[ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join

Cristian Mammoli c.mammoli at apra.it
Fri Oct 30 19:48:04 UTC 2015


As long as I used engine-manage-domains, SSO with the spice client worked fine:
the user logs in to the user portal, clicks on a VM and gets logged in to the
Windows VM.

With ovirt-engine-extension-aaa-ldap, configured with
ovirt-engine-extension-aaa-ldap-setup, the SSO didn't work. The VM says
I tried to login with an invalid username or password.

After enabling audit logs in the VM I see that the spice client tries
to log in as

user at domain-authz

I changed "ovirt.engine.extension.name" from "domain-authz" to "domain" in
"/etc/ovirt-engine/extensions.d/domain.net-authz.properties"

and "ovirt.engine.aaa.authn.authz.plugin" from "domain-authz" to "domain" in
"/etc/ovirt-engine/extensions.d/domain-authn.properties"

And now SSO works fine

Is it the correct way to go??

On 30/10/2015 20:37, Alon Bar-Lev wrote:
> What do you mean?
> Maybe the password delegation into the virtual machine?
> If engine does not know the password, it cannot delegate it to virtual machine.
> Solution is described here[1], so far no resources were allocated.
>
> [1] http://www.ovirt.org/Features/SSO
>
> ----- Original Message -----
>> From: "Cristian Mammoli" <c.mammoli at apra.it>
>> To: "Shahar Havivi" <shaharh at redhat.com>, "Alon Bar-Lev" <alonbl at redhat.com>
>> Cc: "users" <users at ovirt.org>
>> Sent: Friday, October 30, 2015 9:33:02 PM
>> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
>>
>> It works fine, but it kills SSO as user...
>>
>> Poking in the Windows logs I see a failed login as:
>>
>> myuser at mydomain.tld-authz !!
>>
>> On 27/10/2015 11:51, Shahar Havivi wrote:
>>> On 27.10.15 05:25, Alon Bar-Lev wrote:
>>>> yes, you should probably only customize: $JoinDomain$,
>>>> $DomainAdminPassword$, $DomainAdmin$
>>>> maybe, not sure: $JoinDomain$, $MachineObjectOU$
>>>> the rest should be the same as any other.
>>> Please make sure that the file is the full sysprep file, such as you can
>>> find in /packaging/conf/sysprep/sysprep.w7, which is a Windows 7 sysprep file.
>>> You can leave the variables such as $OrgName$, which will be replaced (except
>>> for the variables that Alon mentioned, which were the original problem).
>>>
>>>> ----- Original Message -----
>>>>> From: "Cristian Mammoli" <c.mammoli at apra.it>
>>>>> To: "Shahar Havivi" <shaharh at redhat.com>, "Alon Bar-Lev"
>>>>> <alonbl at redhat.com>
>>>>> Cc: "users" <users at ovirt.org>
>>>>> Sent: Tuesday, October 27, 2015 11:19:02 AM
>>>>> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep
>>>>> domain join
>>>>>
>>>>> So just pasting there the contents of a modified
>>>>> /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should
>>>>> work right?
>>>>>
>>>>> The variables like '![CDATA[$OrgName$' will be replaced?
>>>>>
>>>>> On 26/10/2015 12:43, Shahar Havivi wrote:
>>>>>> On 26.10.15 06:23, Alon Bar-Lev wrote:
>>>>>>> Hi,
>>>>>>> The usage of the engine-manage-domains user for anything else but LDAP
>>>>>>> searches is something that is unexpected and insecure.
>>>>>>> As a solution, you may either paste a modified sysprep file into the
>>>>>>> pool at UI or set up a different osinfo profile with a modified sysprep
>>>>>>> file; this modified sysprep file can contain the credentials of the user
>>>>>>> that is being used for joining the domain.
>>>>>>> CCing Shahar, who may assist further.
>>>>>> Hi,
>>>>>> You can paste a modified sysprep file to "new Pool"->"Initial
>>>>>> run"->"Custom Script", as Alon mentioned.

-- 
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)
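As an added example (not code from the thread or from the oVirt project), a small Python checker for the mismatch the thread traced: the guest saw logins as `user@<authz extension name>`, so an authz extension named `domain-authz` breaks SSO for the Windows domain `domain`. The property file contents are constructed to mirror the two files edited above, the key names are the ones quoted in the thread, and the expected domain is an assumption supplied by the caller.

```python
"""Consistency check for oVirt aaa-ldap extension names (added example).

The property texts below are constructed to mirror the thread; only the
keys the thread quotes are included, so the check runs offline.
"""
from typing import Dict, List

# Constructed sample: the files as ovirt-engine-extension-aaa-ldap-setup wrote them.
AUTHZ_BEFORE = "ovirt.engine.extension.name = domain-authz\n"
AUTHN_BEFORE = (
    "ovirt.engine.extension.name = domain-authn\n"
    "ovirt.engine.aaa.authn.authz.plugin = domain-authz\n"
)
# The same files after the renaming described in the thread.
AUTHZ_AFTER = "ovirt.engine.extension.name = domain\n"
AUTHN_AFTER = (
    "ovirt.engine.extension.name = domain-authn\n"
    "ovirt.engine.aaa.authn.authz.plugin = domain\n"
)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: 'key = value' lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def sso_principal(user: str, authz_name: str) -> str:
    """Principal the guest receives, per the thread's observation (assumption:
    the authz extension name is used verbatim as the domain part)."""
    return f"{user}@{authz_name}"


def check_sso_naming(authn_text: str, authz_text: str, expected_domain: str) -> List[str]:
    """Return human-readable findings; an empty list means the names line up."""
    authn = parse_properties(authn_text)
    authz = parse_properties(authz_text)
    authz_name = authz.get("ovirt.engine.extension.name", "")
    plugin_ref = authn.get("ovirt.engine.aaa.authn.authz.plugin", "")
    findings: List[str] = []
    if plugin_ref != authz_name:
        findings.append(f"authn refers to authz '{plugin_ref}' but authz is named '{authz_name}'")
    if authz_name != expected_domain:
        findings.append(f"authz name '{authz_name}' differs from domain '{expected_domain}'; "
                        f"guest login would be {sso_principal('user', authz_name)}")
    return findings
```

Run `check_sso_naming(AUTHN_BEFORE, AUTHZ_BEFORE, "domain")` to reproduce the failing case and the `_AFTER` pair to confirm the renamed configuration is consistent.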