[Users] OpenLDAP Simple Authentication in Ovirt Engine
Hi,
I am currently testing Ovirt 3.1 standalone on Fedora 17.
Until now, I could only use the default user admin@internal.
Our Directory at the University is OpenLDAP. We use it for authentication WITHOUT Kerberos : Simple authentication.
I wonder how to use this backend to authenticate users and manage groups in Ovirt.
Has anyone already set this up ? How to configure Ovirt to use Simple Authentication (No Kerberos).
Cheers,
-- Thierry Kauffmann Chef du Service Informatique // Facult? des Sciences // Universit? de Montpellier 2
[image: SIF - Service Informatique de la Facult? des Sciences]<http://sif.info-ufr.univ-montp2.fr/> [image: UM2 - Universit? de Montpellier 2] <http://www.univ-montp2.fr/> Service informatique de la Facult? des Sciences (SIF) Universit? de Montpellier 2 CC437 // Place Eug?ne Bataillon // 34095 Montpellier Cedex 5
T?l : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Hi,
This is a response from an older thread from Yair Zaslavsky:
" there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues."
Best regards, Hi,
correct-me if I am wrong but this wiki page (http://www.ovirt.org/DomainInfrastructure) states clearly :
1. Authenticating Active Directory, IPA and RHDS using either simple or gssapi authentication 2. Querying the directory using the LDAP protocol 3. Auto deducing the LDAP provider type 4. Easily adding new LDAP provider types 5. Easily adding new query types
So what ? -- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2 SIF - Service Informatique de la Faculté des Sciences <http://sif.info-ufr.univ-montp2.fr/> UM2 - Université de Montpellier 2 <http://www.univ-montp2.fr/> Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5 Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr <mailto:thierry.kauffmann@univ-montp2.fr> web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "cristi falcas" <cristi.falcas@gmail.com> Cc: users@ovirt.org Sent: Saturday, December 1, 2012 5:56:14 PM Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Hi,
I am currently testing Ovirt 3.1 standalone on Fedora 17.
Until now, I could only use the default user admin@internal.
Our Directory at the University is OpenLDAP. We use it for authentication WITHOUT Kerberos : Simple authentication.
I wonder how to use this backend to authenticate users and manage groups in Ovirt.
Has anyone already set this up ? How to configure Ovirt to use Simple Authentication (No Kerberos).
Cheers,
-- Thierry Kauffmann Chef du Service Informatique // Facult? des Sciences // Universit? de Montpellier 2
[image: SIF - Service Informatique de la Facult? des Sciences] <http://sif.info-ufr.univ-montp2.fr/> [image: UM2 - Universit? de Montpellier 2] <http://www.univ-montp2.fr/> Service informatique de la Facult? des Sciences (SIF) Universit? de Montpellier 2 CC437 // Place Eug?ne Bataillon // 34095 Montpellier Cedex 5
T?l : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users Hi,
This is a response from an older thread from Yair Zaslavsky:
" there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues."
Best regards, Hi,
correct-me if I am wrong but this wiki page ( http://www.ovirt.org/DomainInfrastructure ) states clearly :
1. Authenticating Active Directory, IPA and RHDS using either simple or gssapi authentication 2. Querying the directory using the LDAP protocol 3. Auto deducing the LDAP provider type 4. Easily adding new LDAP provider types 5. Easily adding new query types
So what ?
We supported simple authentication in the past, but it is no longer supported, that's why you can't set that using the manage domains utility. It may work well in some providers (in the past we supported that for active directory, so I guess it would work there). We also don't auto deduce the LDAP provider type anymore, as changes in the providers caused some issues with it. I'll edit the wiki accordingly (btw, I remember removing it from the wiki... so it is weird that it is still there...). Oved
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "cristi falcas" <cristi.falcas@gmail.com> Cc: users@ovirt.org Sent: Saturday, December 1, 2012 5:56:14 PM Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Hi,
I am currently testing Ovirt 3.1 standalone on Fedora 17.
Until now, I could only use the default user admin@internal.
Our Directory at the University is OpenLDAP. We use it for authentication WITHOUT Kerberos : Simple authentication.
I wonder how to use this backend to authenticate users and manage groups in Ovirt.
Has anyone already set this up ? How to configure Ovirt to use Simple Authentication (No Kerberos).
Cheers,
-- Thierry Kauffmann Chef du Service Informatique // Facult? des Sciences // Universit? de Montpellier 2
[image: SIF - Service Informatique de la Facult? des Sciences] <http://sif.info-ufr.univ-montp2.fr/> [image: UM2 - Universit? de Montpellier 2] <http://www.univ-montp2.fr/> Service informatique de la Facult? des Sciences (SIF) Universit? de Montpellier 2 CC437 // Place Eug?ne Bataillon // 34095 Montpellier Cedex 5
T?l : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users Hi,
This is a response from an older thread from Yair Zaslavsky:
" there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues."
Best regards, Hi,
correct-me if I am wrong but this wiki page ( http://www.ovirt.org/DomainInfrastructure ) states clearly :
1. Authenticating Active Directory, IPA and RHDS using either simple or gssapi authentication 2. Querying the directory using the LDAP protocol 3. Auto deducing the LDAP provider type 4. Easily adding new LDAP provider types 5. Easily adding new query types
So what ?
We supported simple authentication in the past, but it is no longer supported, that's why you can't set that using the manage domains utility. It may work well in some providers (in the past we supported that for active directory, so I guess it would work there).
I don't think we removed SIMPLE from the engine, we just don't recommend using it, since it doesn't encrypt user/password on the network (it is sometime useful for debugging).
We also don't auto deduce the LDAP provider type anymore, as changes in the providers caused some issues with it.
I'll edit the wiki accordingly (btw, I remember removing it from the wiki... so it is weird that it is still there...).
Oved
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: users@ovirt.org, "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> Sent: Tuesday, December 4, 2012 1:47:52 AM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "cristi falcas" <cristi.falcas@gmail.com> Cc: users@ovirt.org Sent: Saturday, December 1, 2012 5:56:14 PM Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Hi,
I am currently testing Ovirt 3.1 standalone on Fedora 17.
