Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-14 Thread Charlie
Oved, totally agree about externalizing the configuration.  Also I
like Roy Golan's recommendation of a wiki design page, because I can
probably offer more in the design phase than the actual coding phase.
I know the OpenLDAP schema interface rather well, and I have my own
OID so I can define globally useful oVirt schema for you if you'd like
to go that route.

You guys are always very helpful and encouraging, which is why this
project moves so fast.

--Charlie

On Wed, Nov 14, 2012 at 11:41 AM, Oved Ourfalli  wrote:
>
>
> - Original Message -
>> From: "Oved Ourfalli" 
>> To: "Jiri Belka" , medieval...@gmail.com
>> Cc: users@ovirt.org
>> Sent: Wednesday, November 14, 2012 3:50:45 PM
>> Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
>>
>>
>>
>> - Original Message -
>> > From: "Jiri Belka" 
>> > To: users@ovirt.org
>> > Sent: Wednesday, November 14, 2012 9:30:39 AM
>> > Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
>> >
>> > On 11/13/2012 09:40 PM, Charlie wrote:
>> > > I would like to help oVirt gain compatibility with
>> > > standards-based
>> > > services like OpenLDAP, but the code's in a language I haven't
>> > > used
>> > > and a version control system I haven't used and the wiki has no
>> > > LDAP
>> > > interaction design documents (other than the sources themselves)
>> > > and
>> > > I've got very limited free time, all of which makes it hard to
>> > > contribute.
>> >
>> > +1
>> >
>>
>> We do have some wiki pages that can be useful to set up a development
>> environment, like:
>> http://wiki.ovirt.org/wiki/Working_with_oVirt_Gerrit
>> http://wiki.ovirt.org/wiki/Building_oVirt_engine
>>
>> Architecture page:
>> http://wiki.ovirt.org/wiki/Architecture
>>
>> And specifically, there is a wiki page on the LDAP infrastructure,
>> that can give a clue on what entities we have there, and how to work
>> with them:
>> http://wiki.ovirt.org/wiki/DomainInfrastructure
>>
>
> When looking at OpenLDAP before, I remember the issue was that we didn't have 
> any standard schema to work with that had all the different attributes we 
> need.
> Currently, we require authenticating to a Kerberos server. Also, the 
> configuration of the different provider queries is done inside the source 
> code, and not configured externally.
> So, IMO the best way to add a new OpenLDAP provider is first to externalize 
> this configuration, so that anyone can tweak it according to his schema.
>
> I hope the wiki pages above can give a clue on the infrastructure, but we 
> would be more than happy to help guide you on that.
> The relevant people are Yair Zaslavsky (yzasl...@redhat.com), Roy Golan 
> (rgo...@redhat.com), and myself, who did the latest work on this 
> infrastructure, so we would be more than happy to help on IRC, e-mail, phone 
> calls, etc.
>
> Another relevant mailing list is engine-de...@ovirt.org, where most engine 
> developers are, so that's the best place to get guidance regarding git, 
> gerrit, java, and every development matter.
>
> Oved
>> > --
>> >
>> > Jiri Belka
>> > jbe...@redhat.com
>> > ___
>> > Users mailing list
>> > Users@ovirt.org
>> > http://lists.ovirt.org/mailman/listinfo/users
>> >
>>


Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-14 Thread Charlie
The domainInfrastructure wiki page is helpful.  The examples are
great.  It has enough information to understand how oVirt formats an
LDAP filter string, for example, which is very important.  The
constant use of the word "domain" is confusing, though.

People outside the Microsoft world don't know that Microsoft
documentation uses three different definitions of domain, sometimes in
the same document.  Most people will probably just assume you mean an
IANA domain.

I've worked with LDAP for over ten years, and I read the oVirt
domainInfrastructure page three or four times but I still couldn't
figure out why it kept talking about domains and LDAP at the same time
until I took a week of AD classes and studied a couple of O'Reilly AD
books.

For example, when the oVirt wiki talks about "root DSE for domain" it
doesn't make sense to anyone who isn't already familiar with AD.  A
rootDSE describes the configuration of a DSA instance (LDAP server
daemon) as defined in RFC4512 section 5.1, and doesn't have anything
to do with domains.  The word domain does not occur in RFC4512 or
RFC2251 at all.  The page doesn't explain why oVirt needs a domain and
a root DSE to have any special relationship.  ISPs load information
for hundreds of IANA domains under a single root DSE and it's not a
problem; I've done five domains in one DSA under one root DSE.

If there was an oVirt wiki page called LDAP or
DirectoryInfrastructure, that page could explain if domains really
need to be part of oVirt, and if so which kind of domain, and then
link the current domainInfrastructure page.  Or it could link a
separate page for each directory supported by oVirt, and the current
domainInfrastructure page could become an activeDirectory page and
retain all the AD-specific language.

--Charlie

On Wed, Nov 14, 2012 at 8:50 AM, Oved Ourfalli  wrote:
>
>
> - Original Message -
>> From: "Jiri Belka" 
>> To: users@ovirt.org
>> Sent: Wednesday, November 14, 2012 9:30:39 AM
>> Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
>>
>> On 11/13/2012 09:40 PM, Charlie wrote:
>> > I would like to help oVirt gain compatibility with standards-based
>> > services like OpenLDAP, but the code's in a language I haven't used
>> > and a version control system I haven't used and the wiki has no
>> > LDAP
>> > interaction design documents (other than the sources themselves)
>> > and
>> > I've got very limited free time, all of which makes it hard to
>> > contribute.
>>
>> +1
>>
>
> We do have some wiki pages that can be useful to set up a development 
> environment, like:
> http://wiki.ovirt.org/wiki/Working_with_oVirt_Gerrit
> http://wiki.ovirt.org/wiki/Building_oVirt_engine
>
> Architecture page:
> http://wiki.ovirt.org/wiki/Architecture
>
> And specifically, there is a wiki page on the LDAP infrastructure, that can 
> give a clue on what entities we have there, and how to work with them:
> http://wiki.ovirt.org/wiki/DomainInfrastructure
>
>> --
>>
>> Jiri Belka
>> jbe...@redhat.com
>>
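An added example to illustrate the root DSE point made above; it is not code from the thread or from oVirt. Both LDIF records are constructed to resemble what a base-scope search of the empty DN returns from an OpenLDAP DSA serving several dc= suffixes and from an AD-compatible DSA such as Samba4 (which adds attributes like defaultNamingContext that RFC 4512 does not define). The rule in user_base_for_domain(), mapping a DNS domain to one of the DSA's suffixes, is an assumed provider-neutral design, not the engine's actual logic.

```python
"""Read a root DSE (RFC 4512, section 5.1) and pick a search base for a DNS domain.

Added example, not oVirt code. Both LDIF records are constructed to resemble
what `ldapsearch -x -s base -b "" +` returns from an OpenLDAP DSA that serves
several dc= suffixes and from an AD-compatible DSA such as Samba4. The rule
in user_base_for_domain() is an assumed, provider-neutral design, not the
engine's actual logic.
"""

OPENLDAP_ROOTDSE = """\
dn:
objectClass: top
objectClass: OpenLDAProotDSE
namingContexts: dc=example,dc=org
namingContexts: dc=example,dc=net
namingContexts: dc=customer,dc=example,dc=com
supportedLDAPVersion: 3
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedExtension: 1.3.6.1.4.1.1466.20037
"""

AD_ROOTDSE = """\
dn:
defaultNamingContext: DC=example,DC=org
rootDomainNamingContext: DC=example,DC=org
configurationNamingContext: CN=Configuration,DC=example,DC=org
namingContexts: DC=example,DC=org
namingContexts: CN=Configuration,DC=example,DC=org
namingContexts: CN=Schema,CN=Configuration,DC=example,DC=org
dnsHostName: dc1.example.org
supportedLDAPVersion: 3
supportedSASLMechanisms: GSSAPI
supportedExtension: 1.3.6.1.4.1.1466.20037
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def parse_ldif_entry(text):
    """Parse one LDIF record into {lower-cased attribute: [values]}.

    Simplified: no base64 (::) values and no continuation lines, which the
    root DSE attributes used here never need.
    """
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def naming_contexts(rootdse):
    """Every suffix the DSA serves; one DSA may hold many DNS domains."""
    return rootdse.get("namingcontexts", [])


def is_active_directory(rootdse):
    """AD-style servers publish defaultNamingContext; RFC 4512 does not define it."""
    return "defaultnamingcontext" in rootdse


def supports_starttls(rootdse):
    """True if the DSA advertises the StartTLS extended operation."""
    return STARTTLS_OID in rootdse.get("supportedextension", [])


def dns_domain_to_dn(dns_domain):
    """example.org -> dc=example,dc=org (RFC 2247 mapping)."""
    return ",".join("dc=" + label for label in dns_domain.lower().split("."))


def user_base_for_domain(rootdse, dns_domain):
    """Pick the naming context in which users of dns_domain live.

    Assumed rule: an AD-style DSA answers for its defaultNamingContext only;
    any other DSA is searched in whichever of its suffixes is the dc= form of
    the DNS domain. Either way the server is rejected if it does not serve
    the domain, instead of silently searching some other suffix.
    """
    wanted = dns_domain_to_dn(dns_domain)
    if is_active_directory(rootdse):
        candidates = rootdse["defaultnamingcontext"]
    else:
        candidates = naming_contexts(rootdse)
    for nc in candidates:
        if nc.replace(" ", "").lower() == wanted:
            return nc
    raise LookupError("DSA does not serve %s (has %s)" % (dns_domain, candidates))


if __name__ == "__main__":
    for name, ldif in (("openldap", OPENLDAP_ROOTDSE), ("ad", AD_ROOTDSE)):
        dse = parse_ldif_entry(ldif)
        print(name, naming_contexts(dse), supports_starttls(dse))
    print(user_base_for_domain(parse_ldif_entry(OPENLDAP_ROOTDSE), "example.net"))
    print(user_base_for_domain(parse_ldif_entry(AD_ROOTDSE), "example.org"))
```

Run as a script it prints the suffixes each DSA serves and the base chosen for two domains; the OpenLDAP record carries three unrelated suffixes under one root DSE, which is the situation the message above describes.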


Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-14 Thread Oved Ourfalli


- Original Message -
> From: "Oved Ourfalli" 
> To: "Jiri Belka" , medieval...@gmail.com
> Cc: users@ovirt.org
> Sent: Wednesday, November 14, 2012 3:50:45 PM
> Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
> 
> 
> 
> - Original Message -
> > From: "Jiri Belka" 
> > To: users@ovirt.org
> > Sent: Wednesday, November 14, 2012 9:30:39 AM
> > Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
> > 
> > On 11/13/2012 09:40 PM, Charlie wrote:
> > > I would like to help oVirt gain compatibility with
> > > standards-based
> > > services like OpenLDAP, but the code's in a language I haven't
> > > used
> > > and a version control system I haven't used and the wiki has no
> > > LDAP
> > > interaction design documents (other than the sources themselves)
> > > and
> > > I've got very limited free time, all of which makes it hard to
> > > contribute.
> > 
> > +1
> > 
> 
> We do have some wiki pages that can be useful to set up a development
> environment, like:
> http://wiki.ovirt.org/wiki/Working_with_oVirt_Gerrit
> http://wiki.ovirt.org/wiki/Building_oVirt_engine
> 
> Architecture page:
> http://wiki.ovirt.org/wiki/Architecture
> 
> And specifically, there is a wiki page on the LDAP infrastructure,
> that can give a clue on what entities we have there, and how to work
> with them:
> http://wiki.ovirt.org/wiki/DomainInfrastructure
> 

When looking at OpenLDAP before, I remember the issue was that we didn't have 
any standard schema to work with that had all the different attributes we need.
Currently, we require authenticating to a Kerberos server. Also, the 
configuration of the different provider queries is done inside the source code, 
and not configured externally.
So, IMO the best way to add a new OpenLDAP provider is first to externalize 
this configuration, so that anyone can tweak it according to his schema.

I hope the wiki pages above can give a clue on the infrastructure, but we would 
be more than happy to help guide you on that.
The relevant people are Yair Zaslavsky (yzasl...@redhat.com), Roy Golan 
(rgo...@redhat.com), and myself, who did the latest work on this 
infrastructure, so we would be more than happy to help on IRC, e-mail, phone 
calls, etc.

Another relevant mailing list is engine-de...@ovirt.org, where most engine 
developers are, so that's the best place to get guidance regarding git, gerrit, 
java, and every development matter.

Oved
> > --
> > 
> > Jiri Belka
> > jbe...@redhat.com
> > 
> 


Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-14 Thread Oved Ourfalli


- Original Message -
> From: "Jiri Belka" 
> To: users@ovirt.org
> Sent: Wednesday, November 14, 2012 9:30:39 AM
> Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
> 
> On 11/13/2012 09:40 PM, Charlie wrote:
> > I would like to help oVirt gain compatibility with standards-based
> > services like OpenLDAP, but the code's in a language I haven't used
> > and a version control system I haven't used and the wiki has no
> > LDAP
> > interaction design documents (other than the sources themselves)
> > and
> > I've got very limited free time, all of which makes it hard to
> > contribute.
> 
> +1
> 

We do have some wiki pages that can be useful to set up a development 
environment, like:
http://wiki.ovirt.org/wiki/Working_with_oVirt_Gerrit
http://wiki.ovirt.org/wiki/Building_oVirt_engine

Architecture page:
http://wiki.ovirt.org/wiki/Architecture

And specifically, there is a wiki page on the LDAP infrastructure, that can 
give a clue on what entities we have there, and how to work with them:
http://wiki.ovirt.org/wiki/DomainInfrastructure

> --
> 
> Jiri Belka
> jbe...@redhat.com
> 


Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-14 Thread Jiri Belka

On 11/13/2012 09:40 PM, Charlie wrote:

I would like to help oVirt gain compatibility with standards-based
services like OpenLDAP, but the code's in a language I haven't used
and a version control system I haven't used and the wiki has no LDAP
interaction design documents (other than the sources themselves) and
I've got very limited free time, all of which makes it hard to
contribute.


+1

--

Jiri Belka
jbe...@redhat.com


Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-13 Thread Yair Zaslavsky


- Original Message -
> From: "Alon Bar-Lev" 
> To: "Charlie" 
> Cc: "users" 
> Sent: Tuesday, November 13, 2012 10:46:37 PM
> Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
> 
> 
> 
> - Original Message -
> > From: "Charlie" 
> > To: "Itamar Heim" 
> > Cc: "users" 
> > Sent: Tuesday, November 13, 2012 10:40:34 PM
> > Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
> > 
> > FreeIPA is a microsoft "clone" solution.  It is an emulator for AD,
> > much like Samba4 is.  Neither of them is based on Open Standards,
> > although both are Open Source.  This is a very important
> > distinction.
> > 
> > In our test RHEVM environment, only closed-source, proprietary
> > Microsoft Active Directory could provide a fully functional user
> > provisioning interface.  We attempted OpenLDAP, FreeIPA, and Samba4
> > but after a couple of weeks the bosses got tired of the slow
> > progress,
> > threw up their hands and told us to just use Microsoft.  This
> > situation led directly to the replacement of half a dozen
> > production
> > Red Hat servers with Microsoft Hyper-V hosted Windows servers.
> > Essentially, this one shortcoming (inability to use OpenLDAP as an
> > AAA
> > source) ended up driving the abandonment of Open Source in our
> > enterprise.  We're currently in the process of replacing all our
> > FOSS
> > infrastructure in DNS, DHCP, NTP, LDAP, etc. with ADS and there's
> > nothing I can do to stop that.
> > 
> > http://en.wikipedia.org/wiki/For_Want_of_a_Nail_%28proverb%29
> > 
> > It's very unfortunate.  Law of unintended consequences I guess.  I
> > would like to help oVirt gain compatibility with standards-based
> > services like OpenLDAP, but the code's in a language I haven't used
> > and a version control system I haven't used and the wiki has no
> > LDAP
> > interaction design documents (other than the sources themselves)
> > and
> > I've got very limited free time, all of which makes it hard to
> > contribute.
> > 
> > I hope that didn't sound too much like whining.  I don't blame
> > anyone
> > outside my organization for my organization's bad decisions, I'm
> > just
> > pointing out that giving your userbase no option other than to
> > implement proprietary Directory models may have unintended
> > consequences in the field.  Why spend a lot of money pretending to
> > be
> > Microsoft when you can be Microsoft for the same or less money?
> 
> Not at all.
> I feel the same, we really need to support openldap without krb and
> with krb.

+10 here (not to mention that we really need to extract all our query/attribute mapping 
logic in such a way that we can further ease integration with new LDAP providers).

> 
> Alon.
> 
> > --Charlie
> > 
> > >> I know it, but the idea of avoiding Microsoft solutions and moving to
> > >> an Open Source environment is very interesting.
> > >
> > >
> > > we do support a few other directory solutions (like freeIPA and
> > > 389ds).
> > > 389ds needs a kerberos enhancement.
> > >
> > 
> > Kerberos should be optional.  Many organizations don't need the
> > extra
> > complexity, LDAP STARTTLS or LDAPS gives them all the security they
> > need.
> > 
> 


Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-13 Thread Alejandro
2012/11/13 Yair Zaslavsky 

> There is a reason why we query for userPrincipalName so it has to include
> this information.
>
>
From http://theessentialexchange.com/blogs/michael/archive/2007/11/13/the-user-principle-name-and-you.aspx :

"The user principal name is not a required attribute (that is, Active
Directory does not require it to be set). The new user wizard in ADU&C
makes you set it - but you can go in and delete it from the Account
Properties page later, and when you are creating users programmatically
(such as via scripting), it doesn't need to be specified at all."

What is the reason to make searches with a non-required attribute?

Thanks


-- 
Alejandro Escanero Blanco
Consultant for systems based on open source
FusionDirectory developer (http://www.fusiondirectory.org)
Blog: http://www.disasterproject.com
Jabber: blain...@jabberes.com


Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-13 Thread Alon Bar-Lev


- Original Message -
> From: "Charlie" 
> To: "Itamar Heim" 
> Cc: "users" 
> Sent: Tuesday, November 13, 2012 10:40:34 PM
> Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
> 
> FreeIPA is a microsoft "clone" solution.  It is an emulator for AD,
> much like Samba4 is.  Neither of them is based on Open Standards,
> although both are Open Source.  This is a very important distinction.
> 
> In our test RHEVM environment, only closed-source, proprietary
> Microsoft Active Directory could provide a fully functional user
> provisioning interface.  We attempted OpenLDAP, FreeIPA, and Samba4
> but after a couple of weeks the bosses got tired of the slow
> progress,
> threw up their hands and told us to just use Microsoft.  This
> situation led directly to the replacement of half a dozen production
> Red Hat servers with Microsoft Hyper-V hosted Windows servers.
> Essentially, this one shortcoming (inability to use OpenLDAP as an
> AAA
> source) ended up driving the abandonment of Open Source in our
> enterprise.  We're currently in the process of replacing all our FOSS
> infrastructure in DNS, DHCP, NTP, LDAP, etc. with ADS and there's
> nothing I can do to stop that.
> 
> http://en.wikipedia.org/wiki/For_Want_of_a_Nail_%28proverb%29
> 
> It's very unfortunate.  Law of unintended consequences I guess.  I
> would like to help oVirt gain compatibility with standards-based
> services like OpenLDAP, but the code's in a language I haven't used
> and a version control system I haven't used and the wiki has no LDAP
> interaction design documents (other than the sources themselves) and
> I've got very limited free time, all of which makes it hard to
> contribute.
> 
> I hope that didn't sound too much like whining.  I don't blame anyone
> outside my organization for my organization's bad decisions, I'm just
> pointing out that giving your userbase no option other than to
> implement proprietary Directory models may have unintended
> consequences in the field.  Why spend a lot of money pretending to be
> Microsoft when you can be Microsoft for the same or less money?

Not at all.
I feel the same, we really need to support openldap without krb and with krb.

Alon.

> --Charlie
> 
> >> I know it, but the idea of avoiding Microsoft solutions and moving to
> >> an Open Source environment is very interesting.
> >
> >
> > we do support a few other directory solutions (like freeIPA and
> > 389ds).
> > 389ds needs a kerberos enhancement.
> >
> 
> Kerberos should be optional.  Many organizations don't need the extra
> complexity, LDAP STARTTLS or LDAPS gives them all the security they
> need.
> 


Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-13 Thread Charlie
FreeIPA is a microsoft "clone" solution.  It is an emulator for AD,
much like Samba4 is.  Neither of them is based on Open Standards,
although both are Open Source.  This is a very important distinction.

In our test RHEVM environment, only closed-source, proprietary
Microsoft Active Directory could provide a fully functional user
provisioning interface.  We attempted OpenLDAP, FreeIPA, and Samba4
but after a couple of weeks the bosses got tired of the slow progress,
threw up their hands and told us to just use Microsoft.  This
situation led directly to the replacement of half a dozen production
Red Hat servers with Microsoft Hyper-V hosted Windows servers.
Essentially, this one shortcoming (inability to use OpenLDAP as an AAA
source) ended up driving the abandonment of Open Source in our
enterprise.  We're currently in the process of replacing all our FOSS
infrastructure in DNS, DHCP, NTP, LDAP, etc. with ADS and there's
nothing I can do to stop that.

http://en.wikipedia.org/wiki/For_Want_of_a_Nail_%28proverb%29

It's very unfortunate.  Law of unintended consequences I guess.  I
would like to help oVirt gain compatibility with standards-based
services like OpenLDAP, but the code's in a language I haven't used
and a version control system I haven't used and the wiki has no LDAP
interaction design documents (other than the sources themselves) and
I've got very limited free time, all of which makes it hard to
contribute.

I hope that didn't sound too much like whining.  I don't blame anyone
outside my organization for my organization's bad decisions, I'm just
pointing out that giving your userbase no option other than to
implement proprietary Directory models may have unintended
consequences in the field.  Why spend a lot of money pretending to be
Microsoft when you can be Microsoft for the same or less money?

--Charlie

>> I know it, but the idea of avoiding Microsoft solutions and moving to an
>> Open Source environment is very interesting.
>
>
> we do support a few other directory solutions (like freeIPA and 389ds).
> 389ds needs a kerberos enhancement.
>

Kerberos should be optional.  Many organizations don't need the extra
complexity, LDAP STARTTLS or LDAPS gives them all the security they
need.


Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-13 Thread Yair Zaslavsky



On 11/13/2012 05:55 PM, Alejandro wrote:




2012/11/13 Yair Zaslavsky

Hi Alejandro,
Officially we're not supporting Samba4rc5, but I talked with Alon
Bar-Lev (CC'ed) and he explained to me that Samba4rc5 is 2003 AD compliant.


Hi Yair
I know it, but the idea of avoiding Microsoft solutions and moving to an
Open Source environment is very interesting.

+1 on that.



I am not sure why you had to add the cn part, can you elaborate?



I found the problem: it isn't the cn; only when the user has a
userPrincipalName is it found by ovirt.

That's true; this is how we run the get-user-by-name query.




This will probably be a problem in the migration from samba3 to samba4; I
will ask on the samba4 technical list.


Thanks for that, keep us posted, you raised an interesting issue here!



Thanks



--
Alejandro Escanero Blanco
Consultant for systems based on open source
FusionDirectory developer (http://www.fusiondirectory.org)
Blog: http://www.disasterproject.com
Jabber: blain...@jabberes.com 




Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-13 Thread Itamar Heim

On 11/13/2012 05:55 PM, Alejandro wrote:




2012/11/13 Yair Zaslavsky

Hi Alejandro,
Officially we're not supporting Samba4rc5, but I talked with Alon
Bar-Lev (CC'ed) and he explained to me that Samba4rc5 is 2003 AD compliant.


Hi Yair
I know it, but the idea of avoiding Microsoft solutions and moving to an
Open Source environment is very interesting.


we do support a few other directory solutions (like freeIPA and 389ds).
389ds needs a kerberos enhancement.




I am not sure why you had to add the cn part, can you elaborate?



I found the problem: it isn't the cn; only when the user has a
userPrincipalName is it found by ovirt.


This will probably be a problem in the migration from samba3 to samba4; I
will ask on the samba4 technical list.

Thanks



--
Alejandro Escanero Blanco
Consultant for systems based on open source
FusionDirectory developer (http://www.fusiondirectory.org)
Blog: http://www.disasterproject.com
Jabber: blain...@jabberes.com 









Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-13 Thread Alejandro
2012/11/13 Yair Zaslavsky 

> Hi Alejandro,
> Officially we're not supporting Samba4rc5, but I talked with Alon Bar-Lev
> (CC'ed) and he explained to me that Samba4rc5 is 2003 AD compliant.
>
>
Hi Yair
I know it, but the idea of avoiding Microsoft solutions and moving to an
Open Source environment is very interesting.


> I am not sure why you had to add the cn part, can you elaborate?
>


I found the problem: it isn't the cn; only when the user has a
userPrincipalName is it found by ovirt.


This will probably be a problem in the migration from samba3 to samba4; I
will ask on the samba4 technical list.

Thanks



-- 
Alejandro Escanero Blanco
Consultant for systems based on open source
FusionDirectory developer (http://www.fusiondirectory.org)
Blog: http://www.disasterproject.com
Jabber: blain...@jabberes.com


Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-13 Thread Yair Zaslavsky

Hi Alejandro,
Officially we're not supporting Samba4rc5, but I talked with Alon 
Bar-Lev (CC'ed) and he explained to me that Samba4rc5 is 2003 AD compliant.



On 11/13/2012 03:53 PM, Alejandro wrote:

I'm trying to use Samba4rc5 as the authenticator for Ovirt 3.1.0-3.26

The first problem is that Ovirt uses the userPrincipalName (login@domain in place
of login) to authenticate with Samba4, but Samba4 doesn't use it.

I use
engine-manage-domains -action=add -domain=DOMAINFQDN -user=LOGIN
-provider=ActiveDirectory -interactive -addPermissions
And the result is:

No user in Directory was found for LOGIN@DOMAINFQDN. Trying next LDAP
server in list
Failure while testing domain DOMAINFQDN. Details: No user information
was found for user


And the Samba4 give me:
filter=(&(sAMAccountType=805306368)(userPrincipalName=LOGIN@DOMAINFQDN))

But no userPrincipalName is configured in any user.


Current solution: I added a userPrincipalName LOGIN@DOMAINFQDN to the LOGIN
account (using an LDAP tool) and added the ovirt machine to the domain.


Not sure I fully understood your solution - does this mean you added 
this, was this added to the user objects on your ldap server?
There is a reason why we query for userPrincipalName so it has to 
include this information.




After restarting the ovirt engine I go to the UserPortal.

Now I find another problem: the user isn't searched by the Common Name (cn).
An example of the search:
filter=(&(sAMAccountType=805306368)(|(givenname=TESTLOGIN)(sn=TESTLOGIN)(samaccountname=TESTLOGIN)(userPrincipalName=TESTLOGIN)))

must be
filter=(&(sAMAccountType=805306368)(|(givenname=TESTLOGIN)(cn=TESTLOGIN)(sn=TESTLOGIN)(samaccountname=TESTLOGIN)(userPrincipalName=TESTLOGIN)))


I am not sure why you had to add the cn part, can you elaborate?




Thanks for all

--
Alejandro Escanero Blanco
Consultant for systems based on open source
FusionDirectory developer (http://www.fusiondirectory.org)
Blog: http://www.disasterproject.com
Jabber: blain...@jabberes.com 







[Users] Ovirt 3.1 and Samba4 AD

2012-11-13 Thread Alejandro
I'm trying to use Samba4rc5 as the authenticator for Ovirt 3.1.0-3.26

The first problem is that Ovirt uses the userPrincipalName (login@domain in place
of login) to authenticate with Samba4, but Samba4 doesn't use it.

I use
engine-manage-domains -action=add -domain=DOMAINFQDN -user=LOGIN
-provider=ActiveDirectory -interactive -addPermissions
And the result is:

No user in Directory was found for LOGIN@DOMAINFQDN. Trying next LDAP
server in list
Failure while testing domain DOMAINFQDN. Details: No user information was
found for user


And the Samba4 give me:
filter=(&(sAMAccountType=805306368)(userPrincipalName=LOGIN@DOMAINFQDN))

But no userPrincipalName is configured in any user.


Current solution: I added a userPrincipalName LOGIN@DOMAINFQDN to the LOGIN
account (using an LDAP tool) and added the ovirt machine to the domain.

After restart the ovirt engine I go to the UserPortal.

Now I find another problem: the user isn't searched by the Common Name (cn).
An example of the search:
filter=(&(sAMAccountType=805306368)(|(givenname=TESTLOGIN)(sn=TESTLOGIN)(samaccountname=TESTLOGIN)(userPrincipalName=TESTLOGIN)))

must be
filter=(&(sAMAccountType=805306368)(|(givenname=TESTLOGIN)(cn=TESTLOGIN)(sn=TESTLOGIN)(samaccountname=TESTLOGIN)(userPrincipalName=TESTLOGIN)))


Thanks for all

-- 
Alejandro Escanero Blanco
Consultant for systems based on open source
FusionDirectory developer (http://www.fusiondirectory.org)
Blog: http://www.disasterproject.com
Jabber: blain...@jabberes.com
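An added example, not code from the thread or from oVirt, that evaluates the two filters quoted in the original post (and in Yair's reply) against constructed directory entries. It reproduces the lookup failure for a Samba4 user that has no userPrincipalName (the attribute AD does not require, as Alejandro's later message notes), shows what adding (cn=...) to the OR clause changes, and contrasts an unescaped with an RFC 4515-escaped filter value, since a login string spliced into a filter without escaping lets the user reshape the query. The entries, DNs and the filter-building helpers are assumptions made for the example; sAMAccountType 805306368 is the AD value for a normal user account.

```python
"""Evaluate the LDAP filters quoted in this thread against constructed entries.

Added example (not oVirt engine code). It shows why the engine's lookup,
filter=(&(sAMAccountType=805306368)(userPrincipalName=LOGIN@DOMAINFQDN)),
misses a Samba4 user that has no userPrincipalName, what adding (cn=...)
to the user-search OR clause changes, and why a value taken from the login
form must be escaped (RFC 4515) before it is spliced into a filter.
"""
import re

# Constructed entries in the shape Samba4/AD returns them.
# sAMAccountType 805306368 (0x30000000) is SAM_NORMAL_USER_ACCOUNT.
DIRECTORY = [
    {"dn": "CN=Test Login,CN=Users,DC=example,DC=org",          # no UPN
     "cn": "Test Login", "givenName": "Test", "sn": "Login",
     "sAMAccountName": "testlogin", "sAMAccountType": "805306368"},
    {"dn": "CN=Test Login,CN=Users,DC=fixed,DC=org",            # UPN added by hand
     "cn": "Test Login", "givenName": "Test", "sn": "Login",
     "sAMAccountName": "testlogin", "sAMAccountType": "805306368",
     "userPrincipalName": "testlogin@example.org"},
    {"dn": "CN=Build Box,CN=Computers,DC=example,DC=org",       # machine account
     "cn": "Build Box", "sAMAccountName": "buildbox$",
     "sAMAccountType": "805306369"},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a string that is interpolated into a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse an RFC 4515 filter string into a tuple tree (equality/presence only)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, children), pos + 1
    end = text.index(")", pos)              # a literal ')' in a value is escaped as \29
    attr, _, value = text[pos:end].partition("=")
    if value == "*":                        # presence test, e.g. (cn=*)
        return ("present", attr.strip()), end + 1
    return ("=", attr.strip(), _unescape(value)), end + 1


def _values(entry, attr):
    # Attribute types are case-insensitive (RFC 4512).
    return [v for k, v in entry.items() if k.lower() == attr.lower()]


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    if op == "present":
        return bool(_values(entry, node[1]))
    # AD's string syntaxes match case-insensitively, so compare lower-cased.
    return any(v.lower() == node[2].lower() for v in _values(entry, node[1]))


def search(filter_text, directory=DIRECTORY):
    """Return the DNs in `directory` matched by `filter_text`."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in directory if matches(node, e)]


def login_filter(login, domain):
    """The lookup the Samba4 log shows, with the UPN escaped."""
    upn = escape_filter_value("%s@%s" % (login, domain))
    return "(&(sAMAccountType=805306368)(userPrincipalName=%s))" % upn


def name_search_filter(term, with_cn=False, escape=True):
    """The user-search OR clause from the thread, optionally with (cn=...).

    escape=False reproduces the unsafe way of building it, for contrast only.
    """
    t = escape_filter_value(term) if escape else term
    attrs = ["givenname", "cn", "sn", "samaccountname", "userPrincipalName"]
    if not with_cn:
        attrs.remove("cn")
    clause = "".join("(%s=%s)" % (a, t) for a in attrs)
    return "(&(sAMAccountType=805306368)(|%s))" % clause


if __name__ == "__main__":
    print(search(login_filter("testlogin", "example.org")))       # only the fixed entry
    print(search(name_search_filter("Test Login")))                # [] without cn
    print(search(name_search_filter("Test Login", with_cn=True)))  # both users
    print(search(name_search_filter("x)(cn=*", escape=False)))     # every user: injected
    print(search(name_search_filter("x)(cn=*")))                   # [] once escaped
```

The evaluator covers only equality and presence assertions, which is all the quoted filters use; substring and extensible matching are left out. The injected term in the fourth call turns the OR clause into a presence test that every user satisfies, which is the kind of reshaping RFC 4515 escaping prevents.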