[Users] OpenLDAP Simple Authentication in Ovirt Engine

Oved Ourfalli ovedo at redhat.com
Tue Dec 4 08:09:22 UTC 2012



----- Original Message -----
> From: "Itamar Heim" <iheim at redhat.com>
> To: "Oved Ourfalli" <ovedo at redhat.com>
> Cc: users at ovirt.org, "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
> Sent: Tuesday, December 4, 2012 1:47:52 AM
> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
> 
> On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
> >> To: "cristi falcas" <cristi.falcas at gmail.com>
> >> Cc: users at ovirt.org
> >> Sent: Saturday, December 1, 2012 5:56:14 PM
> >> Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
> >>
> >> Hi,
> >>
> >> I am currently testing Ovirt 3.1 standalone on Fedora 17.
> >>
> >> Until now, I could only use the default user admin at internal.
> >>
> >> Our directory at the University is OpenLDAP. We use it for authentication
> >> WITHOUT Kerberos: simple authentication.
> >>
> >> I wonder how to use this backend to authenticate users and manage groups
> >> in oVirt.
> >>
> >> Has anyone already set this up?
> >> How do I configure oVirt to use simple authentication (no Kerberos)?
> >>
> >> Cheers,
> >>
> >> --
> >> Thierry Kauffmann
> >> Head of IT Services // Faculté des Sciences // Université de Montpellier 2
> >>
> >> SIF - Service Informatique de la Faculté des Sciences <http://sif.info-ufr.univ-montp2.fr/>
> >> UM2 - Université de Montpellier 2 <http://www.univ-montp2.fr/>
> >> IT Services of the Faculté des Sciences (SIF)
> >> Université de Montpellier 2
> >> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
> >>
> >> Tel: 04 67 14 31 58
> >> email: thierry.kauffmann at univ-montp2.fr
> >> web: http://sif.info-ufr.univ-montp2.fr/
> >> http://www.fdsweb.univ-montp2.fr/
> >> _______________________________________________
> >> Users mailing list
> >> Users at ovirt.org
> >> http://lists.ovirt.org/mailman/listinfo/users
> >>
> >> Hi,
> >>
> >> This is a response from an older thread from Yair Zaslavsky:
> >>
> >> "there is no code allowing to add simple-authentication domains to
> >> Manage-Domains.
> >> In the past we did have the ability to do that, but there are several
> >> problematic issues."
> >>
> >> Best regards,
> >>
> >> Hi,
> >>
> >> Correct me if I am wrong, but this wiki page
> >> (http://www.ovirt.org/DomainInfrastructure) states clearly:
> >>
> >>      1. Authenticating Active Directory, IPA and RHDS using either
> >>      simple or gssapi authentication
> >>      2. Querying the directory using the LDAP protocol
> >>      3. Auto deducing the LDAP provider type
> >>      4. Easily adding new LDAP provider types
> >>      5. Easily adding new query types
> >>
> >> So what?
> >>
> > We supported simple authentication in the past, but it is no longer
> > supported; that's why you can't set it using the manage-domains
> > utility.
> > It may work well with some providers (in the past we supported that
> > for Active Directory, so I guess it would work there).
> 
> I don't think we removed SIMPLE from the engine; we just don't
> recommend using it, since it doesn't encrypt the user/password on the
> network (it is sometimes useful for debugging).
> 
We indeed didn't remove the engine code. We just blocked it from the utility.
Once you have a configured oVirt domain, you can set the LDAPSecurityAuthentication configuration parameter (in the vdc_options table) to use simple by putting a value of:
domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE etc.

But if you want to add a new domain with it, then you would need to add it manually (I can give a detailed explanation on how, if relevant).

By default we work with GSSAPI (I think the config option is empty by default, which is equivalent to working with GSSAPI).
If/when we would need to support that again, it shouldn't be a major effort to add the code... the testing with the different providers will be the hard part.

Oved
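An added example (not part of this message or of the oVirt code base) that parses the LDAPSecurityAuthentication value described above and reports which domains are configured for SIMPLE bind, the case the thread warns about; the function names and the treatment of an empty value as "all GSSAPI" follow the description in the thread and are assumptions of this example.

```python
"""Audit the oVirt LDAPSecurityAuthentication option value.

Format (from the thread): comma-separated "domain:MECHANISM" pairs, e.g.
"domain1:SIMPLE,domain2:GSSAPI". An empty value means every domain uses
GSSAPI. Function names here are assumptions for this example only.
"""
from __future__ import annotations

DEFAULT_MECHANISM = "GSSAPI"          # engine default when the option is empty
KNOWN_MECHANISMS = {"GSSAPI", "SIMPLE"}


def parse_ldap_security_authentication(value: str) -> dict[str, str]:
    """Return {domain: mechanism}; a blank value yields {} (all GSSAPI)."""
    mapping: dict[str, str] = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue                  # tolerate trailing commas / blanks
        if ":" not in entry:
            raise ValueError(f"malformed entry {entry!r}: expected domain:MECHANISM")
        domain, mech = (part.strip() for part in entry.split(":", 1))
        mech = mech.upper()
        if not domain or mech not in KNOWN_MECHANISMS:
            raise ValueError(f"unknown mechanism or empty domain in {entry!r}")
        mapping[domain.lower()] = mech
    return mapping


def mechanism_for(domain: str, value: str) -> str:
    """Mechanism the engine would use for one domain (GSSAPI when unset)."""
    return parse_ldap_security_authentication(value).get(domain.lower(), DEFAULT_MECHANISM)


def simple_auth_domains(value: str) -> list[str]:
    """Domains bound with SIMPLE: the user's password crosses the network
    in cleartext unless the LDAP connection itself is protected by TLS,
    which is why the thread recommends GSSAPI."""
    parsed = parse_ldap_security_authentication(value)
    return sorted(d for d, m in parsed.items() if m == "SIMPLE")


if __name__ == "__main__":
    # Constructed sample value, modelled on the one quoted in the thread.
    sample = "domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE"
    for domain in simple_auth_domains(sample):
        print(f"WARNING: {domain} uses SIMPLE bind (cleartext credentials)")
```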

> >
> > We also don't auto deduce the LDAP provider type anymore, as
> > changes in the providers caused some issues with it.
> >
> > I'll edit the wiki accordingly (btw, I remember removing it from
> > the wiki... so it is weird that it is still there...).
> >
> > Oved
> >