Until now, I could only use the default user admin@internal.
Our Directory at the University is OpenLDAP. We use it for authentication WITHOUT Kerberos : Simple authentication.
I wonder how to use this backend to authenticate users and manage groups in Ovirt.
Has anyone already set this up ? How to configure Ovirt to use Simple Authentication (No Kerberos).
Cheers,
-- Thierry Kauffmann Chef du Service Informatique // Facult? des Sciences // Universit? de Montpellier 2
[image: SIF - Service Informatique de la Facult? des Sciences] <http://sif.info-ufr.univ-montp2.fr/> [image: UM2 - Universit? de Montpellier 2] <http://www.univ-montp2.fr/> Service informatique de la Facult? des Sciences (SIF) Universit? de Montpellier 2 CC437 // Place Eug?ne Bataillon // 34095 Montpellier Cedex 5
T?l : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users Hi,
This is a response from an older thread from Yair Zaslavsky:
" there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues."
Best regards, Hi,
correct-me if I am wrong but this wiki page ( http://www.ovirt.org/DomainInfrastructure ) states clearly :
1. Authenticating Active Directory, IPA and RHDS using either simple or gssapi authentication 2. Querying the directory using the LDAP protocol 3. Auto deducing the LDAP provider type 4. Easily adding new LDAP provider types 5. Easily adding new query types
So what ?
We supported simple authentication in the past, but it is no longer supported, that's why you can't set that using the manage domains utility. It may work well in some providers (in the past we supported that for active directory, so I guess it would work there).
I don't think we removed SIMPLE from the engine, we just don't recommend using it, since it doesn't encrypt user/password on the network (it is sometime useful for debugging).
We indeed didn't remove the engine code. We just blocked it from the utility. Once you have a configured oVirt domain, you can set the LDAPSecurityAuthentication configuration parameter (in the vdc_options table), to use simple, by putting a value of: domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE and etc.... but, if you want to add a new domain with it then you would need to add it manually (can give a detailed explanation on how, if relevant). By default we work GSSAPI (I think the config option is empty by default which is equivalent to working GSSAPI). If/When we would need to support that again it shouldn't be a major effort to add the code... the testing with the different providers will be the hard part. Oved
We also don't auto deduce the LDAP provider type anymore, as changes in the providers caused some issues with it.
I'll edit the wiki accordingly (btw, I remember removing it from the wiki... so it is weird that it is still there...).
Oved
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Le 04/12/2012 09:09, Oved Ourfalli a écrit :
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: users@ovirt.org, "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> Sent: Tuesday, December 4, 2012 1:47:52 AM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "cristi falcas" <cristi.falcas@gmail.com> Cc: users@ovirt.org Sent: Saturday, December 1, 2012 5:56:14 PM Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Hi,
I am currently testing Ovirt 3.1 standalone on Fedora 17.
Until now, I could only use the default user admin@internal.
Our Directory at the University is OpenLDAP. We use it for authentication WITHOUT Kerberos : Simple authentication.
I wonder how to use this backend to authenticate users and manage groups in Ovirt.
Has anyone already set this up ? How to configure Ovirt to use Simple Authentication (No Kerberos).
Cheers,
-- Thierry Kauffmann Chef du Service Informatique // Facult? des Sciences // Universit? de Montpellier 2
[image: SIF - Service Informatique de la Facult? des Sciences] <http://sif.info-ufr.univ-montp2.fr/> [image: UM2 - Universit? de Montpellier 2] <http://www.univ-montp2.fr/> Service informatique de la Facult? des Sciences (SIF) Universit? de Montpellier 2 CC437 // Place Eug?ne Bataillon // 34095 Montpellier Cedex 5
T?l : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users Hi,
This is a response from an older thread from Yair Zaslavsky:
" there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues."
Best regards, Hi,
correct-me if I am wrong but this wiki page ( http://www.ovirt.org/DomainInfrastructure ) states clearly :
1. Authenticating Active Directory, IPA and RHDS using either simple or gssapi authentication 2. Querying the directory using the LDAP protocol 3. Auto deducing the LDAP provider type 4. Easily adding new LDAP provider types 5. Easily adding new query types
So what ?
We supported simple authentication in the past, but it is no longer supported, that's why you can't set that using the manage domains utility. It may work well in some providers (in the past we supported that for active directory, so I guess it would work there).
I don't think we removed SIMPLE from the engine, we just don't recommend using it, since it doesn't encrypt user/password on the network (it is sometime useful for debugging).
We indeed didn't remove the engine code. We just blocked it from the utility. Once you have a configured oVirt domain, you can set the LDAPSecurityAuthentication configuration parameter (in the vdc_options table), to use simple, by putting a value of: domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE and etc....
but, if you want to add a new domain with it then you would need to add it manually (can give a detailed explanation on how, if relevant).
Yes, I would like to know how to add directly a domain which is not GSSAPI controlled.
By default we work GSSAPI (I think the config option is empty by default which is equivalent to working GSSAPI). If/When we would need to support that again it shouldn't be a major effort to add the code... the testing with the different providers will be the hard part.
Oved
We also don't auto deduce the LDAP provider type anymore, as changes in the providers caused some issues with it.
I'll edit the wiki accordingly (btw, I remember removing it from the wiki... so it is weird that it is still there...).
Oved
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2 SIF - Service Informatique de la Faculté des Sciences <http://sif.info-ufr.univ-montp2.fr/> UM2 - Université de Montpellier 2 <http://www.univ-montp2.fr/> Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5 Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr <mailto:thierry.kauffmann@univ-montp2.fr> web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Tuesday, December 4, 2012 10:35:34 AM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Le 04/12/2012 09:09, Oved Ourfalli a écrit :
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: users@ovirt.org , "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> Sent: Tuesday, December 4, 2012 1:47:52 AM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "cristi falcas" <cristi.falcas@gmail.com> Cc: users@ovirt.org Sent: Saturday, December 1, 2012 5:56:14 PM Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Hi,
I am currently testing Ovirt 3.1 standalone on Fedora 17.
