000000">>>> using hash to store
password hint at s=
erver side makes sense. </font><br>
<font color=3D"#000000">>>> but using hash to store
password at cl=
ient side does not makes sens, this </font><br>
<font color=3D"#000000">>>> means that if I get the
server databas=
e I can authenticate to any user </font><br>
<font color=3D"#000000">>>> without knowing his
password. </fo=
nt><br>
<font
color=3D"#000000">>>> </font><br>
<font color=3D"#000000">>>> Also, please note that
the user you sp=
ecify within configuration should not </font><br>
<font color=3D"#000000">>>> have any special
privilege but to quer=
y public objects within ldap. </font><br>
<font color=3D"#000000">>> I don't like storing plain
text in textfil=
es, so I try to avoid it. Even </font><br>
<font color=3D"#000000">>> if it is a read only user there
are no &qu=
ot;public" objects that I like to </font><br>
<font color=3D"#000000">>> expose to anyone. I can query
groups, grou=
p members, e-mail addresses, </font><br>
<font color=3D"#000000">>> krbPasswordExpiration,
krbLastPwdChange et=
c. with this user. </font><br>
<font color=3D"#000000">>> </font><br>
<font color=3D"#000000">>> So that's why I try to have
the bind user =
password hashed in the </font><br>
<font color=3D"#000000">>> properties
file. </font><br>
<font color=3D"#000000">> as I wrote above, storing hash instead of
pass=
word does not enhance security. </font><br>
<font color=3D"#000000">> it is the same as if you just set the
user's p=
assword to the hash. </font><br>
<br>
Ah yes, silly me. You are absolutely <br>
right. It has been such a long <br>
habit... But it does help when people intercept the traffic. Does the <=
br>
ldap plugin send it hashed to the ldap server? <br>
<br>
I think FreeIPA supports salted sha512 but I'm not entirely sure. <br>
<br>
You'll probably say that I need to enable TLS, but there have been many
=
;<br>
weaknesses in ssl and MITM issues. So more is always better in a <br>
security perspective. <br>
<br>
<br>
<br>
=
=3CBR /=3E
=3CBR /=3E
=3Cb style=3D=22color=3A=23604c78=22=3E=3C/b=3E=3Cbr=3E=3Cspan style=3D=22c=
olor=3A=23604c78=3B=22=3E=3Cfont color=3D=22000000=22=3E=3Cspan style=3D=22=
mso-fareast-language=3Aen-gb=3B=22 lang=3D=22NL=22=3EMet vriendelijke groet=
=2C With kind regards=2C=3Cbr=3E=3Cbr=3E=3C/span=3EJorick Astrego=3C/font=
=3E=3C/span=3E=3Cb style=3D=22color=3A=23604c78=22=3E=3Cbr=3E=3Cbr=3ENetbul=
ae Virtualization Experts =3C/b=3E=3Cbr=3E=3Chr style=3D=22border=3Anone=3B=
border-top=3A1px solid =23ccc=3B=22=3E=3Ctable style=3D=22width=3A 522px=22=
=3E=3Ctbody=3E=3Ctr=3E=3Ctd style=3D=22width=3A 130px=3Bfont-size=3A 10px=
=22=3ETel=3A 053 20 30 270=3C/td=3E =3Ctd style=3D=22width=3A 130px=3Bf=
ont-size=3A 10px=22=3Einfo=40netbulae=2Eeu=3C/td=3E =3Ctd style=3D=22wid=
th=3A 130px=3Bfont-size=3A 10px=22=3EStaalsteden 4-3A=3C/td=3E =3Ctd sty=
le=3D=22width=3A 130px=3Bfont-size=3A 10px=22=3EKvK 08198180=3C/td=3E=3C/tr=
=3E=3Ctr=3E =3Ctd style=3D=22width=3A 130px=3Bfont-size=3A 10px=22=3EFax=
=3A 053 20 30 271=3C/td=3E =3Ctd style=3D=22width=3A 130px=3Bfont-size=
=3A 10px=22=3Ewww=2Enetbulae=2Eeu=3C/td=3E =3Ctd style=3D=22width=3A 130=
px=3Bfont-size=3A 10px=22=3E7547 TA Enschede=3C/td=3E =3Ctd style=3D=22w=
idth=3A 130px=3Bfont-size=3A 10px=22=3EBTW NL821234584B01=3C/td=3E=3C/tr=3E=
=3C/tbody=3E=3C/table=3E=3Cbr=3E=3Chr style=3D=22border=3Anone=3Bborder-top=
=3A1px solid =23ccc=3B=22=3E=3CBR /=3E
=3C/body=3E
=3C/html=3E
------------MIME-295668495-1198010832-delim--
3:47 p.m.
