[ovirt-devel] [TEST-REQUEST] New LDAP implementation for ovirt-engine

Alon Bar-Lev alonbl at redhat.com
Tue Aug 5 18:40:16 UTC 2014


Hello All,

If you are brave enough to test ovirt-engine betas, and you are using or would like to use LDAP integration, you can assist us.

Within the 3.4/3.5 cycle we have done major rework on the entire authentication, authorization and accounting, or in short AAA; 3.5.0_rc1 is ready to be tested.

I would appreciate any feedback and help in perfecting the solution.

This is the first pluggable implementation of the backend; this means that we can extend the functionality without rebuilding the engine, and even implementations that are not LDAP based can be added.

The new LDAP implementation is a backend extension called ovirt-engine-extension-aaa-ldap[1]; documentation is available[2][3][4]. There is no upgrade path between the legacy implementation and the new implementation; users of the legacy implementation can continue to use it as-is, without enjoying the new features.

Unlike the legacy implementation, the new implementation is a pure LDAP implementation; no Kerberos or special DNS settings are required. It also supports customization to enable support for complex/foreign LDAP sources. It also supports multi-domain Active Directory forests, performance improvements, fallback policy, security and more.

Configuration is file based; the engine-manage-domains utility is obsolete. Examples are available at [2].

First install the extension[5]:
# yum install ovirt-engine-extension-aaa-ldap

A simple Active Directory configuration is as follows; make sure you define searchuser with a valid password within the LDAP, to be used to search for user information during interaction. Other supported directories are OpenLDAP, IPA and RHDS; please refer to the documentation.

---
Authorization settings - used post authentication to fetch user's attributes and groups.
/etc/ovirt-engine/extensions.d/authz-company.properties
---
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/company.properties
---

---
Authentication settings - user is resolved using search then LDAP bind is used to validate password.
/etc/ovirt-engine/extensions.d/authn-company.properties
---
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = company.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/company.properties
---

---
Common profile customization for company.com domain
/etc/ovirt-engine/aaa/company.properties
---
include = <ad.properties>
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = company.com
pool.default.auth.simple.bindDN = searchuser
pool.default.auth.simple.password = 123456
---

Regards,
Alon Bar-Lev

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git
[2] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
[3] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.unboundid-ldapsdk;hb=HEAD
[4] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
[5] http://resources.ovirt.org/pub/ovirt-3.5-pre/rpm/
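As an added example, not part of the original post or of the ovirt-engine-extension-aaa-ldap project: a small Python lint for the three files shown above. It parses the key = value files, checks that the authn extension's ovirt.engine.aaa.authn.authz.plugin names an authz extension defined alongside it, that every config.profile.file.N exists, and that a profile carrying pool.default.auth.simple.password is not readable by group or others, since the bind password sits in clear text in that file. The sample files are constructed copies written to a temporary directory (the jbossmodule binding lines are omitted because the lint does not use them, and the authn file deliberately carries a typo in the authz plugin name); the checks, messages and the owner-only mode expectation are this example's own, not something the engine enforces.

```python
"""Added example, not engine code: lint the aaa extension property files."""
import os
import stat
import tempfile


def parse_properties(path):
    """Parse a minimal 'key = value' file; blank lines and '#' comments are skipped."""
    props = {}
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def lint_extensions(ext_dir):
    """Return (file, message) findings for the *.properties files in ext_dir."""
    findings = []
    exts = {name: parse_properties(os.path.join(ext_dir, name))
            for name in sorted(os.listdir(ext_dir)) if name.endswith(".properties")}

    # extension name -> interface it declares via ovirt.engine.extension.provides
    provided = {}
    for fname, props in exts.items():
        ext_name = props.get("ovirt.engine.extension.name")
        if not ext_name:
            findings.append((fname, "missing ovirt.engine.extension.name"))
            continue
        provided[ext_name] = props.get("ovirt.engine.extension.provides", "")

    for fname, props in exts.items():
        # an authn extension must reference an authz extension that is really defined
        authz = props.get("ovirt.engine.aaa.authn.authz.plugin")
        if authz is not None and not provided.get(authz, "").endswith(".Authz"):
            findings.append((fname, "authz plugin '%s' is not a defined Authz extension" % authz))
        # every referenced profile must exist; a profile holding the clear-text bind
        # password should be readable by its owner only (this example's expectation)
        for key, value in props.items():
            if not key.startswith("config.profile.file."):
                continue
            if not os.path.isfile(value):
                findings.append((fname, "profile file %s does not exist" % value))
                continue
            if "pool.default.auth.simple.password" in parse_properties(value):
                mode = stat.S_IMODE(os.stat(value).st_mode)
                if mode & (stat.S_IRWXG | stat.S_IRWXO):
                    findings.append((fname, "%s holds the bind password but has mode %o"
                                     % (value, mode)))
    return findings


def build_sample(root):
    """Write constructed copies of the post's files under root; returns (ext_dir, profile)."""
    ext_dir = os.path.join(root, "extensions.d")
    aaa_dir = os.path.join(root, "aaa")
    os.makedirs(ext_dir)
    os.makedirs(aaa_dir)
    profile = os.path.join(aaa_dir, "company.properties")
    with open(profile, "w") as fh:
        fh.write("\n".join([
            "include = <ad.properties>",
            "pool.default.serverset.type = srvrecord",
            "pool.default.serverset.srvrecord.domain = company.com",
            "pool.default.auth.simple.bindDN = searchuser",
            "pool.default.auth.simple.password = 123456", ""]))
    os.chmod(profile, 0o644)  # deliberately too permissive for the first run
    with open(os.path.join(ext_dir, "authz-company.properties"), "w") as fh:
        fh.write("\n".join([
            "ovirt.engine.extension.name = authz-company",
            "ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz",
            "config.profile.file.1 = " + profile, ""]))
    with open(os.path.join(ext_dir, "authn-company.properties"), "w") as fh:
        fh.write("\n".join([
            "ovirt.engine.extension.name = authn-company",
            "ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn",
            "ovirt.engine.aaa.authn.profile.name = company.com",
            "ovirt.engine.aaa.authn.authz.plugin = authz-compny",  # constructed typo
            "config.profile.file.1 = " + profile, ""]))
    return ext_dir, profile


def demo():
    """Lint the constructed files before and after tightening the profile's mode."""
    with tempfile.TemporaryDirectory() as root:
        ext_dir, profile = build_sample(root)
        before = lint_extensions(ext_dir)
        os.chmod(profile, 0o600)
        after = lint_extensions(ext_dir)
    return before, after


if __name__ == "__main__":
    for label, findings in zip(("before", "after"), demo()):
        print(label, *findings, sep="\n  ")
```

On the first run the lint reports the misspelled authz plugin name from the authn file and the world-readable profile from both extension files that reference it; after chmod 0600 only the typo remains.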