Until now, I could only use the default user admin@internal.
Our Directory at the University is OpenLDAP. We use it for authentication WITHOUT Kerberos : Simple authentication.
I wonder how to use this backend to authenticate users and manage groups in Ovirt.
Has anyone already set this up ? How to configure Ovirt to use Simple Authentication (No Kerberos).
Cheers,
-- Thierry Kauffmann Chef du Service Informatique // Facult? des Sciences // Universit? de Montpellier 2
[image: SIF - Service Informatique de la Facult? des Sciences] <http://sif.info-ufr.univ-montp2.fr/> [image: UM2 - Universit? de Montpellier 2] <http://www.univ-montp2.fr/> Service informatique de la Facult? des Sciences (SIF) Universit? de Montpellier 2 CC437 // Place Eug?ne Bataillon // 34095 Montpellier Cedex 5
T?l : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users Hi,
This is a response from an older thread from Yair Zaslavsky:
" there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues."
Best regards, Hi,
correct-me if I am wrong but this wiki page ( http://www.ovirt.org/DomainInfrastructure ) states clearly :
1. Authenticating Active Directory, IPA and RHDS using either simple or gssapi authentication 2. Querying the directory using the LDAP protocol 3. Auto deducing the LDAP provider type 4. Easily adding new LDAP provider types 5. Easily adding new query types
So what ? We supported simple authentication in the past, but it is no longer supported, that's why you can't set that using the manage domains utility. It may work well in some providers (in the past we supported that for active directory, so I guess it would work there). I don't think we removed SIMPLE from the engine, we just don't recommend using it, since it doesn't encrypt user/password on the network (it is sometime useful for debugging). We indeed didn't remove the engine code. We just blocked it from the utility. Once you have a configured oVirt domain, you can set the LDAPSecurityAuthentication configuration parameter (in the vdc_options table), to use simple, by putting a value of: domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE and etc....
but, if you want to add a new domain with it then you would need to add it manually (can give a detailed explanation on how, if relevant). Yes, I would like to know how to add directly a domain which is not GSSAPI controlled.
The vdc_options table is a table containing the configuration values of the engine. Among those, there are directory-related configuration values: engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword'); option_id | option_name | option_value | version -----------+----------------------------+-------------------------------------------------+--------- 9 | AdUserName | domain1:user1,domain2:user2 | general 10 | AdUserPassword | domain1:password1,domain2:password2 | general 114 | LdapServers | deomain1:ldap_server_address1,domain2:ldap_server_address2 | general 64 | DomainName | domain1,domain2 | general 112 | LDAPSecurityAuthentication | domain1:GSSAPI,domain2:SIMPLE | general 115 | LDAPProviderTypes | domain1:activeDirectory,domain2:ipa | general AdUserName is the user that will be used to query the directory. AdUserPassword is the password that will be used to query the directory. LdapServers - the LDAP server that will be used (only one is allowed in this configuration. This configuration is optional. If empty, we will check the DNS for LDAP SRV records for the relevant domain). DomainName - the names of the domains LDAPSecurityAuthentication - SIMPLE/GSSAPI LDAPProviderTypes - the provider type (activeDirectory/ipa/rhds/itds) All the entries above are per-domain, in the format domain1:value1, domain2:value2 and etc.... If manually adding a GSSAPI domain, you also need to supply a krb5.conf file, and put it in the ENGINE_ETC path. If adding a SIMPLE domain that isn't neccesary. We haven't worked with simple domain for a while now, so hopefully it will work for you as expected. Let me know if you have further questions. Oved
By default we work GSSAPI (I think the config option is empty by default which is equivalent to working GSSAPI). If/When we would need to support that again it shouldn't be a major effort to add the code... the testing with the different providers will be the hard part.
Oved
We also don't auto deduce the LDAP provider type anymore, as changes in the providers caused some issues with it.
I'll edit the wiki accordingly (btw, I remember removing it from the wiki... so it is weird that it is still there...).
Oved
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/
Hi dudes! I was following the model below, but without success. That is my db: engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword','AdUserId'); option_id | option_name | option_value | version -----------+----------------------------+------------------------------------------------------------+--------- 63 | DomainName | ovirt | general 8 | AdUserName | ovirt:admin | general 113 | LDAPProviderTypes | ovirt:ipa | general 112 | LdapServers | ovirt:172.16.21.240 | general 110 | LDAPSecurityAuthentication | ovirt:SIMPLE | general 9 | AdUserPassword | ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= | general (7 rows) As you can see, my ldap server and domain are internal. That's my ldap user object: # admin, Users, Accounts, inpe.br dn: cn=admin,cn=Users,cn=Accounts,dc=ovirt givenName: Admin sn: istrator uid: admin userPassword:: e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= uidNumber: 1001 gidNumber: 502 homeDirectory: /home/users/admin loginShell: /bin/sh objectClass: inetOrgPerson objectClass: posixAccount objectClass: top cn: admin But the log aways returns: 2012-12-10 10:07:00,317 ERROR [org.ovirt.engine.core.bll.adbroker.LdapSearchExceptionHandler] (ajp--0.0.0.0-8009-11) Ldap authentication failed. Please check that the login name , password and path are correct. 2012-12-10 10:07:00,321 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-8) Failed ldap search server ldap://172.16.21.240:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException Am I doing the right way? On 12/04/2012 07:07 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Tuesday, December 4, 2012 10:35:34 AM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Le 04/12/2012 09:09, Oved Ourfalli a écrit :
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: users@ovirt.org , "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> Sent: Tuesday, December 4, 2012 1:47:52 AM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "cristi falcas" <cristi.falcas@gmail.com> Cc: users@ovirt.org Sent: Saturday, December 1, 2012 5:56:14 PM Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Hi,
I am currently testing Ovirt 3.1 standalone on Fedora 17.
Until now, I could only use the default user admin@internal.
Our Directory at the University is OpenLDAP. We use it for authentication WITHOUT Kerberos : Simple authentication.
I wonder how to use this backend to authenticate users and manage groups in Ovirt.
