[ovirt-users] Adding domain to oVirt to 3.5 issue

Alon Bar-Lev alonbl at redhat.com
Wed Dec 10 10:57:14 UTC 2014



----- Original Message -----
> From: "Juan Jose" <jj197005 at gmail.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>, "Yair Zaslavsky" <yzaslavs at redhat.com>
> Sent: Wednesday, December 10, 2014 12:30:34 PM
> Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> 
> Hello Alon and Yair,
> 
> Many thanks for your help, finally it works properly. My problem, after
> Alon's last indications, was that my user "Juanjo" was defined with the SuperUser
> role in the previous domain configuration. I have logged in with the admin user
> from internal, removed the old configuration and configured my
> user "Juanjo" with all administrator roles in the folder "Permission", and I
> can log in to the administration portal without problems and it works properly.
> 
> The final configuration I have is an emulated *AD based on Samba 4* and the
> final configuration files are:

Good!
So samba is not emulating active directory entirely :)
But good to know it is working.
Please also checkout group membership.

> ovirt-engine-extension-aaa-ldap.noarch
> 1.0.1-0.0.master.20141209141731.git0437701.el6

This fix for Samba AD will be released in 1.0.1.

> 
> */etc/ovirt-engine/extensions.d/siee-local-authn.properties*:
> 
> ovirt.engine.extension.name = siee-local-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = siee
> ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/siee.properties
> 
> */etc/ovirt-engine/extensions.d/siee-local-authz.properties*:
> 
> ovirt.engine.extension.name = siee-local-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/siee.properties
> 
> */etc/ovirt-engine/aaa/siee.properties*:
> 
> include = <ad.properties>
> 
> #
> # Active directory domain name.
> #
> vars.domain = siee.local
> 
> #
> # Search user and its password.
> #
> vars.user = searcher@${global:vars.domain}
> vars.password = xxxx
> 
> #
> # Optional DNS servers, if enterprise
> # DNS server cannot resolve the domain srvrecord.
> #
> #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
> 
> pool.default.serverset.type = srvrecord
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> 
> # Uncomment if using custom DNS
> #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> 
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
> #pool.default.ssl.truststore.password = changeit

You should enable SSL for production use, as you do not want passwords to be transmitted in the clear.
Not sure how you install SSL on the Samba LDAP, but once you do, follow the README instructions[1].

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l141

> 
> */etc/krb5.conf*:

You are not using Kerberos, so there is no reason to configure it for the setup to work.

> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = SIEE.LOCAL
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = no
>  default_tkt_enctypes = arcfour-hmac-md5
>  udp_preference_limit = 1
> 
> #[realms]
> 
> #[domain_realm]
> # .siee.local = SIEE.LOCAL
> # siee.local = SIEE.LOCAL
> 
> 
> Many thanks again to everybody,
> 
> Juanjo.
> 
> On Tue, Dec 9, 2014 at 5:31 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
> 
> >
> >
> > ----- Original Message -----
> > > From: "Juan Jose" <jj197005 at gmail.com>
> > > To: "Alon Bar-Lev" <alonbl at redhat.com>, "Yair Zaslavsky" <yzaslavs at redhat.com>
> > > Sent: Tuesday, December 9, 2014 5:42:56 PM
> > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > >
> > > Hello Alon,
> > >
> > > In my first e-mails I had already said that I have an emulation of AD
> > > based on Samba 4. I have tested the last version of the
> > > ovirt-engine-extension-aaa-ldap package and I think the problem is the same,
> > > although the error is "User is not authorized to perform this action".
> > >
> > > I attach the engine.log.
> >
> > USER_NOT_AUTHORIZED_TO_PERFORM_ACTION means the user is not a superuser or one
> > that can manage objects, as far as I know.
> >
> > I see siee0 at siee.local is trying to log in, which is CN=siee0 siee0,CN=Users,DC=siee,DC=local
> >
> > Login succeeds.
> >
> > I do not see any groups it belongs to.
> >
> > Are you sure you added this user role within the webadmin or that user
> > belongs to groups that were added to engine with such roles?
> >
> > >
> > > In case the new oVirt version 3.5 doesn't work with an AD emulation
> > > based on Samba 4, is it possible to do user authentication with an OpenLDAP
> > > directly with this 3.5 version? If so, could you give me the link to
> > > the documentation to configure OpenLDAP authentication?
> >
> > Sure, just copy
> > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple recursively
> > into /etc/ovirt-engine, then modify /etc/ovirt-engine/aaa/ldap1.properties
> > and set vars.server, vars.user, vars.password.
> >
> > Until 3.5.1 you should also edit
> > /etc/ovirt-engine/extensions.d/domain1*.properties and replace ../aaa with
> > /etc/ovirt-engine/aaa
> >
> >
> > > Many thanks in advance,
> > >
> > > Juanjo.
> > >
> > > On Tue, Dec 9, 2014 at 3:16 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
> > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Alon Bar-Lev" <alonbl at redhat.com>
> > > > > To: "Juan Jose" <jj197005 at gmail.com>
> > > > > Cc: "users" <users at ovirt.org>
> > > > > Sent: Tuesday, December 9, 2014 3:59:33 PM
> > > > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > > > >
> > > > > We start over...
> > > > >
> > > > > This is not active directory... it is samba.
> > > > >
> > > > > Attribute(name=vendorName, values={'Samba Team (http://samba.org)'})
> > > > >
> > > > > Only now I realized this, maybe you mentioned it earlier not sure.
> > > > >
> > > > > Of course this was never tested, so probably not working.
> > > > >
> > > > > I see that samba does not return a list of extended operations, I will
> > > > > workaround this and we can see what else differs from active directory.
> > > >
> > > > Can you please checkout the following rpm[1]?
> > > >
> > > > [1] http://jenkins.ovirt.org/job/ovirt-engine-extension-aaa-ldap_master_create-rpms-el6-x86_64_merged/
> > > >
> > >
> >
> 
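As an added example (not code from this thread or from the ovirt-engine-extension-aaa-ldap project), a small Python audit that parses a profile like the siee.properties above, expands the ${global:...} and ${local:_basedir} references, and flags the clear-text simple bind that Alon warns about; the parsing and expansion rules are a simplified assumption about the extension's format, and the sample profile is constructed from the thread.

```python
# Audit an ovirt-engine-extension-aaa-ldap profile for clear-text LDAP binds.
# Added example for this thread, not code from the extension. The key = value
# parsing and ${global:...}/${local:_basedir} expansion are an approximation (assumption).
import re
# Constructed sample mirroring the thread's siee.properties, TLS still commented out.
SAMPLE_INSECURE = """\
include = <ad.properties>
vars.domain = siee.local
vars.user = searcher@${global:vars.domain}
vars.password = xxxx
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
#pool.default.ssl.truststore.password = changeit
"""
# Hardened form: the same profile with the three ssl.* lines uncommented.
SAMPLE_SECURE = SAMPLE_INSECURE.replace("#pool.default.ssl", "pool.default.ssl")
REF = re.compile(r"\$\{(global|local):([^}]+)\}")

def parse_profile(text, basedir="/etc/ovirt-engine/aaa"):
    """Return expanded properties; comments and blank lines are skipped."""
    raw = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        raw[key.strip()] = value.strip()

    def expand(value, depth=0):
        if depth > 10:  # guard against self-referential variables
            raise ValueError("variable reference loop")
        def sub(match):
            namespace, name = match.groups()
            if namespace == "local" and name == "_basedir":
                return basedir
            return expand(raw.get(name, ""), depth + 1)
        return REF.sub(sub, value)
    return {k: expand(v) for k, v in raw.items()}

def audit_tls(props):
    """List findings for a profile; an empty list means the bind is protected."""
    findings = []
    if props.get("pool.default.ssl.startTLS", "").lower() != "true":
        findings.append("simple bind without startTLS: bind password crosses the network in clear")
    elif not props.get("pool.default.ssl.truststore.file"):
        findings.append("startTLS enabled but no truststore: server certificate is not validated")
    return findings
```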


