[Users] Adding Authentication mechanism to oVirt

Alon Bar-Lev alonbl at redhat.com
Mon Dec 10 22:11:01 UTC 2012



----- Original Message -----
> From: "Yaniv Kaul" <ykaul at redhat.com>
> To: "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
> Cc: users at ovirt.org
> Sent: Monday, December 10, 2012 11:58:30 PM
> Subject: Re: [Users] Adding Authentication mechanism to oVirt
> 
> 
> 
> Wasn't it going to be deprecated?
> http://tools.ietf.org/html/rfc6331

Every IETF can be depreciated using better implementation... :)
For now we need to support this for AD and maybe others.
It is much lighter than using SSL.
  
> I do think the right way is SSL (LDAPS) support. Most LDAP servers
> (but Active Directory out of the box) support it.
> Y.

We need to support all approaches SIMPLE, SASL(MD5-Digest), LDAPS, StartTLS, and maybe keep SASL(GSSAPI).

I already wrote a sample to use all, I will share this soon with a quick design of what needed to be implemented in this regard.

Alon.
 
> 
> Hi,
> 
> Ovirt presently supports only GSSAPI and SIMPLE authentication
> against an LDAP server. The latter is far to weak to be used in a
> production environment. The first is only offered as an external
> authentication mechanism in many LDAP servers.
> 
> I suggest adding DIGEST-MD5 support to oVirt which is a secured way
> of authenticating to an LDAP server and which is a required
> authentication mechanism in LDAPv3 specification. (see
> http://www.ietf.org/rfc/rfc2829.txt paragraph 4.2).
> 
> This would make it possible to access every LDAP servers securely
> without the need to implement the GSSAPI mechanism.
> 
> I also actively suggest to add support for the OpenLDAP Directory
> server. It is a widely used LDAP server (and the one we use at our
> University by the way...).
> 
> Are there developers wishing to implement such support (DIGEST-MD5
> and OpenLDAP) ?
> 
> Or please tell me what I should do to start implementing it ?
> 
> Cheers,
> 
> Thierry
> 
> 
> 
> --
> signature-TK Thierry Kauffmann
> Chef du Service Informatique // Faculté des Sciences // Université de
> Montpellier 2
> 
> 
> 	SIF - Service Informatique de la Faculté
>                   des Sciences	UM2 -
>                   Université de Montpellier 2	Service informatique de
>                   la Faculté des Sciences (SIF)
> Université de Montpellier 2
> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
> 
> Tél : 04 67 14 31 58
> email : thierry.kauffmann at univ-montp2.fr
> web : http://sif.info-ufr.univ-montp2.fr/
> http://www.fdsweb.univ-montp2.fr/
> 
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
> 
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 


More information about the Users mailing list