Has anyone already set this up ? How to configure Ovirt to use Simple Authentication (No Kerberos).
Cheers,
-- Thierry Kauffmann Chef du Service Informatique // Facult? des Sciences // Universit? de Montpellier 2
[image: SIF - Service Informatique de la Facult? des Sciences] <http://sif.info-ufr.univ-montp2.fr/> [image: UM2 - Universit? de Montpellier 2] <http://www.univ-montp2.fr/> Service informatique de la Facult? des Sciences (SIF) Universit? de Montpellier 2 CC437 // Place Eug?ne Bataillon // 34095 Montpellier Cedex 5
T?l : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users Hi,
This is a response from an older thread from Yair Zaslavsky:
" there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues."
Best regards, Hi,
correct-me if I am wrong but this wiki page ( http://www.ovirt.org/DomainInfrastructure ) states clearly :
1. Authenticating Active Directory, IPA and RHDS using either simple or gssapi authentication 2. Querying the directory using the LDAP protocol 3. Auto deducing the LDAP provider type 4. Easily adding new LDAP provider types 5. Easily adding new query types
So what ? We supported simple authentication in the past, but it is no longer supported, that's why you can't set that using the manage domains utility. It may work well in some providers (in the past we supported that for active directory, so I guess it would work there). I don't think we removed SIMPLE from the engine, we just don't recommend using it, since it doesn't encrypt user/password on the network (it is sometime useful for debugging). We indeed didn't remove the engine code. We just blocked it from the utility. Once you have a configured oVirt domain, you can set the LDAPSecurityAuthentication configuration parameter (in the vdc_options table), to use simple, by putting a value of: domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE and etc....
but, if you want to add a new domain with it then you would need to add it manually (can give a detailed explanation on how, if relevant). Yes, I would like to know how to add directly a domain which is not GSSAPI controlled.
The vdc_options table is a table containing the configuration values of the engine. Among those, there are directory-related configuration values:
engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword'); option_id | option_name | option_value | version -----------+----------------------------+-------------------------------------------------+--------- 9 | AdUserName | domain1:user1,domain2:user2 | general 10 | AdUserPassword | domain1:password1,domain2:password2 | general 114 | LdapServers | deomain1:ldap_server_address1,domain2:ldap_server_address2 | general 64 | DomainName | domain1,domain2 | general 112 | LDAPSecurityAuthentication | domain1:GSSAPI,domain2:SIMPLE | general 115 | LDAPProviderTypes | domain1:activeDirectory,domain2:ipa | general
AdUserName is the user that will be used to query the directory. AdUserPassword is the password that will be used to query the directory. LdapServers - the LDAP server that will be used (only one is allowed in this configuration. This configuration is optional. If empty, we will check the DNS for LDAP SRV records for the relevant domain). DomainName - the names of the domains LDAPSecurityAuthentication - SIMPLE/GSSAPI LDAPProviderTypes - the provider type (activeDirectory/ipa/rhds/itds)
All the entries above are per-domain, in the format domain1:value1, domain2:value2 and etc....
If manually adding a GSSAPI domain, you also need to supply a krb5.conf file, and put it in the ENGINE_ETC path. If adding a SIMPLE domain that isn't neccesary.
We haven't worked with simple domain for a while now, so hopefully it will work for you as expected.
Let me know if you have further questions.
Oved
By default we work GSSAPI (I think the config option is empty by default which is equivalent to working GSSAPI). If/When we would need to support that again it shouldn't be a major effort to add the code... the testing with the different providers will be the hard part.
Oved
We also don't auto deduce the LDAP provider type anymore, as changes in the providers caused some issues with it.
I'll edit the wiki accordingly (btw, I remember removing it from the wiki... so it is weird that it is still there...).
Oved
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Anyone has made success with that? On 12/10/2012 10:18 AM, Eduardo Ramos wrote:
Hi dudes!
I was following the model below, but without success. That is my db:
engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword','AdUserId'); option_id | option_name | option_value | version -----------+----------------------------+------------------------------------------------------------+---------
63 | DomainName | ovirt | general 8 | AdUserName | ovirt:admin | general 113 | LDAPProviderTypes | ovirt:ipa | general 112 | LdapServers | ovirt:172.16.21.240 | general 110 | LDAPSecurityAuthentication | ovirt:SIMPLE | general 9 | AdUserPassword | ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= | general (7 rows)
As you can see, my ldap server and domain are internal. That's my ldap user object:
# admin, Users, Accounts, inpe.br dn: cn=admin,cn=Users,cn=Accounts,dc=ovirt givenName: Admin sn: istrator uid: admin userPassword:: e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= uidNumber: 1001 gidNumber: 502 homeDirectory: /home/users/admin loginShell: /bin/sh objectClass: inetOrgPerson objectClass: posixAccount objectClass: top cn: admin
But the log aways returns:
2012-12-10 10:07:00,317 ERROR [org.ovirt.engine.core.bll.adbroker.LdapSearchExceptionHandler] (ajp--0.0.0.0-8009-11) Ldap authentication failed. Please check that the login name , password and path are correct. 2012-12-10 10:07:00,321 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-8) Failed ldap search server ldap://172.16.21.240:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
Am I doing the right way?
On 12/04/2012 07:07 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Tuesday, December 4, 2012 10:35:34 AM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Le 04/12/2012 09:09, Oved Ourfalli a écrit :
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: users@ovirt.org , "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> Sent: Tuesday, December 4, 2012 1:47:52 AM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "cristi falcas" <cristi.falcas@gmail.com> Cc: users@ovirt.org Sent: Saturday, December 1, 2012 5:56:14 PM Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Hi,
I am currently testing Ovirt 3.1 standalone on Fedora 17.
Until now, I could only use the default user admin@internal.
Our Directory at the University is OpenLDAP. We use it for authentication WITHOUT Kerberos : Simple authentication.
I wonder how to use this backend to authenticate users and manage groups in Ovirt.
Has anyone already set this up ? How to configure Ovirt to use Simple Authentication (No Kerberos).
