Re: [ovirt-users] oVirt 3.5 and FreeIpa

Below the solution. Resolved by "Alon Bar-Lev" <alonbl@redhat.com>

1. install ovirt-engine-extension-aaa-ldap, it is available in ovirt-3.5-snapshots repository.

2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties

ovirt.engine.extension.name = din-intranet-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties

ovirt.engine.extension.name = din-intranet-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = din.intranet
ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

4. create /etc/ovirt-engine/aaa/din.intranet.properties

include = <ipa.properties>

vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
vars.password = 123456
vars.server = ipa1.din.intranet

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

5. restart engine.

Thanks a lot Alon.

--
When forwarding this message, please:
1. Delete my e-mail address and my name.
2. Also delete your friends' addresses before forwarding.
3. Use Cco or Bcc to send messages! Make it harder for viruses and spam to spread.


----- Original Message -----
From: "Jorick Astrego" <j.astrego@netbulae.eu>
To: users@ovirt.org
Sent: Thursday, January 22, 2015 1:41:40 PM
Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
> On 10/31/2014 02:47 PM, Marcelo Donato wrote:
>
>> Below the solution. Resolved by "Alon Bar-Lev" <alonbl@redhat.com>
>>
>> 1. install ovirt-engine-extension-aaa-ldap, it is available in ovirt-3.5-snapshots repository.
>>
>> 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties
>>
>> ovirt.engine.extension.name = din-intranet-authz
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>>
>> 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties
>>
>> ovirt.engine.extension.name = din-intranet-authn
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>> ovirt.engine.aaa.authn.profile.name = din.intranet
>> ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
>> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>>
>> 4. create /etc/ovirt-engine/aaa/din.intranet.properties
>>
>> include = <ipa.properties>
>>
>> vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
>> vars.password = 123456
>> vars.server = ipa1.din.intranet
>>
>> pool.default.serverset.single.server = ${global:vars.server}
>> pool.default.auth.simple.bindDN = ${global:vars.user}
>> pool.default.auth.simple.password = ${global:vars.password}
>>
>> 5. restart engine.
>>
>> Thanks a lot Alon.
> Thanks for this, saved me some time!
>
> Just a couple of additions, please hash the password with SSHA (I really hate plain text admin passwords...)
> I tried putting an {SSHA} encoded password in "vars.password =", but it fails to authenticate while plain text works fine.

I am unsure I understand.
Using hash to store password hint at server side makes sense.
But using hash to store password at client side does not make sense, this means that if I get the server database I can authenticate to any user without knowing his password.

Also, please note that the user you specify within configuration should not have any special privilege but to query public objects within ldap.

> For people with multiple ipa replicas I guess you need to use:
>
> Round robin configuration:
> vars.server1 = ipa1.din.intranet
> vars.server2 = ipa2.din.intranet
> pool.default.serverset.type = round-robin
> pool.default.serverset.round-robin.1.server = ${global:vars.server1}
> pool.default.serverset.round-robin.2.server = ${global:vars.server2}
>
> instead of
>
> vars.server = ipa1.din.intranet
> pool.default.serverset.single.server = ${global:vars.server}
>
> But I still have to test that as our second replica is down at the moment.

Correct, there are multiple policies for you to choose from.

> Also can we get rid of the internal admin or better just disable internal authentication without problems? As we have ipa we don't want local login enabled, but in emergency situations we might need to turn it on quickly.

Yes, you can disable the internal by creating /etc/ovirt-engine/engine.conf.d/50-disable-internal.conf
---
ENGINE_EXTENSION_ENABLED_builtin-authn-internal = false
---

Hmmm.... we have a bug in this case... will fix, so let's just disable the authz for now.
---
ENGINE_EXTENSION_ENABLED_internal = false
---

Regards,
Alon
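The five-step setup quoted in this thread defines two extension descriptors and one LDAP profile, and the follow-up adds a round-robin serverset plus Alon's remark that the bind user needs no privilege beyond lookups. The linter below is an added example, not code from the oVirt project and not a substitute for the engine's own configuration loading: it parses the profile's `key = value` lines, expands the `${global:...}` references the thread uses, and reports dangling references, a serverset whose type and server keys disagree, an `{SSHA}` string in the bind password (which the thread reports fails to bind), and a bind DN that is the directory admin account. The sample profile is constructed from the thread's placeholder values; treating a profile without `pool.default.serverset.type` as single-server and the `uid=admin,` heuristic are assumptions, not behaviour documented on this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample profile: the keys from the thread, using the round-robin
# serverset variant. DN, hostnames and password are the thread's placeholders.
SAMPLE_PROFILE = """\
include = <ipa.properties>

vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
vars.password = 123456
vars.server1 = ipa1.din.intranet
vars.server2 = ipa2.din.intranet

pool.default.serverset.type = round-robin
pool.default.serverset.round-robin.1.server = ${global:vars.server1}
pool.default.serverset.round-robin.2.server = ${global:vars.server2}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
"""

# ${global:NAME} references, as written in the thread's profile.
REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed property line: {line!r}")
        props[key.strip()] = value.strip()
    return props


def resolve(props: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Expand ${global:...} references; return the expanded map and dangling refs."""
    resolved: Dict[str, str] = {}
    dangling: List[str] = []
    for key, value in props.items():
        def expand(match):
            name = match.group(1)
            if name not in props:
                dangling.append(f"{key} -> {name}")
                return match.group(0)  # leave the unresolved token visible
            return props[name]
        resolved[key] = REF.sub(expand, value)
    return resolved, dangling


def lint(text: str) -> List[str]:
    """Return findings for a profile; an empty list means nothing to report."""
    props = parse_properties(text)
    resolved, dangling = resolve(props)
    findings = [f"unresolved reference: {d}" for d in dangling]

    # Assumption: a profile without serverset.type behaves as a single server.
    stype = resolved.get("pool.default.serverset.type", "single")
    if stype == "single":
        if "pool.default.serverset.single.server" not in resolved:
            findings.append("serverset type is single but single.server is not set")
    elif stype == "round-robin":
        servers = [k for k in resolved
                   if k.startswith("pool.default.serverset.round-robin.")
                   and k.endswith(".server")]
        if len(servers) < 2:
            findings.append("round-robin serverset lists fewer than two servers")
    else:
        findings.append(f"unknown serverset type {stype!r}")

    # Simple bind sends the credential as-is; an {SSHA} value is not accepted by
    # the directory, which is the failure reported in the thread.
    if resolved.get("pool.default.auth.simple.password", "").startswith("{SSHA}"):
        findings.append("bind password is an {SSHA} hash; simple bind needs the plaintext")

    # Heuristic (assumption): the directory admin is more privilege than a
    # lookup account needs.
    if resolved.get("pool.default.auth.simple.bindDN", "").lower().startswith("uid=admin,"):
        findings.append("bind DN is the directory admin account; bind with a read-only account instead")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_PROFILE) or ["no findings"]:
        print(finding)
```

Run against the sample it reports only the admin bind DN; swap `vars.server2` for an undefined name in one of the round-robin lines and the dangling reference is reported before the engine ever tries to open a connection pool.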

On 01/22/2015 12:59 PM, Alon Bar-Lev wrote:
>> Just a couple of additions, please hash the password with SSHA (I really hate plain text admin passwords...)
>> I tried putting an {SSHA} encoded password in "vars.password =", but it fails to authenticate while plain text works fine.
> I am unsure I understand.
> Using hash to store password hint at server side makes sense.
> But using hash to store password at client side does not make sense, this means that if I get the server database I can authenticate to any user without knowing his password.
>
> Also, please note that the user you specify within configuration should not have any special privilege but to query public objects within ldap.

I don't like storing plain text in text files, so I try to avoid it. Even if it is a read only user there are no "public" objects that I like to expose to anyone. I can query groups, group members, e-mail addresses, krbPasswordExpiration, krbLastPwdChange etc. with this user. So that's why I try to have the bind user password hashed in the properties file.

>> Also can we get rid of the internal admin or better just disable internal authentication without problems? As we have ipa we don't want local login enabled, but in emergency situations we might need to turn it on quickly.
> Yes, you can disable the internal by creating /etc/ovirt-engine/engine.conf.d/50-disable-internal.conf
> ---
> ENGINE_EXTENSION_ENABLED_builtin-authn-internal = false
> ---
>
> Hmmm.... we have a bug in this case... will fix, so let's just disable the authz for now.
> ---
> ENGINE_EXTENSION_ENABLED_internal = false
> ---
>
> Regards,
> Alon

thanks! that will work.

With kind regards,

Jorick Astrego
Netbulae Virtualization Experts
----------------
Tel: 053 20 30 270 | info@netbulae.eu | Staalsteden 4-3A | KvK 08198180
Fax: 053 20 30 271 | www.netbulae.eu | 7547 TA Enschede | BTW NL821234584B01
----------------
<font color=3D"#000000">>> Below the solution. Resolved By "Alon= Bar-Lev" < alonbl@<a href=3D"mailto:redhat.com">redhat.com</a>&nbs= p;> </font><br> <font color=3D"#000000">>> </font><br> <font color=3D"#000000">>> </font><br> <font color=3D"#000000">>> 1. install ovirt-engine-extension-aaa- lda= p, it is available in </font><br> <font color=3D"#000000">>> ovirt-3.5-snapshots repository. </font= password with SSHA (I really hate </font><br> <font color=3D"#000000">>> plain text admin passwords...) </font>= <br> <font color=3D"#000000">>> I tried putting an {SSHA} encoded password= in " vars.password =3D" , but it </font><br> <font color=3D"#000000">>> fails to authenticate while plain text wor= ks fine. </font><br> <font color=3D"#000000">> I am unsure I understand. </font><br> <font color=3D"#000000">> using hash to store password hint at server si= de makes sense. </font><br> <font color=3D"#000000">> but using hash to store password at client sid= e does not makes sens, this means that if I get the server database I can a= uthenticate to any user without knowing his password. </font><br> <font color=3D"#000000">> </font><br> <font color=3D"#000000">> Also, please note that the user you specify wi= thin configuration should not have any special privilege but to query publi= c objects within ldap. </font><br> I don't like storing plain text in textfiles, so I try to avoid it. Even= 3;<br> if it is a read only user there are no "public" objects that I li= ke to <br> expose to anyone. I can query groups, group members, e-mail addresses, = <br> krbPasswordExpiration, krbLastPwdChange etc. with this user. <br> <br> So that's why I try to have the bind user password hashed in the <br> properties file. 
<br> <font color=3D"#000000">>> For people with multiple ipa replica's I y= ou guess you need to use: </font><br> <font color=3D"#000000">>> </font><br> <font color=3D"#000000">>> Round robin configuration: vars.server1 = =3D ipa1.din.intranet </font><br> <font color=3D"#000000">>> &= nbsp; vars.server2 =3D ipa2.din.i= ntranet pool.default.serverset.type =3D </font><br> <font color=3D"#000000">>> &= nbsp; round-robin </font><br> <font color=3D"#000000">>> pool.de= fault.serverset.round-robin.1.server =3D ${global:vars.server1} </font>= <br> <font color=3D"#000000">>> pool.de= fault.serverset.round-robin.2.server =3D ${global:vars.server2} </font>= <br> <font color=3D"#000000">>> </font><br> <font color=3D"#000000">>> instead of </font><br> <font color=3D"#000000">>> </font><br> <font color=3D"#000000">>> vars.server =3D ipa1.din.intranet pool.def= ault.serverset.single.server =3D </font><br> <font color=3D"#000000">>> ${global:vars.server} </font><br> <font color=3D"#000000">>> But I still have to test that as our secon= d replica is down at the moment. </font><br> <font color=3D"#000000">> Correct, there are multiple policies for you t= o choose from. </font><br> <font color=3D"#000000">> </font><br> <font color=3D"#000000">>> Also can we get rid of the internal admin = or better just disable internal </font><br> <font color=3D"#000000">>> authenticationt </font><br> without problems? As we have ipa we don't want local login <br> <font color=3D"#000000">>> enabled, but in emergency situations we mi= ght need to turn it on quickly. </font><br> <font color=3D"#000000">> Yes, you can disable the internal by creating = /etc/ovirt-engine/engine.conf.d/50-disable-internal.conf </font><br> <font color=3D"#000000">> --- </font><br> <font color=3D"#000000">> ENGINE_EXTENSION_ENABLED_builtin-authn-interna= l =3D false </font><br> <font color=3D"#000000">> --- </font><br> <font color=3D"#000000">> </font><br> <font color=3D"#000000">> Hmmm.... we have a bug in this case... 
will fi= x, so let's just disable the authz for now. </font><br> <font color=3D"#000000">> --- </font><br> <font color=3D"#000000">> ENGINE_EXTENSION_ENABLED_internal =3D false= 3;</font><br> <font color=3D"#000000">> --- </font><br> <font color=3D"#000000">> </font><br> <font color=3D"#000000">> Regards, </font><br> <font color=3D"#000000">> Alon </font><br> thanks! that will work. <br> <br> <br> = =3CBR /=3E =3CBR /=3E =3Cb style=3D=22color=3A=23604c78=22=3E=3C/b=3E=3Cbr=3E=3Cspan style=3D=22c= olor=3A=23604c78=3B=22=3E=3Cfont color=3D=22000000=22=3E=3Cspan style=3D=22= mso-fareast-language=3Aen-gb=3B=22 lang=3D=22NL=22=3EMet vriendelijke groet= =2C With kind regards=2C=3Cbr=3E=3Cbr=3E=3C/span=3EJorick Astrego=3C/font= =3E=3C/span=3E=3Cb style=3D=22color=3A=23604c78=22=3E=3Cbr=3E=3Cbr=3ENetbul= ae Virtualization Experts =3C/b=3E=3Cbr=3E=3Chr style=3D=22border=3Anone=3B= border-top=3A1px solid =23ccc=3B=22=3E=3Ctable style=3D=22width=3A 522px=22= =3E=3Ctbody=3E=3Ctr=3E=3Ctd style=3D=22width=3A 130px=3Bfont-size=3A 10px= =22=3ETel=3A 053 20 30 270=3C/td=3E =3Ctd style=3D=22width=3A 130px=3Bf= ont-size=3A 10px=22=3Einfo=40netbulae=2Eeu=3C/td=3E =3Ctd style=3D=22wid= th=3A 130px=3Bfont-size=3A 10px=22=3EStaalsteden 4-3A=3C/td=3E =3Ctd sty= le=3D=22width=3A 130px=3Bfont-size=3A 10px=22=3EKvK 08198180=3C/td=3E=3C/tr= =3E=3Ctr=3E =3Ctd style=3D=22width=3A 130px=3Bfont-size=3A 10px=22=3EFax= =3A 053 20 30 271=3C/td=3E =3Ctd style=3D=22width=3A 130px=3Bfont-size= =3A 10px=22=3Ewww=2Enetbulae=2Eeu=3C/td=3E =3Ctd style=3D=22width=3A 130= px=3Bfont-size=3A 10px=22=3E7547 TA Enschede=3C/td=3E =3Ctd style=3D=22w= idth=3A 130px=3Bfont-size=3A 10px=22=3EBTW NL821234584B01=3C/td=3E=3C/tr=3E= =3C/tbody=3E=3C/table=3E=3Cbr=3E=3Chr style=3D=22border=3Anone=3Bborder-top= =3A1px solid =23ccc=3B=22=3E=3CBR /=3E =3C/body=3E =3C/html=3E ------------MIME-294424302-1441597959-delim--

----- Original Message -----
> From: "Jorick Astrego" <j.astrego@netbulae.eu>
> To: users@ovirt.org
> Sent: Thursday, January 22, 2015 2:09:18 PM
> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>
> On 01/22/2015 12:59 PM, Alon Bar-Lev wrote:
>> ----- Original Message -----
>>> From: "Jorick Astrego" <j.astrego@netbulae.eu>
>>> To: users@ovirt.org
>>> Sent: Thursday, January 22, 2015 1:41:40 PM
>>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>>>
>>> On 10/31/2014 02:47 PM, Marcelo Donato wrote:
>>>
>>> Below the solution. Resolved By "Alon Bar-Lev" <alonbl@redhat.com>
>>>
>>> 1. install ovirt-engine-extension-aaa-ldap, it is available in
>>> ovirt-3.5-snapshots repository.
>>>
>>> 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties
>>>
>>> ovirt.engine.extension.name = din-intranet-authz
>>> ovirt.engine.extension.bindings.method = jbossmodule
>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>>>
>>> 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties
>>>
>>> ovirt.engine.extension.name = din-intranet-authn
>>> ovirt.engine.extension.bindings.method = jbossmodule
>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>> ovirt.engine.aaa.authn.profile.name = din.intranet
>>> ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
>>> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>>>
>>> 4. create /etc/ovirt-engine/aaa/din.intranet.properties
>>>
>>> include = <ipa.properties>
>>>
>>> vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
>>> vars.password = 123456
>>> vars.server = ipa1.din.intranet
>>>
>>> pool.default.serverset.single.server = ${global:vars.server}
>>> pool.default.auth.simple.bindDN = ${global:vars.user}
>>> pool.default.auth.simple.password = ${global:vars.password}
>>>
>>> 5. restart engine.
>>>
>>> Thanks a lot Alon.
>>>
>>> Thanks for this, saved me some time!
>>>
>>> Just a couple of additions, please hash the password with SSHA (I really hate plain text admin passwords...)
>>> I tried putting an {SSHA} encoded password in "vars.password =", but it fails to authenticate while plain text works fine.
>> I am unsure I understand.
>> using hash to store password hint at server side makes sense.
>> but using hash to store password at client side does not make sense, this means that if I get the server database I can authenticate to any user without knowing his password.
>>
>> Also, please note that the user you specify within configuration should not have any special privilege but to query public objects within ldap.
>
> I don't like storing plain text in textfiles, so I try to avoid it. Even if it is a read only user there are no "public" objects that I like to expose to anyone. I can query groups, group members, e-mail addresses, krbPasswordExpiration, krbLastPwdChange etc. with this user.
>
> So that's why I try to have the bind user password hashed in the properties file.

as I wrote above, storing hash instead of password does not enhance security.
it is the same as if you just set the user's password to the hash.

>>> For people with multiple ipa replicas I guess you need to use:
>>>
>>> Round robin configuration:
>>> vars.server1 = ipa1.din.intranet
>>> vars.server2 = ipa2.din.intranet
>>> pool.default.serverset.type = round-robin
>>> pool.default.serverset.round-robin.1.server = ${global:vars.server1}
>>> pool.default.serverset.round-robin.2.server = ${global:vars.server2}
>>>
>>> instead of
>>>
>>> vars.server = ipa1.din.intranet
>>> pool.default.serverset.single.server = ${global:vars.server}
>>>
>>> But I still have to test that as our second replica is down at the moment.
>> Correct, there are multiple policies for you to choose from.
>>
>>> Also can we get rid of the internal admin or better just disable internal authentication without problems? As we have ipa we don't want local login enabled, but in emergency situations we might need to turn it on quickly.
>> Yes, you can disable the internal by creating /etc/ovirt-engine/engine.conf.d/50-disable-internal.conf
>> ---
>> ENGINE_EXTENSION_ENABLED_builtin-authn-internal = false
>> ---
>>
>> Hmmm.... we have a bug in this case... will fix, so let's just disable the authz for now.
>> ---
>> ENGINE_EXTENSION_ENABLED_internal = false
>> ---
>>
>> Regards,
>> Alon
>
> thanks! that will work.
>
> Met vriendelijke groet, With kind regards,
>
> Jorick Astrego
>
> Netbulae Virtualization Experts
> Tel: 053 20 30 270 info@netbulae.eu Staalsteden 4-3A KvK 08198180
> Fax: 053 20 30 271 www.netbulae.eu 7547 TA Enschede BTW NL821234584B01

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
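Both profile variants quoted in this thread (the single-server din.intranet.properties from Marcelo's steps and Jorick's round-robin version) can be checked with the small audit script below. It is an added example written for this thread, not oVirt project code: it parses the properties format, expands ${global:...} references, lists the servers the pool will use, and flags the three points Alon makes (the bind DN is the IPA admin, the bind password is necessarily clear text, only one server is configured). Treating a missing pool.default.serverset.type as "single" is my assumption, since the single-server profile above never sets that key; the svc-ovirt account DN in the second sample is constructed.

```python
"""Audit helper for an ovirt-engine-extension-aaa-ldap profile file, the
/etc/ovirt-engine/aaa/<profile>.properties format used in this thread.

Example code added to the thread, not part of oVirt. It only knows the keys
that appear in the messages above (include, vars.*, pool.default.serverset.*,
pool.default.auth.simple.*) and their ${global:key} reference syntax. Treating
a missing pool.default.serverset.type as "single" is an assumption made here.
"""
import os
import re
import stat

REF = re.compile(r"\$\{global:([^}]+)\}")
ROUND_ROBIN_KEY = re.compile(r"pool\.default\.serverset\.round-robin\.(\d+)\.server")


def parse_properties(text):
    """Parse 'key = value' lines into a dict; blanks and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)      # the DN value itself contains '='
        props[key.strip()] = value.strip()
    return props


def resolve(props, value, depth=0):
    """Expand ${global:key} references recursively, with a loop guard."""
    if depth > 16:
        raise ValueError("reference loop while expanding %r" % value)

    def repl(match):
        key = match.group(1)
        if key not in props:
            raise KeyError("unresolved reference ${global:%s}" % key)
        return resolve(props, props[key], depth + 1)

    return REF.sub(repl, value)


def servers(props):
    """Return the LDAP servers the pool will use, in configured order."""
    kind = props.get("pool.default.serverset.type", "single")  # assumption
    if kind == "single":
        return [resolve(props, props["pool.default.serverset.single.server"])]
    if kind == "round-robin":
        found = []
        for key, value in props.items():
            match = ROUND_ROBIN_KEY.fullmatch(key)
            if match:
                found.append((int(match.group(1)), resolve(props, value)))
        return [server for _, server in sorted(found)]
    raise ValueError("unsupported serverset type %r" % kind)


def audit(props):
    """Return findings about the bind credentials and server set, as strings."""
    findings = []
    bind_dn = resolve(props, props.get("pool.default.auth.simple.bindDN", ""))
    password = resolve(props, props.get("pool.default.auth.simple.password", ""))
    if bind_dn.lower().startswith("uid=admin,"):
        findings.append("bind DN is the directory admin account; use a dedicated "
                        "read-only account instead")
    if password.startswith("{SSHA}"):
        findings.append("bind password is an {SSHA} verifier, not a password; "
                        "simple bind will fail with this value")
    elif password:
        findings.append("bind password is stored in clear text (unavoidable for "
                        "simple bind); keep the file private to the engine")
    if len(servers(props)) < 2:
        findings.append("only one LDAP server configured; a round-robin serverset "
                        "gives failover across IPA replicas")
    return findings


def file_is_private(path):
    """True when the profile file is not readable by group or others."""
    return not (os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


# Constructed sample profiles mirroring the two variants discussed above.
SINGLE_PROFILE = """\
include = <ipa.properties>
vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
vars.password = 123456
vars.server = ipa1.din.intranet
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
"""

ROUND_ROBIN_PROFILE = """\
vars.user = uid=svc-ovirt,cn=users,cn=accounts,dc=din,dc=intranet
vars.password = 123456
vars.server1 = ipa1.din.intranet
vars.server2 = ipa2.din.intranet
pool.default.serverset.type = round-robin
pool.default.serverset.round-robin.1.server = ${global:vars.server1}
pool.default.serverset.round-robin.2.server = ${global:vars.server2}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
"""
```

Against a real file, run parse_properties(open(path).read()) followed by audit(...) and file_is_private(path); the last check is the mitigation that actually applies once you accept Alon's point that the bind password cannot be stored hashed, because the file's read permission then decides who holds the credential.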

On 01/22/2015 01:13 PM, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Jorick Astrego" <j.astrego@netbulae.eu>
>> To: users@ovirt.org
>> Sent: Thursday, January 22, 2015 2:09:18 PM
>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>>
>> On 01/22/2015 12:59 PM, Alon Bar-Lev wrote:
>>> ----- Original Message -----
>>>> From: "Jorick Astrego" <j.astrego@netbulae.eu>
>>>> To: users@ovirt.org
>>>> Sent: Thursday, January 22, 2015 1:41:40 PM
>>>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>>>>
>>>> On 10/31/2014 02:47 PM, Marcelo Donato wrote:
>>>>
>>>> Below the solution. Resolved By "Alon Bar-Lev" <alonbl@redhat.com>
>>>>
>>>> 1. install ovirt-engine-extension-aaa-ldap, it is available in
>>>> ovirt-3.5-snapshots repository.
>>>>
>>>> 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties
>>>>
>>>> ovirt.engine.extension.name = din-intranet-authz
>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>>>>
>>>> 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties
>>>>
>>>> ovirt.engine.extension.name = din-intranet-authn
>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>>> ovirt.engine.aaa.authn.profile.name = din.intranet
>>>> ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>>>>
>>>> 4. create /etc/ovirt-engine/aaa/din.intranet.properties
>>>>
>>>> include = <ipa.properties>
>>>>
>>>> vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
>>>> vars.password = 123456
>>>> vars.server = ipa1.din.intranet
>>>>
>>>> pool.default.serverset.single.server = ${global:vars.server}
>>>> pool.default.auth.simple.bindDN = ${global:vars.user}
>>>> pool.default.auth.simple.password = ${global:vars.password}
>>>>
>>>> 5. restart engine.
>>>>
>>>> Thanks a lot Alon.
>>>>
>>>> Thanks for this, saved me some time!
>>>>
>>>> Just a couple of additions, please hash the password with SSHA (I really hate plain text admin passwords...)
>>>> I tried putting an {SSHA} encoded password in "vars.password =", but it fails to authenticate while plain text works fine.
>>> I am unsure I understand.
>>> using hash to store password hint at server side makes sense.
>>> but using hash to store password at client side does not make sense, this means that if I get the server database I can authenticate to any user without knowing his password.
>>>
>>> Also, please note that the user you specify within configuration should not have any special privilege but to query public objects within ldap.
>> I don't like storing plain text in textfiles, so I try to avoid it. Even if it is a read only user there are no "public" objects that I like to expose to anyone. I can query groups, group members, e-mail addresses, krbPasswordExpiration, krbLastPwdChange etc. with this user.
>>
>> So that's why I try to have the bind user password hashed in the properties file.
> as I wrote above, storing hash instead of password does not enhance security.
> it is the same as if you just set the user's password to the hash.

Ah yes, silly me. You are absolutely right. It has been such a long habit... But it does help when people intercept the traffic. Does the ldap plugin send it hashed to the ldap server?

I think FreeIPA supports salted sha512 but I'm not entirely sure.

You'll probably say that I need to enable TLS, but there have been many weaknesses in ssl and MITM issues. So more is always better in a security perspective.

Met vriendelijke groet, With kind regards,

Jorick Astrego

Netbulae Virtualization Experts
Tel: 053 20 30 270 info@netbulae.eu Staalsteden 4-3A KvK 08198180
Fax: 053 20 30 271 www.netbulae.eu 7547 TA Enschede BTW NL821234584B01

----- Original Message -----
From: "Jorick Astrego" <j.astrego@netbulae.eu>
To: users@ovirt.org
Sent: Thursday, January 22, 2015 2:30:30 PM
Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa

> > > > > Just a couple of additions, please hash the password with SSHA (I really hate plain text admin passwords...)
> > > > > I tried putting an {SSHA} encoded password in "vars.password =", but it fails to authenticate while plain text works fine.
> > > >
> > > > I am unsure I understand. Using hash to store password hint at server side makes sense, but using hash to store password at client side does not make sense; this means that if I get the server database I can authenticate to any user without knowing his password.
> > > >
> > > > Also, please note that the user you specify within configuration should not have any special privilege but to query public objects within ldap.
> > >
> > > I don't like storing plain text in text files, so I try to avoid it. Even if it is a read only user there are no "public" objects that I like to expose to anyone. I can query groups, group members, e-mail addresses, krbPasswordExpiration, krbLastPwdChange etc. with this user.
> > >
> > > So that's why I try to have the bind user password hashed in the properties file.
> >
> > As I wrote above, storing hash instead of password does not enhance security. It is the same as if you just set the user's password to the hash.
>
> Ah yes, silly me. You are absolutely right. It has been such a long habit... But it does help when people intercept the traffic.

No it is not... exactly the opposite... if the hash is sent it is actually weaker than password, as it has lower diversity. If you wish you can enable digest-MD5 and use SASL, but still you must store the plain password at client side.

> Does the ldap plugin send it hashed to the ldap server?
>
> I think FreeIPA supports salted sha512 but I'm not entirely sure.
>
> You'll probably say that I need to enable TLS, but there have been many weaknesses in ssl and MITM issues. So more is always better in a security perspective.

Using plain protocol will always be weaker than using TLS, even if you use digest-MD5, kerberos or any other challenge-response mechanism. As the password must be kept at client side no matter what protocol you use, using TLS and simple bind is the minimum you can have. I believe that TLS + simple bind is sufficient for most usages for a user that has no special access to information.

From my experience enabling SASL does have its issues, but you may want to check it out if you do not trust TLS, but even if you use SASL, better to use it over TLS.

Alon
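The "TLS plus simple bind" minimum Alon describes, applied to the din.intranet profile from earlier in the thread, as an added example (not configuration posted in the thread or shipped by the oVirt project). It assumes the FreeIPA CA certificate has been imported with keytool into a Java truststore at /etc/ovirt-engine/aaa/din.intranet.jks, a dedicated read-only bind account uid=ovirt-bind exists, and the engine runs as the ovirt user; the pool.default.ssl.* keys are the ones ovirt-engine-extension-aaa-ldap documents for StartTLS.

```properties
# /etc/ovirt-engine/aaa/din.intranet.properties  (added example)
# din.intranet names and the non-ssl keys follow the thread; everything
# marked "assumed" is not from the thread.
include = <ipa.properties>

vars.server = ipa1.din.intranet
# Assumed dedicated search account with no special privilege, per Alon's
# advice, in place of the uid=admin account used earlier in the thread.
vars.user = uid=ovirt-bind,cn=users,cn=accounts,dc=din,dc=intranet
# Stays plain text, as the thread concludes it must. Protect the file
# instead (assumed): chown root:ovirt, chmod 0640, so only the engine reads it.
vars.password = CHANGE_ME_bind_password

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Upgrade the plain LDAP connection with StartTLS before the simple bind,
# so the bind password never crosses the wire in clear.
pool.default.ssl.startTLS = true
# Java keystore holding the FreeIPA CA, created beforehand (assumed path;
# /etc/ipa/ca.crt is where FreeIPA keeps its CA certificate):
#   keytool -importcert -noprompt -trustcacerts -alias din-ipa-ca \
#     -file /etc/ipa/ca.crt \
#     -keystore /etc/ovirt-engine/aaa/din.intranet.jks -storepass changeit
pool.default.ssl.truststore.file = /etc/ovirt-engine/aaa/din.intranet.jks
pool.default.ssl.truststore.password = changeit
# Leave pool.default.ssl.insecure unset (default false): enabling it skips
# certificate verification and reopens the MITM case discussed above.
```

After restarting the engine, a wrong or missing truststore shows up as a TLS handshake failure in engine.log rather than as a silent fallback to plain LDAP.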

On 01/22/2015 01:47 PM, Alon Bar-Lev wrote:
> [...]

Thanks for clarifying!
So I was taught wrong all these years ago ;-)

With kind regards,

Jorick Astrego
Netbulae Virtualization Experts
Participants (3): Alon Bar-Lev, Jorick Astrego, Marcelo Donato