[ovirt-users] AAA LDAP Authentication

Alon Bar-Lev alonbl at redhat.com
Tue May 5 21:54:46 UTC 2015


Blank suggests that there is an initialization error.

please attach (do not paste) the ldap profile, extension properties and engine.log.

I may need the debug log as well, but let's start with this.

----- Original Message -----
> From: "David Smith" <dsmith at mypchelp.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "users" <users at ovirt.org>
> Sent: Wednesday, May 6, 2015 12:49:09 AM
> Subject: Re: [ovirt-users] AAA LDAP Authentication
> 
> I added that to the end, since there wasn't any reference on it as to where
> to put it.
> I restarted the engine and didn't notice any changes; the namespace still
> reads the same as before, and no users show up.
> Note that the field to the right of namespace is blank, whereas with
> "internal" or our other pre-AAA LDAP config it shows "*" and can be changed
> to a username as a filter; in this case it doesn't allow me to enter
> anything.
> 
> On Tue, May 5, 2015 at 2:34 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
> 
> >
> > I am beginning to understand... although I cannot figure out how login works
> > while search does not.
> >
> > Anyway, try to add this to your profile:
> >
> > sequence-init.init.900-local-init-vars = local-init-vars
> > sequence.local-init-vars.010.description = override name space
> > sequence.local-init-vars.010.type = var-set
> > sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
> > sequence.local-init-vars.010.var-set.value = cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> > sequence.local-init-vars.020.description = apply filter to users
> > sequence.local-init-vars.020.type = var-set
> > sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
> > sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)
> > sequence.local-init-vars.030.description = apply filter to groups
> > sequence.local-init-vars.030.type = var-set
> > sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
> > sequence.local-init-vars.030.var-set.value = ${seq:simple_filterGroupObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)
> >
> >
> > ----- Original Message -----
> > > From: "David Smith" <dsmith at mypchelp.com>
> > > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > > Cc: "users" <users at ovirt.org>
> > > Sent: Wednesday, May 6, 2015 12:17:59 AM
> > > Subject: Re: [ovirt-users] AAA LDAP Authentication
> > >
> > > I can log into ovirt, I can see the profile, it doesn't throw any errors.
> > > However, it doesn't display any users. This is because the automatic rootDN
> > > is wrong.
> > > oVirt shows "Namespace: dc=corp, dc=ft, dc=com"; if this is the search base,
> > > it actually needs to be cn=users, cn=accounts, dc=corp, dc=ft, dc=com.
> > > Hence my desire to configure rootDN.
> > >
> > > Then, I also want to filter based on the above (sorry, the traffic part was
> > > a comment from testlink; the line should be)
> > > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)';
> > > That filter is what makes sure the results only show users in the specific
> > > group I want to give access to.
> > >
> > > Thanks,
> > > David
> > >
> > > On Tue, May 5, 2015 at 2:08 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > So your configuration is working, you just want to filter users?
> > > >
> > > > I do not follow what the organization filter is.
> > > >
> > > > > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; // e.g.
> > > > > '(organizationname=*Traffic)'
> > > >
> > > > It looks to me that you want to narrow the results based on a specific
> > > > attribute value.
> > > >
> > > > But first you should confirm that all is working for you; only then can we
> > > > start customizing the provider to meet your special needs.
> > > >
> > > > Thanks,
> > > > Alon.
> > > >
> > > > ----- Original Message -----
> > > > > From: "David Smith" <dsmith at mypchelp.com>
> > > > > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > > > > Cc: "users" <users at ovirt.org>
> > > > > Sent: Wednesday, May 6, 2015 12:01:28 AM
> > > > > Subject: Re: [ovirt-users] AAA LDAP Authentication
> > > > >
> > > > > Hi Alon,
> > > > >
> > > > > Thanks for the quick reply.
> > > > > openldap works fine; I use it with testlink (as shown in the example
> > > > > config). We're not using Active Directory, just LDAP. The example config
> > > > > I provided is fully inclusive of all configuration required for "testlink"
> > > > > to use LDAP. I also have jenkins and mantis configured using the same
> > > > > parameters (although their terminology on where to enter the parameters
> > > > > is varied, they use all the same information).
> > > > >
> > > > > The rootDSE is being determined automatically; however, for my use it's
> > > > > wrong and needs to be provided manually. Again, I have no control over
> > > > > this. It's a company-wide configuration that won't be changed just for me.
> > > > >
> > > > > How would I be able to specify the organization filter line if I added
> > > > > some other include directive of whatever driver? I don't even understand
> > > > > what you're saying, exactly. Not all ovirt users/managers are programming
> > > > > experts.
> > > > >
> > > > > I use LDAPS because that's what my company supports. StartTLS is NOT
> > > > > supported (as I stated). Silly on their part, right?
> > > > >
> > > > > Thanks,
> > > > > David
> > > > >
> > > > > On Tue, May 5, 2015 at 1:18 PM, Alon Bar-Lev <alonbl at redhat.com>
> > wrote:
> > > > >
> > > > > > Hello,
> > > > > >
> > > > > > Resources include sysadmin documentation[1], integrator documentation[2],
> > > > > > overview[3], examples[4].
> > > > > >
> > > > > > You did not specify what LDAP vendor it is.
> > > > > >
> > > > > > I can guess your directory is Active Directory, hence all you need to do
> > > > > > is follow the "QUICK START"[5].
> > > > > >
> > > > > > The rootDSE is determined automatically; all you need is to provide a
> > > > > > valid user and password.
> > > > > >
> > > > > > What you are missing in your configuration is the include directive of the
> > > > > > proper driver.
> > > > > > Not sure why you use LDAPS and not LDAP with startTLS; startTLS is more
> > > > > > flexible and should be used unless there is an issue.
> > > > > >
> > > > > > Alon
> > > > > >
> > > > > > [1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> > > > > > [2] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
> > > > > > [3] http://www.ovirt.org/Features/AAA
> > > > > > [4] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
> > > > > > [5] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "David Smith" <dsmith at mypchelp.com>
> > > > > > > To: "users" <users at ovirt.org>
> > > > > > > Sent: Tuesday, May 5, 2015 11:09:25 PM
> > > > > > > Subject: [ovirt-users] AAA LDAP Authentication
> > > > > > >
> > > > > > > I'm trying to set up the new 3.5 AAA LDAP Auth, but it's lacking some
> > > > > > > serious detail in documentation; the rest I can find is
> > > > > > > java-programmer-oriented docs only:
> > > > > > >
> > > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git
> > > > > > >
> > > > > > > Here's a sample config (sanitized) that I need to adapt to ovirt; *I
> > > > > > > HAVE NO control over the LDAP server.
> > > > > > >
> > > > > > > So far I've managed to figure out through search after search to use
> > > > > > > LDAPS (TLS isn't an option, thanks!)
> > > > > > > Two parts I can't figure out: setting rootDN and setting the organization
> > > > > > > filter-- members of that particular organization should have access to
> > > > > > > ovirt, and none others.
> > > > > > >
> > > > > > > vars.server = directory.ft.com
> > > > > > >
> > > > > > > #
> > > > > > > # Search user and its password.
> > > > > > > #
> > > > > > > vars.user = uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> > > > > > > vars.urootdn = cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> > > > > > > vars.password = Ft######
> > > > > > >
> > > > > > > pool.default.serverset.single.server = ${global:vars.server}
> > > > > > > pool.default.serverset.single.port = 636
> > > > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > > > > pool.default.auth.simple.rootDN = ${global:vars.urootdn}
> > > > > > > pool.default.auth.simple.password = ${global:vars.password}
> > > > > > >
> > > > > > > # enable SSL
> > > > > > > pool.default.ssl.enable = true
> > > > > > > #pool.default.ssl.insecure = false
> > > > > > >
> > > > > > > # Create keystore, import certificate chain and uncomment
> > > > > > > # if using ssl/tls.
> > > > > > > #pool.default.ssl.startTLS = true
> > > > > > > pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
> > > > > > > pool.default.ssl.truststore.password = changeit
> > > > > > >
> > > > > > >
> > > > > > > Example config from testlink:
> > > > > > > $tlCfg->authentication['method'] = 'LDAP';
> > > > > > >
> > > > > > > /** LDAP authentication credentials */
> > > > > > > $tlCfg->authentication['ldap_server'] = 'ldaps://directory.ft.com';
> > > > > > > $tlCfg->authentication['ldap_port'] = '636';
> > > > > > > $tlCfg->authentication['ldap_version'] = '3';
> > > > > > > $tlCfg->authentication['ldap_root_dn'] = 'cn=users,cn=accounts,dc=corp,dc=ft,dc=com';
> > > > > > > $tlCfg->authentication['ldap_bind_dn'] = 'uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com';
> > > > > > > $tlCfg->authentication['ldap_bind_passwd'] = 'Ft######';
> > > > > > > $tlCfg->authentication['ldap_tls'] = false; // true -> use tls
> > > > > > > $tlCfg->authentication['ldap_organization'] = '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; // e.g. '(organizationname=*Traffic)'
> > > > > > > $tlCfg->authentication['ldap_uid_field'] = 'uid'; // Use 'sAMAccountName' for Active Directory
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> 
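As an added, runnable illustration (not code from the aaa-ldap project or from anyone in the thread), the following Python resolves the profile fragment Alon suggests above the way its `${global:KEY}` and `${seq:VAR}` references read, then checks that the composed filters are well-formed concatenations of RFC 4515 items. Assumptions, all made here and not taken from the page: the starting values in `BASE_SEQ_VARS` for `simple_namespaceDefault`, `simple_filterUserObject` and `simple_filterGroupObject` are stand-ins for whatever the included base profile defines; the namespace step takes its value from David's `vars.urootdn` instead of repeating the DN literally; `lookup_filter` is the textbook AND-composition of the user filter with a uid match, not the engine's own template; the password is a placeholder and the `description` keys are omitted.

```python
"""Resolve aaa-ldap style var-set steps and sanity-check the resulting LDAP
filters. Added illustration; mimics only the ${global:KEY} / ${seq:VAR}
substitution and sequence.<name>.<NNN>.var-set keys seen in the thread."""
import re

# Constructed input: David's vars/pool lines plus Alon's suggested sequence.
PROFILE = """
vars.server = directory.ft.com
vars.user = uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com
vars.urootdn = cn=users,cn=accounts,dc=corp,dc=ft,dc=com
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
sequence-init.init.900-local-init-vars = local-init-vars
sequence.local-init-vars.010.type = var-set
sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
sequence.local-init-vars.010.var-set.value = ${global:vars.urootdn}
sequence.local-init-vars.020.type = var-set
sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)
sequence.local-init-vars.030.type = var-set
sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
sequence.local-init-vars.030.var-set.value = ${seq:simple_filterGroupObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)
"""

# Assumed starting values: stand-ins for what the included base profile sets.
BASE_SEQ_VARS = {
    "simple_namespaceDefault": "dc=corp,dc=ft,dc=com",
    "simple_filterUserObject": "(objectClass=inetOrgPerson)",
    "simple_filterGroupObject": "(objectClass=groupOfNames)",
}

_REF = re.compile(r"\$\{(global|seq):([^}]+)\}")


def parse_properties(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def expand(value, props, seq_vars):
    """Substitute ${global:KEY} from the profile and ${seq:VAR} from the
    sequence state; ${local:...} is left as-is. Unknown names raise."""
    def repl(m):
        scope, name = m.groups()
        table = props if scope == "global" else seq_vars
        if name not in table:
            raise KeyError(f"unresolved ${{{scope}:{name}}}")
        return table[name]
    return _REF.sub(repl, value)


def run_var_set_sequence(props, seq_name, seq_vars):
    """Apply one sequence's var-set steps in numeric step order."""
    state = dict(seq_vars)
    prefix = f"sequence.{seq_name}."
    steps = {k[len(prefix):].split(".", 1)[0] for k in props if k.startswith(prefix)}
    for step in sorted(steps, key=int):
        base = f"{prefix}{step}."
        if props.get(base + "type") != "var-set":
            continue  # other step types are not modelled
        state[props[base + "var-set.variable"]] = expand(
            props[base + "var-set.value"], props, state)
    return state


def resolve_profile(text, base_seq_vars=BASE_SEQ_VARS):
    """Run every sequence named under sequence-init.init.* (key order assumed)
    and expand the pool.* settings."""
    props = parse_properties(text)
    seq_vars = dict(base_seq_vars)
    for key in sorted(k for k in props if k.startswith("sequence-init.init.")):
        seq_vars = run_var_set_sequence(props, props[key], seq_vars)
    pool = {k: expand(v, props, seq_vars) for k, v in props.items() if k.startswith("pool.")}
    return {"pool": pool, "seq": seq_vars}


def filter_items(filter_text):
    """Split '(a=b)(c=d)' into top-level RFC 4515 items; raise on stray text or
    unbalanced parens (parens inside values must be escaped as \\28/\\29, so
    every literal '(' and ')' here is structural)."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(filter_text):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')'")
            if depth == 0:
                items.append(filter_text[start:i + 1])
        elif depth == 0 and not ch.isspace():
            raise ValueError(f"text outside filter item at {i}: {ch!r}")
    if depth != 0:
        raise ValueError("unclosed '('")
    return items


def filter_is_valid(filter_text):
    try:
        return bool(filter_items(filter_text))
    except ValueError:
        return False


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a filter, e.g. a typed
    username; an unescaped '*' or ')' would change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def lookup_filter(user_object_filter, uid):
    """AND the (possibly multi-item) user filter with a uid match. Assumed
    textbook composition, not the engine's own template."""
    return f"(&{user_object_filter}(uid={escape_filter_value(uid)}))"


if __name__ == "__main__":
    print(resolve_profile(PROFILE)["seq"])
```

Run stand-alone it prints the three resolved sequence variables; the point to notice is that each `var-set` value that starts with `${seq:...}` appends a second `(attr=value)` item to the existing filter, so the result is only meaningful once wrapped in an `(&...)` such as `lookup_filter` produces, and a typo that leaves a paren unbalanced shows up in `filter_is_valid` before it reaches the directory server.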