Cheers,
-- Thierry Kauffmann Chef du Service Informatique // Facult? des Sciences // Universit? de Montpellier 2
[image: SIF - Service Informatique de la Facult? des Sciences] <http://sif.info-ufr.univ-montp2.fr/> [image: UM2 - Universit? de Montpellier 2] <http://www.univ-montp2.fr/> Service informatique de la Facult? des Sciences (SIF) Universit? de Montpellier 2 CC437 // Place Eug?ne Bataillon // 34095 Montpellier Cedex 5
T?l : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users Hi,
This is a response from an older thread from Yair Zaslavsky:
" there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues."
Best regards, Hi,
correct-me if I am wrong but this wiki page ( http://www.ovirt.org/DomainInfrastructure ) states clearly :
1. Authenticating Active Directory, IPA and RHDS using either simple or gssapi authentication 2. Querying the directory using the LDAP protocol 3. Auto deducing the LDAP provider type 4. Easily adding new LDAP provider types 5. Easily adding new query types
So what ? We supported simple authentication in the past, but it is no longer supported, that's why you can't set that using the manage domains utility. It may work well in some providers (in the past we supported that for active directory, so I guess it would work there). I don't think we removed SIMPLE from the engine, we just don't recommend using it, since it doesn't encrypt user/password on the network (it is sometime useful for debugging). We indeed didn't remove the engine code. We just blocked it from the utility. Once you have a configured oVirt domain, you can set the LDAPSecurityAuthentication configuration parameter (in the vdc_options table), to use simple, by putting a value of: domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE and etc....
but, if you want to add a new domain with it then you would need to add it manually (can give a detailed explanation on how, if relevant). Yes, I would like to know how to add directly a domain which is not GSSAPI controlled.
The vdc_options table is a table containing the configuration values of the engine. Among those, there are directory-related configuration values:
engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword'); option_id | option_name | option_value | version -----------+----------------------------+-------------------------------------------------+---------
9 | AdUserName | domain1:user1,domain2:user2 | general 10 | AdUserPassword | domain1:password1,domain2:password2 | general 114 | LdapServers | deomain1:ldap_server_address1,domain2:ldap_server_address2 | general 64 | DomainName | domain1,domain2 | general 112 | LDAPSecurityAuthentication | domain1:GSSAPI,domain2:SIMPLE | general 115 | LDAPProviderTypes | domain1:activeDirectory,domain2:ipa | general
AdUserName is the user that will be used to query the directory. AdUserPassword is the password that will be used to query the directory. LdapServers - the LDAP server that will be used (only one is allowed in this configuration. This configuration is optional. If empty, we will check the DNS for LDAP SRV records for the relevant domain). DomainName - the names of the domains LDAPSecurityAuthentication - SIMPLE/GSSAPI LDAPProviderTypes - the provider type (activeDirectory/ipa/rhds/itds)
All the entries above are per-domain, in the format domain1:value1, domain2:value2 and etc....
If manually adding a GSSAPI domain, you also need to supply a krb5.conf file, and put it in the ENGINE_ETC path. If adding a SIMPLE domain that isn't neccesary.
We haven't worked with simple domain for a while now, so hopefully it will work for you as expected.
Let me know if you have further questions.
Oved
By default we work GSSAPI (I think the config option is empty by default which is equivalent to working GSSAPI). If/When we would need to support that again it shouldn't be a major effort to add the code... the testing with the different providers will be the hard part.
Oved
We also don't auto deduce the LDAP provider type anymore, as changes in the providers caused some issues with it.
I'll edit the wiki accordingly (btw, I remember removing it from the wiki... so it is weird that it is still there...).
Oved
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Hi Eduardo, We mainly focus on supporting Kerberos authentication at the moment Can you switch to kerberos authentication? ----- Original Message -----
From: "Eduardo Ramos" <eduardo@freedominterface.org> To: users@ovirt.org Sent: Wednesday, February 27, 2013 11:04:17 PM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Anyone has made success with that?
On 12/10/2012 10:18 AM, Eduardo Ramos wrote:
Hi dudes!
I was following the model below, but without success. That is my db:
engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword','AdUserId'); option_id | option_name | option_value | version -----------+----------------------------+------------------------------------------------------------+---------
63 | DomainName | ovirt | general 8 | AdUserName | ovirt:admin | general 113 | LDAPProviderTypes | ovirt:ipa | general 112 | LdapServers | ovirt:172.16.21.240 | general 110 | LDAPSecurityAuthentication | ovirt:SIMPLE | general 9 | AdUserPassword | ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= | general (7 rows)
As you can see, my ldap server and domain are internal. That's my ldap user object:
# admin, Users, Accounts, inpe.br dn: cn=admin,cn=Users,cn=Accounts,dc=ovirt givenName: Admin sn: istrator uid: admin userPassword:: e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= uidNumber: 1001 gidNumber: 502 homeDirectory: /home/users/admin loginShell: /bin/sh objectClass: inetOrgPerson objectClass: posixAccount objectClass: top cn: admin
But the log aways returns:
2012-12-10 10:07:00,317 ERROR [org.ovirt.engine.core.bll.adbroker.LdapSearchExceptionHandler] (ajp--0.0.0.0-8009-11) Ldap authentication failed. Please check that the login name , password and path are correct. 2012-12-10 10:07:00,321 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-8) Failed ldap search server ldap://172.16.21.240:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
Am I doing the right way?
On 12/04/2012 07:07 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Tuesday, December 4, 2012 10:35:34 AM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Le 04/12/2012 09:09, Oved Ourfalli a écrit :
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: users@ovirt.org , "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> Sent: Tuesday, December 4, 2012 1:47:52 AM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "cristi falcas" <cristi.falcas@gmail.com> Cc: users@ovirt.org Sent: Saturday, December 1, 2012 5:56:14 PM Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Hi,
I am currently testing Ovirt 3.1 standalone on Fedora 17.
Until now, I could only use the default user admin@internal.
Our Directory at the University is OpenLDAP. We use it for authentication WITHOUT Kerberos : Simple authentication.
I wonder how to use this backend to authenticate users and manage groups in Ovirt.
