[ovirt-users] oVirt 3.5 and FreeIpa

Jorick Astrego j.astrego at netbulae.eu
Thu Jan 22 12:30:30 UTC 2015


On 01/22/2015 01:13 PM, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Jorick Astrego" <j.astrego at netbulae.eu>
>> To: users at ovirt.org
>> Sent: Thursday, January 22, 2015 2:09:18 PM
>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>>
>>
>> On 01/22/2015 12:59 PM, Alon Bar-Lev wrote:
>>> ----- Original Message -----
>>>> From: "Jorick Astrego" <j.astrego@netbulae.eu>
>>>> To: users@ovirt.org
>>>> Sent: Thursday, January 22, 2015 1:41:40 PM
>>>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
>>>>
>>>>
>>>> On 10/31/2014 02:47 PM, Marcelo Donato wrote:
>>>>
>>>>
>>>>
>>>>
>>>> Below the solution. Resolved by "Alon Bar-Lev" <alonbl@redhat.com>
>>>>
>>>>
>>>> 1. install ovirt-engine-extension-aaa-ldap, it is available in the
>>>> ovirt-3.5-snapshots repository.
>>>>
>>>> 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties
>>>>
>>>> ovirt.engine.extension.name = din-intranet-authz
>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>>>>
>>>> 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties
>>>>
>>>> ovirt.engine.extension.name = din-intranet-authn
>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>>> ovirt.engine.aaa.authn.profile.name = din.intranet
>>>> ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
>>>>
>>>> 4. create /etc/ovirt-engine/aaa/din.intranet.properties
>>>>
>>>> include = <ipa.properties>
>>>>
>>>> vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
>>>> vars.password = 123456
>>>> vars.server = ipa1.din.intranet
>>>>
>>>> pool.default.serverset.single.server = ${global:vars.server}
>>>> pool.default.auth.simple.bindDN = ${global:vars.user}
>>>> pool.default.auth.simple.password = ${global:vars.password}
>>>>
>>>> 5. restart engine.
>>>>
>>>>
>>>> Thanks a lot Alon.
>>>>
>>>>
>>>>
>>>> Thanks for this, saved me some time!
>>>>
>>>> Just a couple of additions: please hash the password with SSHA (I really
>>>> hate plain text admin passwords...)
>>>> I tried putting an {SSHA} encoded password in " vars.password =" , but it
>>>> fails to authenticate while plain text works fine.
>>> I am unsure I understand.
>>> Using a hash to store the password hint at the server side makes sense,
>>> but using a hash to store the password at the client side does not make sense; this
>>> means that if I get the server database I can authenticate as any user
>>> without knowing his password.
>>>
>>> Also, please note that the user you specify within configuration should not
>>> have any special privilege but to query public objects within ldap.
>> I don't like storing plain text in textfiles, so I try to avoid it. Even
>> if it is a read only user there are no "public" objects that I like to
>> expose to anyone. I can query groups, group members, e-mail addresses,
>> krbPasswordExpiration, krbLastPwdChange etc. with this user.
>>
>> So that's why I try to have the bind user password hashed in the
>> properties file.
> as I wrote above, storing hash instead of password does not enhance security.
> it is the same as if you just set the user's password to the hash.

Ah yes, silly me. You are absolutely right. It has been such a long
habit... But it does help when people intercept the traffic. Does the
ldap plugin send it hashed to the ldap server?

I think FreeIPA supports salted sha512 but I'm not entirely sure.

You'll probably say that I need to enable TLS, but there have been many
weaknesses in SSL and MITM issues. So more is always better from a
security perspective.

Met vriendelijke groet, With kind regards,

Jorick Astrego

Netbulae Virtualization Experts 

----------------

Tel: 053 20 30 270    info at netbulae.eu    Staalsteden 4-3A    KvK 08198180
Fax: 053 20 30 271    www.netbulae.eu       7547 TA Enschede    BTW NL821234584B01

----------------
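The thread settles on three points: a hashed value in vars.password is just another usable credential (the engine sends it as-is in the simple bind), the bind account should be a lookup-only user rather than admin, and the only thing that keeps the password off the wire is TLS. The script below is an added example, not oVirt project code and not from any poster in this thread. It parses the profile format shown in step 4 (key = value, include, ${global:...} references) and reports those three conditions plus a file-permission check. The TLS keys it looks for (pool.default.ssl.startTLS, pool.default.ssl.enable, pool.default.ssl.truststore.file) are the ones the aaa-ldap extension documents; treat their names as an assumption if your version differs.

```python
"""Audit an ovirt-engine-extension-aaa-ldap profile for credential handling.

Added example, not part of the oVirt project. Reads the profile format used
in the thread and flags: a "hashed" bind password (which is still a plaintext
credential), an admin bind DN, a simple bind with no TLS, TLS with no
truststore, and a world-readable profile file.
"""
import re
import stat
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample: the step-4 profile from the thread, verbatim.
SAMPLE_PROFILE = """\
include = <ipa.properties>

vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
vars.password = 123456
vars.server = ipa1.din.intranet

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
"""

_REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blanks and '#' comments are skipped.
    The include line is recorded but not followed (the bundled
    ipa.properties carries search templates, not credentials)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split at the first '='
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve(props: Dict[str, str], key: str) -> Optional[str]:
    """Expand ${global:name} references as the profile in the thread does."""
    value = props.get(key)
    if value is None:
        return None
    for _ in range(10):  # bounded so a reference loop cannot hang us
        new = _REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value


def audit(props: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    bind_dn = resolve(props, "pool.default.auth.simple.bindDN") or ""
    password = resolve(props, "pool.default.auth.simple.password")

    # Alon's point: a hash stored here is sent verbatim, so it IS the password.
    if password is not None and password.startswith("{"):
        findings.append("bind password looks like a stored hash: the engine "
                        "sends it as-is in the simple bind, so it is a "
                        "plaintext credential with no added protection")

    # Alon's other point: bind with a lookup-only account, not the admin.
    if re.search(r"(^|,)uid=admin(,|$)", bind_dn, re.IGNORECASE):
        findings.append("bind DN is the directory admin account; use a "
                        "dedicated read-only service account")

    # Jorick's concern: without TLS the simple bind crosses the wire in clear.
    # Key names below are assumed from the extension's documentation.
    starttls = props.get("pool.default.ssl.startTLS", "false").lower() == "true"
    ldaps = props.get("pool.default.ssl.enable", "false").lower() == "true"
    if password is not None and not (starttls or ldaps):
        findings.append("simple bind password configured without "
                        "pool.default.ssl.startTLS or pool.default.ssl.enable: "
                        "credential is sent in clear text")
    if (starttls or ldaps) and "pool.default.ssl.truststore.file" not in props:
        findings.append("TLS enabled without pool.default.ssl.truststore.file: "
                        "server certificate is not pinned to a known CA")
    return findings


def audit_file(path: Path) -> List[str]:
    """Audit a profile on disk and add a permission check: the file holds a
    live credential, so it should be readable by the engine user only."""
    findings = audit(parse_profile(path.read_text()))
    mode = path.stat().st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path} is readable by group/others "
                        f"({stat.filemode(mode)}); restrict to the engine user")
    return findings


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for f in (audit_file(target) if target else audit(parse_profile(SAMPLE_PROFILE))):
        print("-", f)
```

Run it with no arguments to audit the sample from the thread (it reports the admin bind DN and the missing TLS), or pass the path of a real profile under /etc/ovirt-engine/aaa/ to include the permission check.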
