[Users] OpenLDAP Simple Authentication in Ovirt Engine

Eduardo Ramos eduardo at freedominterface.org
Wed Feb 27 16:04:17 EST 2013


Has anyone had success with that?


On 12/10/2012 10:18 AM, Eduardo Ramos wrote:
> Hi dudes!
>
> I was following the model below, but without success. That is my db:
>
>
> engine=# select * from vdc_options where option_name in
> ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword','AdUserId');
>  option_id |        option_name         |                        option_value                        | version
> -----------+----------------------------+------------------------------------------------------------+---------
>         63 | DomainName                 | ovirt                                                      | general
>          8 | AdUserName                 | ovirt:admin                                                | general
>        113 | LDAPProviderTypes          | ovirt:ipa                                                  | general
>        112 | LdapServers                | ovirt:172.16.21.240                                        | general
>        110 | LDAPSecurityAuthentication | ovirt:SIMPLE                                               | general
>          9 | AdUserPassword             | ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= | general
> (7 rows)
>
> As you can see, my ldap server and domain are internal. That's my ldap 
> user object:
>
> # admin, Users, Accounts, inpe.br
> dn: cn=admin,cn=Users,cn=Accounts,dc=ovirt
> givenName: Admin
> sn: istrator
> uid: admin
> userPassword:: e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg=
> uidNumber: 1001
> gidNumber: 502
> homeDirectory: /home/users/admin
> loginShell: /bin/sh
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> cn: admin
>
> But the log always returns:
>
> 2012-12-10 10:07:00,317 ERROR 
> [org.ovirt.engine.core.bll.adbroker.LdapSearchExceptionHandler] 
> (ajp--0.0.0.0-8009-11) Ldap authentication failed. Please check that 
> the login name , password and path are correct.
> 2012-12-10 10:07:00,321 ERROR 
> [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] 
> (ajp--0.0.0.0-8009-8) Failed ldap search server 
> ldap://172.16.21.240:389 due to 
> org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We 
> should not try the next server: 
> org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
>
> Am I doing the right way?
>
> On 12/04/2012 07:07 AM, Oved Ourfalli wrote:
>>
>> ----- Original Message -----
>>> From: "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
>>> To: "Oved Ourfalli" <ovedo at redhat.com>
>>> Cc: "Itamar Heim" <iheim at redhat.com>, users at ovirt.org
>>> Sent: Tuesday, December 4, 2012 10:35:34 AM
>>> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>>
>>>
>>> On 04/12/2012 09:09, Oved Ourfalli wrote:
>>>
>>>
>>> ----- Original Message -----
>>>
>>> From: "Itamar Heim" <iheim at redhat.com>
>>> To: "Oved Ourfalli" <ovedo at redhat.com>
>>> Cc: users at ovirt.org, "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
>>> Sent: Tuesday, December 4, 2012 1:47:52 AM
>>> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>>
>>> On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
>>>
>>> ----- Original Message -----
>>>
>>> From: "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
>>> To: "cristi falcas" <cristi.falcas at gmail.com>
>>> Cc: users at ovirt.org
>>> Sent: Saturday, December 1, 2012 5:56:14 PM
>>> Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>>
>>>
>>> Hi,
>>>
>>> I am currently testing Ovirt 3.1 standalone on Fedora 17.
>>>
>>> Until now, I could only use the default user admin at internal.
>>>
>>> Our Directory at the University is OpenLDAP. We use it for
>>> authentication
>>> WITHOUT Kerberos : Simple authentication.
>>>
>>> I wonder how to use this backend to authenticate users and manage
>>> groups
>>> in Ovirt.
>>>
>>> Has anyone already set this up ?
>>> How to configure Ovirt to use Simple Authentication (No Kerberos).
>>>
>>> Cheers,
>>>
>>> -- 
>>> Thierry Kauffmann
>>> Head of the IT Department // Faculté des Sciences // Université de
>>> Montpellier 2
>>>
>>>     [image: SIF - Service Informatique de la Faculté des Sciences]
>>>     <http://sif.info-ufr.univ-montp2.fr/>
>>>     [image: UM2 - Université de Montpellier 2] <http://www.univ-montp2.fr/>
>>> Service informatique de la Faculté des Sciences (SIF)
>>> Université de Montpellier 2
>>> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
>>>
>>> Tel: 04 67 14 31 58
>>> email: thierry.kauffmann at univ-montp2.fr
>>> web: http://sif.info-ufr.univ-montp2.fr/
>>> http://www.fdsweb.univ-montp2.fr/
>>> _______________________________________________
>>> Users mailing list Users at ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>>> Hi,
>>>
>>> This is a response from an older thread from Yair Zaslavsky:
>>>
>>> " there is no code allowing to add simple-authentication domains
>>> to
>>> Manage-Domains.
>>> In the past we did have the ability to do that, but there are
>>> several
>>> problematic issues."
>>>
>>> Best regards,
>>>
>>> Hi,
>>>
>>> correct-me if I am wrong but this wiki page (
>>> http://www.ovirt.org/DomainInfrastructure ) states clearly :
>>>
>>>
>>>
>>>
>>>
>>>       1. Authenticating Active Directory, IPA and RHDS using either
>>>       simple or gssapi authentication
>>>       2. Querying the directory using the LDAP protocol
>>>       3. Auto deducing the LDAP provider type
>>>       4. Easily adding new LDAP provider types
>>>       5. Easily adding new query types
>>>
>>> So what ? We supported simple authentication in the past, but it is
>>> no longer
>>> supported, that's why you can't set that using the manage domains
>>> utility.
>>> It may work well in some providers (in the past we supported that
>>> for active directory, so I guess it would work there). I don't think
>>> we removed SIMPLE from the engine, we just don't
>>> recommend
>>> using it, since it doesn't encrypt user/password on the network (it
>>> is
>>> sometimes useful for debugging). We indeed didn't remove the engine
>>> code. We just blocked it from the utility.
>>> Once you have a configured oVirt domain, you can set the
>>> LDAPSecurityAuthentication configuration parameter (in the
>>> vdc_options table), to use simple, by putting a value of:
>>> domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE and etc....
>>>
>>> but, if you want to add a new domain with it then you would need to
>>> add it manually (can give a detailed explanation on how, if
>>> relevant). Yes, I would like to know how to add directly a domain
>>> which is not GSSAPI controlled.
>>>
>> The vdc_options table is a table containing the configuration values 
>> of the engine. Among those, there are directory-related configuration 
>> values:
>>
>> engine=# select * from vdc_options where option_name in
>> ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword');
>>  option_id |        option_name         |                        option_value                        | version
>> -----------+----------------------------+------------------------------------------------------------+---------
>>          9 | AdUserName                 | domain1:user1,domain2:user2                                | general
>>         10 | AdUserPassword             | domain1:password1,domain2:password2                        | general
>>        114 | LdapServers                | domain1:ldap_server_address1,domain2:ldap_server_address2  | general
>>         64 | DomainName                 | domain1,domain2                                            | general
>>        112 | LDAPSecurityAuthentication | domain1:GSSAPI,domain2:SIMPLE                              | general
>>        115 | LDAPProviderTypes          | domain1:activeDirectory,domain2:ipa                        | general
>>
>> AdUserName is the user that will be used to query the directory.
>> AdUserPassword is the password that will be used to query the directory.
>> LdapServers - the LDAP server that will be used (only one is allowed 
>> in this configuration. This configuration is optional. If empty, we 
>> will check the DNS for LDAP SRV records for the relevant domain).
>> DomainName - the names of the domains
>> LDAPSecurityAuthentication - SIMPLE/GSSAPI
>> LDAPProviderTypes - the provider type (activeDirectory/ipa/rhds/itds)
>>
>> All the entries above are per-domain, in the format domain1:value1, 
>> domain2:value2 and etc....
>>
>> If manually adding a GSSAPI domain, you also need to supply a 
>> krb5.conf file, and put it in the ENGINE_ETC path. If adding a SIMPLE 
>> domain that isn't necessary.
>>
>> We haven't worked with simple domain for a while now, so hopefully it 
>> will work for you as expected.
>>
>> Let me know if you have further questions.
>>
>> Oved
>>>
>>>
>>> By default we work GSSAPI (I think the config option is empty by
>>> default which is equivalent to working GSSAPI).
>>> If/When we would need to support that again it shouldn't be a major
>>> effort to add the code... the testing with the different providers
>>> will be the hard part.
>>>
>>> Oved
>>>
>>>
>>> We also don't auto deduce the LDAP provider type anymore, as
>>> changes in the providers caused some issues with it.
>>>
>>> I'll edit the wiki accordingly (btw, I remember removing it from
>>> the wiki... so it is weird that it is still there...).
>>>
>>> Oved
>>>
>>>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
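The per-domain `domain1:value1,domain2:value2` format Oved describes, and the listing Eduardo posted, invite a consistency check before anything in `vdc_options` is changed. The script below is an added example and is not code from the oVirt project or from anyone in this thread. It parses the six option values in that format, verifies that every domain named in `DomainName` has an entry in each of the required per-domain options (`LdapServers` is optional, as Oved says), checks that `LDAPSecurityAuthentication` is SIMPLE or GSSAPI and `LDAPProviderTypes` is one of activeDirectory/ipa/rhds/itds, reports every SIMPLE domain because that bind sends the engine's directory password over the network unencrypted, and flags an `AdUserPassword` value that base64-decodes to an RFC 2307 style `{SSHA}...` string: that is a stored LDAP `userPassword` hash, which cannot be used to bind, not a bind password. The `{SCHEME}` prefix test is a heuristic of my own, the sample rows are the values quoted in the thread assembled here into a dictionary, and all function names are assumptions.

```python
import base64
import binascii

# Constructed sample, assembled from the single-domain listing quoted in the
# thread (not read from a live engine database).
SAMPLE_OPTIONS = {
    "DomainName": "ovirt",
    "AdUserName": "ovirt:admin",
    "AdUserPassword": "ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg=",
    "LdapServers": "ovirt:172.16.21.240",
    "LDAPSecurityAuthentication": "ovirt:SIMPLE",
    "LDAPProviderTypes": "ovirt:ipa",
}

# Options that must carry an entry for every configured domain.
PER_DOMAIN_REQUIRED = ("AdUserName", "AdUserPassword",
                       "LDAPSecurityAuthentication", "LDAPProviderTypes")
AUTH_METHODS = {"SIMPLE", "GSSAPI"}
PROVIDER_TYPES = {"activeDirectory", "ipa", "rhds", "itds"}
# RFC 2307 userPassword scheme prefixes (heuristic list, my assumption).
HASH_PREFIXES = tuple(p.encode() for p in ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}"))


def parse_domain_option(value):
    """Parse 'domain1:value1,domain2:value2' into {domain: value}.

    Splits each entry on the first ':' only, so a value that itself
    contains ':' (for example host:port) is preserved intact.
    """
    result = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"entry {item!r} is not in domain:value form")
        domain, val = item.split(":", 1)
        result[domain.strip()] = val.strip()
    return result


def looks_like_ldap_hash(secret):
    """Heuristic: True when the value base64-decodes to '{SCHEME}...'.

    Such a string is a directory-side password hash; presenting it as the
    bind password will never authenticate.
    """
    try:
        decoded = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return False
    return decoded.startswith(HASH_PREFIXES)


def check_ldap_options(options):
    """Return a list of human-readable findings for a vdc_options snapshot."""
    findings = []
    domains = [d.strip() for d in options.get("DomainName", "").split(",") if d.strip()]
    if not domains:
        return ["DomainName is empty: no directory domain is configured"]

    parsed = {name: parse_domain_option(options.get(name, ""))
              for name in PER_DOMAIN_REQUIRED + ("LdapServers",)}

    for d in domains:
        for name in PER_DOMAIN_REQUIRED:
            if d not in parsed[name]:
                findings.append(f"{d}: {name} has no entry for this domain")

        auth = parsed["LDAPSecurityAuthentication"].get(d)
        if auth is not None and auth.upper() not in AUTH_METHODS:
            findings.append(f"{d}: LDAPSecurityAuthentication {auth!r} is not SIMPLE or GSSAPI")
        elif auth is not None and auth.upper() == "SIMPLE":
            findings.append(f"{d}: SIMPLE bind sends the engine's directory password in "
                            f"clear text; keep the path to the LDAP server on a trusted network")

        prov = parsed["LDAPProviderTypes"].get(d)
        if prov is not None and prov not in PROVIDER_TYPES:
            findings.append(f"{d}: LDAPProviderTypes {prov!r} is not one of {sorted(PROVIDER_TYPES)}")

        pw = parsed["AdUserPassword"].get(d)
        if pw is not None and looks_like_ldap_hash(pw):
            findings.append(f"{d}: AdUserPassword decodes to an LDAP password hash; "
                            f"a hash cannot be used to bind")

    # Entries for domains that DomainName does not list are silently ignored
    # by a per-domain lookup, so point them out explicitly.
    for name, mapping in parsed.items():
        for d in mapping:
            if d not in domains:
                findings.append(f"{name} has an entry for {d!r}, which is not listed in DomainName")
    return findings


if __name__ == "__main__":
    for line in check_ldap_options(SAMPLE_OPTIONS):
        print(line)
```

Feed it the result of a read-only `select option_name, option_value from vdc_options where option_name in (...)` turned into a dictionary; it changes nothing in the database. For a GSSAPI domain the krb5.conf requirement Oved mentions still has to be checked by hand.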


