[ovirt-users] LDAP Authentication

Daniel Helgenberger daniel.helgenberger at m-box.de
Tue Sep 22 15:14:50 UTC 2015


Hello Budur,

I've done this recently. Alon, no offense, but the docs are not quite straightforward...

Requirements:
 - LDAP server (obviously) - called here ldap.mydomain.com
 - LDAP bind account - called here ldap@mydomain.com, password 'Passw@rd'
 - At least one existing account in LDAP, called user@mydomain.com

Please note, the most common issue will be DNS.

I'll describe in short what steps need to be taken. All this needs to be done on your engine host. In the end this was quite easy :)

1. Install the packages: ovirt-engine-extension-aaa-ldap and openldap-clients (these are only for testing your setup)
2. Test if ldap is working in general. (The extension uses the global catalog at least for AD, this was news to me):
  # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
      -D 'ldap@mydomain.com' -w 'Passw@rd' -b '' '(userPrincipalName=user@mydomain.com)' cn userPrincipalName

  If this command does not return details of the user, do debug your ldap and continue once this works. Example:

# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (userPrincipalName=user@mydomain.com)
# requesting: cn userPrincipalName
# with pagedResults control: size=1024
#

# Some Name, some-ou, mydomain.com
dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
cn: Some Name
userPrincipalName: user@mydomain.com

# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
pagedresults: cookie=

# numResponses: 2
# numEntries: 1


3. Copy the examples as mentioned from the readme.
4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is.
5. There, set:

  vars.domain = ldap.mydomain.com
  vars.user = ldap@${global:vars.domain}
  vars.password = Passw@rd

6. Restart ovirt engine service
7. Log in as admin@internal and add user rights and roles from the new provider

Hope this helps.

On 22.09.2015 16:46, Budur Nagaraju wrote:
> 
> below are the three files which I have modified.
> 
> 
> [root at cstlb2 extensions.d]# cat profile1-authn.properties
> ovirt.engine.extension.name = cloudspin-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = cloudspin
> ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
> config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> 
> 
> [root at cstlb2 extensions.d]# ls
> profile1-authn.properties  profile1-authz.properties
> [root at cstlb2 extensions.d]# cat profile1-authz.properties
> ovirt.engine.extension.name = cloudspin-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> [root at cstlb2 extensions.d]#
> 
> 
> 
> [root at cstlb2 aaa]# pwd
> /etc/ovirt-engine/aaa
> [root at cstlb2 aaa]# ls
> ldap1.properties
> [root at cstlb2 aaa]# cat ldap1.properties
> #
> # Select one
> #
> include = <openldap.properties>
> #include = <389ds.properties>
> #include = <rhds.properties>
> #include = <ipa.properties>
> #include = <iplanet.properties>
> #include = <rfc2307.properties>
> #include = <rfc2307-openldap.properties>
> 
> #
> # Server
> #
> vars.server = my.abc.net
> 
> #
> # Search user and its password.
> #
> vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
> vars.password = company
> 
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> 
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
> #pool.default.ssl.truststore.password = changeit
> [root at cstlb2 aaa]#
> 
> 
> 
> 
> 
> 
> On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
> 
> 
> 
>     ----- Original Message -----
>     > From: "Budur Nagaraju" <nbudoor at gmail.com>
>     > To: "Alon Bar-Lev" <alonbl at redhat.com>
>     > Cc: users at ovirt.org
>     > Sent: Tuesday, September 22, 2015 5:35:16 PM
>     > Subject: Re: [ovirt-users] LDAP Authentication
>     >
>     > It's too complicated, do you have any script or video?
> 
>     in 3.6 we have a setup script.
>     for now:
> 
>     cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
> 
>     this is written in the README.
> 
>     then customize files at /etc/ovirt-engine/extensions.d/*
>     /etc/ovirt-engine/aaa/* to match your setup
> 
>     >
>     >
>     > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>     >
>     > >
>     > >
>     > > ----- Original Message -----
>     > > > From: "Budur Nagaraju" <nbudoor at gmail.com>
>     > > > To: "Alon Bar-Lev" <alonbl at redhat.com>
>     > > > Cc: users at ovirt.org
>     > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
>     > > > Subject: Re: [ovirt-users] LDAP Authentication
>     > > >
>     > > > HI Alon,
>     > > >
>     > > > Below is the configuration which I have done ,but unable to search the
>     > > > users in UI
>     > > > can you pls help me ?
>     > >
>     > > you need three files, see the
>     > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
>     > >
>     > > >
>     > > >
>     > > > [root at cstlb2 aaa]# cat ldap1.properties
>     > > > #
>     > > > # Select one
>     > > > #
>     > > > include = <openldap.properties>
>     > > > #include = <389ds.properties>
>     > > > #include = <rhds.properties>
>     > > > #include = <ipa.properties>
>     > > > #include = <iplanet.properties>
>     > > > #include = <rfc2307.properties>
>     > > > #include = <rfc2307-openldap.properties>
>     > > >
>     > > > #
>     > > > # Server
>     > > > #
>     > > > vars.server = my.abc.net
>     > > >
>     > > > #
>     > > > # Search user and its password.
>     > > > #
>     > > > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
>     > > > vars.password = company1
>     > > >
>     > > > pool.default.serverset.single.server = ${global:vars.server}
>     > > > pool.default.auth.simple.bindDN = ${global:vars.user}
>     > > > pool.default.auth.simple.password = ${global:vars.password}
>     > > >
>     > > > # Create keystore, import certificate chain and uncomment
>     > > > # if using ssl/tls.
>     > > > #pool.default.ssl.startTLS = true
>     > > > #pool.default.ssl.truststore.file =
>     > > > ${local:_basedir}/${global:vars.server}.jks
>     > > > #pool.default.ssl.truststore.password = changeit
>     > > > [root at cstlb2 aaa]#
>     > > >
>     > > >
>     > > >
>     > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>     > > >
>     > > > >
>     > > > >
>     > > > > ----- Original Message -----
>     > > > > > From: "Budur Nagaraju" <nbudoor at gmail.com>
>     > > > > > To: users at ovirt.org
>     > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
>     > > > > > Subject: [ovirt-users] LDAP Authentication
>     > > > > >
>     > > > > > HI All,
>     > > > > >
>     > > > > > Can someone help me in configuring LDAP authentication for Ovirt ?
>     > > > >
>     > > > > Please review:
>     > > > >http://www.ovirt.org/Features/AAA
>     > > > >
>     > > > >
>     > >https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
>     > > > >
>     > > >
>     > >
>     >
> 
> 

-- 
Daniel Helgenberger
m box bewegtbild GmbH

P: +49/30/2408781-22
F: +49/30/2408781-10

ACKERSTR. 19
D-10115 BERLIN


www.m-box.de  www.monkeymen.tv

Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767

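The two checks this thread turns on are step 2 (does ldapsearch actually return the account?) and the state of the properties file (the quoted ldap1.properties leaves the ssl/tls lines commented out, so the search account's password goes to the directory in clear text with a simple bind). The following Python script is an added example, not part of the thread and not a tool shipped by the ovirt-engine-extension-aaa-ldap project: it parses ldapsearch's LDIF output and passes only when exactly one entry carries the expected userPrincipalName, then parses a properties file of the kind quoted above, resolves the `${global:...}` references, and reports a simple bind left without startTLS. The LDIF and properties samples are constructed, and only the keys that appear in this thread are considered.

```python
import base64
import re

# Constructed sample of step 2's ldapsearch output (shape as quoted in the
# thread, not captured from a real server).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (userPrincipalName=user@mydomain.com)
# requesting: cn userPrincipalName
#

# Some Name, some-ou, mydomain.com
dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
cn: Some Name
userPrincipalName: user@mydomain.com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Constructed properties file using only keys seen in this thread; the TLS
# lines are left commented out, exactly as in the quoted ldap1.properties.
SAMPLE_PROPERTIES = """\
include = <openldap.properties>
vars.server = ldap.mydomain.com
vars.user = ldap@mydomain.com
vars.password = Passw@rd
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Return the entries in ldapsearch LDIF output as dicts attr -> [values].

    Comment lines are skipped, folded lines (leading space) are rejoined,
    base64 values ('attr:: ...') are decoded, attribute names are lower-cased
    (LDAP compares them case-insensitively), and blocks without a dn (the
    trailing 'search:'/'result:' block) are dropped.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]


def check_user_lookup(ldif_text, expected_upn):
    """Step 2 pass criterion: exactly one entry carries the UPN searched for."""
    hits = [e for e in parse_ldif(ldif_text)
            if expected_upn.lower() in (v.lower() for v in e.get("userprincipalname", []))]
    return len(hits) == 1


def parse_properties(text):
    """Parse 'key = value' lines and resolve ${global:key} references against
    the same file, as the thread's examples use them; ${local:...} stays as is."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    ref = re.compile(r"\$\{global:([^}]+)\}")
    for _ in range(10):  # bounded loop: references may chain
        changed = False
        for key, value in list(props.items()):
            new = ref.sub(lambda m: props.get(m.group(1), m.group(0)), value)
            if new != value:
                props[key], changed = new, True
        if not changed:
            break
    return props


def bind_review(props):
    """Findings to settle before enabling the profile. A simple bind (DN +
    password) with startTLS still commented out sends the search account's
    password in clear text; startTLS without a truststore skips the keystore
    step the file's own comment calls for. Only keys seen in the thread are
    checked, so an ldaps-only setup would need its own rule."""
    findings = []
    tls = props.get("pool.default.ssl.startTLS", "false").lower() == "true"
    if "pool.default.auth.simple.password" in props and not tls:
        findings.append("simple bind without startTLS: bind password sent in clear text")
    if tls and "pool.default.ssl.truststore.file" not in props:
        findings.append("startTLS enabled but no truststore file configured")
    return findings


if __name__ == "__main__":
    print("user lookup ok:", check_user_lookup(SAMPLE_LDIF, "user@mydomain.com"))
    for finding in bind_review(parse_properties(SAMPLE_PROPERTIES)):
        print("WARNING:", finding)
```

To use it against a real setup, pipe the output of the step 2 ldapsearch command into `check_user_lookup` and feed the profile's properties file to `parse_properties` before restarting the engine; a False from the first or any finding from the second is the point to stop and debug, as step 2 says.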