Has anyone already set this up ? How to configure Ovirt to use Simple Authentication (No Kerberos).
Cheers,
-- Thierry Kauffmann Chef du Service Informatique // Facult? des Sciences // Universit? de Montpellier 2
[image: SIF - Service Informatique de la Facult? des Sciences] <http://sif.info-ufr.univ-montp2.fr/> [image: UM2 - Universit? de Montpellier 2] <http://www.univ-montp2.fr/> Service informatique de la Facult? des Sciences (SIF) Universit? de Montpellier 2 CC437 // Place Eug?ne Bataillon // 34095 Montpellier Cedex 5
T?l : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users Hi,
This is a response from an older thread from Yair Zaslavsky:
" there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues."
Best regards, Hi,
correct-me if I am wrong but this wiki page ( http://www.ovirt.org/DomainInfrastructure ) states clearly :
1. Authenticating Active Directory, IPA and RHDS using either simple or gssapi authentication 2. Querying the directory using the LDAP protocol 3. Auto deducing the LDAP provider type 4. Easily adding new LDAP provider types 5. Easily adding new query types
So what ? We supported simple authentication in the past, but it is no longer supported, that's why you can't set that using the manage domains utility. It may work well in some providers (in the past we supported that for active directory, so I guess it would work there). I don't think we removed SIMPLE from the engine, we just don't recommend using it, since it doesn't encrypt user/password on the network (it is sometime useful for debugging). We indeed didn't remove the engine code. We just blocked it from the utility. Once you have a configured oVirt domain, you can set the LDAPSecurityAuthentication configuration parameter (in the vdc_options table), to use simple, by putting a value of: domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE and etc....
but, if you want to add a new domain with it then you would need to add it manually (can give a detailed explanation on how, if relevant). Yes, I would like to know how to add directly a domain which is not GSSAPI controlled.
The vdc_options table is a table containing the configuration values of the engine. Among those, there are directory-related configuration values:
engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword'); option_id | option_name | option_value | version -----------+----------------------------+-------------------------------------------------+---------
9 | AdUserName | domain1:user1,domain2:user2 | general 10 | AdUserPassword | domain1:password1,domain2:password2 | general 114 | LdapServers | deomain1:ldap_server_address1,domain2:ldap_server_address2 | general 64 | DomainName | domain1,domain2 | general 112 | LDAPSecurityAuthentication | domain1:GSSAPI,domain2:SIMPLE | general 115 | LDAPProviderTypes | domain1:activeDirectory,domain2:ipa | general
AdUserName is the user that will be used to query the directory. AdUserPassword is the password that will be used to query the directory. LdapServers - the LDAP server that will be used (only one is allowed in this configuration. This configuration is optional. If empty, we will check the DNS for LDAP SRV records for the relevant domain). DomainName - the names of the domains LDAPSecurityAuthentication - SIMPLE/GSSAPI LDAPProviderTypes - the provider type (activeDirectory/ipa/rhds/itds)
All the entries above are per-domain, in the format domain1:value1, domain2:value2 and etc....
If manually adding a GSSAPI domain, you also need to supply a krb5.conf file, and put it in the ENGINE_ETC path. If adding a SIMPLE domain that isn't neccesary.
We haven't worked with simple domain for a while now, so hopefully it will work for you as expected.
Let me know if you have further questions.
Oved
By default we work GSSAPI (I think the config option is empty by default which is equivalent to working GSSAPI). If/When we would need to support that again it shouldn't be a major effort to add the code... the testing with the different providers will be the hard part.
Oved
We also don't auto deduce the LDAP provider type anymore, as changes in the providers caused some issues with it.
I'll edit the wiki accordingly (btw, I remember removing it from the wiki... so it is weird that it is still there...).
Oved
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
I was also testing simple auth without success. Our ldap doesn't support kerberos so we're stuck. Engine log doesn't report anything, and the server log shows: 2013-02-28 09:53:52,850 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS015870: Deploy of deployment "engine.ear" was rolled back with failure message {"JBAS014671: Failed services" => {"jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START" => "org.jboss.msc.service.StartException in service jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START: Failed to start service"}} We're using 3.1 on CentOS, rpms from dev.centos.org repo. On 02/28/2013 09:33 AM, Yair Zaslavsky wrote:
Hi Eduardo, We mainly focus on supporting Kerberos authentication at the moment Can you switch to kerberos authentication?
----- Original Message -----
From: "Eduardo Ramos" <eduardo@freedominterface.org> To: users@ovirt.org Sent: Wednesday, February 27, 2013 11:04:17 PM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Anyone has made success with that?
On 12/10/2012 10:18 AM, Eduardo Ramos wrote:
Hi dudes!
I was following the model below, but without success. That is my db:
engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword','AdUserId'); option_id | option_name | option_value | version -----------+----------------------------+------------------------------------------------------------+---------
63 | DomainName | ovirt | general 8 | AdUserName | ovirt:admin | general 113 | LDAPProviderTypes | ovirt:ipa | general 112 | LdapServers | ovirt:172.16.21.240 | general 110 | LDAPSecurityAuthentication | ovirt:SIMPLE | general 9 | AdUserPassword | ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= | general (7 rows)
As you can see, my ldap server and domain are internal. That's my ldap user object:
# admin, Users, Accounts, inpe.br dn: cn=admin,cn=Users,cn=Accounts,dc=ovirt givenName: Admin sn: istrator uid: admin userPassword:: e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= uidNumber: 1001 gidNumber: 502 homeDirectory: /home/users/admin loginShell: /bin/sh objectClass: inetOrgPerson objectClass: posixAccount objectClass: top cn: admin
But the log aways returns:
2012-12-10 10:07:00,317 ERROR [org.ovirt.engine.core.bll.adbroker.LdapSearchExceptionHandler] (ajp--0.0.0.0-8009-11) Ldap authentication failed. Please check that the login name , password and path are correct. 2012-12-10 10:07:00,321 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-8) Failed ldap search server ldap://172.16.21.240:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
Am I doing the right way?
