[ovirt-users] adding machine to openldap + kerberos with a keytab

Alon Bar-Lev alonbl at redhat.com
Thu Sep 11 07:45:34 UTC 2014


Hi,

We are doing significant rework within the authentication and authorization slot; most of it will be available in 3.5.

In a nutshell, there are two packages:

ovirt-engine-extension-aaa-ldap - provider of authentication and authorization using the LDAP protocol.
ovirt-engine-extension-aaa-misc - for misc support (see documentation).

Integrating with LDAP no longer requires Kerberos; the preferred way is to use the LDAP protocol with startTLS and basic authentication, as in this mode most LDAP implementations return valid result codes on failure.

GSSAPI is still supported, although I recommend avoiding it, but if you insist... you can probably use a keytab. I did not test this, but it should be available using the following; if it works, please tell me :)

---
pool.default.auth.gssapi.useTicketCache = true
pool.default.auth.gssapi.ticketCachePath = <path-to-keytab>
---

As for single sign-on with Apache, please refer to "APACHE SSO CONFIGURATION" within [1].

Any feedback will be appreciated.

Regards,
Alon Bar-Lev

ovirt-engine-extension-aaa-ldap documentation
[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
[2] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
[3] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.unboundid-ldapsdk;hb=HEAD
ovirt-engine-extension-aaa-misc documentation
[4] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-misc.git;a=blob;f=README.http;hb=HEAD
[5] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-misc.git;a=blob;f=README.mapping;hb=HEAD
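As an added example (not part of Alon's message and not a file shipped by the project), here is what the startTLS plus simple-bind profile he recommends looks like for an OpenLDAP directory, with the GSSAPI variant he calls untested kept beside it as commented-out lines. The key names follow the aaa-ldap README he links as [1]; the server name, base DN, search account, passwords, file names and the extension names "example-authn"/"example-authz" are placeholders. The two gssapi keys are reproduced from his message unchanged; pool.default.auth.type is the selector for the bind method in the same README, so verify all three against [1] before relying on them.

```properties
# /etc/ovirt-engine/aaa/example.properties   (placeholder path and values)
include = <openldap.properties>

vars.server = ldap1.example.com
vars.user = uid=ovirt-search,ou=people,dc=example,dc=com
vars.password = replace-me

pool.default.serverset.single.server = ${global:vars.server}

# Preferred: startTLS on the plain LDAP port, server certificate checked
# against a local JKS truststore. Without the truststore the TLS session
# is not authenticating the server, so do not leave these two lines out.
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
pool.default.ssl.truststore.password = changeit

# Preferred: simple bind with a read-only search account. A bad password or
# a locked account comes back as an LDAP result code the extension can map
# to a clear authentication failure.
pool.default.auth.type = simple
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Alternative (untested per the message above): GSSAPI bind from a keytab.
# To try it, comment out the three auth.simple lines and enable these:
#pool.default.auth.type = gssapi
#pool.default.auth.gssapi.useTicketCache = true
#pool.default.auth.gssapi.ticketCachePath = /etc/ovirt-engine/aaa/example.keytab

# /etc/ovirt-engine/extensions.d/example-authn.properties
ovirt.engine.extension.name = example-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = example
ovirt.engine.aaa.authn.authz.plugin = example-authz
config.profile.file.1 = ../aaa/example.properties

# /etc/ovirt-engine/extensions.d/example-authz.properties
ovirt.engine.extension.name = example-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/example.properties
```

The truststore is built from the CA certificate that signed the directory server's certificate, for example with `keytool -importcert -noprompt -trustcacerts -alias ldap-ca -file ca.pem -keystore /etc/ovirt-engine/aaa/ldap1.example.com.jks -storepass changeit`, and the engine must be restarted after the files are in place. Keep the profile readable only by the engine user, since it holds the search account's password.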


