[Users] LDAP

[Itamar Heim]

On 02/23/2012 09:33 AM, Yair Zaslavsky wrote:
> On 02/23/2012 09:20 AM, Itamar Heim wrote:
>> On 02/22/2012 11:02 PM, Nathan Stratton wrote:
>>>
>>> On Wed, 22 Feb 2012, Oved Ourfalli wrote:
>>>
>>>> Hey,
>>>>
>>>> This error usually happens where there is no krb5.conf file, or there
>>>> is one, but your domain isn't in that.
>>>> The krb5.conf file should be located in
>>>> $JBOSS_HOME/standalone/configuration directory.
>>>
>>> Ya, I gave up on the 389/Kerberos, looking at FreeIPA now.
>>>
>>> BTW, why can't we just use LDAP???
>>
>> well, this goes to history, as ovirt was ported from a C# solution
>> focused that evolved to server virtualization from VDI (virtual desktops).
>> virtual desktops were mostly windows.
>> so integration with AD was a must, and was based on kerberos (in C#)
>> java port first supported backward compatibility.
>> nothing prevents adding LDAP support, but it probably requires
>> supporting multiple LDAP redundant servers and SSL.
>>
>> btw, the code for basic LDAP (WITHOUT SECURITY) may still work, if you
>> change the authentication type to "SIMPLE".
>> but it is never discussed as a deployment option, as it is not secure.
>
> But what about schema differentiation?

well, SIMPLE would work only for schemes which are already supported. 
I'm just saying for tetsing purpose 389ds without kerberos may work as 
well in SIMPLE mode.
same for other LDAP providers, should patches for detecting their type 
and supporting their scheme (btw, we say scheme, but we use very few 
fields from it for someone to work on this and support other providers)