[ovirt-users] [ATN] LDAP Users please read

Alon Bar-Lev alonbl at redhat.com
Thu Aug 6 07:34:15 EDT 2015



----- Original Message -----
> From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
> To: "Alon Bar-Lev" <alonbl at redhat.com>, "users" <users at ovirt.org>
> Sent: Thursday, August 6, 2015 1:24:23 PM
> Subject: Re: [ovirt-users] [ATN] LDAP Users please read
> 
> Hello Alon,
> 
> On 04.08.2015 09:56, Alon Bar-Lev wrote:
> > Hello LDAP Users,
> >
> > If you migrated from 3.4 or if you used engine-managed-domains to add LDAP
> > support into engine - this message is for you.
> >
> > In 3.5 we introduced a new LDAP provider[1][2], it is superset of the
> > previous implementation, highlights includes:
> >   * Better response times.
> >   * Simplicity, Use of LDAP protocol only - kerberos is no longer needed.
> >   * More LDAP implementations are supported.
> >   * Flexible configuration, can be customized on site to support special
> >   setups.
> >   * Supportability, better logs and feedbacks to enable remote support.
> >   * Variety of fallback policies, examples: srvrecord, failover,
> >   round-robin and more.
> >   * Active Directory: supports multiple domain in forest.
> >
> > In 3.5 the previous LDAP provider is marked as legacy, users' issues will
> > be resolved by migration to the new provider.
> >
> > Upgrade to 4.0 will not be possible if legacy provider is being used.
> >
> > The new provider is working without any issue for quite some time, we would
> > like to eliminate the remaining usage of the legacy provider as soon as
> > possible.
> >
> > A tool was created[3] to automate the process, it should perform everything
> > in safe and automatic process, while enables customization if such
> > required. The one prerequisite that we could not automate easily is
> > obtaining the CA certificate used by the LDAP server to communicate using
> > SSL/TLS, you should acquire this manually and provide it as parameter.
> >
> > We (Ondra CCed and I) will help anyone that is experiencing issues with the
> > process, please do not delay migration to the point it becomes emergency.
> >
> > Let's define a virtual goal -- in 1 month no legacy LDAP usage anywhere.
> >
> > Regards,
> > Alon Bar-Lev.
> >
> > [1] http://www.ovirt.org/Features/AAA
> > [2]
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
> 
> Sorry for the ignorance on my part,
> 
> but I tried one more and could not find any qualified docs/howtos on the
> new AAA feature.
> 
> This readme is the only thing witch comes close so far, but running
> Engine 3.5.3 at least my installation is missing
> 
> /usr/share/ovirt-engine-extension-aaa-ldap*/examples
> 
> Does the tool run without them?

The new provider is distributed as standalone and optional package, please install ovirt-engine-extension-aaa-ldap and you will be set up.

> As for my part, I only need engine authentication domains; I used:
> engine-manage-domains add --domain ...
> 
> Should I migrate to the new provider?

Yes, this is exactly the reason why I sent this message, all 3.5 installations should migrate to the new provider so we can provide better service and support.

I will be happy to assist.

Regards,
Alon

> Thanks;
> 
> > [3]
> > https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases
> > _______________________________________________
> > Users mailing list
> > Users at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >
> 
> --
> Daniel Helgenberger
> m box bewegtbild GmbH
> 
> P: +49/30/2408781-22
> F: +49/30/2408781-10
> 
> ACKERSTR. 19
> D-10115 BERLIN
> 
> 
> www.m-box.de  www.monkeymen.tv
> 
> Geschäftsführer: Martin Retschitzegger / Michaela Göllner
> Handeslregister: Amtsgericht Charlottenburg / HRB 112767
> 


More information about the Users mailing list