[Users] Adding Authentication mechanism to oVirt
Alon Bar-Lev
alonbl at redhat.com
Mon Dec 10 22:11:01 UTC 2012
----- Original Message -----
> From: "Yaniv Kaul" <ykaul at redhat.com>
> To: "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
> Cc: users at ovirt.org
> Sent: Monday, December 10, 2012 11:58:30 PM
> Subject: Re: [Users] Adding Authentication mechanism to oVirt
>
>
>
> Wasn't it going to be deprecated?
> http://tools.ietf.org/html/rfc6331
Every IETF can be depreciated using better implementation... :)
For now we need to support this for AD and maybe others.
It is much lighter than using SSL.
> I do think the right way is SSL (LDAPS) support. Most LDAP servers
> (but Active Directory out of the box) support it.
> Y.
We need to support all approaches SIMPLE, SASL(MD5-Digest), LDAPS, StartTLS, and maybe keep SASL(GSSAPI).
I already wrote a sample to use all, I will share this soon with a quick design of what needed to be implemented in this regard.
Alon.
>
> Hi,
>
> Ovirt presently supports only GSSAPI and SIMPLE authentication
> against an LDAP server. The latter is far to weak to be used in a
> production environment. The first is only offered as an external
> authentication mechanism in many LDAP servers.
>
> I suggest adding DIGEST-MD5 support to oVirt which is a secured way
> of authenticating to an LDAP server and which is a required
> authentication mechanism in LDAPv3 specification. (see
> http://www.ietf.org/rfc/rfc2829.txt paragraph 4.2).
>
> This would make it possible to access every LDAP servers securely
> without the need to implement the GSSAPI mechanism.
>
> I also actively suggest to add support for the OpenLDAP Directory
> server. It is a widely used LDAP server (and the one we use at our
> University by the way...).
>
> Are there developers wishing to implement such support (DIGEST-MD5
> and OpenLDAP) ?
>
> Or please tell me what I should do to start implementing it ?
>
> Cheers,
>
> Thierry
>
>
>
> --
> signature-TK Thierry Kauffmann
> Chef du Service Informatique // Faculté des Sciences // Université de
> Montpellier 2
>
>
> SIF - Service Informatique de la Faculté
> des Sciences UM2 -
> Université de Montpellier 2 Service informatique de
> la Faculté des Sciences (SIF)
> Université de Montpellier 2
> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
>
> Tél : 04 67 14 31 58
> email : thierry.kauffmann at univ-montp2.fr
> web : http://sif.info-ufr.univ-montp2.fr/
> http://www.fdsweb.univ-montp2.fr/
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
More information about the Users
mailing list