On 12/04/2012 07:07 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Tuesday, December 4, 2012 10:35:34 AM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Le 04/12/2012 09:09, Oved Ourfalli a écrit :
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: users@ovirt.org , "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> Sent: Tuesday, December 4, 2012 1:47:52 AM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "cristi falcas" <cristi.falcas@gmail.com> Cc: users@ovirt.org Sent: Saturday, December 1, 2012 5:56:14 PM Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Hi,
I am currently testing Ovirt 3.1 standalone on Fedora 17.
Until now, I could only use the default user admin@internal.
Our Directory at the University is OpenLDAP. We use it for authentication WITHOUT Kerberos : Simple authentication.
I wonder how to use this backend to authenticate users and manage groups in Ovirt.
Has anyone already set this up ? How to configure Ovirt to use Simple Authentication (No Kerberos).
Cheers,
-- Thierry Kauffmann Chef du Service Informatique // Facult? des Sciences // Universit? de Montpellier 2
[image: SIF - Service Informatique de la Facult? des Sciences] <http://sif.info-ufr.univ-montp2.fr/> [image: UM2 - Universit? de Montpellier 2] <http://www.univ-montp2.fr/> Service informatique de la Facult? des Sciences (SIF) Universit? de Montpellier 2 CC437 // Place Eug?ne Bataillon // 34095 Montpellier Cedex 5
T?l : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users Hi,
This is a response from an older thread from Yair Zaslavsky:
" there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues."
Best regards, Hi,
correct-me if I am wrong but this wiki page ( http://www.ovirt.org/DomainInfrastructure ) states clearly :
1. Authenticating Active Directory, IPA and RHDS using either simple or gssapi authentication 2. Querying the directory using the LDAP protocol 3. Auto deducing the LDAP provider type 4. Easily adding new LDAP provider types 5. Easily adding new query types
So what ? We supported simple authentication in the past, but it is no longer supported, that's why you can't set that using the manage domains utility. It may work well in some providers (in the past we supported that for active directory, so I guess it would work there). I don't think we removed SIMPLE from the engine, we just don't recommend using it, since it doesn't encrypt user/password on the network (it is sometime useful for debugging). We indeed didn't remove the engine code. We just blocked it from the utility. Once you have a configured oVirt domain, you can set the LDAPSecurityAuthentication configuration parameter (in the vdc_options table), to use simple, by putting a value of: domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE and etc....
but, if you want to add a new domain with it then you would need to add it manually (can give a detailed explanation on how, if relevant). Yes, I would like to know how to add directly a domain which is not GSSAPI controlled.
The vdc_options table is a table containing the configuration values of the engine. Among those, there are directory-related configuration values:
engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword'); option_id | option_name | option_value | version -----------+----------------------------+-------------------------------------------------+---------
9 | AdUserName | domain1:user1,domain2:user2 | general 10 | AdUserPassword | domain1:password1,domain2:password2 | general 114 | LdapServers | deomain1:ldap_server_address1,domain2:ldap_server_address2 | general 64 | DomainName | domain1,domain2 | general 112 | LDAPSecurityAuthentication | domain1:GSSAPI,domain2:SIMPLE | general 115 | LDAPProviderTypes | domain1:activeDirectory,domain2:ipa | general
AdUserName is the user that will be used to query the directory. AdUserPassword is the password that will be used to query the directory. LdapServers - the LDAP server that will be used (only one is allowed in this configuration. This configuration is optional. If empty, we will check the DNS for LDAP SRV records for the relevant domain). DomainName - the names of the domains LDAPSecurityAuthentication - SIMPLE/GSSAPI LDAPProviderTypes - the provider type (activeDirectory/ipa/rhds/itds)
All the entries above are per-domain, in the format domain1:value1, domain2:value2 and etc....
If manually adding a GSSAPI domain, you also need to supply a krb5.conf file, and put it in the ENGINE_ETC path. If adding a SIMPLE domain that isn't neccesary.
We haven't worked with simple domain for a while now, so hopefully it will work for you as expected.
Let me know if you have further questions.
Oved
By default we work GSSAPI (I think the config option is empty by default which is equivalent to working GSSAPI). If/When we would need to support that again it shouldn't be a major effort to add the code... the testing with the different providers will be the hard part.
Oved
We also don't auto deduce the LDAP provider type anymore, as changes in the providers caused some issues with it.
I'll edit the wiki accordingly (btw, I remember removing it from the wiki... so it is weird that it is still there...).
Oved
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
On 02/28/2013 11:04 AM, Jure Kranjc wrote:
I was also testing simple auth without success. Our ldap doesn't support kerberos so we're stuck. Engine log doesn't report anything, and the server log shows:
2013-02-28 09:53:52,850 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS015870: Deploy of deployment "engine.ear" was rolled back with failure message {"JBAS014671: Failed services" => {"jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START" => "org.jboss.msc.service.StartException in service jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START: Failed to start service"}}
We're using 3.1 on CentOS, rpms from dev.centos.org repo.
lets debug kerberos: vi /var/lib/jboss/jboss-as/bin/run.conf add this at the bottom JAVA_OPTS="$JAVA_OPTS -Dsun.security.krb5.debug=true" restart jboss Its weird that the ear didn't deploy. Please paste engine.log and server.log
On 02/28/2013 09:33 AM, Yair Zaslavsky wrote:
Hi Eduardo, We mainly focus on supporting Kerberos authentication at the moment Can you switch to kerberos authentication?
----- Original Message -----
From: "Eduardo Ramos" <eduardo@freedominterface.org> To: users@ovirt.org Sent: Wednesday, February 27, 2013 11:04:17 PM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Anyone has made success with that?
On 12/10/2012 10:18 AM, Eduardo Ramos wrote:
Hi dudes!
