[Users] OpenLDAP Simple Authentication in Ovirt Engine

Yair Zaslavsky yzaslavs at redhat.com
Thu Feb 28 08:33:02 UTC 2013


Hi Eduardo,
We mainly focus on supporting Kerberos authentication at the moment.
Can you switch to Kerberos authentication?



----- Original Message -----
> From: "Eduardo Ramos" <eduardo at freedominterface.org>
> To: users at ovirt.org
> Sent: Wednesday, February 27, 2013 11:04:17 PM
> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
> 
> Anyone has made success with that?
> 
> 
> On 12/10/2012 10:18 AM, Eduardo Ramos wrote:
> > Hi dudes!
> >
> > I was following the model below, but without success. That is my
> > db:
> >
> >
> > engine=# select * from vdc_options where option_name in
> > ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword','AdUserId');
> >  option_id |        option_name         |                        option_value                        | version
> > -----------+----------------------------+------------------------------------------------------------+---------
> >         63 | DomainName                 | ovirt                                                      | general
> >          8 | AdUserName                 | ovirt:admin                                                | general
> >        113 | LDAPProviderTypes          | ovirt:ipa                                                  | general
> >        112 | LdapServers                | ovirt:172.16.21.240                                        | general
> >        110 | LDAPSecurityAuthentication | ovirt:SIMPLE                                               | general
> >          9 | AdUserPassword             | ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= | general
> > (7 rows)
> >
> > As you can see, my ldap server and domain are internal. That's my
> > ldap
> > user object:
> >
> > # admin, Users, Accounts, inpe.br
> > dn: cn=admin,cn=Users,cn=Accounts,dc=ovirt
> > givenName: Admin
> > sn: istrator
> > uid: admin
> > userPassword:: e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg=
> > uidNumber: 1001
> > gidNumber: 502
> > homeDirectory: /home/users/admin
> > loginShell: /bin/sh
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > objectClass: top
> > cn: admin
> >
> > But the log always returns:
> >
> > 2012-12-10 10:07:00,317 ERROR [org.ovirt.engine.core.bll.adbroker.LdapSearchExceptionHandler] (ajp--0.0.0.0-8009-11) Ldap authentication failed. Please check that the login name , password and path are correct.
> > 2012-12-10 10:07:00,321 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-8) Failed ldap search server ldap://172.16.21.240:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
> >
> > Am I doing it the right way?
> >
> > On 12/04/2012 07:07 AM, Oved Ourfalli wrote:
> >>
> >> ----- Original Message -----
> >>> From: "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
> >>> To: "Oved Ourfalli" <ovedo at redhat.com>
> >>> Cc: "Itamar Heim" <iheim at redhat.com>, users at ovirt.org
> >>> Sent: Tuesday, December 4, 2012 10:35:34 AM
> >>> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt
> >>> Engine
> >>>
> >>>
> >>> On 04/12/2012 09:09, Oved Ourfalli wrote:
> >>>
> >>>
> >>> ----- Original Message -----
> >>>
> >>> From: "Itamar Heim" <iheim at redhat.com>
> >>> To: "Oved Ourfalli" <ovedo at redhat.com>
> >>> Cc: users at ovirt.org, "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
> >>> Sent: Tuesday, December 4, 2012 1:47:52 AM
> >>> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
> >>>
> >>> On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
> >>>
> >>> ----- Original Message -----
> >>>
> >>> From: "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
> >>> To: "cristi falcas" <cristi.falcas at gmail.com>
> >>> Cc: users at ovirt.org
> >>> Sent: Saturday, December 1, 2012 5:56:14 PM
> >>> Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
> >>>
> >>> Hi,
> >>>
> >>> I am currently testing Ovirt 3.1 standalone on Fedora 17.
> >>>
> >>> Until now, I could only use the default user admin at internal.
> >>>
> >>> Our Directory at the University is OpenLDAP. We use it for
> >>> authentication
> >>> WITHOUT Kerberos : Simple authentication.
> >>>
> >>> I wonder how to use this backend to authenticate users and manage
> >>> groups
> >>> in Ovirt.
> >>>
> >>> Has anyone already set this up?
> >>> How do I configure Ovirt to use Simple Authentication (no
> >>> Kerberos)?
> >>>
> >>> Cheers,
> >>>
> >>> --
> >>> Thierry Kauffmann
> >>> Head of IT Services // Faculté des Sciences // Université de Montpellier 2
> >>> Service informatique de la Faculté des Sciences (SIF)
> >>> Université de Montpellier 2
> >>> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
> >>> Tel : 04 67 14 31 58
> >>> email : thierry.kauffmann at univ-montp2.fr
> >>> web : http://sif.info-ufr.univ-montp2.fr/
> >>> http://www.fdsweb.univ-montp2.fr/
> >>> _______________________________________________
> >>> Users mailing list Users at ovirt.org
> >>> http://lists.ovirt.org/mailman/listinfo/users
> >>>
> >>> Hi,
> >>>
> >>> This is a response from an older thread from Yair Zaslavsky:
> >>>
> >>> " there is no code allowing to add simple-authentication domains
> >>> to
> >>> Manage-Domains.
> >>> In the past we did have the ability to do that, but there are
> >>> several
> >>> problematic issues."
> >>>
> >>> Best regards,
> >>>
> >>> Hi,
> >>>
> >>> Correct me if I am wrong, but this wiki page
> >>> (http://www.ovirt.org/DomainInfrastructure) states clearly:
> >>>
> >>>       1. Authenticating Active Directory, IPA and RHDS using
> >>>       either simple or gssapi authentication
> >>>       2. Querying the directory using the LDAP protocol
> >>>       3. Auto deducing the LDAP provider type
> >>>       4. Easily adding new LDAP provider types
> >>>       5. Easily adding new query types
> >>>
> >>> So what?
> >>>
> >>> We supported simple authentication in the past, but it is no longer
> >>> supported; that's why you can't set that using the manage domains
> >>> utility.
> >>>
> >>> It may work well in some providers (in the past we supported that
> >>> for Active Directory, so I guess it would work there). I don't
> >>> think we removed SIMPLE from the engine, we just don't recommend
> >>> using it, since it doesn't encrypt user/password on the network (it
> >>> is sometimes useful for debugging).
> >>>
> >>> We indeed didn't remove the engine code. We just blocked it from
> >>> the utility.
> >>> Once you have a configured oVirt domain, you can set the
> >>> LDAPSecurityAuthentication configuration parameter (in the
> >>> vdc_options table) to use simple, by putting a value of:
> >>> domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE etc.
> >>>
> >>> But, if you want to add a new domain with it then you would need to
> >>> add it manually (I can give a detailed explanation on how, if
> >>> relevant).
> >>>
> >>> Yes, I would like to know how to add directly a domain which is not
> >>> GSSAPI controlled.
> >>>
> >> The vdc_options table is a table containing the configuration
> >> values
> >> of the engine. Among those, there are directory-related
> >> configuration
> >> values:
> >>
> >> engine=# select * from vdc_options where option_name in
> >> ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword');
> >>  option_id |        option_name         |                       option_value                        | version
> >> -----------+----------------------------+-----------------------------------------------------------+---------
> >>          9 | AdUserName                 | domain1:user1,domain2:user2                               | general
> >>         10 | AdUserPassword             | domain1:password1,domain2:password2                       | general
> >>        114 | LdapServers                | domain1:ldap_server_address1,domain2:ldap_server_address2 | general
> >>         64 | DomainName                 | domain1,domain2                                           | general
> >>        112 | LDAPSecurityAuthentication | domain1:GSSAPI,domain2:SIMPLE                             | general
> >>        115 | LDAPProviderTypes          | domain1:activeDirectory,domain2:ipa                       | general
> >>
> >> AdUserName is the user that will be used to query the directory.
> >> AdUserPassword is the password that will be used to query the directory.
> >> LdapServers - the LDAP server that will be used (only one is allowed
> >> in this configuration. This configuration is optional. If empty, we
> >> will check the DNS for LDAP SRV records for the relevant domain).
> >> DomainName - the names of the domains
> >> LDAPSecurityAuthentication - SIMPLE/GSSAPI
> >> LDAPProviderTypes - the provider type (activeDirectory/ipa/rhds/itds)
> >>
> >> All the entries above are per-domain, in the format domain1:value1,
> >> domain2:value2 etc.
> >>
> >> If manually adding a GSSAPI domain, you also need to supply a
> >> krb5.conf file, and put it in the ENGINE_ETC path. If adding a SIMPLE
> >> domain that isn't necessary.
> >>
> >> We haven't worked with simple domains for a while now, so hopefully
> >> it will work for you as expected.
> >>
> >> Let me know if you have further questions.
> >>
> >> Oved
> >>>
> >>>
> >>> By default we work GSSAPI (I think the config option is empty by
> >>> default which is equivalent to working GSSAPI).
> >>> If/When we would need to support that again it shouldn't be a
> >>> major
> >>> effort to add the code... the testing with the different
> >>> providers
> >>> will be the hard part.
> >>>
> >>> Oved
> >>>
> >>> We also don't auto deduce the LDAP provider type anymore, as
> >>> changes in the providers caused some issues with it.
> >>>
> >>> I'll edit the wiki accordingly (btw, I remember removing it from
> >>> the wiki... so it is weird that it is still there...).
> >>>
> >>> Oved
> >>>
> 
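Added example, not code from the thread or from oVirt itself: a consistency check for the directory rows Oved describes above. It takes the six vdc_options values as a dict (assumed to have been pulled out with the select shown in the thread), parses the per-domain domain1:value1,domain2:value2 format, treats an empty LDAPSecurityAuthentication as GSSAPI, accepts only the provider types the thread lists, flags every SIMPLE domain as sending the engine's bind credentials to the server unencrypted, and flags an AdUserPassword that is a directory password hash rather than a password. That last check reflects what the first table in the thread shows: its AdUserPassword value is the same base64 text as the LDIF entry's userPassword:: attribute, and that text decodes to a {SSHA} hash. The sample rows, the example.test host names and the 'exampel' misspelling are constructed.

```python
import base64
import re

# Values the thread gives for these options (oVirt 3.1 era).
VALID_AUTH = {"SIMPLE", "GSSAPI"}
VALID_PROVIDERS = {"activeDirectory", "ipa", "rhds", "itds"}
PER_DOMAIN_OPTIONS = ("AdUserName", "AdUserPassword", "LdapServers",
                      "LDAPSecurityAuthentication", "LDAPProviderTypes")
# OpenLDAP userPassword storage schemes: such a value is the hash the directory
# stores, not the clear-text password the engine needs in order to bind.
HASH_PREFIX = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}", re.IGNORECASE)


def parse_per_domain(value):
    """Parse 'domain1:value1,domain2:value2' into {domain: value}; '' -> {}."""
    mapping = {}
    for item in (value or "").split(","):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"entry {item!r} lacks the 'domain:' prefix")
        domain, val = item.split(":", 1)  # split once: values may hold ':' (host:port)
        mapping[domain.strip()] = val.strip()
    return mapping


def looks_like_password_hash(secret):
    """True if secret is a {SCHEME}... directory hash, raw or base64-wrapped
    (the 'userPassword::' form in which an LDIF dump prints it)."""
    if HASH_PREFIX.match(secret):
        return True
    try:
        decoded = base64.b64decode(secret, validate=True).decode("utf-8", "replace")
    except ValueError:  # not valid base64, so an ordinary password
        return False
    return bool(HASH_PREFIX.match(decoded))


def check_domain_config(options):
    """Cross-check the directory rows of vdc_options (option_name -> option_value).
    Returns (errors, warnings); no errors means the per-domain rows line up."""
    errors, warnings = [], []
    domains = [d.strip() for d in options.get("DomainName", "").split(",") if d.strip()]
    if not domains:
        return ["DomainName is empty: no directory domain is configured"], warnings
    per_domain = {}
    for name in PER_DOMAIN_OPTIONS:
        try:
            per_domain[name] = parse_per_domain(options.get(name, ""))
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
            per_domain[name] = {}
        for domain in per_domain[name]:
            if domain not in domains:
                errors.append(f"{name}: domain {domain!r} is not listed in DomainName")
    for domain in domains:
        for name in ("AdUserName", "AdUserPassword", "LDAPProviderTypes"):
            if domain not in per_domain[name]:
                errors.append(f"{domain}: no {name} entry")
        # Per the thread, an empty LDAPSecurityAuthentication means GSSAPI.
        auth = per_domain["LDAPSecurityAuthentication"].get(domain, "GSSAPI")
        if auth not in VALID_AUTH:
            errors.append(f"{domain}: LDAPSecurityAuthentication {auth!r} is not SIMPLE or GSSAPI")
        provider = per_domain["LDAPProviderTypes"].get(domain)
        if provider is not None and provider not in VALID_PROVIDERS:
            errors.append(f"{domain}: LDAPProviderTypes {provider!r} is not one of "
                          + ", ".join(sorted(VALID_PROVIDERS)))
        # LdapServers is optional; when absent the engine looks up DNS SRV records.
        server = per_domain["LdapServers"].get(domain, "the server found via DNS SRV")
        if auth == "SIMPLE":
            warnings.append(f"{domain}: SIMPLE bind sends the engine's user name and "
                            f"password unencrypted to {server}")
        password = per_domain["AdUserPassword"].get(domain, "")
        if password and looks_like_password_hash(password):
            errors.append(f"{domain}: AdUserPassword is a stored directory hash, "
                          "not the clear-text bind password")
    return errors, warnings


# Constructed sample rows (not from the thread): the two-domain layout the
# thread describes, and one SIMPLE domain carrying three typical mistakes.
SAMPLE_OK = {
    "DomainName": "domain1,domain2",
    "AdUserName": "domain1:user1,domain2:user2",
    "AdUserPassword": "domain1:password1,domain2:password2",
    "LdapServers": "domain1:ldap1.example.test,domain2:ldap2.example.test",
    "LDAPSecurityAuthentication": "domain1:GSSAPI,domain2:SIMPLE",
    "LDAPProviderTypes": "domain1:activeDirectory,domain2:ipa",
}
SAMPLE_BROKEN = {
    "DomainName": "example",
    "AdUserName": "example:admin",
    # the userPassword:: text copied from an LDIF dump instead of the password
    "AdUserPassword": "example:" + base64.b64encode(b"{SSHA}constructed-hash").decode(),
    "LdapServers": "exampel:ldap.example.test",  # misspelled domain name
    "LDAPSecurityAuthentication": "example:SIMPLE",
    "LDAPProviderTypes": "example:openldap",  # not a type the thread lists
}

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(label, *check_domain_config(sample), sep="\n  ")
```

Run as a script it reports the clean two-domain layout with only the SIMPLE warning for domain2, and three errors for the broken sample (a domain name that appears in LdapServers but not in DomainName, a provider type outside the listed set, and a hash in place of the bind password). In practice, build the dict from the psql output before restarting the engine; the SIMPLE warning is the same point Oved makes above about credentials crossing the network unencrypted.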


