[Users] OpenLDAP Simple Authentication in Ovirt Engine

Thierry Kauffmann thierry.kauffmann at univ-montp2.fr
Tue Dec 4 08:35:34 UTC 2012


On 04/12/2012 09:09, Oved Ourfalli wrote:
>
> ----- Original Message -----
>> From: "Itamar Heim" <iheim at redhat.com>
>> To: "Oved Ourfalli" <ovedo at redhat.com>
>> Cc: users at ovirt.org, "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
>> Sent: Tuesday, December 4, 2012 1:47:52 AM
>> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>
>> On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
>>>> To: "cristi falcas" <cristi.falcas at gmail.com>
>>>> Cc: users at ovirt.org
>>>> Sent: Saturday, December 1, 2012 5:56:14 PM
>>>> Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>>>
>>>> Hi,
>>>>
>>>> I am currently testing Ovirt 3.1 standalone on Fedora 17.
>>>>
>>>> Until now, I could only use the default user admin at internal.
>>>>
>>>> Our Directory at the University is OpenLDAP. We use it for
>>>> authentication
>>>> WITHOUT Kerberos : Simple authentication.
>>>>
>>>> I wonder how to use this backend to authenticate users and manage
>>>> groups
>>>> in Ovirt.
>>>>
>>>> Has anyone already set this up ?
>>>> How to configure Ovirt to use Simple Authentication (No Kerberos).
>>>>
>>>> Cheers,
>>>>
>>>> --
>>>> Thierry Kauffmann
>>>> Head of the IT Department // Faculté des Sciences // Université de
>>>> Montpellier 2
>>>>
>>>> Service informatique de la Faculté des Sciences (SIF)
>>>> Université de Montpellier 2
>>>> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
>>>>
>>>> Tel: 04 67 14 31 58
>>>> email : thierry.kauffmann at univ-montp2.fr
>>>> web : http://sif.info-ufr.univ-montp2.fr/
>>>> http://www.fdsweb.univ-montp2.fr/
>>>>
>>>> Hi,
>>>>
>>>> This is a response from an older thread from Yair Zaslavsky:
>>>>
>>>> " there is no code allowing to add simple-authentication domains
>>>> to
>>>> Manage-Domains.
>>>> In the past we did have the ability to do that, but there are
>>>> several
>>>> problematic issues."
>>>>
>>>> Best regards,
>>>>
>>>> Hi,
>>>>
>>>> Correct me if I am wrong but this wiki page (
>>>> http://www.ovirt.org/DomainInfrastructure ) states clearly :
>>>>
>>>>      1. Authenticating Active Directory, IPA and RHDS using either
>>>>      simple or gssapi authentication
>>>>      2. Querying the directory using the LDAP protocol
>>>>      3. Auto deducing the LDAP provider type
>>>>      4. Easily adding new LDAP provider types
>>>>      5. Easily adding new query types
>>>>
>>>> So what ?
>>>>
>>> We supported simple authentication in the past, but it is no longer
>>> supported, that's why you can't set that using the manage domains
>>> utility.
>>> It may work well in some providers (in the past we supported that
>>> for active directory, so I guess it would work there).
>> I don't think we removed SIMPLE from the engine, we just don't
>> recommend using it, since it doesn't encrypt user/password on the
>> network (it is sometimes useful for debugging).
>>
> We indeed didn't remove the engine code. We just blocked it from the utility.
> Once you have a configured oVirt domain, you can set the LDAPSecurityAuthentication configuration parameter (in the vdc_options table), to use simple, by putting a value of:
> domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE and etc....
>
> but, if you want to add a new domain with it then you would need to add it manually (can give a detailed explanation on how, if relevant).
Yes, I would like to know how to directly add a domain which is not
GSSAPI controlled.


> By default we work GSSAPI (I think the config option is empty by default which is equivalent to working GSSAPI).
> If/When we would need to support that again it shouldn't be a major effort to add the code... the testing with the different providers will be the hard part.
>
> Oved


>>> We also don't auto deduce the LDAP provider type anymore, as
>>> changes in the providers caused some issues with it.
>>>
>>> I'll edit the wiki accordingly (btw, I remember removing it from
>>> the wiki... so it is weird that it is still there...).
>>>
>>> Oved
>>>


-- 
Thierry Kauffmann
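
Added example, not part of the original message and not oVirt code: a Python check that parses an LDAPSecurityAuthentication value in the domain1:SIMPLE,domain2:GSSAPI form quoted above and reports which domains would bind with SIMPLE. Treating an empty or missing entry as GSSAPI follows the thread; the function names, the case-insensitive matching and the sample values are assumptions of this example.

```python
# Added example, not oVirt code. Audits an LDAPSecurityAuthentication value
# of the form quoted in the thread: "domain1:SIMPLE,domain2:GSSAPI,...".
# Assumptions: an empty value or an unlisted domain means GSSAPI (as stated
# in the thread); case-insensitive matching is this script's own choice.
KNOWN_MODES = {"SIMPLE", "GSSAPI"}
DEFAULT_MODE = "GSSAPI"


def parse_auth_option(value):
    """Return ({domain: mode}, [problems]) for one option value."""
    modes, problems = {}, []
    for raw in (value or "").split(","):
        entry = raw.strip()
        if not entry:
            continue  # empty option or stray comma
        domain, sep, mode = entry.partition(":")
        domain, mode = domain.strip().lower(), mode.strip().upper()
        if not sep or not domain or not mode:
            problems.append(f"malformed entry: {entry!r}")
        elif mode not in KNOWN_MODES:
            problems.append(f"unknown mode {mode!r} for {domain}")
        elif modes.get(domain, mode) != mode:
            problems.append(f"conflicting modes for {domain}")
        else:
            modes[domain] = mode
    return modes, problems


def audit(value, configured_domains):
    """Report effective mode per domain and which ones use SIMPLE."""
    modes, problems = parse_auth_option(value)
    effective = {d.lower(): modes.get(d.lower(), DEFAULT_MODE)
                 for d in configured_domains}
    simple = sorted(d for d, m in effective.items() if m == "SIMPLE")
    orphans = sorted(set(modes) - set(effective))
    problems += [f"entry for unconfigured domain: {d}" for d in orphans]
    return {"effective": effective, "simple": simple, "problems": problems}


if __name__ == "__main__":
    # Constructed sample value and domain names, not from a real deployment.
    sample = "domain1:SIMPLE, domain2:GSSAPI,domain3:simple,domain9:PLAIN"
    report = audit(sample, ["domain1", "domain2", "domain3", "domain4"])
    for d in report["simple"]:
        print(f"WARN {d}: SIMPLE bind, user/password not encrypted on the network")
    for p in report["problems"]:
        print(f"NOTE {p}")
```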

