[Users] Adding Authentication mechanism to oVirt

Thierry Kauffmann thierry.kauffmann at univ-montp2.fr
Tue Dec 11 07:00:14 UTC 2012


On 10/12/2012 23:11, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Yaniv Kaul" <ykaul at redhat.com>
>> To: "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
>> Cc: users at ovirt.org
>> Sent: Monday, December 10, 2012 11:58:30 PM
>> Subject: Re: [Users] Adding Authentication mechanism to oVirt
>>
>>
>>
>> Wasn't it going to be deprecated?
>> http://tools.ietf.org/html/rfc6331
> Every IETF can be deprecated using better implementation... :)
> For now we need to support this for AD and maybe others.
> It is much lighter than using SSL.
>   
>> I do think the right way is SSL (LDAPS) support. Most LDAP servers
>> (but Active Directory out of the box) support it.
>> Y.
> We need to support all approaches SIMPLE, SASL(MD5-Digest), LDAPS, StartTLS, and maybe keep SASL(GSSAPI).
>
> I already wrote a sample to use all, I will share this soon with a quick design of what needs to be implemented in this regard.
>
> Alon.
>  

Doesn't oVirt already support SIMPLE over SSL (that is, LDAPS and StartTLS)?

>> Hi,
>>
>> oVirt presently supports only GSSAPI and SIMPLE authentication
>> against an LDAP server. The latter is far too weak to be used in a
>> production environment. The first is only offered as an external
>> authentication mechanism in many LDAP servers.
>>
>> I suggest adding DIGEST-MD5 support to oVirt which is a secured way
>> of authenticating to an LDAP server and which is a required
>> authentication mechanism in LDAPv3 specification. (see
>> http://www.ietf.org/rfc/rfc2829.txt paragraph 4.2).
>>
>> This would make it possible to access every LDAP server securely
>> without the need to implement the GSSAPI mechanism.
>>
>> I also actively suggest to add support for the OpenLDAP Directory
>> server. It is a widely used LDAP server (and the one we use at our
>> University by the way...).
>>
>> Are there developers wishing to implement such support (DIGEST-MD5
>> and OpenLDAP)?
>>
>> Or please tell me what I should do to start implementing it?
>>
>> Cheers,
>>
>> Thierry
>>
>>
>>
>> --
>> Thierry Kauffmann
>> Head of the IT Department // Faculté des Sciences // Université de
>> Montpellier 2
>>
>> Service informatique de la Faculté des Sciences (SIF)
>> Université de Montpellier 2
>> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
>>
>> Tel: 04 67 14 31 58
>> email: thierry.kauffmann at univ-montp2.fr
>> web: http://sif.info-ufr.univ-montp2.fr/
>> http://www.fdsweb.univ-montp2.fr/
>>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users


-- 
Thierry Kauffmann
Head of the IT Department // Faculté des Sciences // Université de
Montpellier 2

Service informatique de la Faculté des Sciences (SIF)
Université de Montpellier 2
CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5

Tel: 04 67 14 31 58
email: thierry.kauffmann at univ-montp2.fr
web: http://sif.info-ufr.univ-montp2.fr/
http://www.fdsweb.univ-montp2.fr/
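
Added example (not part of the original message or of oVirt's code): what the SIMPLE and DIGEST-MD5 binds debated in this thread each put on the wire, with the DIGEST-MD5 response computed per RFC 2831 for qop=auth. The user, realm, password, nonces and digest-uri are constructed values, and the SIMPLE payload is a readable stand-in for the BER-encoded bind request.

```python
import hashlib
import hmac

def digest_md5_response(username, realm, password, nonce, cnonce, nc, digest_uri):
    """RFC 2831 response value for qop=auth with no authzid."""
    # A1 begins with the raw 16-byte MD5 of username:realm:password.
    secret = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hexdigest()

def simple_bind_payload(dn, password):
    """Credential fields of a SIMPLE bind (readable stand-in for the BER encoding)."""
    return f"name={dn} simple={password}".encode()

def digest_bind_payload(username, realm, password, nonce, cnonce, digest_uri):
    """digest-response string the client sends inside the SASL bind."""
    nc = "00000001"
    resp = digest_md5_response(username, realm, password, nonce, cnonce, nc, digest_uri)
    return (f'username="{username}",realm="{realm}",nonce="{nonce}",nc={nc},'
            f'cnonce="{cnonce}",digest-uri="{digest_uri}",response={resp},qop=auth').encode()

def server_accepts(payload, issued_nonce, stored_password):
    """Server side: recompute the response for the nonce it issued and compare."""
    fields = {}
    for item in payload.decode().split(","):
        key, _, value = item.partition("=")
        fields[key] = value.strip('"')
    expected = digest_md5_response(fields["username"], fields["realm"], stored_password,
                                   issued_nonce, fields["cnonce"], fields["nc"],
                                   fields["digest-uri"])
    return fields["nonce"] == issued_nonce and hmac.compare_digest(expected, fields["response"])

# Constructed sample values (not from the thread).
USER, REALM, PASSWORD = "tk", "example.org", "S3cret-pass"
URI = "ldap/ldap.example.org"

if __name__ == "__main__":
    simple = simple_bind_payload("uid=tk,ou=people,dc=example,dc=org", PASSWORD)
    digest = digest_bind_payload(USER, REALM, PASSWORD, "nonce-A", "cnonce-1", URI)
    print("password visible in SIMPLE bind:", PASSWORD.encode() in simple)
    print("password visible in DIGEST-MD5 bind:", PASSWORD.encode() in digest)
    print("accepted for issued nonce:", server_accepts(digest, "nonce-A", PASSWORD))
    print("replayed against new nonce:", server_accepts(digest, "nonce-B", PASSWORD))
```

The server side needs the password, or the MD5 of username:realm:password, to recompute the response. Neither bind protects the rest of the LDAP session, which is what LDAPS or StartTLS add.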

