[ovirt-users] [ATN] LDAP Users please read

Jason Keltz jas at cse.yorku.ca
Thu Aug 6 16:47:26 UTC 2015


On 04.08.2015 09:56, Alon Bar-Lev wrote:
>> Hello LDAP Users,
>>
>> If you migrated from 3.4 or if you used engine-managed-domains to add LDAP support into engine - this message is for you.
>>
>> In 3.5 we introduced a new LDAP provider[1][2]. It is a superset of the previous implementation; highlights include:
>>    * Better response times.
>>    * Simplicity: uses the LDAP protocol only; Kerberos is no longer needed.
>>    * More LDAP implementations are supported.
>>    * Flexible configuration; can be customized on site to support special setups.
>>    * Supportability: better logs and feedback to enable remote support.
>>    * A variety of fallback policies, for example: srvrecord, failover, round-robin and more.
>>    * Active Directory: supports multiple domains in a forest.
>>
>> In 3.5 the previous LDAP provider is marked as legacy; users' issues will be resolved by migration to the new provider.
>>
>> Upgrade to 4.0 will not be possible if legacy provider is being used.
>>
>> The new provider has been working without any issue for quite some time; we would like to eliminate the remaining usage of the legacy provider as soon as possible.
>>
>> A tool was created[3] to automate the process. It should perform everything in a safe and automatic process, while enabling customization if required. The one prerequisite that we could not automate easily is obtaining the CA certificate used by the LDAP server to communicate using SSL/TLS; you should acquire this manually and provide it as a parameter.
>>
>> We (Ondra, CCed, and I) will help anyone who is experiencing issues with the process; please do not delay migration to the point where it becomes an emergency.
>>
>> Let's define a virtual goal -- in 1 month no legacy LDAP usage anywhere.
>>
>> Regards,
>> Alon Bar-Lev.
>>
>> [1] http://www.ovirt.org/Features/AAA
>> [2] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
Sorry, Alon...

I'm puzzled.  I set up a RHEL IPA server to act as an authentication 
front-end for my ovirt installation.  It also acts as an IPA server for 
all the servers involved in my ovirt installation.

I enabled my engine installation to authenticate with my IPA server like 
this:
> engine# engine-manage-domains add --domain=EECS.YORKU.CA --provider=ipa --user=ovirtadmin
Your new system refers only to LDAP, and not Kerberos, other than saying 
that it "obsoletes the legacy Kerberos/LDAP implementation".   Will 
Kerberos support now be obsolete?  Since I've already invested the time 
to get engine working with IPA and Kerberos, I don't really see the 
point in changing things now, but I'd also rather deal with this now, 
rather than down the line when I want to upgrade and find that my 
existing installation is no longer compatible.    Sooo -- does this 
change still affect my current installation? Should I migrate? What do I 
migrate to, and how?

Thanks!

Jason.
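The announcement quoted above leaves exactly one step to the administrator: obtaining the CA certificate of the LDAP server, so that the new provider can verify the server's TLS certificate. The script below is an added example of how to do that with openssl; it is not oVirt project code and is not part of the original thread. It assumes the directory server speaks LDAPS on port 636, that openssl is installed on the engine host, and that the server name is supplied through an LDAP_HOST variable (a convention of this example only). The chain a server sends usually ends with an intermediate rather than the root, so the script saves the last certificate it received, checks whether that certificate is self-signed, and confirms that the server certificate actually verifies against it before declaring success.

```sh
#!/bin/sh
# Added example, not oVirt project code. Assumes LDAPS on port 636 and an
# installed openssl; LDAP_HOST is this example's own convention.

# Print only the N-th PEM certificate block (1-based) from the
# `openssl s_client -showcerts` output read on stdin. Block 1 is the
# server certificate; the last block is the highest issuer the server
# chose to send.
pem_block() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    '
}

# Count the PEM certificate blocks on stdin (prints 0 if none).
pem_count() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# fetch_ldap_ca HOST OUTFILE
# Saves the last certificate HOST presents to OUTFILE. Returns 2 when that
# certificate is not self-signed (the server sent an intermediate, not
# its root, so the real root must be obtained from the CA operator) and
# non-zero when the server certificate does not verify against it.
fetch_ldap_ca() {
    host="$1"; out="$2"
    chain=$(openssl s_client -showcerts -connect "$host:636" \
                -servername "$host" </dev/null 2>/dev/null) || return 1
    n=$(printf '%s\n' "$chain" | pem_count)
    if [ "$n" -eq 0 ]; then
        echo "no certificates received from $host" >&2
        return 1
    fi
    printf '%s\n' "$chain" | pem_block "$n" > "$out"
    subject=$(openssl x509 -in "$out" -noout -subject)
    issuer=$(openssl x509 -in "$out" -noout -issuer)
    if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
        echo "warning: $out is not self-signed; $host sent an intermediate, not its root CA" >&2
        return 2
    fi
    # Confirm the certificate the engine will see really chains to the
    # file we are about to hand to the migration tool.
    printf '%s\n' "$chain" | pem_block 1 > "$out.server"
    openssl verify -CAfile "$out" "$out.server" >/dev/null
}

# Only contacts the network when a host is given, e.g.
#   LDAP_HOST=ipa.example.org sh fetch-ldap-ca.sh
if [ -n "${LDAP_HOST:-}" ]; then
    fetch_ldap_ca "$LDAP_HOST" ldap-ca.pem && echo "saved ldap-ca.pem"
fi
```

If the server only offers STARTTLS on port 389, recent OpenSSL releases accept `-starttls ldap` on the s_client line in place of connecting to 636. The self-signed check is the important part: saving an intermediate as the "CA" works until the server's certificate is renewed under a different intermediate, at which point the provider stops trusting it. For an IPA-managed directory, as in the setup described in this thread, the root certificate is also available as /etc/ipa/ca.crt on any enrolled host.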