[Users] OpenLDAP Simple Authentication in Ovirt Engine

Jure Kranjc jure.kranjc at arnes.si
Thu Feb 28 09:04:43 UTC 2013


I was also testing simple auth without success. Our ldap doesn't support 
kerberos so we're stuck. Engine log doesn't report anything, and the 
server log shows:

2013-02-28 09:53:52,850 INFO  [org.jboss.as.server] 
(DeploymentScanner-threads - 2) JBAS015870: Deploy of deployment 
"engine.ear" was rolled back with failure message {"JBAS014671: Failed 
services" => 
{"jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START" 
=> "org.jboss.msc.service.StartException in service 
jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START: 
Failed to start service"}}

We're using 3.1 on CentOS, rpms from dev.centos.org repo.


On 02/28/2013 09:33 AM, Yair Zaslavsky wrote:
> Hi Eduardo,
> We mainly focus on supporting Kerberos authentication at the moment
> Can you switch to kerberos authentication?
>
>
>
> ----- Original Message -----
>> From: "Eduardo Ramos" <eduardo at freedominterface.org>
>> To: users at ovirt.org
>> Sent: Wednesday, February 27, 2013 11:04:17 PM
>> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>
>> Anyone has made success with that?
>>
>>
>> On 12/10/2012 10:18 AM, Eduardo Ramos wrote:
>>> Hi dudes!
>>>
>>> I was following the model below, but without success. That is my
>>> db:
>>>
>>>
>>> engine=# select * from vdc_options where option_name in
>>> ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword','AdUserId');
>>>  option_id |        option_name         |                        option_value                        | version
>>> -----------+----------------------------+------------------------------------------------------------+---------
>>>         63 | DomainName                 | ovirt                                                      | general
>>>          8 | AdUserName                 | ovirt:admin                                                | general
>>>        113 | LDAPProviderTypes          | ovirt:ipa                                                  | general
>>>        112 | LdapServers                | ovirt:172.16.21.240                                        | general
>>>        110 | LDAPSecurityAuthentication | ovirt:SIMPLE                                               | general
>>>          9 | AdUserPassword             | ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= | general
>>> (7 rows)
>>>
>>> As you can see, my ldap server and domain are internal. That's my
>>> ldap
>>> user object:
>>>
>>> # admin, Users, Accounts, inpe.br
>>> dn: cn=admin,cn=Users,cn=Accounts,dc=ovirt
>>> givenName: Admin
>>> sn: istrator
>>> uid: admin
>>> userPassword:: e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg=
>>> uidNumber: 1001
>>> gidNumber: 502
>>> homeDirectory: /home/users/admin
>>> loginShell: /bin/sh
>>> objectClass: inetOrgPerson
>>> objectClass: posixAccount
>>> objectClass: top
>>> cn: admin
>>>
>>> But the log aways returns:
>>>
>>> 2012-12-10 10:07:00,317 ERROR
>>> [org.ovirt.engine.core.bll.adbroker.LdapSearchExceptionHandler]
>>> (ajp--0.0.0.0-8009-11) Ldap authentication failed. Please check
>>> that
>>> the login name , password and path are correct.
>>> 2012-12-10 10:07:00,321 ERROR
>>> [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
>>> (ajp--0.0.0.0-8009-8) Failed ldap search server
>>> ldap://172.16.21.240:389 due to
>>> org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException.
>>> We
>>> should not try the next server:
>>> org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
>>>
>>> Am I doing the right way?
>>>
>>> On 12/04/2012 07:07 AM, Oved Ourfalli wrote:
>>>> ----- Original Message -----
>>>>> From: "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
>>>>> To: "Oved Ourfalli" <ovedo at redhat.com>
>>>>> Cc: "Itamar Heim" <iheim at redhat.com>, users at ovirt.org
>>>>> Sent: Tuesday, December 4, 2012 10:35:34 AM
>>>>> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt
>>>>> Engine
>>>>>
>>>>>
>>>>> On 04/12/2012 09:09, Oved Ourfalli wrote:
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>
>>>>> From: "Itamar Heim" <iheim at redhat.com>
>>>>> To: "Oved Ourfalli" <ovedo at redhat.com>
>>>>> Cc: users at ovirt.org, "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
>>>>> Sent: Tuesday, December 4, 2012 1:47:52 AM
>>>>> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>>>>
>>>>> On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
>>>>>
>>>>> ----- Original Message -----
>>>>>
>>>>> From: "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
>>>>> To: "cristi falcas" <cristi.falcas at gmail.com>
>>>>> Cc: users at ovirt.org
>>>>> Sent: Saturday, December 1, 2012 5:56:14 PM
>>>>> Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>>>>
>>>>> Hi,
>>>>>
>>>>> I am currently testing Ovirt 3.1 standalone on Fedora 17.
>>>>>
>>>>> Until now, I could only use the default user admin at internal.
>>>>>
>>>>> Our Directory at the University is OpenLDAP. We use it for
>>>>> authentication
>>>>> WITHOUT Kerberos : Simple authentication.
>>>>>
>>>>> I wonder how to use this backend to authenticate users and manage
>>>>> groups
>>>>> in Ovirt.
>>>>>
>>>>> Has anyone already set this up ?
>>>>> How to configure Ovirt to use Simple Authentication (No
>>>>> Kerberos).
>>>>>
>>>>> Cheers,
>>>>>
>>>>> --
>>>>> Thierry Kauffmann
>>>>> Head of IT Services // Faculté des Sciences // Université de Montpellier 2
>>>>> Service informatique de la Faculté des Sciences (SIF)
>>>>> Université de Montpellier 2
>>>>> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
>>>>>
>>>>> Tel : 04 67 14 31 58
>>>>> email : thierry.kauffmann at univ-montp2.fr
>>>>> web : http://sif.info-ufr.univ-montp2.fr/
>>>>> http://www.fdsweb.univ-montp2.fr/
>>>>> _______________________________________________
>>>>> Users mailing list Users at ovirt.org
>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>
>>>>> Hi,
>>>>>
>>>>> This is a response from an older thread from Yair Zaslavsky:
>>>>>
>>>>> " there is no code allowing to add simple-authentication domains
>>>>> to
>>>>> Manage-Domains.
>>>>> In the past we did have the ability to do that, but there are
>>>>> several
>>>>> problematic issues."
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Hi,
>>>>>
>>>>> correct me if I am wrong, but this wiki page (
>>>>> http://www.ovirt.org/DomainInfrastructure ) states clearly:
>>>>>
>>>>>        1. Authenticating Active Directory, IPA and RHDS using
>>>>>        either
>>>>>        simple or gssapi authentication
>>>>>        2. Querying the directory using the LDAP protocol
>>>>>        3. Auto deducing the LDAP provider type
>>>>>        4. Easily adding new LDAP provider types
>>>>>        5. Easily adding new query types
>>>>>
>>>>> So what ? We supported simple authentication in the past, but it
>>>>> is
>>>>> no longer
>>>>> supported, that's why you can't set that using the manage domains
>>>>> utility.
>>>>> It may work well in some providers (in the past we supported that
>>>>> for active directory, so I guess it would work there). I don't
>>>>> think
>>>>> we removed SIMPLE from the engine, we just don't
>>>>> recommend
>>>>> using it, since it doesn't encrypt user/password on the network
>>>>> (it
>>>>> is
>>>>> sometime useful for debugging). We indeed didn't remove the
>>>>> engine
>>>>> code. We just blocked it from the utility.
>>>>> Once you have a configured oVirt domain, you can set the
>>>>> LDAPSecurityAuthentication configuration parameter (in the
>>>>> vdc_options table), to use simple, by putting a value of:
>>>>> domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE and etc....
>>>>>
>>>>> but, if you want to add a new domain with it then you would need
>>>>> to
>>>>> add it manually (can give a detailed explanation on how, if
>>>>> relevant).
>>>>>
>>>>> Yes, I would like to know how to directly add a domain which is
>>>>> not GSSAPI controlled.
>>>>>
>>>> The vdc_options table is a table containing the configuration
>>>> values
>>>> of the engine. Among those, there are directory-related
>>>> configuration
>>>> values:
>>>>
>>>> engine=# select * from vdc_options where option_name in
>>>> ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword');
>>>>  option_id |        option_name         |                       option_value                        | version
>>>> -----------+----------------------------+-----------------------------------------------------------+---------
>>>>          9 | AdUserName                 | domain1:user1,domain2:user2                               | general
>>>>         10 | AdUserPassword             | domain1:password1,domain2:password2                       | general
>>>>        114 | LdapServers                | domain1:ldap_server_address1,domain2:ldap_server_address2 | general
>>>>         64 | DomainName                 | domain1,domain2                                           | general
>>>>        112 | LDAPSecurityAuthentication | domain1:GSSAPI,domain2:SIMPLE                             | general
>>>>        115 | LDAPProviderTypes          | domain1:activeDirectory,domain2:ipa                       | general
>>>>
>>>> AdUserName is the user that will be used to query the directory.
>>>> AdUserPassword is the password that will be used to query the
>>>> directory.
>>>> LdapServers - the LDAP server that will be used (only one is
>>>> allowed
>>>> in this configuration. This configuration is optional. If empty,
>>>> we
>>>> will check the DNS for LDAP SRV records for the relevant domain).
>>>> DomainName - the names of the domains
>>>> LDAPSecurityAuthentication - SIMPLE/GSSAPI
>>>> LDAPProviderTypes - the provider type
>>>> (activeDirectory/ipa/rhds/itds)
>>>>
>>>> All the entries above are per-domain, in the format
>>>> domain1:value1,
>>>> domain2:value2 and etc....
>>>>
>>>> If manually adding a GSSAPI domain, you also need to supply a
>>>> krb5.conf file, and put it in the ENGINE_ETC path. If adding a
>>>> SIMPLE
>>>> domain that isn't necessary.
>>>>
>>>> We haven't worked with simple domain for a while now, so hopefully
>>>> it
>>>> will work for you as expected.
>>>>
>>>> Let me know if you have further questions.
>>>>
>>>> Oved
>>>>>
>>>>> By default we work GSSAPI (I think the config option is empty by
>>>>> default which is equivalent to working GSSAPI).
>>>>> If/When we would need to support that again it shouldn't be a
>>>>> major
>>>>> effort to add the code... the testing with the different
>>>>> providers
>>>>> will be the hard part.
>>>>>
>>>>> Oved
>>>>>
>>>>>
>>>>> We also don't auto deduce the LDAP provider type anymore, as
>>>>> changes in the providers caused some issues with it.
>>>>>
>>>>> I'll edit the wiki accordingly (btw, I remember removing it from
>>>>> the wiki... so it is weird that it is still there...).
>>>>>
>>>>> Oved
>>>>>
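Oved's description of the per-domain vdc_options format (domain1:value1,domain2:value2, DomainName as a plain comma list, an empty LDAPSecurityAuthentication meaning GSSAPI) can be checked mechanically before the engine is restarted, which is where Jure's and Eduardo's failures surface. The following is an added example, not code from the oVirt project or from anyone in this thread: it parses rows in that format, builds a per-domain view, and reports the conditions the thread itself warns about (a SIMPLE domain, whose bind password crosses the network unencrypted; a domain with no provider type, since auto-deduction was removed; a domain that has values but is missing from DomainName). The option names are the ones in the thread; the sample rows, domain names and host names are constructed for the example.

```python
"""Parse and audit oVirt 3.1-style per-domain vdc_options values.

Added example, not oVirt project code. Assumes the format described in the
thread: directory options hold "domain1:value1,domain2:value2", DomainName
holds "domain1,domain2", and an empty LDAPSecurityAuthentication entry for a
domain means GSSAPI. All sample data below is constructed.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed sample of the directory-related rows, in the
# (option_name, option_value) shape the SQL query in the thread returns.
SAMPLE_OPTIONS: List[Tuple[str, str]] = [
    ("DomainName", "corp.example,lab.example"),
    ("LdapServers", "corp.example:ldap1.corp.example:389"),
    ("LDAPSecurityAuthentication", "corp.example:GSSAPI,lab.example:SIMPLE"),
    ("LDAPProviderTypes", "corp.example:activeDirectory"),
    ("AdUserName", "corp.example:svc-ovirt,lab.example:admin"),
]

PER_DOMAIN_OPTIONS = ("LdapServers", "LDAPSecurityAuthentication",
                      "LDAPProviderTypes", "AdUserName")
VALID_AUTH = {"SIMPLE", "GSSAPI"}
VALID_PROVIDERS = {"activeDirectory", "ipa", "rhds", "itds"}  # from the thread


def parse_per_domain(value: str) -> Dict[str, str]:
    """Split "d1:v1,d2:v2" into {"d1": "v1", "d2": "v2"}.

    Only the first ':' separates domain from value, so a server value that
    itself contains ':' (host:port) survives. An entry with no domain prefix
    raises, because the engine could not attribute it to any domain.
    """
    result: Dict[str, str] = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if ":" not in entry:
            raise ValueError(f"entry {entry!r} has no 'domain:' prefix")
        domain, val = entry.split(":", 1)
        result[domain.strip()] = val.strip()
    return result


def build_domain_config(options: Iterable[Tuple[str, str]]) -> Dict[str, Dict[str, str]]:
    """Turn the flat option rows into {domain: {option_name: value}}."""
    opts = dict(options)
    domains = [d.strip() for d in opts.get("DomainName", "").split(",") if d.strip()]
    config: Dict[str, Dict[str, str]] = {d: {} for d in domains}
    for name in PER_DOMAIN_OPTIONS:
        for domain, val in parse_per_domain(opts.get(name, "")).items():
            config.setdefault(domain, {})[name] = val
    # Empty/missing LDAPSecurityAuthentication is GSSAPI (thread's default).
    for settings in config.values():
        settings.setdefault("LDAPSecurityAuthentication", "GSSAPI")
    return config


def audit(options: Iterable[Tuple[str, str]]) -> List[str]:
    """Return one finding string per problem, sorted by domain name."""
    opts = dict(options)
    listed = {d.strip() for d in opts.get("DomainName", "").split(",") if d.strip()}
    findings: List[str] = []
    for domain, s in sorted(build_domain_config(opts.items()).items()):
        if domain not in listed:
            findings.append(f"{domain}: has per-domain values but is missing from DomainName")
        auth = s["LDAPSecurityAuthentication"]
        if auth not in VALID_AUTH:
            findings.append(f"{domain}: unknown LDAPSecurityAuthentication {auth!r}")
        elif auth == "SIMPLE":
            findings.append(f"{domain}: SIMPLE bind sends the AdUserName password unencrypted over ldap://")
        provider = s.get("LDAPProviderTypes")
        if provider is None:
            findings.append(f"{domain}: no LDAPProviderTypes set (the engine no longer auto-deduces it)")
        elif provider not in VALID_PROVIDERS:
            findings.append(f"{domain}: unknown LDAPProviderTypes {provider!r}")
        if "LdapServers" not in s:
            findings.append(f"{domain}: no LdapServers, the engine will look up DNS SRV records")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_OPTIONS):
        print(line)
```

Feed it the rows from the `select ... from vdc_options` query shown in the thread instead of SAMPLE_OPTIONS and the report tells you, before any deployment roll-back, which domain is configured for SIMPLE and which one is still missing a provider type.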