New subject: oVirt 3.5 and FreeIpa
----- Original Message -----
From: "Jorick Astrego" <j.astrego(a)netbulae.eu>
To: users(a)ovirt.org
Sent: Thursday, January 22, 2015 2:30:30 PM
Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>>>>
>>>> Just a couple of addtions, please hash the password with SSHA (I really
>>>> hate
>>>> plain text admin passwords...)
>>>> I tried putting an {SSHA} encoded password in " vars.password
=" , but
>>>> it
>>>> fails to authenticate while plain text works fine.
>>> I am unsure I understand.
>>> using hash to store password hint at server side makes sense.
>>> but using hash to store password at client side does not makes sens, this
>>> means that if I get the server database I can authenticate to any user
>>> without knowing his password.
>>>
>>> Also, please note that the user you specify within configuration should
>>> not
>>> have any special privilege but to query public objects within ldap.
>> I don't like storing plain text in textfiles, so I try to avoid it. Even
>> if it is a read only user there are no "public" objects that I like
to
>> expose to anyone. I can query groups, group members, e-mail addresses,
>> krbPasswordExpiration, krbLastPwdChange etc. with this user.
>>
>> So that's why I try to have the bind user password hashed in the
>> properties file.
> as I wrote above, storing hash instead of password does not enhance
> security.
> it is the same as if you just set the user's password to the hash.
Ah yes, silly me. You are absolutely
right. It has been such a long
habit... But it does help when people intercept the traffic.
No it is not... exactly the opposite... if the hash is sent it is actually weaker than
password, as it has lower diversity.
If you wish you can enable digest-MD5 and use SASL, but still you must store the plain
password at client side.
Does the
ldap plugin send it hashed to the ldap server?
I think FreeIPA supports salted sha512 but I'm not entirely sure.
You'll probably say that I need to enable TLS, but there have been many
weaknesses in ssl and MITM issues. So more is always better in a
security perspective.
Using plain protocol will always be weaker than using TLS, even if you use digest-MD5,
kerberos or any other challenge-response mechanism.
As the password must be kept at client side no mater what protocol you use, using TLS and
simple bind is the minimum you can have.
I believe that TLS + simple bind is sufficient for most usages for a user that has no
special access to information.
From my experience enabling SASL does have its issues, but you may
want to check it out if you do not trust TLS, but even if you use SASL, better to use it
over TLS.
Alon
4:13 p.m.
New subject: oVirt 3.5 and FreeIpa
This is a multi-part message in MIME format.
