[ovirt-users] Active Directory (LDAP) user auth is slow

Karli Sjöberg karli.sjoberg at slu.se
Thu Mar 24 15:13:26 UTC 2016


Sorry about the thread-breakage, OWA...
________________________________________
From: Ondra Machacek <omachace at redhat.com>
Sent: 24 March 2016 15:08
To: Karli Sjöberg
Cc: Martin Perina; Will Dennis; users
Subject: Re: [ovirt-users] Active Directory (LDAP) user auth is slow

On 03/24/2016 03:02 PM, Karli Sjöberg wrote:
>
> On 24 March 2016 13:49, Ondra Machacek <omachace at redhat.com> wrote:
>  >
>  > Hi,
>  >
>  > if you remove a user, then the permissions of that user to VMs will
>  > also be removed.
>  > And yes, you will have to add all those permissions back to users from
>  > the new profile.
>  >
>  > But you can try the migration tool [1] to migrate all users to the new
>  > AAA profile.
>  > If you have any problem with it, you can ask.
>
> Ehm, how do you install it? (el6)

yum install -y https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases/download/ovirt-engine-kerbldap-migration-1.0.4/ovirt-engine-kerbldap-migration-1.0.4-1.el6ev.noarch.rpm

That worked, plus the migration, but can't log in since our domain is called like 'baz.foo.bar' but our users' userPrincipalName are just 'user at foo.bar'. How do you configure that with aaa?

/K

>
> /K
>
>  >
>  > Ondra
>  >
>  > [1]
>  >
> https://github.com/machacekondra/ovirt-engine-kerbldap-migration/blob/master/README.md
>  >
>  > On 03/24/2016 01:06 PM, Will Dennis wrote:
>  > > In the RHEV Admin Guide that Martin mentioned, it says:
>  > >
>  > > "Log in to the Administration Portal, and remove all users and
>  > > groups related to the old profile. Users defined in the removed domain
>  > > will no longer be able to authenticate with the Red Hat Enterprise
>  > > Virtualization Manager. The entries for the affected users will remain
>  > > defined in the Red Hat Enterprise Virtualization Manager until they are
>  > > explicitly removed from the Administration Portal."
>  > >
>  > > I have some VMs running under some AD domain users; if I remove the
>  > > users from the system as above, will I need to remove them from the VM
>  > > permissions, or is that cleaned up as well? And I guess I’ll need to
>  > > manually re-add the perms back after the new directory config is in
>  > > place? Please advise.
>  > >
>  > > Thanks,
>  > > Will
>  > >
>  > > On Mar 21, 2016, at 4:29 AM, Martin Perina <mperina at redhat.com> wrote:
>  > >
>  > > On Mon, Mar 21, 2016 at 8:20 AM, Yedidyah Bar David <didi at redhat.com> wrote:
>  > > On Mon, Mar 21, 2016 at 4:47 AM, Will Dennis <wdennis at nec-labs.com> wrote:
>  > >> Hi all,
>  > >>
>  > >> I have enabled Active Directory authentication for the users in
>  > >> oVirt (via engine-manage-domains command using --provider=ad) and,
>  > >> although it works, it takes about ~50 sec’s to process a login. I have
>  > >> other OSS software that utilizes AD auth, and there is no such lag when
>  > >> processing logins, so I’m guessing it’s a problem with the oVirt
>  > >> implementation… Any way to debug why the auth process is taking so long?
>  > >
>  > > This is an old, unmaintained component. You should use the new
>  > > aaa-ldap one.
>  > > Search the list archives for "aaa-ldap" and/or read the README file
>  > > in the sources [1]. Best,
>  > >
>  > > [1]
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README
>  > >
>  > > You could also take a look at RHEV 3.6 Administration Guide,
>  > > chapter 13 Users and Roles [2]
>  > > where you can find detailed steps for common configurations.
>  > >
>  > > Martin Perina
>  > >
>  > > [2]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/chap-Users_and_Roles.html
>  > >
>  > >
>  > >
>  > >>
>  > >> Will
>  > >> _______________________________________________
>  > >> Users mailing list
>  > >> Users at ovirt.org<mailto:Users at ovirt.org>
>  > >> http://lists.ovirt.org/mailman/listinfo/users
>  > >
>  > >
>  > >
>  > > --
>  > > Didi
>
