Re: [ovirt-users] oVirt 3.5 and FreeIpa

2015-01-22 Thread Alon Bar-Lev


- Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: users@ovirt.org
 Sent: Thursday, January 22, 2015 2:09:18 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
 
 
 On 01/22/2015 12:59 PM, Alon Bar-Lev wrote:
  
  - Original Message -
  From: Jorick Astrego j.astrego@netbulae.eu
  To: users@ovirt.org
  Sent: Thursday, January 22, 2015 1:41:40 PM
  Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
  
  
  On 10/31/2014 02:47 PM, Marcelo Donato wrote:
  
  
  
  
  Below the solution. Resolved by Alon Bar-Lev alonbl@redhat.com
  
  
  1. install ovirt-engine-extension-aaa-ldap, it is available in
  ovirt-3.5-snapshots repository.

  2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties

  ovirt.engine.extension.name = din-intranet-authz
  ovirt.engine.extension.bindings.method = jbossmodule
  ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
  ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
  ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
  config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

  3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties

  ovirt.engine.extension.name = din-intranet-authn
  ovirt.engine.extension.bindings.method = jbossmodule
  ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
  ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
  ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
  ovirt.engine.aaa.authn.profile.name = din.intranet
  ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
  config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

  4. create /etc/ovirt-engine/aaa/din.intranet.properties

  include = ipa.properties

  vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
  vars.password = 123456
  vars.server = ipa1.din.intranet

  pool.default.serverset.single.server = ${global:vars.server}
  pool.default.auth.simple.bindDN = ${global:vars.user}
  pool.default.auth.simple.password = ${global:vars.password}
  
  5. restart engine.
  
  
  Thanks a lot Alon.
  
  
  
  Thanks for this, saved me some time!
  
  Just a couple of additions, please hash the password with SSHA (I really
  hate plain text admin passwords...)
  I tried putting an {SSHA} encoded password in vars.password =, but it
  fails to authenticate while plain text works fine.
  I am unsure I understand.
  using hash to store password hint at server side makes sense.
  but using hash to store password at client side does not make sense, this
  means that if I get the server database I can authenticate to any user
  without knowing his password.
  
  Also, please note that the user you specify within configuration should not
  have any special privilege but to query public objects within ldap.
 I don't like storing plain text in textfiles, so I try to avoid it. Even
 if it is a read only user there are no public objects that I like to
 expose to anyone. I can query groups, group members, e-mail addresses,
 krbPasswordExpiration, krbLastPwdChange etc. with this user.
 
 So that's why I try to have the bind user password hashed in the
 properties file.

as I wrote above, storing hash instead of password does not enhance security.
it is the same as if you just set the user's password to the hash.

  For people with multiple ipa replicas I guess you need to use:

  Round robin configuration:

  vars.server1 = ipa1.din.intranet
  vars.server2 = ipa2.din.intranet

  pool.default.serverset.type = round-robin
  pool.default.serverset.round-robin.1.server = ${global:vars.server1}
  pool.default.serverset.round-robin.2.server = ${global:vars.server2}

  instead of

  vars.server = ipa1.din.intranet
  pool.default.serverset.single.server = ${global:vars.server}

  But I still have to test that as our second replica is down at the moment.
  Correct, there are multiple policies for you to choose from.
  
  Also can we get rid of the internal admin or better just disable internal
  authentication without problems? As we have ipa we don't want local login
  enabled, but in emergency situations we might need to turn it on quickly.
  Yes, you can disable the internal by creating
  /etc/ovirt-engine/engine.conf.d/50-disable-internal.conf
  ---
  ENGINE_EXTENSION_ENABLED_builtin-authn-internal = false
  ---
  
  Hmmm we have a bug in this case... will fix, so let's just disable the
  authz for now.
  ---
  ENGINE_EXTENSION_ENABLED_internal = false
  ---
  
  Regards,
  Alon
 thanks! that will work.
 
 
 
 
 
 Met vriendelijke groet, With kind regards,

 Jorick Astrego

 Netbulae Virtualization Experts

 Tel: 053 20 30 270  i...@netbulae.eu  Staalsteden 4-3A  KvK 08198180
 Fax: 053 20 30 271  www.netbulae.eu   7547 TA Enschede  BTW NL821234584B01

Re: [ovirt-users] oVirt 3.5 and FreeIpa

2015-01-22 Thread Jorick Astrego

On 01/22/2015 01:47 PM, Alon Bar-Lev wrote:

 - Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: users@ovirt.org
 Sent: Thursday, January 22, 2015 2:30:30 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa

 Just a couple of additions, please hash the password with SSHA (I really
 hate plain text admin passwords...)
 I tried putting an {SSHA} encoded password in vars.password =, but it
 fails to authenticate while plain text works fine.
 I am unsure I understand.
 using hash to store password hint at server side makes sense.
 but using hash to store password at client side does not make sense, this
 means that if I get the server database I can authenticate to any user
 without knowing his password.

 Also, please note that the user you specify within configuration should
 not
 have any special privilege but to query public objects within ldap.
 I don't like storing plain text in textfiles, so I try to avoid it. Even
 if it is a read only user there are no public objects that I like to
 expose to anyone. I can query groups, group members, e-mail addresses,
 krbPasswordExpiration, krbLastPwdChange etc. with this user.

 So that's why I try to have the bind user password hashed in the
 properties file.
 as I wrote above, storing hash instead of password does not enhance
 security.
 it is the same as if you just set the user's password to the hash.
 Ah yes, silly me. You are absolutely right. It has been such a long
 habit... But it does help when people intercept the traffic.
 No it is not... exactly the opposite... if the hash is sent it is actually 
 weaker than password, as it has lower diversity.
 If you wish you can enable digest-MD5 and use SASL, but still you must store 
 the plain password at client side.

 Does the
 ldap plugin send it hashed to the ldap server?

 I think FreeIPA supports salted sha512 but I'm not entirely sure.

 You'll probably say that I need to enable TLS, but there have been many
 weaknesses in ssl and MITM issues. So more is always better in a
 security perspective.

 Using plain protocol will always be weaker than using TLS, even if you use 
 digest-MD5, kerberos or any other challenge-response mechanism.
 As the password must be kept at client side no matter what protocol you use, 
 using TLS and simple bind is the minimum you can have.
 I believe that TLS + simple bind is sufficient for most usages for a user 
 that has no special access to information.
 From my experience enabling SASL does have its issues, but you may want to 
 check it out if you do not trust TLS, but even if you use SASL, better to use 
 it over TLS.

 Alon
Thanks for clarifying! So I was taught wrong all these years ago ;-)










___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] oVirt 3.5 and FreeIpa

2015-01-22 Thread Jorick Astrego

On 10/31/2014 02:47 PM, Marcelo Donato wrote:

 Below the solution. Resolved by Alon Bar-Lev alo...@redhat.com


 1. install  ovirt-engine-extension-aaa-ldap, it is available in
 ovirt-3.5-snapshots repository.

 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties

 ovirt.engine.extension.name = din-intranet-authz
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties

 ovirt.engine.extension.name = din-intranet-authn
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
 ovirt.engine.aaa.authn.profile.name = din.intranet
 ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

 4. create /etc/ovirt-engine/aaa/din.intranet.properties

 include = ipa.properties

 vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
 vars.password = 123456
 vars.server = ipa1.din.intranet

 pool.default.serverset.single.server = ${global:vars.server}
 pool.default.auth.simple.bindDN = ${global:vars.user}
 pool.default.auth.simple.password = ${global:vars.password}

 5. restart engine.


 Thanks a lot Alon.



Thanks for this, saved me some time!

Just a couple of additions, please hash the password with SSHA (I really
hate plain text admin passwords...)
I tried putting an {SSHA} encoded password in vars.password =, but it
fails to authenticate while plain text works fine.

For people with multiple ipa replicas I guess you need to use:

Round robin configuration:

vars.server1 = ipa1.din.intranet
vars.server2 = ipa2.din.intranet

pool.default.serverset.type = round-robin
pool.default.serverset.round-robin.1.server = ${global:vars.server1}
pool.default.serverset.round-robin.2.server = ${global:vars.server2}


instead of

vars.server = ipa1.din.intranet
pool.default.serverset.single.server = ${global:vars.server}

But I still have to test that as our second replica is down at the moment.

Also can we get rid of the internal admin or better just disable
internal authentication without problems? As we have ipa we don't want
local login enabled, but in emergency situations we might need to turn
it on quickly.




Kind regards,








Re: [ovirt-users] oVirt 3.5 and FreeIpa

2015-01-22 Thread Alon Bar-Lev


- Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: users@ovirt.org
 Sent: Thursday, January 22, 2015 2:30:30 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
 
  
  Just a couple of additions, please hash the password with SSHA (I really
  hate plain text admin passwords...)
  I tried putting an {SSHA} encoded password in vars.password =, but it
  fails to authenticate while plain text works fine.
  I am unsure I understand.
  using hash to store password hint at server side makes sense.
  but using hash to store password at client side does not make sense, this
  means that if I get the server database I can authenticate to any user
  without knowing his password.
  
  Also, please note that the user you specify within configuration should
  not
  have any special privilege but to query public objects within ldap.
  I don't like storing plain text in textfiles, so I try to avoid it. Even
  if it is a read only user there are no public objects that I like to
  expose to anyone. I can query groups, group members, e-mail addresses,
  krbPasswordExpiration, krbLastPwdChange etc. with this user.
  
  So that's why I try to have the bind user password hashed in the
  properties file.
  as I wrote above, storing hash instead of password does not enhance
  security.
  it is the same as if you just set the user's password to the hash.
 
 Ah yes, silly me. You are absolutely right. It has been such a long
 habit... But it does help when people intercept the traffic.

No it is not... exactly the opposite... if the hash is sent it is actually 
weaker than password, as it has lower diversity.
If you wish you can enable digest-MD5 and use SASL, but still you must store 
the plain password at client side.

 Does the
 ldap plugin send it hashed to the ldap server?
 
 I think FreeIPA supports salted sha512 but I'm not entirely sure.
 
 You'll probably say that I need to enable TLS, but there have been many
 weaknesses in ssl and MITM issues. So more is always better in a
 security perspective.
 

Using plain protocol will always be weaker than using TLS, even if you use 
digest-MD5, kerberos or any other challenge-response mechanism.
As the password must be kept at client side no matter what protocol you use, 
using TLS and simple bind is the minimum you can have.
I believe that TLS + simple bind is sufficient for most usages for a user that 
has no special access to information.
From my experience enabling SASL does have its issues, but you may want to 
check it out if you do not trust TLS, but even if you use SASL, better to use 
it over TLS.

Alon
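The {SSHA} point in the exchange above, as an added example that is not code from the thread, from oVirt or from FreeIPA: a small Python model of what a directory does with an {SSHA} verifier on a simple bind. It shows why an {SSHA} string placed in vars.password fails (the server re-hashes whatever string the client sends and compares it with the stored digest), why the client side therefore has to hold the plain bind password, and that the verifier is what the salt protects, not the client's copy. The function names, the fixed 8-byte salt and the sample password are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} verifier as a directory stores it:
    base64(sha1(password || salt) || salt). The salt is normally generated by the
    server; a fixed one is accepted here so the example is reproducible."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(verifier: str, candidate: str) -> bool:
    """Server-side check: re-hash the candidate with the stored salt and compare."""
    prefix = "{SSHA}"
    if not verifier.startswith(prefix):
        raise ValueError("not an {SSHA} verifier")
    raw = base64.b64decode(verifier[len(prefix):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, recomputed)


def simple_bind(stored_verifier: str, bind_password: str) -> bool:
    """Model of an LDAP simple bind: the client sends bind_password as-is (in the
    clear unless the connection is wrapped in TLS) and the server checks it."""
    return check_ssha(stored_verifier, bind_password)


def demo() -> Dict[str, bool]:
    """Reproduce the three observations from the thread with constructed values."""
    real_password = "123456"  # the value shown in the thread's profile
    stored = make_ssha(real_password, salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    return {
        # vars.password = 123456 : the plain password in the profile binds fine.
        "plaintext_in_profile": simple_bind(stored, real_password),
        # vars.password = {SSHA}... : the server treats the hash string as just
        # another candidate password and re-hashes it, so the bind fails.
        "ssha_string_in_profile": simple_bind(stored, stored),
        # The salt makes two verifiers of the same password differ; it protects the
        # server-side store, and does nothing for the copy the client must keep.
        "salt_makes_verifiers_differ": make_ssha(real_password) != make_ssha(real_password),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Whatever string the client keeps in the profile is the credential the server accepts, so replacing it with a hash only changes which string must be protected; the file permissions on the profile and TLS on the LDAP connection are what actually limit exposure.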


Re: [ovirt-users] oVirt 3.5 and FreeIpa

2015-01-22 Thread Jorick Astrego

On 01/22/2015 12:59 PM, Alon Bar-Lev wrote:

 - Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: users@ovirt.org
 Sent: Thursday, January 22, 2015 1:41:40 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa


 On 10/31/2014 02:47 PM, Marcelo Donato wrote:




 Below the solution. Resolved By Alon Bar-Lev  alo...@redhat.com 


 1. install ovirt-engine-extension-aaa-ldap, it is available in
 ovirt-3.5-snapshots repository.

 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties

 ovirt.engine.extension.name = din-intranet-authz
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties

 ovirt.engine.extension.name = din-intranet-authn
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
 ovirt.engine.aaa.authn.profile.name = din.intranet
 ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

 4. create /etc/ovirt-engine/aaa/din.intranet.properties

 include = ipa.properties

 vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
 vars.password = 123456
 vars.server = ipa1.din.intranet

 pool.default.serverset.single.server = ${global:vars.server}
 pool.default.auth.simple.bindDN = ${global:vars.user}
 pool.default.auth.simple.password = ${global:vars.password}

 5. restart engine.


 Thanks a lot Alon.



 Thanks for this, saved me some time!

 Just a couple of additions, please hash the password with SSHA (I really hate
 plain text admin passwords...)
 I tried putting an {SSHA} encoded password in vars.password =, but it
 fails to authenticate while plain text works fine.
 I am unsure I understand.
 using hash to store password hint at server side makes sense.
 but using hash to store password at client side does not make sense, this 
 means that if I get the server database I can authenticate to any user 
 without knowing his password.

 Also, please note that the user you specify within configuration should not 
 have any special privilege but to query public objects within ldap.
I don't like storing plain text in textfiles, so I try to avoid it. Even
if it is a read only user there are no public objects that I like to
expose to anyone. I can query groups, group members, e-mail addresses,
krbPasswordExpiration, krbLastPwdChange etc. with this user.

So that's why I try to have the bind user password hashed in the
properties file.
 For people with multiple ipa replicas I guess you need to use:

 Round robin configuration:

 vars.server1 = ipa1.din.intranet
 vars.server2 = ipa2.din.intranet

 pool.default.serverset.type = round-robin
 pool.default.serverset.round-robin.1.server = ${global:vars.server1}
 pool.default.serverset.round-robin.2.server = ${global:vars.server2}

 instead of

 vars.server = ipa1.din.intranet
 pool.default.serverset.single.server = ${global:vars.server}

 But I still have to test that as our second replica is down at the moment.
 Correct, there are multiple policies for you to choose from.

 Also can we get rid of the internal admin or better just disable internal
 authentication without problems? As we have ipa we don't want local login
 enabled, but in emergency situations we might need to turn it on quickly.
 Yes, you can disable the internal by creating 
 /etc/ovirt-engine/engine.conf.d/50-disable-internal.conf
 ---
 ENGINE_EXTENSION_ENABLED_builtin-authn-internal = false
 ---

 Hmmm we have a bug in this case... will fix, so let's just disable the 
 authz for now.
 ---
 ENGINE_EXTENSION_ENABLED_internal = false
 ---

 Regards,
 Alon
thanks! that will work.










Re: [ovirt-users] oVirt 3.5 and FreeIpa

2015-01-22 Thread Jorick Astrego

On 01/22/2015 01:13 PM, Alon Bar-Lev wrote:

 - Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: users@ovirt.org
 Sent: Thursday, January 22, 2015 2:09:18 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa


 On 01/22/2015 12:59 PM, Alon Bar-Lev wrote:
 - Original Message -
 From: Jorick Astrego j.astrego@netbulae.eu
 To: users@ovirt.org
 Sent: Thursday, January 22, 2015 1:41:40 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa


 On 10/31/2014 02:47 PM, Marcelo Donato wrote:




 Below the solution. Resolved by Alon Bar-Lev alonbl@redhat.com


 1. install ovirt-engine-extension-aaa-ldap, it is available in
 ovirt-3.5-snapshots repository.

 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties

 ovirt.engine.extension.name = din-intranet-authz
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties

 ovirt.engine.extension.name = din-intranet-authn
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
 ovirt.engine.aaa.authn.profile.name = din.intranet
 ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

 4. create /etc/ovirt-engine/aaa/din.intranet.properties

 include = ipa.properties

 vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
 vars.password = 123456
 vars.server = ipa1.din.intranet

 pool.default.serverset.single.server = ${global:vars.server}
 pool.default.auth.simple.bindDN = ${global:vars.user}
 pool.default.auth.simple.password = ${global:vars.password}

 5. restart engine.


 Thanks a lot Alon.



 Thanks for this, saved me some time!

 Just a couple of additions, please hash the password with SSHA (I really
 hate plain text admin passwords...)
 I tried putting an {SSHA} encoded password in vars.password =, but it
 fails to authenticate while plain text works fine.
 I am unsure I understand.
 using hash to store password hint at server side makes sense.
 but using hash to store password at client side does not make sense, this
 means that if I get the server database I can authenticate to any user
 without knowing his password.

 Also, please note that the user you specify within configuration should not
 have any special privilege but to query public objects within ldap.
 I don't like storing plain text in textfiles, so I try to avoid it. Even
 if it is a read only user there are no public objects that I like to
 expose to anyone. I can query groups, group members, e-mail addresses,
 krbPasswordExpiration, krbLastPwdChange etc. with this user.

 So that's why I try to have the bind user password hashed in the
 properties file.
 as I wrote above, storing hash instead of password does not enhance security.
 it is the same as if you just set the user's password to the hash.

Ah yes, silly me. You are absolutely right. It has been such a long
habit... But it does help when people intercept the traffic. Does the
ldap plugin send it hashed to the ldap server?

I think FreeIPA supports salted sha512 but I'm not entirely sure.

You'll probably say that I need to enable TLS, but there have been many
weaknesses in ssl and MITM issues. So more is always better in a
security perspective.











Re: [ovirt-users] oVirt 3.5 and FreeIpa

2015-01-22 Thread Alon Bar-Lev


- Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: users@ovirt.org
 Sent: Thursday, January 22, 2015 1:41:40 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
 
 
 On 10/31/2014 02:47 PM, Marcelo Donato wrote:
 
 
 
 
 Below the solution. Resolved By Alon Bar-Lev  alo...@redhat.com 
 
 
 1. install ovirt-engine-extension-aaa-ldap, it is available in
 ovirt-3.5-snapshots repository.

 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties

 ovirt.engine.extension.name = din-intranet-authz
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties

 ovirt.engine.extension.name = din-intranet-authn
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
 ovirt.engine.aaa.authn.profile.name = din.intranet
 ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

 4. create /etc/ovirt-engine/aaa/din.intranet.properties

 include = ipa.properties

 vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
 vars.password = 123456
 vars.server = ipa1.din.intranet

 pool.default.serverset.single.server = ${global:vars.server}
 pool.default.auth.simple.bindDN = ${global:vars.user}
 pool.default.auth.simple.password = ${global:vars.password}
 
 5. restart engine.
 
 
 Thanks a lot Alon.
 
 
 
 Thanks for this, saved me some time!
 
 Just a couple of additions, please hash the password with SSHA (I really hate
 plain text admin passwords...)
 I tried putting an {SSHA} encoded password in vars.password =, but it
 fails to authenticate while plain text works fine.

I am unsure I understand.
using hash to store password hint at server side makes sense.
but using hash to store password at client side does not make sense, this means 
that if I get the server database I can authenticate to any user without 
knowing his password.

Also, please note that the user you specify within configuration should not 
have any special privilege but to query public objects within ldap.

 For people with multiple ipa replicas I guess you need to use:

 Round robin configuration:

 vars.server1 = ipa1.din.intranet
 vars.server2 = ipa2.din.intranet

 pool.default.serverset.type = round-robin
 pool.default.serverset.round-robin.1.server = ${global:vars.server1}
 pool.default.serverset.round-robin.2.server = ${global:vars.server2}

 instead of

 vars.server = ipa1.din.intranet
 pool.default.serverset.single.server = ${global:vars.server}

 But I still have to test that as our second replica is down at the moment.

Correct, there are multiple policies for you to choose from.

 Also can we get rid of the internal admin or better just disable internal
 authentication without problems? As we have ipa we don't want local login
 enabled, but in emergency situations we might need to turn it on quickly.

Yes, you can disable the internal by creating 
/etc/ovirt-engine/engine.conf.d/50-disable-internal.conf
---
ENGINE_EXTENSION_ENABLED_builtin-authn-internal = false
---

Hmmm we have a bug in this case... will fix, so let's just disable the 
authz for now.
---
ENGINE_EXTENSION_ENABLED_internal = false
---

Regards,
Alon


Re: [ovirt-users] oVirt 3.5 and FreeIpa

2014-10-31 Thread Alon Bar-Lev


- Original Message -
 From: Marcelo Donato don...@din.uem.br
 To: Alon Bar-Lev alo...@redhat.com
 Sent: Friday, October 31, 2014 3:02:03 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
 
 FreeIpa and oVirt, working together. Thanks
 
 However it was necessary to reset the admin password of oVirt.

I do not understand how it is related, not sure I follow. The local admin aka 
admin@internal is different user that is not related to any other setting.

 At the moment my oVirt not have an active datacenter.
 
 The portal user can not log in. See log below.
 
 2014-10-31 10:44:12,600 ERROR
 [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
 (ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom
 Event ID: -1, Message: User l3m01 failed to log in.
 2014-10-31 10:44:12,606 WARN
  [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-8)
 CanDoAction of action LoginUser failed.
 Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
 
 For user login it takes an active datacenter?
 

Not sure what is active data center, however user can login into the webadmin 
if he has SuperUser role or can manage other resources. Are you sure you 
provide correct permissions?

 
 
 --
 When forwarding this message, please:
 1. Delete my e-mail address and my name.
 2. Also delete your friends' addresses before forwarding
 3. Use Cco or Bcc to send messages!
 Make it harder to spread viruses and spam.
 


Re: [ovirt-users] oVirt 3.5 and FreeIpa

2014-10-31 Thread Marcelo Donato
Below the solution. Resolved by Alon Bar-Lev alo...@redhat.com


1. install  ovirt-engine-extension-aaa-ldap, it is available in
ovirt-3.5-snapshots repository.

2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties

ovirt.engine.extension.name = din-intranet-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties

ovirt.engine.extension.name = din-intranet-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = din.intranet
ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

4. create /etc/ovirt-engine/aaa/din.intranet.properties

include = ipa.properties

vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
vars.password = 123456
vars.server = ipa1.din.intranet

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

5. restart engine.


Thanks a lot Alon.





[ovirt-users] oVirt 3.5 and FreeIpa

2014-10-29 Thread Marcelo Donato
Below are the details of my installation, both without firewall and selinux
disabled.


### IPA SERVER
Hostname: ipa1.din.intranet
IP Addr:  10.30.0.25
Release:  CentOS release 6.6 (Final) x86_64


##  oVirt Engine Version: 3.5.0.1-1.el6
Hostname: sequoia.din.intranet
IP Addr:  10.30.0.27
Release:  CentOS release 6.6 (Final) x86_64


##


[root@sequoia ~]# host -t SRV _ldap._tcp.din.intranet
_ldap._tcp.din.intranet has SRV record 0 100 389 ipa1.din.intranet.

[root@sequoia ~]# host -t SRV _kerberos._tcp.din.intranet
_kerberos._tcp.din.intranet has SRV record 0 100 88 ipa1.din.intranet.

[root@sequoia ~]# host -t SRV _kerberos._udp.din.intranet
_kerberos._udp.din.intranet has SRV record 0 100 88 ipa1.din.intranet.

[root@sequoia ~]# host -t SRV _kpasswd._udp.din.intranet
_kpasswd._udp.din.intranet has SRV record 0 100 464 ipa1.din.intranet.

[root@sequoia ~]# host -t A ipa1.din.intranet
ipa1.din.intranet has address 10.30.0.25

[root@sequoia ~]# ldapsearch -x -b "dc=din, dc=intranet" uid=admin
# extended LDIF
#
# LDAPv3
# base <dc=din, dc=intranet> with scope subtree
# filter: uid=admin
# requesting: ALL
#

# admin, users, compat, din.intranet
dn: uid=admin,cn=users,cn=compat,dc=din,dc=intranet

# admin, users, accounts, din.intranet
dn: uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
uid: admin
krbPrincipalName: admin@DIN.INTRANET
cn: Administrator
sn: Administrator
uidNumber: 125080
gidNumber: 125080
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2


[root@sequoia ~]# getent passwd admin
admin:*:125080:125080:Administrator:/home/admin:/bin/bash


[root@sequoia ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@DIN.INTRANET

Valid starting     Expires            Service principal
10/29/14 15:37:46  10/30/14 15:37:45  krbtgt/DIN.INTRANET@DIN.INTRANET


[root@sequoia ~]# engine-manage-domains add --domain=din.intranet --provider=ipa --user=admin
Enter password:
Error:  exception message: ipa1.din.intranet.
Failure while testing domain din.intranet. Details: Kerberos error. Please
check log for further details.


##


[root@ipa1 ~]# tail -f /var/log/krb5kdc.log

Oct 29 15:25:22 ipa1.din.intranet krb5kdc[2007](info): AS_REQ (4 etypes {18
17 16 23}) 10.30.0.27: NEEDED_PREAUTH: host/sequoia.din.uem.br@DIN.INTRANET
for krbtgt/DIN.INTRANET@DIN.INTRANET, Additional pre-authentication required
Oct 29 15:25:22 ipa1.din.intranet krb5kdc[2006](info): AS_REQ (4 etypes {18
17 16 23}) 10.30.0.27: ISSUE: authtime 1414603522, etypes {rep=18 tkt=18
ses=18}, host/sequoia.din.uem.br@DIN.INTRANET for
krbtgt/DIN.INTRANET@DIN.INTRANET
Oct 29 15:25:22 ipa1.din.intranet krb5kdc[2007](info): TGS_REQ (4 etypes
{18 17 16 23}) 10.30.0.27: ISSUE: authtime 1414603522, etypes {rep=18
tkt=18 ses=18}, host/sequoia.din.uem.br@DIN.INTRANET for
ldap/ipa1.din.intranet@DIN.INTRANET

##

Why engine-manage-domains does not work?





Re: [ovirt-users] oVirt 3.5 and FreeIpa

2014-10-29 Thread Alon Bar-Lev
Hi,

Can you please enable the snapshots repository and check out the new ldap 
provider[1][2]?

This should be the new support for ldap, and much more efficient than what we 
had so far.

Thanks,
Alon

[1] ovirt-engine-extension-aaa-ldap
[2] 
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD

- Original Message -
 From: Marcelo Donato don...@din.uem.br
 To: users@ovirt.org
 Sent: Wednesday, October 29, 2014 7:49:31 PM
 Subject: [ovirt-users] oVirt 3.5 and FreeIpa
 
 
 


Re: [ovirt-users] oVirt 3.5 and FreeIpa

2014-10-29 Thread Marcelo Donato
oVirt without it does not work with ipa?






Re: [ovirt-users] oVirt 3.5 and FreeIpa

2014-10-29 Thread Alon Bar-Lev

It should work, but instead of debugging the legacy providers, which are not going 
to be developed further, I suggest you help us perfect the new component, which 
provides much simpler interaction, for example no Kerberos dependency.

- Original Message -
 From: Marcelo Donato don...@din.uem.br
 To: Alon Bar-Lev alo...@redhat.com
 Cc: users@ovirt.org
 Sent: Wednesday, October 29, 2014 8:59:42 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
 
 oVirt without it does not work with ipa?