Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine

2013-03-12 Thread Jure Kranjc

  
  
Sorry for the late reply.

So I'm testing SIMPLE auth on RHDS LDAP. Setup was made manually by
modifying values in db:
('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword','AdUserId')

When trying to search for a user in webadmin (with admin@internal
login), I noticed that the engine tries to bind as the user defined in
db, but the username is modified to
("uid='usernameFromDB',ou=People,dc=domain,dc=tld"). Looks like
this is hardcoded. Am I missing some other settings in db? Can
this be modified? Otherwise this would require changes in the ldap
structure, which in our case is impossible.

The ear didn't deploy when the username in db included commas (when
trying to add a username like 'cn=xx,ou=system,dc...').
  
  

On 02/28/2013 01:32 PM, Roy Golan wrote:

Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine

2013-02-28 Thread Yair Zaslavsky
Hi Eduardo,
We mainly focus on supporting Kerberos authentication at the moment
Can you switch to kerberos authentication?



- Original Message -
 From: Eduardo Ramos edua...@freedominterface.org
 To: users@ovirt.org
 Sent: Wednesday, February 27, 2013 11:04:17 PM
 Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine

 Anyone has made success with that?


 On 12/10/2012 10:18 AM, Eduardo Ramos wrote:
  Hi dudes!

  I was following the model below, but without success. That is my
  db:

  engine=# select * from vdc_options where option_name in
  ('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword','AdUserId');
   option_id |        option_name         |                       option_value                        | version
  -----------+----------------------------+------------------------------------------------------------+---------
          63 | DomainName                 | ovirt                                                      | general
           8 | AdUserName                 | ovirt:admin                                                | general
         113 | LDAPProviderTypes          | ovirt:ipa                                                  | general
         112 | LdapServers                | ovirt:172.16.21.240                                        | general
         110 | LDAPSecurityAuthentication | ovirt:SIMPLE                                               | general
           9 | AdUserPassword             | ovirt:e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg= | general
  (7 rows)

  As you can see, my ldap server and domain are internal. That's my
  ldap user object:

  # admin, Users, Accounts, inpe.br
  dn: cn=admin,cn=Users,cn=Accounts,dc=ovirt
  givenName: Admin
  sn: istrator
  uid: admin
  userPassword:: e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg=
  uidNumber: 1001
  gidNumber: 502
  homeDirectory: /home/users/admin
  loginShell: /bin/sh
  objectClass: inetOrgPerson
  objectClass: posixAccount
  objectClass: top
  cn: admin

  But the log always returns:

  2012-12-10 10:07:00,317 ERROR
  [org.ovirt.engine.core.bll.adbroker.LdapSearchExceptionHandler]
  (ajp--0.0.0.0-8009-11) Ldap authentication failed. Please check that
  the login name, password and path are correct.
  2012-12-10 10:07:00,321 ERROR
  [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
  (ajp--0.0.0.0-8009-8) Failed ldap search server
  ldap://172.16.21.240:389 due to
  org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException.
  We should not try the next server:
  org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException

  Am I doing the right way?
 
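A note on the configuration quoted above, with an added example that is not code from the thread or from oVirt. Eduardo's AdUserPassword value is the same base64 string as the userPassword:: attribute of his LDAP entry. In LDIF a double colon marks a base64-encoded value; decoded, it reads {SSHA}hCKiuh5D39utKP4BPYkrxYPZ3ghR3L4X, a salted SHA-1 digest in the form the directory stores, not a password. A simple bind sends the configured string as the password and the server checks it against that stored digest, so binding with the digest itself cannot succeed; this is the situation Charlie describes further down the thread, where the application should only ever bind and never handle the stored hash. The example decodes the LDIF value, flags a configured bind secret that is really a stored hash, and shows the server-side {SSHA} computation (SHA-1 over password plus salt, then base64 of digest followed by salt) on a constructed password so the layout is visible. The {SSHA} layout, the 4-byte salt (which is what the quoted value carries) and the sample password are assumptions for illustration; inspect_quoted_entry works on the value taken from the thread.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional

# Value quoted in the thread: it appears both as the userPassword:: attribute of
# the LDAP entry and as the AdUserPassword setting in vdc_options.
QUOTED_VALUE = "e1NTSEF9aENLaXVoNUQzOXV0S1A0QlBZa3J4WVBaM2doUjNMNFg="

# Storage-scheme prefixes used inside userPassword (RFC 2307 style).
HASH_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")


def decode_ldif_value(attr_line: str) -> str:
    """Return the value of one LDIF attribute line.

    'attr:: <base64>' carries a base64-encoded value, 'attr: <text>' a literal one.
    """
    _, sep, rest = attr_line.partition("::")
    if sep:
        return base64.b64decode(rest.strip()).decode("utf-8")
    _, _, rest = attr_line.partition(":")
    return rest.strip()


def classify_bind_secret(value: str) -> str:
    """Say whether a configured bind password is a usable secret or a stored hash.

    The value is tested as given and, if it is valid base64, also after decoding,
    because the thread shows the hash being pasted in its LDIF (base64) form.
    """
    candidates = [value]
    try:
        candidates.append(base64.b64decode(value, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError):
        pass
    for candidate in candidates:
        for scheme in HASH_SCHEMES:
            if candidate.startswith(scheme):
                return f"stored hash ({scheme}): a simple bind with this value will fail"
    return "plain secret"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Storage form of {SSHA}: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)  # 4-byte salt, the length seen in the quoted value (assumption)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """What the server does on a simple bind: re-hash with the stored salt and compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
    recomputed = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def inspect_quoted_entry() -> Dict[str, object]:
    """Decode the quoted userPassword value and show what a bind with it would do."""
    stored = decode_ldif_value("userPassword:: " + QUOTED_VALUE)
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return {
        "stored": stored,
        "digest_len": len(raw[:20]),
        "salt_len": len(raw[20:]),
        # The engine was configured with the base64 string itself as its bind password.
        "bind_with_configured_value": ssha_verify(QUOTED_VALUE, stored),
        "config_verdict": classify_bind_secret(QUOTED_VALUE),
    }


if __name__ == "__main__":
    for key, val in inspect_quoted_entry().items():
        print(f"{key}: {val}")
    demo = ssha_hash("correct-horse", salt=b"\x01\x02\x03\x04")  # constructed password
    print("right password verifies:", ssha_verify("correct-horse", demo))
    print("wrong password verifies:", ssha_verify("wrong", demo))
```

The check in classify_bind_secret is the one to run against a configured bind password before blaming the directory: if the value, raw or base64-decoded, starts with a storage-scheme prefix, it is the server's digest rather than a credential.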

Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine

2013-02-28 Thread Jure Kranjc
I was also testing simple auth without success. Our ldap doesn't support
kerberos so we're stuck. Engine log doesn't report anything, and the
server log shows:


2013-02-28 09:53:52,850 INFO  [org.jboss.as.server]
(DeploymentScanner-threads - 2) JBAS015870: Deploy of deployment
"engine.ear" was rolled back with failure message {"JBAS014671:
Failed services" =
{"jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START"
= "org.jboss.msc.service.StartException in service
jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START:
Failed to start service"}}


We're using 3.1 on CentOS, rpms from dev.centos.org repo.


On 02/28/2013 09:33 AM, Yair Zaslavsky wrote:

Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine

2013-02-28 Thread Roy Golan

On 02/28/2013 11:04 AM, Jure Kranjc wrote:
I was also testing simple auth without success. Our ldap doesn't
support kerberos so we're stuck. Engine log doesn't report anything,
and the server log shows:


2013-02-28 09:53:52,850 INFO  [org.jboss.as.server]
(DeploymentScanner-threads - 2) JBAS015870: Deploy of deployment
"engine.ear" was rolled back with failure message {"JBAS014671:
Failed services" =
{"jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START"
= "org.jboss.msc.service.StartException in service
jboss.deployment.subunit.\"engine.ear\".\"engine-bll.jar\".component.UsersDomainsCacheManagerService.START:
Failed to start service"}}


We're using 3.1 on CentOS, rpms from dev.centos.org repo.



Let's debug kerberos:

vi /var/lib/jboss/jboss-as/bin/run.conf
add this at the bottom

JAVA_OPTS="$JAVA_OPTS -Dsun.security.krb5.debug=true"

restart jboss

It's weird that the ear didn't deploy. Please paste engine.log and server.log




Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine

2012-12-12 Thread Itamar Heim

On 12/11/2012 09:19 PM, Charlie wrote:

True LDAP does not require a password encryption method and is
perfectly happy with cleartext storage and use.

In practice, one uses a secure channel (LDAPS or Starttls or encrypted
network) and most LDAP servers (such as OpenLDAP) will allow several
different kinds of password encryption.

An application, though, should not ever deal with this issue.  The
password should be validated by doing a BIND operation, and the
application should not do any READ operations on the userPassword
value at any time, only authenticate operations.  Let the LDAP server
manage authentication.

Groups are harder.  You cannot rely on the presence of a memberOf
attribute, unfortunately, and schema are contextually meaningless, so
you need a way for the directory administrator to tell the client code
how groups are being stored in the server.  Thierry gives one example,
another is groupOfNames using a member attribute containing DNs of
members.  Those are the two most common methods, but there are more.


Charlie - Alon wrote a suggestion[1] for the first step of simplifying 
the kerberos requirement.

another phase would be needed to make it configurable for various providers.
any help on implementing the first step is welcome.

Thanks,
   Itamar

[1] http://lists.ovirt.org/pipermail/engine-devel/2012-December/003257.html





Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine

2012-12-11 Thread Charlie
True LDAP does not require a password encryption method and is
perfectly happy with cleartext storage and use.

In practice, one uses a secure channel (LDAPS or Starttls or encrypted
network) and most LDAP servers (such as OpenLDAP) will allow several
different kinds of password encryption.

An application, though, should not ever deal with this issue.  The
password should be validated by doing a BIND operation, and the
application should not do any READ operations on the userPassword
value at any time, only authenticate operations.  Let the LDAP server
manage authentication.

Groups are harder.  You cannot rely on the presence of a memberOf
attribute, unfortunately, and schema are contextually meaningless, so
you need a way for the directory administrator to tell the client code
how groups are being stored in the server.  Thierry gives one example,
another is groupOfNames using a member attribute containing DNs of
members.  Those are the two most common methods, but there are more.

--Charlie

On Tue, Dec 4, 2012 at 2:31 AM, Thierry Kauffmann
thierry.kauffm...@univ-montp2.fr wrote:

 On 04/12/2012 00:51, Itamar Heim wrote:

 On 11/30/2012 12:30 PM, Thierry Kauffmann wrote:

 Hi,

 I am currently testing Ovirt 3.1 standalone on Fedora 17.

 Until now, I could only use the default user admin@internal.

 Our Directory at the University is OpenLDAP. We use it for
 authentication WITHOUT Kerberos : Simple authentication.


 just wondering, i'm sure it is encrypted somehow, do you know which way?
 also, when using openldap, which scheme are you using?

 thanks,
Itamar


 Hi,

 the password is transmitted by the client encrypted (hashed) to the openldap 
 server.
 We use the standard schemes delivered by openldap : core, cosine, nis, 
 inetorgperson and samba

 A normal user dn is : uid=username,ou=Users,dc=example,dc=com
 A normal group dn is : cn=groupname,ou=Groups,dc=example,dc=com
 Group members are a list of values for the attribute memberUid of a group 
 dn.

 regards,

 Thierry



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
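Charlie's two points above, bind-only authentication and administrator-described group storage, as an added example in Python that is not code from the thread or from oVirt. The in-memory directory is constructed for illustration: it holds a posixGroup that lists members by memberUid (the layout Thierry describes for his OpenLDAP), and groupOfNames entries that list member DNs (Charlie's second case), one of them nested inside another. The resolver takes the group schema as configuration instead of guessing, follows nesting by DN with a visited set and a depth bound, and ignores any memberOf value on the user entry, since the thread notes it cannot be relied on. It never reads userPassword; in a real client the credential check is the bind that precedes the group lookup. Entry names, group names and the GROUP_SCHEMAS table are assumptions.

```python
from typing import Dict, List, Optional, Set, Tuple

Entry = Dict[str, List[str]]

# Which attribute each group class uses to name its members, and whether that
# attribute holds a user's uid or a full DN. This is what the directory
# administrator has to tell the client; it is not discoverable from the schema.
GROUP_SCHEMAS: Dict[str, Tuple[str, str]] = {
    "posixGroup": ("memberUid", "uid"),
    "groupOfNames": ("member", "dn"),
    "groupOfUniqueNames": ("uniqueMember", "dn"),
}

# Constructed sample directory (not from the thread), keyed by DN.
DIRECTORY: Dict[str, Entry] = {
    "uid=alice,ou=Users,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"],
        # Stale memberOf value left behind by an overlay; the resolver must not trust it.
        "memberOf": ["cn=stale,ou=Groups,dc=example,dc=com"],
    },
    "uid=bob,ou=Users,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["bob"],
    },
    "cn=ovirt-admins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "cn": ["ovirt-admins"],
        "memberUid": ["alice"],
    },
    "cn=vm-operators,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["vm-operators"],
        "member": [
            "uid=alice,ou=Users,dc=example,dc=com",
            "UID=bob, OU=Users, DC=example, DC=com",  # same DN as bob's, spelled differently
        ],
    },
    "cn=all-staff,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["all-staff"],
        "member": ["cn=vm-operators,ou=Groups,dc=example,dc=com"],  # nested group
    },
}


def normalize_dn(dn: str) -> str:
    """Case-fold and strip RDN spacing so equivalent DN spellings compare equal.

    Sufficient for this sample; a full implementation follows the LDAP DN matching rules.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_group(attrs: Entry) -> bool:
    return any(oc in GROUP_SCHEMAS for oc in attrs.get("objectClass", []))


def find_user_dn(directory: Dict[str, Entry], uid: str) -> Optional[str]:
    for dn, attrs in directory.items():
        if not is_group(attrs) and uid in attrs.get("uid", []):
            return dn
    return None


def groups_listing(directory: Dict[str, Entry], member_dn: str,
                   member_uid: Optional[str]) -> List[str]:
    """DNs of groups that name the given member directly, under any configured schema."""
    wanted = normalize_dn(member_dn)
    hits: List[str] = []
    for dn, attrs in directory.items():
        for oc in attrs.get("objectClass", []):
            schema = GROUP_SCHEMAS.get(oc)
            if schema is None:
                continue
            member_attr, ref_kind = schema
            values = attrs.get(member_attr, [])
            if ref_kind == "dn" and any(normalize_dn(v) == wanted for v in values):
                hits.append(dn)
            elif ref_kind == "uid" and member_uid is not None and member_uid in values:
                hits.append(dn)
    return hits


def resolve_groups(directory: Dict[str, Entry], uid: str, max_depth: int = 8) -> List[str]:
    """Sorted cn values of every group the user belongs to, nested groups included."""
    user_dn = find_user_dn(directory, uid)
    if user_dn is None:
        return []
    seen: Set[str] = set()
    frontier: List[Tuple[str, Optional[str]]] = [(user_dn, uid)]
    for _ in range(max_depth):
        if not frontier:
            break
        next_frontier: List[Tuple[str, Optional[str]]] = []
        for dn, ref_uid in frontier:
            for group_dn in groups_listing(directory, dn, ref_uid):
                if group_dn not in seen:  # the visited set also stops membership cycles
                    seen.add(group_dn)
                    next_frontier.append((group_dn, None))  # nested groups match by DN only
        frontier = next_frontier
    return sorted(directory[g]["cn"][0] for g in seen)


if __name__ == "__main__":
    for name in ("alice", "bob", "nobody"):
        print(name, "->", resolve_groups(DIRECTORY, name))
```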


Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine

2012-12-04 Thread Oved Ourfalli


- Original Message -
 From: Itamar Heim ih...@redhat.com
 To: Oved Ourfalli ov...@redhat.com
 Cc: users@ovirt.org, Thierry Kauffmann thierry.kauffm...@univ-montp2.fr
 Sent: Tuesday, December 4, 2012 1:47:52 AM
 Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
 
 On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
 
 
  - Original Message -
  From: Thierry Kauffmann thierry.kauffm...@univ-montp2.fr
  To: cristi falcas cristi.fal...@gmail.com
  Cc: users@ovirt.org
  Sent: Saturday, December 1, 2012 5:56:14 PM
  Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
 
 
 
 
 
 
  Hi,
 
  I am currently testing Ovirt 3.1 standalone on Fedora 17.
 
  Until now, I could only use the default user admin@internal.
 
  Our Directory at the University is OpenLDAP. We use it for
  authentication
  WITHOUT Kerberos : Simple authentication.
 
  I wonder how to use this backend to authenticate users and manage
  groups
  in Ovirt.
 
  Has anyone already set this up ?
  How to configure Ovirt to use Simple Authentication (No Kerberos).
 
  Cheers,
 
  --
  Thierry Kauffmann
  Chef du Service Informatique // Faculté des Sciences // Université de
  Montpellier 2

  SIF - Service Informatique de la Faculté des Sciences
  http://sif.info-ufr.univ-montp2.fr/
  UM2 - Université de Montpellier 2
  http://www.univ-montp2.fr/
  Service informatique de la Faculté des Sciences (SIF)
  Université de Montpellier 2
  CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5

  Tél : 04 67 14 31 58
  email : thierry.kauffm...@univ-montp2.fr
  web : http://sif.info-ufr.univ-montp2.fr/
  http://www.fdsweb.univ-montp2.fr/

  Hi,

  This is a response from an older thread from Yair Zaslavsky:
 
   there is no code allowing to add simple-authentication domains to
   Manage-Domains.
   In the past we did have the ability to do that, but there are several
   problematic issues.

   Best regards,

  Hi,
 
  Correct me if I am wrong but this wiki page (
  http://www.ovirt.org/DomainInfrastructure ) states clearly :

   1. Authenticating Active Directory, IPA and RHDS using either
   simple or gssapi authentication
   2. Querying the directory using the LDAP protocol
   3. Auto deducing the LDAP provider type
   4. Easily adding new LDAP provider types
   5. Easily adding new query types

  So what?
 
  We supported simple authentication in the past, but it is no longer
  supported, that's why you can't set that using the manage domains
  utility.
  It may work well in some providers (in the past we supported that
  for active directory, so I guess it would work there).
 
 I don't think we removed SIMPLE from the engine, we just don't
 recommend using it, since it doesn't encrypt user/password on the
 network (it is sometimes useful for debugging).
 
We indeed didn't remove the engine code. We just blocked it from the utility.
Once you have a configured oVirt domain, you can set the
LDAPSecurityAuthentication configuration parameter (in the vdc_options table)
to use simple, by putting a value of:
domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE etc.

but, if you want to add a new domain with it then you would need to add it
manually (can give a detailed explanation on how, if relevant).

By default we work with GSSAPI (I think the config option is empty by default,
which is equivalent to working with GSSAPI).
If/when we would need to support that again it shouldn't be a major effort to
add the code... the testing with the different providers will be the hard part.

Oved

 
  We also don't auto deduce the LDAP provider type anymore, as
  changes in the providers caused some issues with it.
 
  I'll edit the wiki accordingly (btw, I remember removing it from
  the wiki... so it is weird that it is still there...).
 
  Oved
 
 

Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine

2012-12-04 Thread Oved Ourfalli


- Original Message -
 From: Thierry Kauffmann thierry.kauffm...@univ-montp2.fr
 To: Oved Ourfalli ov...@redhat.com
 Cc: Itamar Heim ih...@redhat.com, users@ovirt.org
 Sent: Tuesday, December 4, 2012 10:35:34 AM
 Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
 
 
  On 04/12/2012 09:09, Oved Ourfalli wrote:
 
 
 - Original Message -
 
 From: Itamar Heim ih...@redhat.com To: Oved Ourfalli
 ov...@redhat.com Cc: users@ovirt.org , Thierry Kauffmann
 thierry.kauffm...@univ-montp2.fr Sent: Tuesday, December 4, 2012
 1:47:52 AM
 Subject: Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
 
 On 12/02/2012 08:10 AM, Oved Ourfalli wrote:
 
 - Original Message -
 
 From: Thierry Kauffmann thierry.kauffm...@univ-montp2.fr To:
 cristi falcas cristi.fal...@gmail.com Cc: users@ovirt.org Sent:
 Saturday, December 1, 2012 5:56:14 PM
 Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
 
 
 
 
 
 
 Hi,
 
 I am currently testing Ovirt 3.1 standalone on Fedora 17.
 
 Until now, I could only use the default user admin@internal.
 
 Our Directory at the University is OpenLDAP. We use it for
 authentication
 WITHOUT Kerberos : Simple authentication.
 
 I wonder how to use this backend to authenticate users and manage
 groups
 in Ovirt.
 
 Has anyone already set this up ?
 How to configure Ovirt to use Simple Authentication (No Kerberos).
 
 Cheers,
 
 --
 Thierry Kauffmann
 Chef du Service Informatique // Facult? des Sciences // Universit?
 de
 Montpellier 2
 
[image: SIF - Service Informatique de la Facult? des Sciences]
http://sif.info-ufr.univ-montp2.fr/ [image:
 UM2 - Universit? de Montpellier 2] http://www.univ-montp2.fr/
 Service
 informatique de la Facult? des Sciences (SIF)
 Universit? de Montpellier 2
   CC437 // Place Eug?ne Bataillon // 34095 Montpellier Cedex 5
 
 T?l : 04 67 14 31 58
 email : thierry.kauffm...@univ-montp2.fr web :
 http://sif.info-ufr.univ-montp2.fr/
 http://www.fdsweb.univ-montp2.fr/
 ___
 Users mailing list Users@ovirt.org
 http://lists.ovirt.org/mailman/listinfo/users Hi,
 
 This is a response from an older thread from Yair Zaslavsky:
 
  there is no code allowing to add simple-authentication domains
 to
 Manage-Domains.
 In the past we did have the ability to do that, but there are
 several
 problematic issues.
 
 Best regards, Hi,
 
 correct-me if I am wrong but this wiki page (
 http://www.ovirt.org/DomainInfrastructure ) states clearly :
 
 
 
 
 
  1. Authenticating Active Directory, IPA and RHDS using either
  simple or gssapi authentication
  2. Querying the directory using the LDAP protocol
  3. Auto deducing the LDAP provider type
  4. Easily adding new LDAP provider types
  5. Easily adding new query types
 
 So what ?
 
 We supported simple authentication in the past, but it is no longer
 supported, that's why you can't set that using the manage domains
 utility. It may work well in some providers (in the past we supported
 that for active directory, so I guess it would work there).
 
 I don't think we removed SIMPLE from the engine, we just don't
 recommend using it, since it doesn't encrypt user/password on the
 network (it is sometimes useful for debugging).
 
 We indeed didn't remove the engine code. We just blocked it from the
 utility. Once you have a configured oVirt domain, you can set the
 LDAPSecurityAuthentication configuration parameter (in the
 vdc_options table), to use simple, by putting a value of:
 domain1:SIMPLE,domain2:GSSAPI,domain3:SIMPLE and etc
 
 but, if you want to add a new domain with it then you would need to
 add it manually (can give a detailed explanation on how, if
 relevant).
 
 Yes, I would like to know how to add directly a domain which is not
 GSSAPI controlled.
 

The vdc_options table is a table containing the configuration values of the 
engine. Among those, there are directory-related configuration values:

engine=# select * from vdc_options where option_name in
('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword');
 option_id |        option_name         |                       option_value                        | version
-----------+----------------------------+-----------------------------------------------------------+---------
         9 | AdUserName                 | domain1:user1,domain2:user2                               | general
        10 | AdUserPassword             | domain1:password1,domain2:password2                       | general
       114 | LdapServers                | domain1:ldap_server_address1,domain2:ldap_server_address2 | general
        64 | DomainName                 | domain1,domain2                                           | general
       112 | LDAPSecurityAuthentication | domain1:GSSAPI,domain2:SIMPLE                             | general
       115 | LDAPProviderTypes          | domain1:activeDirectory,domain2:ipa                       | general

AdUserName is the user
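As an added example (not oVirt code, and not from anyone in this thread), here is a small audit of the per-domain option strings the engine keeps in vdc_options: it parses the "domain:value,domain:value" format, flags domains that are missing from one of the per-domain options (a typo in one key silently breaks that domain), and flags domains bound with SIMPLE, since the bind password then crosses the network unencrypted. The option values are constructed to mirror the table above.

```python
# Added example, not part of oVirt: audit the per-domain option strings
# stored in vdc_options (format "domain:value,domain:value").
from typing import Dict, List

# Constructed sample rows, modelled on the vdc_options output above.
SAMPLE_OPTIONS = {
    "DomainName": "domain1,domain2",
    "LdapServers": "domain1:ldap_server_address1,domain2:ldap_server_address2",
    "LDAPSecurityAuthentication": "domain1:GSSAPI,domain2:SIMPLE",
    "LDAPProviderTypes": "domain1:activeDirectory,domain2:ipa",
    "AdUserName": "domain1:user1,domain2:user2",
}

# Options whose value must carry one entry per domain listed in DomainName.
PER_DOMAIN_KEYS = ("LdapServers", "LDAPSecurityAuthentication",
                   "LDAPProviderTypes", "AdUserName")


def parse_per_domain(value: str) -> Dict[str, str]:
    """Turn 'domain1:val1,domain2:val2' into {'domain1': 'val1', ...}.
    Only the first ':' separates the domain, so 'host:389' survives intact."""
    result: Dict[str, str] = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"entry {item!r} is not in 'domain:value' form")
        domain, val = item.split(":", 1)
        result[domain.strip()] = val.strip()
    return result


def audit_domains(options: Dict[str, str]) -> List[str]:
    """Report domains missing from a per-domain option and domains whose
    bind uses SIMPLE (the AdUserPassword is then sent in clear)."""
    findings: List[str] = []
    domains = [d.strip() for d in options.get("DomainName", "").split(",") if d.strip()]
    parsed = {k: parse_per_domain(options.get(k, "")) for k in PER_DOMAIN_KEYS}
    for d in domains:
        for k in PER_DOMAIN_KEYS:
            if d not in parsed[k]:
                findings.append(f"{d}: no entry in {k}")
        auth = parsed["LDAPSecurityAuthentication"].get(d, "").upper()
        if auth == "SIMPLE":
            findings.append(f"{d}: SIMPLE bind configured; password is sent unencrypted")
        elif auth not in ("GSSAPI", ""):
            findings.append(f"{d}: unknown LDAPSecurityAuthentication value {auth!r}")
    return findings
```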

Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine

2012-12-03 Thread Itamar Heim

On 12/02/2012 08:10 AM, Oved Ourfalli wrote:



correct me if I am wrong but this wiki page
( http://www.ovirt.org/DomainInfrastructure ) states clearly :





 1. Authenticating Active Directory, IPA and RHDS using either
 simple or gssapi authentication
 2. Querying the directory using the LDAP protocol
 3. Auto deducing the LDAP provider type
 4. Easily adding new LDAP provider types
 5. Easily adding new query types

So what ?


We supported simple authentication in the past, but it is no longer supported, 
that's why you can't set that using the manage domains utility.
It may work well in some providers (in the past we supported that for active 
directory, so I guess it would work there).


I don't think we removed SIMPLE from the engine, we just don't recommend 
using it, since it doesn't encrypt user/password on the network (it is 
sometimes useful for debugging).




We also don't auto deduce the LDAP provider type anymore, as changes in the 
providers caused some issues with it.

I'll edit the wiki accordingly (btw, I remember removing it from the wiki... so 
it is weird that it is still there...).

Oved





Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine

2012-12-03 Thread Itamar Heim

On 11/30/2012 12:30 PM, Thierry Kauffmann wrote:

Hi,

I am currently testing Ovirt 3.1 standalone on Fedora 17.

Until now, I could only use the default user admin@internal.

Our Directory at the University is OpenLDAP. We use it for
authentication WITHOUT Kerberos : Simple authentication.


Just wondering, I'm sure it is encrypted somehow, do you know which way?
Also, when using OpenLDAP, which scheme are you using?

thanks,
   Itamar





Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine

2012-12-01 Thread Oved Ourfalli


- Original Message -
 From: Thierry Kauffmann thierry.kauffm...@univ-montp2.fr
 To: cristi falcas cristi.fal...@gmail.com
 Cc: users@ovirt.org
 Sent: Saturday, December 1, 2012 5:56:14 PM
 Subject: [Users] OpenLDAP Simple Authentication in Ovirt Engine
 
 
 
 
 
 
 Hi,
 
 correct me if I am wrong but this wiki page
 ( http://www.ovirt.org/DomainInfrastructure ) states clearly :
 
 
 
 
 
 1. Authenticating Active Directory, IPA and RHDS using either
 simple or gssapi authentication
 2. Querying the directory using the LDAP protocol
 3. Auto deducing the LDAP provider type
 4. Easily adding new LDAP provider types
 5. Easily adding new query types
 
 So what ?
 
We supported simple authentication in the past, but it is no longer supported, 
that's why you can't set that using the manage domains utility.
It may work well in some providers (in the past we supported that for active 
directory, so I guess it would work there).

We also don't auto deduce the LDAP provider type anymore, as changes in the 
providers caused some issues with it.

I'll edit the wiki accordingly (btw, I remember removing it from the wiki... so 
it is weird that it is still there...).

Oved

 


Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine

2012-11-30 Thread Cristian Falcas
On Fri, Nov 30, 2012 at 12:30 PM, Thierry Kauffmann 
thierry.kauffm...@univ-montp2.fr wrote:




Hi,

This is a response from an older thread from Yair Zaslavsky:

 there is no code allowing to add simple-authentication domains to
Manage-Domains.
In the past we did have the ability to do that, but there are several
problematic issues.

Best regards,