[Engine-devel] Adding Authentication mechanism to oVirt
Thierry Kauffmann
thierry.kauffmann at univ-montp2.fr
Thu Dec 13 07:14:19 UTC 2012
Le 12/12/2012 17:53, Alon Bar-Lev a écrit :
> Hello Thierry,
>
> If I understand correctly you wish to help in modifying the engine to support non GSSAPI authentication methods.
Hi Alon,
you're right.
My main (selfish) goal is to adapt oVirt authentication schemes to our
requirements : that is "LDAP SIMPLE auth over startTLS."
> Following is a quick design goals for this implementation.
>
> I will be glad to improve this.
> Alon
Thanks a lot for this description.
Tell me how I could help : I am more a system administrator than a
developer. I kwon a bit of java (at least I can read and understand
oVirt's code that I downloaded recently).
Thierry
> ---
>
> Implementation should support the following transports:
>
> 1. LDAP (plain).
> 2. LDAP over TLS.
> 3. LDAP with StartTLS.
>
> Implementation should support the following authentication methods:
>
> 1. Simple.
> 2. Digest-MD5 (plain and strong).
>
> I believe the GSSAPI can be dropped, I see no advantage of using it.
>
> A sample of low level implementation for transport and authentication is attached.
>
> When adding a domain the following facts should be provided:
>
> 1. Search user name.
> 2. Search user password.
> 3. Transport type (ldap, ldaps, ldap+startTLS)
> 4. Authentication (simple, Digest-MD5)
> 5. Sever selection policy (failover, round-robin, random).
> 6. Server address type (explicit, DNS record)
> 7. Server address set.
> 8. Optional base DN.
> 9. Optional root certificate.
> 10. Optional certificate chain.
> 11. Search page size.
> 10. Query timeout.
> etc...
>
> Within product there are two separate components that perform LDAP authentication:
>
> 1. User password validation.
> 2. User permission fetch.
>
> These two components needs to work in share-nothing mode, meaning that each should communicate with directory independently with the other.
>
> USER PASSWORD VALIDATION
>
> Input: user
> Input: domain
> Input: password
> Output: DN of user
> Output: success/failure
> Credentials used: user/password provided.
> Notes: LDAP session should not be cached.
> Logic: Perform LDAP bind.
>
> USER PERMISSION FETCH
>
> Input: DN of user (passed by user password validation)
> Input: domain (passed by user password validation)
> Output: A set of permissions
> Credentials used: search user and password configured within system.
> Notes: LDAP context can be cached.
> Logic: Perform LDAP searches, this is most of current logic.
--
signature-TK Thierry Kauffmann
Chef du Service Informatique // Faculté des Sciences // Université de
Montpellier 2
SIF - Service Informatique de la Faculté des Sciences
<http://sif.info-ufr.univ-montp2.fr/> UM2 - Université de Montpellier 2
<http://www.univ-montp2.fr/> Service informatique de la Faculté des
Sciences (SIF)
Université de Montpellier 2
CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
Tél : 04 67 14 31 58
email : thierry.kauffmann at univ-montp2.fr
<mailto:thierry.kauffmann at univ-montp2.fr>
web : http://sif.info-ufr.univ-montp2.fr/
http://www.fdsweb.univ-montp2.fr/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/engine-devel/attachments/20121213/e1e33b52/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sif.png
Type: image/png
Size: 11755 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/engine-devel/attachments/20121213/e1e33b52/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: um2.png
Type: image/png
Size: 29129 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/engine-devel/attachments/20121213/e1e33b52/attachment-0001.png>
More information about the Engine-devel
mailing list