[Users] OpenLDAP Simple Authentication in Ovirt Engine
Roy Golan
rgolan at redhat.com
Thu Feb 28 12:32:22 UTC 2013
On 02/28/2013 11:04 AM, Jure Kranjc wrote:
> I was also testing simple auth without success. Our ldap doesn't
> support kerberos so we're stuck. Engine log doesn't report anything,
> and the server log shows:
>
> 2013-02-28 09:53:52,850 INFO [org.jboss.as.server]
> (DeploymentScanner-threads - 2) JBAS015870: Deploy of deployment
> "engine.ear" was rolled back with failure message {"JBAS014671: Failed
> services" =>
> {"jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START"
> => "org.jboss.msc.service.StartException in service
> jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START:
> Failed to start service"}}
>
> We're using 3.1 on CentOS, rpms from dev.centos.org repo.
>
lets debug kerberos:
vi /var/lib/jboss/jboss-as/bin/run.conf
add this at the bottom
JAVA_OPTS="$JAVA_OPTS -Dsun.security.krb5.debug=true"
restart jboss
Its weird that the ear didn't deploy. Please paste engine.log and server.log
>
> On 02/28/2013 09:33 AM, Yair Zaslavsky wrote:
>> Hi Eduardo,
>> We mainly focus on supporting Kerberos authentication at the moment
>> Can you switch to kerberos authentication?
>>
>>
>>
>> ----- Original Message -----
>>> From: "Eduardo Ramos" <eduardo at freedominterface.org>
>>> To: users at ovirt.org
>>> Sent: Wednesday, February 27, 2013 11:04:17 PM
>>> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>>
>>> Anyone has made success with that?
>>>
>>>
>>> On 12/10/2012 10:18 AM, Eduardo Ramos wrote:
>>>> Hi dudes!
>>>>
>>>> I was following the model below, but without success. That is my
>>>> db:
>>>>
>>>>
>>>> engine=# select * from vdc_options where option_name in
>>>> ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword','AdUserId');
>>>>
>>>> option_id | option_name | option_value
>>>> | version
>>>> -----------+----------------------------+------------------------------------------------------------+---------
>>>>
>>>>
>>>> 63 | DomainName | ovirt
>>>> | general
>>>> 8 | AdUserName |
>>>> ovirt:admin |
>>>> general
>>>> 113 | LDAPProviderTypes |
>>>> ovirt:ipa |
>>>> general
>>>> 112 | LdapServers |
>>>> ovirt:172.16.21.240 |
>>>> general
>>>> 110 | LDAPSecurityAuthentication |
>>>> ovirt:SIMPLE |
>>>> general
>>>> 9 | AdUserPassword |
>>>> ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= |
>>>> general
>>>> (7 rows)
>>>>
>>>> As you can see, my ldap server and domain are internal. That's my
>>>> ldap
>>>> user object:
>>>>
>>>> # admin, Users, Accounts, inpe.br
>>>> dn: cn=admin,cn=Users,cn=Accounts,dc=ovirt
>>>> givenName: Admin
>>>> sn: istrator
>>>> uid: admin
>>>> userPassword:: e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg=
>>>> uidNumber: 1001
>>>> gidNumber: 502
>>>> homeDirectory: /home/users/admin
>>>> loginShell: /bin/sh
>>>> objectClass: inetOrgPerson
>>>> objectClass: posixAccount
>>>> objectClass: top
>>>> cn: admin
>>>>
>>>> But the log aways returns:
>>>>
>>>> 2012-12-10 10:07:00,317 ERROR
>>>> [org.ovirt.engine.core.bll.adbroker.LdapSearchExceptionHandler]
>>>> (ajp--0.0.0.0-8009-11) Ldap authentication failed. Please check
>>>> that
>>>> the login name , password and path are correct.
>>>> 2012-12-10 10:07:00,321 ERROR
>>>> [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
>>>> (ajp--0.0.0.0-8009-8) Failed ldap search server
>>>> ldap://172.16.21.240:389 due to
>>>> org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException.
>>>> We
>>>> should not try the next server:
>>>> org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
>>>>
>>>> Am I doing the right way?
