[Users] Manage users without Red Hat Directory Server or IBM Tivoli Directory Server?

Charlie medievalist at gmail.com
Thu Dec 6 20:35:14 UTC 2012


Supporting non-Kerberos LDAP with simple authentication and no DNS
integration would significantly decrease the work required for people
like Dennis.  Instead of having to set up Kerberos and DNS and an LDAP
provider that integrates with both, he could just set up a very simple
LDAP server and use a physically secured network or SSL with
self-signed keys to protect his authentication traffic.

There are already LDAP servers that use simple backends, including an
OpenLDAP variant that uses /etc/passwd and /etc/shadow instead of a
db.  If the requirement for Kerberos and DNS directory integration
were removed, and simple authentication worked, you would be able to
support pretty much anything out there in the linux/unix world.

That way oVirt wouldn't have to reinvent any wheels, and people like
Dennis would have significantly less costly and time-consuming
rebuilding of their networks to do before being able to implement
oVirt.

--Charlie

On Wed, Dec 5, 2012 at 4:52 AM, Itamar Heim <iheim at redhat.com> wrote:
> On 12/05/2012 11:50 AM, Roy Golan wrote:
>>
>> On 12/05/2012 11:01 AM, Yair Zaslavsky wrote:
>>>
>>>
>>> ----- Original Message -----
>>>>
>>>> From: "Dennis Böck" <dennis at webdienstleistungen.com>
>>>> To: "Itamar Heim" <iheim at redhat.com>
>>>> Cc: "users at oVirt.org" <users at ovirt.org>
>>>> Sent: Wednesday, December 5, 2012 10:48:58 AM
>>>> Subject: Re: [Users] Manage users without Red Hat Directory Server or
>>>> IBM Tivoli Directory Server?
>>>>
>>>> Dear Itamar,
>>>>
>>>> we (German Air Navigation Services) would like to use oVirt for
>>>> testing our air traffic applications.
>>>> In our air traffic application system, there is no directory service,
>>>> since we don't need one. Consequently our test system has no
>>>> directory service too.
>>>> We differentiate only between root-users (manage the OS), air traffic
>>>> application operational-users and air traffic application
>>>> technical-users.
>>>> For three kinds of users a directory service would mean too much
>>>> overhead.
>>>> oVirt is complex enough, therefore it would be advantageous to have a
>>>> simple user-management without the need to install/configure/run a
>>>> directory service infrastructure.
>>>>
>>>> Best regards
>>>> Dennis
>>>
>>> Hi Dennis,
>>> From what you're describing - you have to populate oVirt somehow with
>>> 3 groups -
>>> root-users, air traffic application operational-users and air traffic
>>> application technical-users.
>>>
>>> Not sure if you have technical developers at your organization, but in
>>> the past we developed an internal broker [1] which is not
>>> Ldap/Directory-Service based.
>>> We have future thoughts about supporting not just directory services.
>>> But for now - perhaps the quickest thing for you guys (if you have a
>>> technical team of developers) is to write your own broker, similar to
>>> the internal broker.
>>> I actually saw a non ldap broker that was implemented based on the way
>>> the internal broker was implemented.
>>> But I really think you should reconsider your decision NOT to use ldap
>>> directory-service.
>>>
>>>
>>> [1] - Internal broker - the piece of code responsible for the
>>> admin at internal user
>>>
>>>
>>> Yair
>>
>> I feel that we do need a plain and simple user management broker (could
>> be file based similar to jboss user/group properties). Dennis's concerns
>> about the time/money to invest in an up & running
>> installation with few groups seem just.
>>
>> we can make /etc/ovirt-engine/user-management/users.properties and
>> group.properties
>>
>> users.properties:
>>
>>   #key could be considered as the DN
>>
>>   user1.name=Dennis
>>   user1.id={UUID}
>>   user1.groupids={admins group id},{others}
>>   user1.pass=plaintext
>>
>> group properties:
>>
>>   admins.id={UUID}
>>   admins.desc=some description
>
>
> there are enough implementations for these things, we don't need to invent
> our own.
>
>
>>
>>
>>>> ________________________________________
>>>> From: Itamar Heim [iheim at redhat.com]
>>>> Sent: Tuesday, 4 December 2012 00:44
>>>> To: Dennis Böck
>>>> Cc: users at oVirt.org
>>>> Subject: Re: [Users] Manage users without Red Hat Directory Server or
>>>> IBM Tivoli Directory Server?
>>>>
>>>> On 12/03/2012 08:51 AM, Dennis Böck wrote:
>>>>>
>>>>> Dear oVirt-Community,
>>>>>
>>>>> how can I add a new User? If I click “Add” under the “Users”-Tag of
>>>>> the
>>>>> web interface, I cannot create a new user. If I start a search,
>>>>> only the
>>>>> user “admin” is displayed.
>>>>>
>>>>> Is it maybe not possible to create users out of oVirt?
>>>>>
>>>>> Even users which I added locally (on the fedora host which runs the
>>>>> ovirt engine) are not displayed.
>>>>>
>>>>> Can you only manage users if oVirt is connected to a Red Hat
>>>>> Directory
>>>>> Server or IBM Tivoli Directory Server?
>>>>>
>>>> can you please explain the use case where there is no existing
>>>> directory
>>>> to handle group membership and authentication?
>>>>
>>>> thanks,
>>>>      Itamar
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>
>>
>>
>
>
>
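The file-based broker Roy sketches in the quoted thread, worked into a small loader as an added example (this is not oVirt code and not what the list settled on): it parses the proposed users.properties / group.properties layout, resolves groupids to group names, and fills the `user1.pass` slot with a salted PBKDF2 hash rather than the plaintext value in the sketch, since a plaintext password file is the weak point of that design. The UUIDs, the group description and the password are constructed sample values.

```python
import hashlib
import hmac
import os
ITERATIONS = 100_000  # PBKDF2 work factor; tune it for the engine host
ADMINS_ID = "7f8c2e8e-1f6b-4e2a-9c0a-3b2d5e6f7a81"  # constructed sample group UUID

def parse_properties(text):
    """Parse Java-style key=value lines into a dict; '#' comments and blanks are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 string for the 'pass' slot, in place of a plaintext value."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def load_users(users_text, groups_text):
    """Fold 'userN.field' keys into per-user records and map groupids to group names."""
    group_names = {v: k.split(".")[0] for k, v in parse_properties(groups_text).items() if k.endswith(".id")}
    users = {}
    for key, value in parse_properties(users_text).items():
        user, _, field = key.partition(".")
        users.setdefault(user, {})[field] = value
    for rec in users.values():  # unknown group ids are kept verbatim so they stay visible
        rec["groups"] = [group_names.get(g, g) for g in rec.get("groupids", "").split(",") if g]
    return users

# Constructed sample files in the layout proposed on the list (ids and password are made up).
GROUP_PROPERTIES = f"admins.id={ADMINS_ID}\nadmins.desc=oVirt administrators\n"
USERS_PROPERTIES = (
    "# key could be considered as the DN\n"
    "user1.name=Dennis\n"
    "user1.id=0c1f9d2a-5b7e-4c3d-8a9f-1e2d3c4b5a60\n"
    f"user1.groupids={ADMINS_ID}\n"
    f"user1.pass={hash_password('correct horse')}\n"
)
```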


