[Users] Testing LDAP support.

Oved Ourfalli ovedo at redhat.com
Sun Apr 15 06:16:02 UTC 2012



----- Original Message -----
> From: "Sharad Mishra" <snmishra at linux.vnet.ibm.com>
> To: "Itamar Heim" <iheim at redhat.com>
> Cc: "Oved Ourfalli" <ovedo at redhat.com>, users at ovirt.org
> Sent: Thursday, April 12, 2012 9:37:46 PM
> Subject: Re: [Users] Testing LDAP support.
> 
> On Thu, 2012-04-12 at 02:26 +0300, Itamar Heim wrote:
> > On 04/12/2012 01:09 AM, Sharad Mishra wrote:
> > > On Wed, 2012-04-11 at 10:18 -0400, Oved Ourfalli wrote:
> > >>
> > >> ----- Original Message -----
> > >>> From: "Sharad Mishra"<snmishra at linux.vnet.ibm.com>
> > >>> To: "Itamar Heim"<iheim at redhat.com>
> > >>> Cc: "Oved Ourfalli"<ovedo at redhat.com>, users at ovirt.org
> > >>> Sent: Wednesday, April 11, 2012 4:53:37 PM
> > >>> Subject: Re: [Users] Testing LDAP support.
> > >>>
> > >>> On Tue, 2012-04-10 at 10:55 +0300, Itamar Heim wrote:
> > >>>> On 04/10/2012 04:51 AM, Sharad Mishra wrote:
> > >>>>> On Mon, 2012-04-09 at 12:38 -0700, Sharad Mishra wrote:
> > >>>>>> On Mon, 2012-04-09 at 14:10 -0400, Oved Ourfalli wrote:
> > >>>>>>>>>
> > >>>>>>>>>    When a call is made to construct InitialDirContext
> > >>>>>>>>>    with
> > >>>>>>>>>    following
> > >>>>>>>>> settings -
> > >>>>>>>>>
> > >>>>>>>>>    {java.naming.provider.url=ldap://ldapserver.ibm.com:389,
> > >>>>>>>>>    java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
> > >>>>>>>>> java.naming.security.principal=uid=1234567,c=us,ou=ldapserver,o=ibm.com,
> > >>>>>>>>>    java.naming.security.authentication=DIGEST-MD5 GSSAPI,
> > >>>>>>>>>    java.naming.security.credentials=password,
> > >>>>>>>>>    java.naming.referral=follow,
> > >>>>>>>>>    java.naming.ldap.attributes.binary=objectGUID}
> > >>>>>>>>>
> > >>>>>>>
> > >>>
> > >>> How do I configure the ovirt test setup on my workstation to
> > >>> use LDAP
> > >>> for authentication? I looked around webadmin GUI but could not
> > >>> find
> > >>> it.
> > >>>
> > >>> -Sharad
> > >>>
> > >> If you are working with an installed oVirt environment, you can
> > >> use engine-manage-domains utility in order to add/remove/edit
> > >> domains.
> > >> It will create the krb5.conf file, update database entries, add
> > >> permissions for the user you use, etc.
> > >>
> > > I was able to move around some jar files and config files to
> > > finally be
> > > able to run engine-manage-domains to add new domains. First I ran
> > >
> > > #./engine-manage-domains -action=list
> > > Manage Domains completed successfully
> > >
> > > I did not get any domain, which makes sense since I only have
> > > default
> > > setup. Then I tried
> > >
> > > #./engine-manage-domains -action=add -domain=bluepages.ibm.com
> > > -user=snmishra at us.ibm.com -passwordFile=/tmp/.pwd
> > >
> > > where /tmp/.pwd has my ldap password.
> > >
> > > I got the following error -
> > > Error: Authentication Failed. Please verify the fully qualified
> > > domain
> > > name that is used for authentication is correct.. Problematic
> > > domain is:
> > > bluepages.ibm.com Failure while applying Kerberos configuration.
> > > Details: Authentication Failed. Please verify the fully qualified
> > > domain
> > > name that is used for authentication is correct.
> > >
> > > I also tried "-domain=bluepages.ibm.com:389"
> > 
> > this is Kerberos based auth.
> do I need any package/setup on the client machine?
> > usual suspects are dns issues.
> doesn't look like it's a DNS issue, I can run ldapsearch from the
> command
> line.
> > anything in the manage domains log?
> There is nothing in engine or server logs. Where are the manage
> domain
> logs?
> 
the log is in: /var/log/ovirt-engine/engine-manage-domains/engine-manage-domains.log

> -Sharad
> > 
> > >
> > > -Sharad
> > >
> > >
> > >> If, however, you are in a development environment, then
> > >> currently it is not easy to run this utility, as it requires
> > >> some configuration files and jars that are there when you
> > >> install the engine, but not there in a development environment.
> > >> So, in that case you'll need to run the following (change the
> > >> domain name, user name and user guid):
> > >> update vdc_options set option_value = '<your domain>' where
> > >> option_name = 'DomainName';
> > >>
> > >> update vdc_options set option_value = '<your domain>:<your
> > >> user>@<your domain>' where option_name= 'AdUserName';
> > >>
> > >> update vdc_options set option_value = '<your domain>:<user
> > >> guid>' where option_name='AdUserId';
> > >>
> > >> update vdc_options set option_value = '<your domain>:<your
> > >> password>' where option_name='AdUserPassword';
> > >>
> > >> insert into permissions
> > >> (id,role_id,ad_element_id,object_id,object_type_id) values
> > >> ('<choose a random
> > >> guid>','00000000-0000-0000-0000-000000000001','<user
> > >> guid>','aaa00000-0000-0000-0000-123456789aaa',1);
> > >>
> > >> Also, you'll have to create a krb5.conf file, and place it in
> > >> $JBOSS_HOME/standalone/configuration
> > >>
> > >> An example for the contents of this file:
> > >>
> > >> [libdefaults]
> > >>
> > >> default_realm = EXAMPLE.COM
> > >> dns_lookup_realm = false
> > >> dns_lookup_kdc = false
> > >> ticket_lifetime = 24h
> > >> renew_lifetime = 7d
> > >> forwardable = no
> > >> default_tkt_enctypes = arcfour-hmac-md5
> > >> udp_preference_limit = 1
> > >>
> > >>   [realms]
> > >>          EXAMPLE.COM = {
> > >>                  kdc = my_host.example.com.:88
> > >>          }
> > >>
> > >>
> > >>   [domain_realm]
> > >>          example.com = EXAMPLE.COM
> > >>
> > >> Note that you need to have the following records for your LDAP
> > >> server, defined in the DNS:
> > >> * LDAP SRV record
> > >> * Kerberos SRV record
> > >> * PTR record
> > >>
> > >> (You can use "dnsmasq" if you wish to create those records by
> > >> yourself - if you need help with this let me know).
> > >>
> > >> Oved
> > >>>>>>> Can you also attach the jboss log and engine log? (assuming
> > >>>>>>> you
> > >>>>>>> are testing it in the ovirt-engine environment).
> > >>>>>>> They can be helpful, as it might be related to some class
> > >>>>>>> loading issue or something similar, and the log might shed
> > >>>>>>> light on that.
> > >>>>>>>
> > >>>>>>
> > >>>>> I think it's my setup that is the issue here. I am unable to
> > >>>>> run
> > >>>>> ldapsearch CLI with DIGEST-MD5 protocol. I am not sure how to
> > >>>>> set up/use
> > >>>>> secret key with sasl. I am running my queries against a
> > >>>>> production ldap
> > >>>>> server on which I have user access. I tried to look around on
> > >>>>> internet
> > >>>>> but did not get a good hit.
> > >>>>
> > >>>> have you tried the Kerberos based authentication with it?
> > >>>> I see it is supposed to have it:
> > >>>> http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=%2Fliaai%2Fkerberos%2Fliaaikerberos1.htm
> > >>>>
> > >>>
> > >>>
> > >>>
> > >>
> > >
> > >
> > 
> 
> 
> 
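Oved's reply above says the engine needs an LDAP SRV record, a Kerberos SRV record and a PTR record in DNS, and that dnsmasq can serve them on a workstation. The following is an added example, not code from the thread or from the oVirt project: it writes those records in dnsmasq's `host-record=`, `srv-host=` and `ptr-record=` syntax, and runs the consistency check a practitioner would want before blaming Kerberos (every SRV name answers, each SRV target has an A record, and the reverse name of each address points back at that target). The domain `example.com`, the host `ldap1.example.com` and the address `192.0.2.10` are constructed; the resolver is a dict-backed stand-in so the check runs offline, and a real one would wrap `dig`/dnspython with the same `(qtype, name) -> answers` signature.

```python
"""Added example: DNS records oVirt's engine-manage-domains expects for an
LDAP/Kerberos domain, in dnsmasq syntax, plus an offline consistency check.
Names and addresses are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class SrvRecord:
    target: str
    port: int
    priority: int = 0
    weight: int = 0


# A resolver answers (qtype, name) with a list: SrvRecord for SRV,
# dotted-quad strings for A, host names for PTR.
Resolver = Callable[[str, str], list]


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def reverse_name(ip: str) -> str:
    """IPv4 address -> in-addr.arpa name used for the PTR lookup."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def required_record_names(domain: str) -> Dict[str, str]:
    """SRV names the engine resolves to discover the LDAP server and KDC."""
    d = _norm(domain)
    return {
        "ldap_srv": f"_ldap._tcp.{d}",
        "kerberos_tcp_srv": f"_kerberos._tcp.{d}",
        "kerberos_udp_srv": f"_kerberos._udp.{d}",
    }


def dnsmasq_config(domain: str, host: str, ip: str,
                   ldap_port: int = 389, kdc_port: int = 88) -> List[str]:
    """dnsmasq lines for the A, SRV and PTR records of one LDAP/KDC host."""
    names = required_record_names(domain)
    fqdn = _norm(host)
    return [
        f"host-record={fqdn},{ip}",
        f"srv-host={names['ldap_srv']},{fqdn},{ldap_port}",
        f"srv-host={names['kerberos_tcp_srv']},{fqdn},{kdc_port}",
        f"srv-host={names['kerberos_udp_srv']},{fqdn},{kdc_port}",
        f"ptr-record={reverse_name(ip)},{fqdn}",
    ]


def check_domain_dns(domain: str, lookup: Resolver) -> List[str]:
    """Return a list of problems; empty means SRV, A and PTR agree."""
    problems: List[str] = []
    targets = set()
    for name in required_record_names(domain).values():
        srvs = lookup("SRV", name)
        if not srvs:
            problems.append(f"missing SRV record {name}")
        targets.update(_norm(s.target) for s in srvs)
    for target in sorted(targets):
        addrs = lookup("A", target)
        if not addrs:
            problems.append(f"SRV target {target} has no A record")
            continue
        for ip in addrs:
            rev = reverse_name(ip)
            ptrs = [_norm(p) for p in lookup("PTR", rev)]
            if target not in ptrs:
                problems.append(f"PTR for {ip} ({rev}) does not name {target}")
    return problems


def make_table_resolver(table: Dict[Tuple[str, str], list]) -> Resolver:
    """Offline stand-in for a real resolver, keyed by (qtype, name)."""
    def lookup(qtype: str, name: str) -> list:
        return list(table.get((qtype, _norm(name)), []))
    return lookup


# Constructed sample zone in which all three record kinds agree.
GOOD_ZONE: Dict[Tuple[str, str], list] = {
    ("SRV", "_ldap._tcp.example.com"): [SrvRecord("ldap1.example.com", 389)],
    ("SRV", "_kerberos._tcp.example.com"): [SrvRecord("ldap1.example.com", 88)],
    ("SRV", "_kerberos._udp.example.com"): [SrvRecord("ldap1.example.com", 88)],
    ("A", "ldap1.example.com"): ["192.0.2.10"],
    ("PTR", "10.2.0.192.in-addr.arpa"): ["ldap1.example.com."],
}
# Same zone with the PTR record left out, the gap Oved's note warns about.
NO_PTR_ZONE = {k: v for k, v in GOOD_ZONE.items() if k[0] != "PTR"}


if __name__ == "__main__":
    print("\n".join(dnsmasq_config("example.com", "ldap1.example.com", "192.0.2.10")))
    print(check_domain_dns("example.com", make_table_resolver(GOOD_ZONE)))
    print(check_domain_dns("example.com", make_table_resolver(NO_PTR_ZONE)))
```

The check deliberately follows the SRV target rather than the name you typed into engine-manage-domains: a forward `ldapsearch` succeeding, as in the thread, proves the A record but says nothing about the SRV or PTR entries, which is why that test alone does not rule DNS out.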


