[Users] OpenLDAP Simple Authentication in Ovirt Engine

Oved Ourfalli ovedo at redhat.com
Tue Dec 4 09:07:14 UTC 2012



----- Original Message -----
> From: "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
> To: "Oved Ourfalli" <ovedo at redhat.com>
> Cc: "Itamar Heim" <iheim at redhat.com>, users at ovirt.org
> Sent: Tuesday, December 4, 2012 10:35:34 AM
> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
> 
> 
> On 04/12/2012 09:09, Oved Ourfalli wrote:
> 
> 
> ----- Original Message -----
> 
> From: "Itamar Heim" <iheim at redhat.com>
> To: "Oved Ourfalli" <ovedo at redhat.com>
> Cc: users at ovirt.org, "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
> Sent: Tuesday, December 4, 2012 1:47:52 AM
> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
> 
> On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
> 
> ----- Original Message -----
> 
> From: "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
> To: "cristi falcas" <cristi.falcas at gmail.com>
> Cc: users at ovirt.org
> Sent: Saturday, December 1, 2012 5:56:14 PM
> Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
> 
> Hi,
> 
> I am currently testing Ovirt 3.1 standalone on Fedora 17.
> 
> Until now, I could only use the default user admin at internal.
> 
> Our Directory at the University is OpenLDAP. We use it for
> authentication
> WITHOUT Kerberos : Simple authentication.
> 
> I wonder how to use this backend to authenticate users and manage
> groups
> in Ovirt.
> 
> Has anyone already set this up ?
> How to configure Ovirt to use Simple Authentication (No Kerberos).
> 
> Cheers,
> 
> --
> Thierry Kauffmann
> Head of IT Services // Faculté des Sciences // Université de
> Montpellier 2
> 
> Service informatique de la Faculté des Sciences (SIF)
> Université de Montpellier 2
> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
> 
> Tel : 04 67 14 31 58
> email : thierry.kauffmann at univ-montp2.fr
> web : http://sif.info-ufr.univ-montp2.fr/
> http://www.fdsweb.univ-montp2.fr/
> _______________________________________________
> Users mailing list Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
> Hi,
> 
> This is a response from an older thread from Yair Zaslavsky:
> 
> " there is no code allowing to add simple-authentication domains
> to
> Manage-Domains.
> In the past we did have the ability to do that, but there are
> several
> problematic issues."
> 
> Best regards,
> 
> Hi,
> 
> Correct me if I am wrong, but this wiki page (
> http://www.ovirt.org/DomainInfrastructure ) states clearly:
> 
>      1. Authenticating Active Directory, IPA and RHDS using either
>      simple or gssapi authentication
>      2. Querying the directory using the LDAP protocol
>      3. Auto deducing the LDAP provider type
>      4. Easily adding new LDAP provider types
>      5. Easily adding new query types
> 
> So what?
> 
> We supported simple authentication in the past, but it is no longer
> supported, that's why you can't set that using the manage domains
> utility.
> It may work well in some providers (in the past we supported that
> for active directory, so I guess it would work there).
> 
> I don't think we removed SIMPLE from the engine, we just don't
> recommend using it, since it doesn't encrypt user/password on the
> network (it is sometimes useful for debugging).
> 
> We indeed didn't remove the engine code. We just blocked it from the
> utility.
> Once you have a configured oVirt domain, you can set the
> LDAPSecurityAuthentication configuration parameter (in the
> vdc_options table) to use simple, by putting a value of:
> domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE etc.
> 
> But, if you want to add a new domain with it, then you would need to
> add it manually (I can give a detailed explanation on how, if
> relevant).
> 
> Yes, I would like to know how to add a domain directly
> which is not GSSAPI controlled.
> 

The vdc_options table is a table containing the configuration values of the engine. Among those, there are directory-related configuration values:

engine=# select * from vdc_options where option_name in ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword');
 option_id |        option_name         |                        option_value                        | version
-----------+----------------------------+------------------------------------------------------------+---------
         9 | AdUserName                 | domain1:user1,domain2:user2                                | general
        10 | AdUserPassword             | domain1:password1,domain2:password2                        | general
       114 | LdapServers                | domain1:ldap_server_address1,domain2:ldap_server_address2  | general
        64 | DomainName                 | domain1,domain2                                            | general
       112 | LDAPSecurityAuthentication | domain1:GSSAPI,domain2:SIMPLE                              | general
       115 | LDAPProviderTypes          | domain1:activeDirectory,domain2:ipa                        | general

AdUserName is the user that will be used to query the directory.
AdUserPassword is the password that will be used to query the directory.
LdapServers - the LDAP server that will be used (only one is allowed in this configuration. This configuration is optional. If empty, we will check the DNS for LDAP SRV records for the relevant domain).
DomainName - the names of the domains
LDAPSecurityAuthentication - SIMPLE/GSSAPI
LDAPProviderTypes - the provider type (activeDirectory/ipa/rhds/itds)

All the entries above are per-domain, in the format domain1:value1,domain2:value2 etc.

If manually adding a GSSAPI domain, you also need to supply a krb5.conf file and put it in the ENGINE_ETC path. If adding a SIMPLE domain, that isn't necessary.

We haven't worked with simple domains for a while now, so hopefully it will work for you as expected.

Let me know if you have further questions.

Oved
> 
> 
> 
> By default we work GSSAPI (I think the config option is empty by
> default which is equivalent to working GSSAPI).
> If/When we would need to support that again it shouldn't be a major
> effort to add the code... the testing with the different providers
> will be the hard part.
> 
> Oved
> 
> We also don't auto deduce the LDAP provider type anymore, as
> changes in the providers caused some issues with it.
> 
> I'll edit the wiki accordingly (btw, I remember removing it from
> the wiki... so it is weird that it is still there...).
> 
> Oved
> 
> --
> Thierry Kauffmann
> Head of IT Services // Faculté des Sciences // Université de
> Montpellier 2
> 
> Service informatique de la Faculté des Sciences (SIF)
> Université de Montpellier 2
> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
> 
> Tel : 04 67 14 31 58
> email : thierry.kauffmann at univ-montp2.fr
> web : http://sif.info-ufr.univ-montp2.fr/
> http://www.fdsweb.univ-montp2.fr/
> _______________________________________________
> Users mailing list Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
> 
> --
> Thierry Kauffmann
> Head of IT Services // Faculté des Sciences // Université de
> Montpellier 2
> 
> Service informatique de la Faculté des Sciences (SIF)
> Université de Montpellier 2
> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
> 
> Tel : 04 67 14 31 58
> email : thierry.kauffmann at univ-montp2.fr
> web : http://sif.info-ufr.univ-montp2.fr/
> http://www.fdsweb.univ-montp2.fr/
> 


