[ovirt-users] adding machine to openldap + kerberos with a keytab
Alon Bar-Lev
alonbl at redhat.com
Thu Sep 11 07:45:34 UTC 2014
Hi,
We are doing significant rework within the authentication and authorization slot, most will be available in 3.5.
In a nutshell, there are two packages:
ovirt-engine-extension-aaa-ldap - provider of authentication and authorization using ldap protocol.
ovirt-engine-extension-aaa-misc - for misc support (see documentation).
Integrating with ldap now does not require using kerberos; the preferred way is to use the ldap protocol with startTLS and basic authentication, as in this mode most ldap implementations return valid result codes for failures.
GSSAPI is still supported, although I recommend avoiding it, but if you insist... you can probably use a keytab. I did not test this, but it should be available using the following; if it works, please tell me :)
---
pool.default.auth.gssapi.useTicketCache = true
pool.default.auth.gssapi.ticketCachePath = <path-to-keytab>
---
As for single sign-on with apache, please refer to "APACHE SSO CONFIGURATION" within [1].
Any feedback will be appreciated.
Regards,
Alon Bar-Lev
ovirt-engine-extension-aaa-ldap documentation
[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
[2] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
[3] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.unboundid-ldapsdk;hb=HEAD
ovirt-engine-extension-aaa-misc documentation
[4] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-misc.git;a=blob;f=README.http;hb=HEAD
[5] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-misc.git;a=blob;f=README.mapping;hb=HEAD
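As an added illustration (not part of Alon's message or the project's README), the startTLS plus simple-bind profile the message recommends, placed next to the GSSAPI keys quoted above. The file path and values are constructed, and the key names follow the pool.default.* scheme seen above and are assumed to match the aaa-ldap README [2]; verify them there before use.

```properties
# Added example profile, not from the original message or the project README.
# Key names are assumed to match the aaa-ldap README [2]; path is illustrative.
# /etc/ovirt-engine/aaa/example.properties

include = <openldap.properties>

# Constructed sample values; replace with your directory's details.
vars.server = ldap.example.com
vars.user = uid=ovirt-search,ou=People,dc=example,dc=com
vars.password = <search-account-password>

pool.default.serverset.single.server = ${global:vars.server}

# Recommended mode: startTLS on the plain ldap port, then a simple (basic) bind.
# The directory's CA certificate is pinned in a Java keystore, so the TLS
# handshake fails against an unverified server before any bind password is sent.
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
pool.default.ssl.truststore.password = changeit

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# GSSAPI alternative from the message above, kept commented out for comparison:
# pool.default.auth.gssapi.useTicketCache = true
# pool.default.auth.gssapi.ticketCachePath = <path-to-keytab>
```

The simple-bind mode is preferred in the message because a failed bind comes back as an ldap result code the extension can report, whereas a GSSAPI failure surfaces only from the Kerberos layer.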