[ovirt-users] oVirt 3.5 and FreeIpa
Jorick Astrego
j.astrego at netbulae.eu
Thu Jan 22 11:41:40 UTC 2015
On 10/31/2014 02:47 PM, Marcelo Donato wrote:
>
> Below the solution. Resolved by "Alon Bar-Lev" <alonbl at redhat.com>
>
> 1. install ovirt-engine-extension-aaa-ldap, it is available in the
> ovirt-3.5-snapshots repository.
>
> 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties
>
> ovirt.engine.extension.name = din-intranet-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>
> 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties
>
> ovirt.engine.extension.name = din-intranet-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = din.intranet
> ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>
> 4. create /etc/ovirt-engine/aaa/din.intranet.properties
>
> include = <ipa.properties>
>
> vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
> vars.password = 123456
> vars.server = ipa1.din.intranet
>
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> 5. restart engine.
>
>
> Thanks a lot Alon.
Thanks for this, saved me some time!
Just a couple of additions: please hash the password with SSHA (I really
hate plain text admin passwords...)
I tried putting an {SSHA} encoded password in "vars.password =", but it
fails to authenticate while plain text works fine.
For people with multiple ipa replicas I guess you need to use a
round robin configuration:
vars.server1 = ipa1.din.intranet
vars.server2 = ipa2.din.intranet
pool.default.serverset.type = round-robin
pool.default.serverset.round-robin.1.server = ${global:vars.server1}
pool.default.serverset.round-robin.2.server = ${global:vars.server2}
instead of
vars.server = ipa1.din.intranet
pool.default.serverset.single.server = ${global:vars.server}
But I still have to test that as our second replica is down at the moment.
Also, can we get rid of the internal admin, or better just disable
internal authentication without problems? As we have ipa we don't want
local login enabled, but in emergency situations we might need to turn
it on quickly.
Kind regards,
With kind regards,
Jorick Astrego
Netbulae Virtualization Experts
----------------
Tel: 053 20 30 270 info at netbulae.eu Staalsteden 4-3A KvK 08198180
Fax: 053 20 30 271 www.netbulae.eu 7547 TA Enschede BTW NL821234584B01
----------------
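An added sanity check for the wiring described in this thread (my own example, not code from the thread or from ovirt-engine-extension-aaa-ldap): it parses the authn, authz and profile properties files, expands the `${global:...}` variables, lists the servers a single or round-robin serverset will use, and flags the mistakes that are easy to make by hand (authn pointing at the wrong authz name, the two extensions referencing different profile files, an unresolved variable, and a bind password left in the file, which is what Jorick's SSHA question is about). The key names are taken from the thread; the file contents below are constructed samples.

```python
import re
# Constructed sample files modelled on this thread's, in Jorick's round-robin form.
AUTHN = """\
ovirt.engine.extension.name = din-intranet-authn
ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
"""
AUTHZ = """\
ovirt.engine.extension.name = din-intranet-authz
config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
"""
PROFILE = """\
vars.password = 123456
vars.server1 = ipa1.din.intranet
vars.server2 = ipa2.din.intranet
pool.default.serverset.type = round-robin
pool.default.serverset.round-robin.1.server = ${global:vars.server1}
pool.default.serverset.round-robin.2.server = ${global:vars.server2}
pool.default.auth.simple.password = ${global:vars.password}
"""
VAR_RE = re.compile(r"\$\{global:([^}]+)\}")

def parse_props(text):
    """Minimal 'key = value' parser; blank lines and '#' comments are skipped."""
    lines = [l.strip() for l in text.splitlines()]
    return dict((k.strip(), v.strip()) for k, _, v in
                (l.partition("=") for l in lines if l and not l.startswith("#")))

def resolve(props):
    """Expand ${global:key} references against keys of the same file."""
    return {k: VAR_RE.sub(lambda m: props.get(m.group(1), m.group(0)), v)
            for k, v in props.items()}

def servers(profile):
    """LDAP servers the pool will use, for a single or round-robin serverset."""
    p = resolve(profile)
    prefix = f"pool.default.serverset.{p.get('pool.default.serverset.type', 'single')}."
    return [v for k, v in sorted(p.items()) if k.startswith(prefix) and k.endswith(".server")]

def check(authn, authz, profile):
    """Cross-check the three files the way the engine wires them together."""
    p, findings = resolve(profile), []
    if authn.get("ovirt.engine.aaa.authn.authz.plugin") != authz.get("ovirt.engine.extension.name"):
        findings.append("authn authz.plugin does not match the authz extension name")
    if authn.get("config.profile.file.1") != authz.get("config.profile.file.1"):
        findings.append("authn and authz reference different profile files")
    findings += [f"unresolved variable in {k}" for k, v in p.items() if VAR_RE.search(v)]
    if p.get("pool.default.auth.simple.password"):
        findings.append("bind password stored in clear text; keep the file readable by the engine user only")
    return findings
```

The simple-bind password has to reach the server as the actual credential, so the practical mitigation is file ownership and mode on the profile file rather than hashing the value.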