>>>>
>>>> On 12/04/2012 07:07 AM, Oved Ourfalli wrote:
>>>>> ----- Original Message -----
>>>>>> From: "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr>
>>>>>> To: "Oved Ourfalli" <ovedo at redhat.com>
>>>>>> Cc: "Itamar Heim" <iheim at redhat.com>, users at ovirt.org
>>>>>> Sent: Tuesday, December 4, 2012 10:35:34 AM
>>>>>> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt
>>>>>> Engine
>>>>>>
>>>>>>
>>>>>> Le 04/12/2012 09:09, Oved Ourfalli a écrit :
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>
>>>>>> From: "Itamar Heim" <iheim at redhat.com> To: "Oved Ourfalli"
>>>>>> <ovedo at redhat.com> Cc: users at ovirt.org , "Thierry Kauffmann"
>>>>>> <thierry.kauffmann at univ-montp2.fr> Sent: Tuesday, December 4,
>>>>>> 2012
>>>>>> 1:47:52 AM
>>>>>> Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt
>>>>>> Engine
>>>>>>
>>>>>> On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>
>>>>>> From: "Thierry Kauffmann" <thierry.kauffmann at univ-montp2.fr> To:
>>>>>> "cristi falcas" <cristi.falcas at gmail.com> Cc: users at ovirt.org
>>>>>> Sent:
>>>>>> Saturday, December 1, 2012 5:56:14 PM
>>>>>> Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am currently testing Ovirt 3.1 standalone on Fedora 17.
>>>>>>
>>>>>> Until now, I could only use the default user admin at internal.
>>>>>>
>>>>>> Our Directory at the University is OpenLDAP. We use it for
>>>>>> authentication
>>>>>> WITHOUT Kerberos : Simple authentication.
>>>>>>
>>>>>> I wonder how to use this backend to authenticate users and manage
>>>>>> groups
>>>>>> in Ovirt.
>>>>>>
>>>>>> Has anyone already set this up ?
>>>>>> How to configure Ovirt to use Simple Authentication (No
>>>>>> Kerberos).
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> --
>>>>>> Thierry Kauffmann
>>>>>> Chef du Service Informatique // Facult? des Sciences //
>>>>>> Universit?
>>>>>> de
>>>>>> Montpellier 2
>>>>>>
>>>>>> [image: SIF - Service Informatique de la Facult? des
>>>>>> Sciences]
>>>>>> <http://sif.info-ufr.univ-montp2.fr/> [image:
>>>>>> UM2 - Universit? de Montpellier 2] <http://www.univ-montp2.fr/>
>>>>>> Service
>>>>>> informatique de la Facult? des Sciences (SIF)
>>>>>> Universit? de Montpellier 2
>>>>>> CC437 // Place Eug?ne Bataillon // 34095 Montpellier Cedex 5
>>>>>>
>>>>>> T?l : 04 67 14 31 58
>>>>>> email : thierry.kauffmann at univ-montp2.fr web :
>>>>>> http://sif.info-ufr.univ-montp2.fr/
>>>>>> http://www.fdsweb.univ-montp2.fr/
>>>>>> _______________________________________________
>>>>>> Users mailing list Users at ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users Hi,
>>>>>>
>>>>>> This is a response from an older thread from Yair Zaslavsky:
>>>>>>
>>>>>> " there is no code allowing to add simple-authentication domains
>>>>>> to
>>>>>> Manage-Domains.
>>>>>> In the past we did have the ability to do that, but there are
>>>>>> several
>>>>>> problematic issues."
>>>>>>
>>>>>> Best regards, Hi,
>>>>>>
>>>>>> correct-me if I am wrong but this wiki page (
>>>>>> http://www.ovirt.org/DomainInfrastructure ) states clearly :
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> 1. Authenticating Active Directory, IPA and RHDS using
>>>>>> either
>>>>>> simple or gssapi authentication
>>>>>> 2. Querying the directory using the LDAP protocol
>>>>>> 3. Auto deducing the LDAP provider type
>>>>>> 4. Easily adding new LDAP provider types
>>>>>> 5. Easily adding new query types
>>>>>>
>>>>>> So what ? We supported simple authentication in the past, but it
>>>>>> is
>>>>>> no longer
>>>>>> supported, that's why you can't set that using the manage domains
>>>>>> utility.
>>>>>> It may work well in some providers (in the past we supported that
>>>>>> for active directory, so I guess it would work there). I don't
>>>>>> think
>>>>>> we removed SIMPLE from the engine, we just don't
>>>>>> recommend
>>>>>> using it, since it doesn't encrypt user/password on the network
>>>>>> (it
>>>>>> is
>>>>>> sometime useful for debugging). We indeed didn't remove the
>>>>>> engine
>>>>>> code. We just blocked it from the utility.
>>>>>> Once you have a configured oVirt domain, you can set the
>>>>>> LDAPSecurityAuthentication configuration parameter (in the
>>>>>> vdc_options table), to use simple, by putting a value of:
>>>>>> domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE and etc....
>>>>>>
>>>>>> but, if you want to add a new domain with it then you would need
>>>>>> to
>>>>>> add it manually (can give a detailed explanation on how, if
>>>>>> relevant). Yes, I would like to know how to add directly a domain
>>>>>> which is not GSSAPI controlled.
