[Users] LDAP

Oved Ourfalli ovedo at redhat.com
Thu Feb 23 07:42:31 UTC 2012 


----- Original Message -----
> From: "Itamar Heim" <iheim at redhat.com>
> To: "Yair Zaslavsky" <yzaslavs at redhat.com>
> Cc: users at ovirt.org
> Sent: Thursday, February 23, 2012 9:37:43 AM
> Subject: Re: [Users] LDAP
> 
> On 02/23/2012 09:33 AM, Yair Zaslavsky wrote:
> > On 02/23/2012 09:20 AM, Itamar Heim wrote:
> >> On 02/22/2012 11:02 PM, Nathan Stratton wrote:
> >>>
> >>> On Wed, 22 Feb 2012, Oved Ourfalli wrote:
> >>>
> >>>> Hey,
> >>>>
> >>>> This error usually happens where there is no krb5.conf file, or
> >>>> there
> >>>> is one, but your domain isn't in that.
> >>>> The krb5.conf file should be located in
> >>>> $JBOSS_HOME/standalone/configuration directory.
> >>>
> >>> Ya, I gave up on the 389/Kerberos, looking at FreeIPA now.
> >>>
> >>> BTW, why can't we just use LDAP???
> >>
> >> well, this goes to history, as ovirt was ported from a C# solution
> >> focused that evolved to server virtualization from VDI (virtual
> >> desktops).
> >> virtual desktops were mostly windows.
> >> so integration with AD was a must, and was based on kerberos (in
> >> C#)
> >> java port first supported backward compatibility.
> >> nothing prevents adding LDAP support, but it probably requires
> >> supporting multiple LDAP redundant servers and SSL.
> >>
> >> btw, the code for basic LDAP (WITHOUT SECURITY) may still work, if
> >> you
> >> change the authentication type to "SIMPLE".
> >> but it is never discussed as a deployment option, as it is not
> >> secure.
> >
> > But what about schema differentiation?
> 
> well, SIMPLE would work only for schemes which are already supported.
> I'm just saying for testing purpose 389ds without kerberos may work
> as
> well in SIMPLE mode.
> same for other LDAP providers, should patches for detecting their
> type
> and supporting their scheme (btw, we say scheme, but we use very few
> fields from it for someone to work on this and support other
> providers)

btw, the feature was tested with RHDS, and not 389ds. They are indeed based on the same schema so it should work, but it wasn't tested, so there might be some tweaks needed to make it work.


> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>

More information about the Users mailing list