------------MIME-298306900-1749159437-delim
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
On 01/22/2015 01=3A47 PM=2C Alon Bar-Lev wrote=3A
=3E
=3E ----- Original Message -----
=3E=3E From=3A =22Jorick Astrego=22 =3Cj=2Eastrego=40netbulae=2Eeu=3E
=3E=3E To=3A users=40ovirt=2Eorg
=3E=3E Sent=3A Thursday=2C January 22=2C 2015 2=3A30=3A30 PM
=3E=3E Subject=3A Re=3A =5Bovirt-users=5D oVirt 3=2E5 and FreeIpa
=3E=3E
=3E=3E=3E=3E=3E=3E Just a couple of addtions=2C please hash the password wi=
th SSHA =28I really
=3E=3E=3E=3E=3E=3E hate
=3E=3E=3E=3E=3E=3E plain text admin passwords=2E=2E=2E=29
=3E=3E=3E=3E=3E=3E I tried putting an =7BSSHA=7D encoded password in =22 va=
rs=2Epassword =3D=22 =2C but
=3E=3E=3E=3E=3E=3E it
=3E=3E=3E=3E=3E=3E fails to authenticate while plain text works fine=2E
=3E=3E=3E=3E=3E I am unsure I understand=2E
=3E=3E=3E=3E=3E using hash to store password hint at server side makes sens=
e=2E
=3E=3E=3E=3E=3E but using hash to store password at client side does not ma=
kes sens=2C this
=3E=3E=3E=3E=3E means that if I get the server database I can authenticate=
to any user
=3E=3E=3E=3E=3E without knowing his password=2E
=3E=3E=3E=3E=3E
=3E=3E=3E=3E=3E Also=2C please note that the user you specify within config=
uration should
=3E=3E=3E=3E=3E not
=3E=3E=3E=3E=3E have any special privilege but to query public objects with=
in ldap=2E
=3E=3E=3E=3E I don=27t like storing plain text in textfiles=2C so I try to=
avoid it=2E Even
=3E=3E=3E=3E if it is a read only user there are no =22public=22 objects th=
at I like to
=3E=3E=3E=3E expose to anyone=2E I can query groups=2C group members=2C e-m=
ail addresses=2C
=3E=3E=3E=3E krbPasswordExpiration=2C krbLastPwdChange etc=2E with this use=
r=2E
=3E=3E=3E=3E
=3E=3E=3E=3E So that=27s why I try to have the bind user password hashed in=
the
=3E=3E=3E=3E properties file=2E
=3E=3E=3E as I wrote above=2C storing hash instead of password does not enh=
ance
=3E=3E=3E security=2E
=3E=3E=3E it is the same as if you just set the user=27s password to the ha=
sh=2E
=3E=3E Ah yes=2C silly me=2E You are absolutely
=3E=3E right=2E It has been such a long
=3E=3E habit=2E=2E=2E But it does help when people intercept the traffic=2E=
=3E No it is not=2E=2E=2E exactly the opposite=2E=2E=2E if the hash is sent=
it is actually weaker than password=2C as it has lower diversity=2E
=3E If you wish you can enable digest-MD5 and use SASL=2C but still you mus=
t store the plain password at client side=2E
=3E
=3E=3E Does the
=3E=3E ldap plugin send it hashed to the ldap server=3F
=3E=3E
=3E=3E I think FreeIPA supports salted sha512 but I=27m not entirely sure=
=2E
=3E=3E
=3E=3E You=27ll probably say that I need to enable TLS=2C but there have be=
en many
=3E=3E weaknesses in ssl and MITM issues=2E So more is always better in a=
=3E=3E security perspective=2E
=3E=3E
=3E Using plain protocol will always be weaker than using TLS=2C even if yo=
u use digest-MD5=2C kerberos or any other challenge-response mechanism=2E=
=3E As the password must be kept at client side no mater what protocol you=
use=2C using TLS and simple bind is the minimum you can have=2E
=3E I believe that TLS + simple bind is sufficient for most usages for a us=
er that has no special access to information=2E
=3E From my experience enabling SASL does have its issues=2C but you may wa=
nt to check it out if you do not trust TLS=2C but even if you use SASL=2C b=
etter to use it over TLS=2E
=3E
=3E Alon
Thanks for clarifying! So I was thought wrong all these years ago =3B-=29=
