[Users] OpenLDAP Simple Authentication in Ovirt Engine

Hi,

I am currently testing Ovirt 3.1 standalone on Fedora 17. Until now, I could only use the default user admin@internal.

Our Directory at the University is OpenLDAP. We use it for authentication WITHOUT Kerberos: Simple authentication. I wonder how to use this backend to authenticate users and manage groups in Ovirt.

Has anyone already set this up? How to configure Ovirt to use Simple Authentication (No Kerberos)?

Cheers,

-- 
Thierry Kauffmann
Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences <http://sif.info-ufr.univ-montp2.fr/>
UM2 - Université de Montpellier 2 <http://www.univ-montp2.fr/>
Service informatique de la Faculté des Sciences (SIF), Université de Montpellier 2, CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58
email : thierry.kauffmann@univ-montp2.fr
web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/

Hi,

This is a response from an older thread from Yair Zaslavsky: "there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues."

Best regards,

On 11/30/2012 12:30 PM, Thierry Kauffmann wrote:
Our Directory at the University is OpenLDAP. We use it for authentication WITHOUT Kerberos : Simple authentication.
just wondering, i'm sure it is encrypted somehow, do you know which way? also, when using openldap, which scheme are you using?

thanks,
Itamar

On 04/12/2012 00:51, Itamar Heim wrote:
just wondering, i'm sure it is encrypted somehow, do you know which way? also, when using openldap, which scheme are you using?
thanks, Itamar
Hi,

the password is transmitted by the client encrypted (hashed) to the openldap server. We use the standard schemes delivered by openldap: core, cosine, nis, inetorgperson and samba.

A normal user dn is: uid=username,ou=Users,dc=example,dc=com
A normal group dn is: cn=groupname,ou=Groups,dc=example,dc=com
Group members are a list of values for the attribute "memberUid" of a group dn.

regards,
Thierry

True LDAP does not require a password encryption method and is perfectly happy with cleartext storage and use. In practice, one uses a secure channel (LDAPS or Starttls or encrypted network) and most LDAP servers (such as OpenLDAP) will allow several different kinds of password encryption.

An application, though, should not ever deal with this issue. The password should be validated by doing a BIND operation, and the application should not do any READ operations on the userPassword value at any time, only authenticate operations. Let the LDAP server manage authentication.

Groups are harder. You cannot rely on the presence of a memberOf attribute, unfortunately, and schema are contextually meaningless, so you need a way for the directory administrator to tell the client code how groups are being stored in the server. Thierry gives one example, another is groupOfNames using a "member" attribute containing DNs of members. Those are the two most common methods, but there are more.

--Charlie
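Charlie's two points above (prove the password with a BIND and never read userPassword; let the administrator describe the group scheme, memberUid as in Thierry's directory or groupOfNames with member DNs) as an added Python example. It is not code from this thread or from oVirt; it assumes python-ldap for the bind and search, and the URL, base DN and group entries are constructed.

```python
from collections import namedtuple

def escape_filter(value):
    """RFC 4515 escaping so a user-supplied value can never change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

# The administrator has to tell the client how groups are stored: object class, member attribute, DN or uid.
GroupScheme = namedtuple("GroupScheme", "object_class member_attr holds_dn")
POSIX_GROUP = GroupScheme("posixGroup", "memberUid", holds_dn=False)   # Thierry's layout
GROUP_OF_NAMES = GroupScheme("groupOfNames", "member", holds_dn=True)  # Charlie's other example

def group_filter(scheme, uid, user_dn):
    """Search filter listing the groups a user belongs to under the given scheme."""
    value = user_dn if scheme.holds_dn else uid
    return "(&(objectClass=%s)(%s=%s))" % (scheme.object_class, scheme.member_attr, escape_filter(value))

def _norm_dn(dn):
    # Simplified DN comparison: case-insensitive, whitespace around commas ignored.
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_member(scheme, group_attrs, uid, user_dn):
    """Evaluate membership on an already fetched group entry (attribute name -> list of values)."""
    values = group_attrs.get(scheme.member_attr, [])
    if scheme.holds_dn:
        return any(_norm_dn(v) == _norm_dn(user_dn) for v in values)
    return uid in values

SAMPLE_POSIX_GROUP = {"cn": ["admins"], "memberUid": ["jdoe", "alice"]}  # constructed, posixGroup style
SAMPLE_GROUP_OF_NAMES = {"cn": ["admins"], "member": ["UID=jdoe, OU=Users, DC=example, DC=com"]}  # constructed

def authenticate(url, user_base, uid, password):
    """Search for the user, then prove the password with a BIND; userPassword is never read."""
    import ldap  # python-ldap (assumed installed); imported lazily so the pure helpers run without it
    if not password:
        raise ValueError("an empty password would turn into an unauthenticated bind that succeeds")
    conn = ldap.initialize(url)
    if url.startswith("ldap://"):
        conn.start_tls_s()  # upgrade to TLS before any password leaves the process
    elif not url.startswith("ldaps://"):
        raise ValueError("refusing to send a simple bind over an unprotected channel")
    # Assumes the directory allows anonymous search on uid; otherwise bind a service account first.
    found = conn.search_s(user_base, ldap.SCOPE_SUBTREE, "(uid=%s)" % escape_filter(uid), ["1.1"])
    if len(found) != 1:
        return None  # unknown or ambiguous user: indistinguishable from a wrong password
    try:
        conn.simple_bind_s(found[0][0], password)  # the server checks the password, whatever hash it stores
    except ldap.INVALID_CREDENTIALS:
        return None
    return found[0][0]
```

The pure helpers (escaping, filter building, membership evaluation) run offline; authenticate() needs a reachable directory.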

On 12/11/2012 09:19 PM, Charlie wrote:
True LDAP does not require a password encryption method and is perfectly happy with cleartext storage and use.
In practice, one uses a secure channel (LDAPS or Starttls or encrypted network) and most LDAP servers (such as OpenLDAP) will allow several different kinds of password encryption.
An application, though, should not ever deal with this issue. The password should be validated by doing a BIND operation, and the application should not do any READ operations on the userPassword value at any time, only authenticate operations. Let the LDAP server manage authentication.
Groups are harder. You cannot rely on the presence of a memberOf attribute, unfortunately, and schema are contextually meaningless, so you need a way for the directory administrator to tell the client code how groups are being stored in the server. Thierry gives one example, another is groupOfNames using a "member" attribute containing DNs of members. Those are the two most common methods, but there are more.
Charlie - Alon wrote a suggestion[1] for the first step of simplifying the kerberos requirement. another phase would be needed to make it configurable for various providers. any help on implementing the first step is welcome.

Thanks,
Itamar

[1] http://lists.ovirt.org/pipermail/engine-devel/2012-December/003257.html
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
participants (4)
- Charlie
- Cristian Falcas
- Itamar Heim
- Thierry Kauffmann