I was following the model below, but without success. That is my db:
engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword','AdUserId');
option_id | option_name | option_value | version -----------+----------------------------+------------------------------------------------------------+---------
63 | DomainName | ovirt | general 8 | AdUserName | ovirt:admin | general 113 | LDAPProviderTypes | ovirt:ipa | general 112 | LdapServers | ovirt:172.16.21.240 | general 110 | LDAPSecurityAuthentication | ovirt:SIMPLE | general 9 | AdUserPassword | ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= | general (7 rows)
As you can see, my ldap server and domain are internal. That's my ldap user object:
# admin, Users, Accounts, inpe.br dn: cn=admin,cn=Users,cn=Accounts,dc=ovirt givenName: Admin sn: istrator uid: admin userPassword:: e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= uidNumber: 1001 gidNumber: 502 homeDirectory: /home/users/admin loginShell: /bin/sh objectClass: inetOrgPerson objectClass: posixAccount objectClass: top cn: admin
But the log aways returns:
2012-12-10 10:07:00,317 ERROR [org.ovirt.engine.core.bll.adbroker.LdapSearchExceptionHandler] (ajp--0.0.0.0-8009-11) Ldap authentication failed. Please check that the login name , password and path are correct. 2012-12-10 10:07:00,321 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-8) Failed ldap search server ldap://172.16.21.240:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
Am I doing the right way?
On 12/04/2012 07:07 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Tuesday, December 4, 2012 10:35:34 AM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Le 04/12/2012 09:09, Oved Ourfalli a écrit :
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: users@ovirt.org , "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> Sent: Tuesday, December 4, 2012 1:47:52 AM Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Thierry Kauffmann" <thierry.kauffmann@univ-montp2.fr> To: "cristi falcas" <cristi.falcas@gmail.com> Cc: users@ovirt.org Sent: Saturday, December 1, 2012 5:56:14 PM Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
Hi,
I am currently testing Ovirt 3.1 standalone on Fedora 17.
Until now, I could only use the default user admin@internal.
Our Directory at the University is OpenLDAP. We use it for authentication WITHOUT Kerberos : Simple authentication.
I wonder how to use this backend to authenticate users and manage groups in Ovirt.
Has anyone already set this up ? How to configure Ovirt to use Simple Authentication (No Kerberos).
Cheers,
-- Thierry Kauffmann Chef du Service Informatique // Facult? des Sciences // Universit? de Montpellier 2
[image: SIF - Service Informatique de la Facult? des Sciences] <http://sif.info-ufr.univ-montp2.fr/> [image: UM2 - Universit? de Montpellier 2] <http://www.univ-montp2.fr/> Service informatique de la Facult? des Sciences (SIF) Universit? de Montpellier 2 CC437 // Place Eug?ne Bataillon // 34095 Montpellier Cedex 5
T?l : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users Hi,
This is a response from an older thread from Yair Zaslavsky:
" there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues."
Best regards, Hi,
correct-me if I am wrong but this wiki page ( http://www.ovirt.org/DomainInfrastructure ) states clearly :
1. Authenticating Active Directory, IPA and RHDS using either simple or gssapi authentication 2. Querying the directory using the LDAP protocol 3. Auto deducing the LDAP provider type 4. Easily adding new LDAP provider types 5. Easily adding new query types
So what ? We supported simple authentication in the past, but it is no longer supported, that's why you can't set that using the manage domains utility. It may work well in some providers (in the past we supported that for active directory, so I guess it would work there). I don't think we removed SIMPLE from the engine, we just don't recommend using it, since it doesn't encrypt user/password on the network (it is sometime useful for debugging). We indeed didn't remove the engine code. We just blocked it from the utility. Once you have a configured oVirt domain, you can set the LDAPSecurityAuthentication configuration parameter (in the vdc_options table), to use simple, by putting a value of: domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE and etc....
but, if you want to add a new domain with it then you would need to add it manually (can give a detailed explanation on how, if relevant). Yes, I would like to know how to add directly a domain which is not GSSAPI controlled.
The vdc_options table is a table containing the configuration values of the engine. Among those, there are directory-related configuration values:
engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword');
option_id | option_name | option_value | version -----------+----------------------------+-------------------------------------------------+---------
9 | AdUserName | domain1:user1,domain2:user2 | general 10 | AdUserPassword | domain1:password1,domain2:password2 | general 114 | LdapServers | deomain1:ldap_server_address1,domain2:ldap_server_address2 | general 64 | DomainName | domain1,domain2 | general 112 | LDAPSecurityAuthentication | domain1:GSSAPI,domain2:SIMPLE | general 115 | LDAPProviderTypes | domain1:activeDirectory,domain2:ipa | general
AdUserName is the user that will be used to query the directory. AdUserPassword is the password that will be used to query the directory. LdapServers - the LDAP server that will be used (only one is allowed in this configuration. This configuration is optional. If empty, we will check the DNS for LDAP SRV records for the relevant domain). DomainName - the names of the domains LDAPSecurityAuthentication - SIMPLE/GSSAPI LDAPProviderTypes - the provider type (activeDirectory/ipa/rhds/itds)
All the entries above are per-domain, in the format domain1:value1, domain2:value2 and etc....
If manually adding a GSSAPI domain, you also need to supply a krb5.conf file, and put it in the ENGINE_ETC path. If adding a SIMPLE domain that isn't neccesary.
We haven't worked with simple domain for a while now, so hopefully it will work for you as expected.
Let me know if you have further questions.
Oved
By default we work GSSAPI (I think the config option is empty by default which is equivalent to working GSSAPI). If/When we would need to support that again it shouldn't be a major effort to add the code... the testing with the different providers will be the hard part.
Oved
We also don't auto deduce the LDAP provider type anymore, as changes in the providers caused some issues with it.
I'll edit the wiki accordingly (btw, I remember removing it from the wiki... so it is weird that it is still there...).
Oved
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
-- signature-TK Thierry Kauffmann Chef du Service Informatique // Faculté des Sciences // Université de Montpellier 2
SIF - Service Informatique de la Faculté des Sciences UM2 - Université de Montpellier 2 Service informatique de la Faculté des Sciences (SIF) Université de Montpellier 2 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58 email : thierry.kauffmann@univ-montp2.fr web : http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
participants (7)
-
Eduardo Ramos -
Itamar Heim -
Jure Kranjc -
Oved Ourfalli -
Roy Golan -
Thierry Kauffmann -
Yair Zaslavsky