Met vriendelijke groet=2C With kind regards=2C
Jorick Astrego
Netbulae Virtualization Experts=20
----------------
=09Tel=3A 053 20 30 270 =09info=40netbulae=2Eeu =09Staalsteden 4-3A =09KvK=
08198180
=09Fax=3A 053 20 30 271 =09www=2Enetbulae=2Eeu =097547 TA Enschede =09BTW=
NL821234584B01
----------------
------------MIME-298306900-1749159437-delim
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
=3Chtml=3E
=3Cbody=3E
<br>
On 01/22/2015 01:47 PM, Alon Bar-Lev wrote: <br>
<font color=3D"#000000">> </font><br>
<font color=3D"#000000">> ----- Original Message
----- </font><br>
<font color=3D"#000000">>> From: "Jorick
Astrego" <j.ast=
rego@<a
href=3D"mailto:netbulae.eu">netbulae.eu</a>> </font><br>
<font color=3D"#000000">>> To: users@<a
href=3D"mailto:ovirt.org">ovi=
rt.org</a> </font><br>
<font color=3D"#000000">>> Sent: Thursday, January 22, 2015
2:30:30 P=
M </font><br>
<font color=3D"#000000">>> Subject: Re: [ovirt-users] oVirt
3.5 and F=
reeIpa </font><br>
<font color=3D"#000000">>> </font><br>
<font color=3D"#000000">>>>>>>
Just a couple of addtions,=
please hash the password with SSHA (I really </font><br>
<font color=3D"#000000">>>>>>>
hate </font><br>
<font color=3D"#000000">>>>>>>
plain text admin passwords=
...) </font><br>
<font color=3D"#000000">>>>>>> I
tried putting an {SSHA} =
encoded password in " vars.password =3D" ,
but </font><br>
<font color=3D"#000000">>>>>>>
it </font><br>
<font color=3D"#000000">>>>>>>
fails to authenticate whil=
e plain text works fine. </font><br>
<font color=3D"#000000">>>>>> I am
unsure I understand. =
</font><br>
<font color=3D"#000000">>>>>> using
hash to store password h=
int at server side makes sense. </font><br>
<font color=3D"#000000">>>>>> but using
hash to store passwo=
rd at client side does not makes sens, this </font><br>
<font color=3D"#000000">>>>>> means
that if I get the server=
database I can authenticate to any user </font><br>
<font color=3D"#000000">>>>>> without
knowing his password.&=
#13;</font><br>
<font
color=3D"#000000">>>>>> </font><br>
<font color=3D"#000000">>>>>> Also,
please note that the use=
r you specify within configuration should </font><br>
<font color=3D"#000000">>>>>>
not </font><br>
<font color=3D"#000000">>>>>> have any
special privilege but=
to query public objects within ldap. </font><br>
<font color=3D"#000000">>>>> I don't like
storing plain text in=
textfiles, so I try to avoid it. Even </font><br>
<font color=3D"#000000">>>>> if it is a read
only user there ar=
e no "public" objects that I like to </font><br>
<font color=3D"#000000">>>>> expose to anyone.
I can query grou=
ps, group members, e-mail addresses, </font><br>
<font color=3D"#000000">>>>>
krbPasswordExpiration, krbLastPwdC=
hange etc. with this user. </font><br>
<font
color=3D"#000000">>>>> </font><br>
<font color=3D"#000000">>>>> So that's why
I try to have the bi=
nd user password hashed in the </font><br>
<font color=3D"#000000">>>>> properties
file. </font><br>
<font color=3D"#000000">>>> as I wrote above, storing
hash instead=
of password does not enhance </font><br>
<font color=3D"#000000">>>>
security. </font><br>
<font color=3D"#000000">>>> it is the same as if you
just set the =
user's password to the hash. </font><br>
<font color=3D"#000000">>> Ah yes, silly me. You are
absolutely <=
/font><br>
<font color=3D"#000000">>> right. It has been such a
long </font>=
<br>
<font color=3D"#000000">>> habit... But it does help when
people inte=
rcept the traffic. </font><br>
<font color=3D"#000000">> No it is not... exactly the opposite...
