[ovirt-users] AAA LDAP Authentication

David Smith dsmith at mypchelp.com
Tue May 5 21:01:28 UTC 2015


Hi Alon,

Thanks for the quick reply.
OpenLDAP works fine; I use it with testlink (as shown in the example
config). We're not using Active Directory, just LDAP. The example config I
provided is fully inclusive of all configuration required for "testlink" to
use LDAP; I also have Jenkins and Mantis configured using the same
parameters (although their terminology on where to enter the parameters
varies, they use all the same information).

The rootDSE is being determined automatically; however for my use it's
wrong and needs to be provided manually. Again, I have no control over
this. It's a company-wide configuration that won't be changed just for me.

How would I be able to specify the organization filter line if I added some
other include directive of whatever driver? I don't even understand what
you're saying, exactly. Not all ovirt users/managers are programming
experts.

I use LDAPS because that's what my company supports. StartTLS is NOT
supported (as I stated). Silly on their part, right?

Thanks,
David

On Tue, May 5, 2015 at 1:18 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:

> Hello,
>
> Resources include sysadmin documentation[1], integrator documentation[2],
> an overview[3], and examples[4].
>
> You did not specify what LDAP vendor it is.
>
> I can guess your directory is Active Directory, hence all you need to do
> is follow the "QUICK START"[5].
>
> The rootDSE is determined automatically, all you need is to provide a
> valid user and password.
>
> What you are missing in your configuration is the include directive of the
> proper driver.
> Not sure why you use LDAPS and not LDAP with startTLS, startTLS is more
> flexible and should be used unless there is an issue.
>
> Alon
>
> [1]
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> [2]
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
> [3] http://www.ovirt.org/Features/AAA
> [4]
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
> [5]
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
>
> ----- Original Message -----
> > From: "David Smith" <dsmith at mypchelp.com>
> > To: "users" <users at ovirt.org>
> > Sent: Tuesday, May 5, 2015 11:09:25 PM
> > Subject: [ovirt-users] AAA LDAP Authentication
> >
> > I'm trying to set up the new 3.5 AAA LDAP Auth, but it's lacking some
> > serious detail in documentation; the rest is java-programmer-oriented
> > docs only, that I can find;
> >
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git
> >
> > Here's a sample config (sanitized) that I need to adapt to ovirt; *I
> > HAVE NO control over the LDAP server.
> >
> > So far I've managed to figure out through search after search to use
> > LDAPS (TLS isn't an option, thanks!)
> > Two parts I can't figure out: setting rootDN and setting the organization
> > filter -- members of that particular organization should have access to
> > ovirt, and none others.
> >
> > vars.server = directory.ft.com
> >
> > #
> > # Search user and its password.
> > #
> > vars.user = uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> > vars.urootdn = cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> > vars.password = Ft######
> >
> > pool.default.serverset.single.server = ${global:vars.server}
> > pool.default.serverset.single.port = 636
> > pool.default.auth.simple.bindDN = ${global:vars.user}
> > pool.default.auth.simple.rootDN = ${global:vars.urootdn}
> > pool.default.auth.simple.password = ${global:vars.password}
> >
> > # enable SSL
> > pool.default.ssl.enable = true
> > #pool.default.ssl.insecure = false
> >
> > # Create keystore, import certificate chain and uncomment
> > # if using ssl/tls.
> > #pool.default.ssl.startTLS = true
> > pool.default.ssl.truststore.file =
> > ${local:_basedir}/${global:vars.server}.jks
> > pool.default.ssl.truststore.password = changeit
> >
> >
> > example config from testlink
> > $tlCfg->authentication['method'] = 'LDAP';
> >
> > /** LDAP authentication credentials */
> > $tlCfg->authentication['ldap_server'] = 'ldaps://directory.ft.com';
> > $tlCfg->authentication['ldap_port'] = '636';
> > $tlCfg->authentication['ldap_version'] = '3';
> > $tlCfg->authentication['ldap_root_dn'] =
> > 'cn=users,cn=accounts,dc=corp,dc=ft,dc=com';
> > $tlCfg->authentication['ldap_bind_dn'] =
> > 'uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com';
> > $tlCfg->authentication['ldap_bind_passwd'] = 'Ft######';
> > $tlCfg->authentication['ldap_tls'] = false; // true -> use tls
> > $tlCfg->authentication['ldap_organization'] =
> > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; // e.g.
> > '(organizationname=*Traffic)'
> > $tlCfg->authentication['ldap_uid_field'] = 'uid'; // Use
> > 'sAMAccountName' for Active Directory
> >
> >
>
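The organization filter from the testlink config above, ANDed with the uid lookup the way a login check would combine them, as an added illustration (my code, not from this thread or from ovirt-engine-extension-aaa-ldap; the user entries are constructed and the evaluator stands in for the directory server):

```python
import re

# Organization filter taken from the testlink config posted in this thread.
ORG_FILTER = "(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: backslash, '*', '(', ')' and NUL become \\XX so a
    typed login name can neither widen the match (wildcard) nor break out
    of the uid assertion into a new filter component."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def user_filter(login: str, uid_field: str = "uid", org_filter: str = ORG_FILTER) -> str:
    """Filter for the login lookup: the uid assertion ANDed with the
    organization restriction, so users outside the organization never match."""
    return "(&(%s=%s)%s)" % (uid_field, escape_filter_value(login), org_filter)

# Minimal evaluator for AND-of-equality filters over constructed entries
# (attribute -> list of values). Demonstration only; a real directory
# server evaluates the filter.
_EQ = re.compile(r"\((\w+)=([^()]*)\)")

def matches(entry: dict, filt: str) -> bool:
    assert filt.startswith("(&") and filt.endswith(")"), "expects (&...)"
    parts = _EQ.findall(filt[2:-1])
    return bool(parts) and all(
        unescape_filter_value(val) in entry.get(attr, []) for attr, val in parts)

# Constructed sample entries (hypothetical users, not from the thread).
ALICE = {"uid": ["alice"],
         "nsRoleDN": ["cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com"]}
BOB = {"uid": ["bob"],
       "nsRoleDN": ["cn=other,cn=accounts,dc=corp,dc=ft,dc=com"]}

if __name__ == "__main__":
    print(user_filter("alice"))
    print(matches(ALICE, user_filter("alice")), matches(BOB, user_filter("bob")))
```

Alice is in the newproductslab role and matches; Bob exists in the directory but is outside the organization and does not, and a wildcard or `)(uid=*` in the login is escaped rather than widening the search.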