[ovirt-users] oVirt 3.5 and FreeIpa

Thu Jan 22 11:41:40 UTC 2015

On 10/31/2014 02:47 PM, Marcelo Donato wrote:
>
> Below the solution. Resolved  By "Alon Bar-Lev" <alonbl at redhat.com
> <mailto:alonbl at redhat.com>>
>
>
> 1. install  ovirt-engine-extension-aaa-ldap, it is available in
> ovirt-3.5-snapshots repository.
>
> 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties
>
> ovirt.engine.extension.name <http://ovirt.engine.extension.name/> =
> din-intranet-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>
> 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties
>
> ovirt.engine.extension.name <http://ovirt.engine.extension.name/> =
> din-intranet-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name
> <http://ovirt.engine.aaa.authn.profile.name/> = din.intranet
> ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>
> 4. create /etc/ovirt-engine/aaa/din.intranet.properties
>
> include = <ipa.properties>
>
> vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
> vars.password = 123456
> vars.server = ipa1.din.intranet
>
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> 5. restart engine.
>
>
> Thanks a lot Alon.

Thanks for this, saved me some time!

Just a couple of addtions, please hash the password with SSHA (I really
hate plain text admin passwords...)
I tried putting an {SSHA} encoded password in "vars.password =", but it
fails to authenticate while plain text works fine.

For people with multiple ipa replica's I you guess you need to use:

Round robin configuration:

	vars.server1 = ipa1.din.intranet
		  vars.server2 = ipa2.din.intranet

	pool.default.serverset.type = round-robin
    	pool.default.serverset.round-robin.1.server = ${global:vars.server1}
    	pool.default.serverset.round-robin.2.server = ${global:vars.server2}

instead of

    vars.server = ipa1.din.intranet
    pool.default.serverset.single.server = ${global:vars.server}

But I still have to test that as our second replica is down at the moment.

Also can we get rid of the internal admin or better just disable
internal authenticationt without problems? As we have ipa we don't want
local login enabled, but in emergency situations we might need to turn
it on quickly.

Kind regards,

Met vriendelijke groet, With kind regards,

Jorick Astrego

Netbulae Virtualization Experts 

----------------

	Tel: 053 20 30 270 	info at netbulae.eu 	Staalsteden 4-3A 	KvK 08198180
 	Fax: 053 20 30 271 	www.netbulae.eu 	7547 TA Enschede 	BTW NL821234584B01

----------------

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20150122/0b563885/attachment-0001.html>