if the=
hash is sent it is actually weaker than password, as it has lower diversit=
y. </font><br>
<font color=3D"#000000">> If you wish you can enable digest-MD5 and
use =
SASL, but still you must store the plain password at client side. </fon=
t><br>
<font color=3D"#000000">> </font><br>
<font color=3D"#000000">>> Does
the </font><br>
<font color=3D"#000000">>> ldap plugin send it hashed to the
ldap ser=
ver? </font><br>
<font color=3D"#000000">>> </font><br>
<font color=3D"#000000">>> I think FreeIPA supports salted
sha512 but=
I'm not entirely sure. </font><br>
<font color=3D"#000000">>> </font><br>
<font color=3D"#000000">>> You'll probably say that I
need to enable =
TLS, but there have been many </font><br>
<font color=3D"#000000">>> weaknesses in ssl and MITM
issues. So more=
is always better in a </font><br>
<font color=3D"#000000">>> security
perspective. </font><br>
<font color=3D"#000000">>> </font><br>
<font color=3D"#000000">> Using plain protocol will always be
weaker tha=
n using TLS, even if you use digest-MD5, kerberos or any other challenge-re=
sponse mechanism. </font><br>
<font color=3D"#000000">> As the password must be kept at client
side no=
mater what protocol you use, using TLS and simple bind is the minimum you =
can have. </font><br>
<font color=3D"#000000">> I believe that TLS + simple bind is
sufficient=
for most usages for a user that has no special access to information. =
</font><br>
<font color=3D"#000000">> From my experience enabling SASL does
have its=
issues, but you may want to check it out if you do not trust TLS, but even=
if you use SASL, better to use it over TLS. </font><br>
<font color=3D"#000000">> </font><br>
<font color=3D"#000000">> Alon </font><br>
Thanks for clarifying! So I was thought wrong all these years ago ;-) <=
br>
<br>
<br>
<br>
<br>
=
=3CBR /=3E
=3CBR /=3E
=3Cb style=3D=22color=3A=23604c78=22=3E=3C/b=3E=3Cbr=3E=3Cspan style=3D=22c=
olor=3A=23604c78=3B=22=3E=3Cfont color=3D=22000000=22=3E=3Cspan style=3D=22=
mso-fareast-language=3Aen-gb=3B=22 lang=3D=22NL=22=3EMet vriendelijke groet=
=2C With kind regards=2C=3Cbr=3E=3Cbr=3E=3C/span=3EJorick Astrego=3C/font=
=3E=3C/span=3E=3Cb style=3D=22color=3A=23604c78=22=3E=3Cbr=3E=3Cbr=3ENetbul=
ae Virtualization Experts =3C/b=3E=3Cbr=3E=3Chr style=3D=22border=3Anone=3B=
border-top=3A1px solid =23ccc=3B=22=3E=3Ctable style=3D=22width=3A 522px=22=
=3E=3Ctbody=3E=3Ctr=3E=3Ctd style=3D=22width=3A 130px=3Bfont-size=3A 10px=
=22=3ETel=3A 053 20 30 270=3C/td=3E =3Ctd style=3D=22width=3A 130px=3Bf=
ont-size=3A 10px=22=3Einfo=40netbulae=2Eeu=3C/td=3E =3Ctd style=3D=22wid=
th=3A 130px=3Bfont-size=3A 10px=22=3EStaalsteden 4-3A=3C/td=3E =3Ctd sty=
le=3D=22width=3A 130px=3Bfont-size=3A 10px=22=3EKvK 08198180=3C/td=3E=3C/tr=
=3E=3Ctr=3E =3Ctd style=3D=22width=3A 130px=3Bfont-size=3A 10px=22=3EFax=
=3A 053 20 30 271=3C/td=3E =3Ctd style=3D=22width=3A 130px=3Bfont-size=
=3A 10px=22=3Ewww=2Enetbulae=2Eeu=3C/td=3E =3Ctd style=3D=22width=3A 130=
px=3Bfont-size=3A 10px=22=3E7547 TA Enschede=3C/td=3E =3Ctd style=3D=22w=
idth=3A 130px=3Bfont-size=3A 10px=22=3EBTW NL821234584B01=3C/td=3E=3C/tr=3E=
=3C/tbody=3E=3C/table=3E=3Cbr=3E=3Chr style=3D=22border=3Anone=3Bborder-top=
=3A1px solid =23ccc=3B=22=3E=3CBR /=3E
=3C/body=3E
=3C/html=3E
------------MIME-298306900-1749159437-delim--
3591
days inactive
3674
days old
7 comments
3 participants
participants (3)
-
Alon Bar-Lev -
Jorick Astrego -
Marcelo Donato