>>>>>>
>>>>> The vdc_options table is a table containing the configuration
>>>>> values
>>>>> of the engine. Among those, there are directory-related
>>>>> configuration
>>>>> values:
>>>>>
>>>>> engine=# select * from vdc_options where option_name in
>>>>> ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword');
>>>>>
>>>>> option_id | option_name |
>>>>> option_value | version
>>>>> -----------+----------------------------+-------------------------------------------------+---------
>>>>>
>>>>>
>>>>> 9 | AdUserName |
>>>>> domain1:user1,domain2:user2 | general
>>>>> 10 | AdUserPassword |
>>>>> domain1:password1,domain2:password2 | general
>>>>> 114 | LdapServers |
>>>>> deomain1:ldap_server_address1,domain2:ldap_server_address2 |
>>>>> general
>>>>> 64 | DomainName |
>>>>> domain1,domain2 | general
>>>>> 112 | LDAPSecurityAuthentication |
>>>>> domain1:GSSAPI,domain2:SIMPLE | general
>>>>> 115 | LDAPProviderTypes |
>>>>> domain1:activeDirectory,domain2:ipa | general
>>>>>
>>>>> AdUserName is the user that will be used to query the directory.
>>>>> AdUserPassword is the password that will be used to query the
>>>>> directory.
>>>>> LdapServers - the LDAP server that will be used (only one is
>>>>> allowed
>>>>> in this configuration. This configuration is optional. If empty,
>>>>> we
>>>>> will check the DNS for LDAP SRV records for the relevant domain).
>>>>> DomainName - the names of the domains
>>>>> LDAPSecurityAuthentication - SIMPLE/GSSAPI
>>>>> LDAPProviderTypes - the provider type
>>>>> (activeDirectory/ipa/rhds/itds)
>>>>>
>>>>> All the entries above are per-domain, in the format
>>>>> domain1:value1,
>>>>> domain2:value2 and etc....
>>>>>
>>>>> If manually adding a GSSAPI domain, you also need to supply a
>>>>> krb5.conf file, and put it in the ENGINE_ETC path. If adding a
>>>>> SIMPLE
>>>>> domain that isn't neccesary.
>>>>>
>>>>> We haven't worked with simple domain for a while now, so hopefully
>>>>> it
>>>>> will work for you as expected.
>>>>>
>>>>> Let me know if you have further questions.
>>>>>
>>>>> Oved
>>>>>>
>>>>>> By default we work GSSAPI (I think the config option is empty by
>>>>>> default which is equivalent to working GSSAPI).
>>>>>> If/When we would need to support that again it shouldn't be a
>>>>>> major
>>>>>> effort to add the code... the testing with the different
>>>>>> providers
>>>>>> will be the hard part.
>>>>>>
>>>>>> Oved
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> We also don't auto deduce the LDAP provider type anymore, as
>>>>>> changes in the providers caused some issues with it.
>>>>>>
>>>>>> I'll edit the wiki accordingly (btw, I remember removing it from
>>>>>> the wiki... so it is weird that it is still there...).
>>>>>>
>>>>>> Oved
>>>>>>
>>>>>> --
>>>>>> signature-TK Thierry Kauffmann
>>>>>> Chef du Service Informatique // Faculté des Sciences //
>>>>>> Université
>>>>>> de
>>>>>> Montpellier 2
>>>>>>
>>>>>>
>>>>>> SIF - Service Informatique de la Faculté
>>>>>> des Sciences UM2 -
>>>>>> Université de Montpellier 2 Service
>>>>>> informatique de
>>>>>> la Faculté des Sciences (SIF)
>>>>>> Université de Montpellier 2
>>>>>> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
>>>>>>
>>>>>> Tél : 04 67 14 31 58
>>>>>> email : thierry.kauffmann at univ-montp2.fr web :
>>>>>> http://sif.info-ufr.univ-montp2.fr/
>>>>>> http://www.fdsweb.univ-montp2.fr/
>>>>>> _______________________________________________
>>>>>> Users mailing list Users at ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>> _______________________________________________
>>>>>> Users mailing list Users at ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>> _______________________________________________
>>>>>> Users mailing list Users at ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>
>>>>>>
>>>>>> --
>>>>>> signature-TK Thierry Kauffmann
>>>>>> Chef du Service Informatique // Faculté des Sciences //
>>>>>> Université de
>>>>>> Montpellier 2
>>>>>>
>>>>>>
>>>>>> SIF - Service Informatique de la Faculté
>>>>>> des Sciences UM2 -
>>>>>> Université de Montpellier 2 Service
>>>>>> informatique de
>>>>>> la Faculté des Sciences (SIF)
>>>>>> Université de Montpellier 2
>>>>>> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
>>>>>>
>>>>>> Tél : 04 67 14 31 58
>>>>>> email : thierry.kauffmann at univ-montp2.fr
>>>>>> web : http://sif.info-ufr.univ-montp2.fr/
>>>>>> http://www.fdsweb.univ-montp2.fr/
>>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at ovirt.org
>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>> _______________________________________________
>>> Users mailing list
>>> Users at ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
More information about the Users
mailing list