Re: [Users] oVirt 3.2.2 successfully connected to Samba4
Excellent, Gianluca, thanks for sharing the information!

--Charlie

On Fri, Jun 28, 2013 at 10:19 AM, Gianluca Cecchi wrote:
> Hello,
> in the past there were some threads related to this subject.
> Today I successfully connected my oVirt 3.2.2 (installed on f18 with
> ovirt-repo) to a CentOS 6 samba4 server.
>
> Basically I followed this nice page for CentOS 6 with the difference
> that I downloaded and compiled 4.0.6 version of Samba instead of
> 4.0.0:
>
> http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
>
> One important thing is that I had to put samba4 server ip in
> resolv.conf as the first for my engine.
> But in my case this was not a problem because samba4 is then
> configured with the original corporate dns as forwarder, so all is ok
> for me
>
> Some commands' output
>
> [root@c6dc samba-4.0.6]# /usr/local/samba/bin/samba-tool domain
> provision --realm=ovtest.local --domain=OVTEST --adminpass 'X'
> --server-role=dc --dns-backend=BIND9_DLZ
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=ovtest,DC=local
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=ovtest,DC=local
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> See /usr/local/samba/private/named.conf for an example configuration
> include file for BIND
> and /usr/local/samba/private/named.txt for further documentation
> required for secure DNS updates
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba 4 has been generated at
> /usr/local/samba/private/krb5.conf
> Once the above files are installed, your Samba4 server will be ready to use
> Server Role:           active directory domain controller
> Hostname:              c6dc
> NetBIOS Domain:        OVTEST
> DNS Domain:            ovtest.local
> DOMAIN SID:            S-1-5-21-4186344073-955232896-1764362378
>
> [root@c6dc samba-4.0.6]# rndc-confgen -a -r /dev/urandom
> wrote key file "/etc/rndc.key"
>
> - tests
> (see also
> http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
> )
>
> [root@c6dc ]# /usr/local/samba/bin/smbclient -L localhost -U%
> Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk
>         sysvol          Disk
>         IPC$            IPC       IPC Service (Samba 4.0.6)
> Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]
>
>         Server               Comment
>         ---------            -------
>
>         Workgroup            Master
>         ---------            -------
>
> [root@c6dc ntp-4.2.6p5]# host -t SRV _ldap._tcp.ovtest.local.
> _ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.
>
> [root@c6dc ntp-4.2.6p5]# host -t SRV _kerberos._udp.ovtest.local.
> _kerberos._udp.ovtest.local has SRV record 0 100 88 c6dc.ovtest.local.
>
> [root@c6dc ntp-4.2.6p5]# kinit administrator@OVTEST.LOCAL
> Password for administrator@OVTEST.LOCAL:
> Warning: Your password will expire in 41 days on Fri Aug  9 13:30:59 2013
>
> [root@c6dc ntp-4.2.6p5]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@OVTEST.LOCAL
>
> Valid starting     Expires            Service principal
> 06/28/13 14:55:11  06/29/13 00:55:11  krbtgt/OVTEST.LOCAL@OVTEST.LOCAL
>         renew until 07/05/13 14:55:08
>
> Users' mgmt can be done from windows with Samba AD management tools
> see: http://wiki.samba.org/index.php/Samba_AD_management_from_windows
>
> I managed from linux
> see: http://wiki.samba.org/index.php/Adding_users_with_samba_tool
>
> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/samba-tool user add OVIRTADM
> New Password:
> Retype Password:
> User 'OVIRTADM' created successfully
>
> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --name-to-sid
> OVIRTADM
> S-1-5-21-4186344073-95523
Re: [Users] Active Directory Groups
RFC4515, "String Representation of Distinguished Names", says LDAP transactions that include strings beginning with a space or "#" character MUST use the standard LDAP string encoding rules. Note a "#" character in the middle or end of a string is OK, though. In my experience the rules apply to attribute specification as well as to filters and distinguished names. See Kurt's RFC at http://tools.ietf.org/html/rfc4514 or http://www.rfc-editor.org/info/rfc4514 for details on how to deal with funky characters when talking to Directories.

--Charlie

On Thu, May 23, 2013 at 7:31 AM, Thomas Scofield wrote:
> I tried various search strings, but I could only find groups if I searched
> for the full group name.
>
> On May 23, 2013 3:44 AM, "René Koch (ovido)" wrote:
>>
>> Hi,
>>
>> I also had a problem with '#' in a customer project with RHEV 3.0, but
>> we also had issues with a broken active directory replication. White
>> spaces aren't a problem in groups.
>>
>> I can't tell if groups with '#' are working, as I told them to not use
>> special characters in group names and to fix their replication. Now
>> everything is working fine, but don't know if they created new groups
>> for RHEV or if it was just the replication.
>>
>> Regards,
>> René
>>
>> On Thu, 2013-05-23 at 00:36 -0400, Yair Zaslavsky wrote:
>> > I don't remember encountering such an issue, but probably never
>> > checked.
>> >
>> > a. What is the search string you're passing in order to get the
>> > users/groups?
>> > b. From quick look at the code - looks like this is at the step
>> > of initializing the data that will be queried - that is, before
>> > sending the AD query.
>> >
>> > Eli - looks like this is from the SearchQuery.InitQueryData - can you
>> > elaborate here?
>> >
>> > ----
>> > From: "Thomas Scofield"
>> > To: "users"
>> > Sent: Thursday, May 23, 2013 4:06:29 AM
>> > Subject: [Users] Active Directory Groups
>> >
>> > I was attempting to assign some permissions to Active
>> > Directory groups and ran into an issue where groups with
>> > spaces or the # sign in them. The engine log contained
>> > messages like these
>> >
>> > 2013-05-22 08:39:35,228 WARN
>> > [org.ovirt.engine.core.bll.SearchQuery]
>> > (ajp--127.0.0.1-8702-134)
>> > ResourceManager::searchBusinessObjects - erroneous search text
>> > - ADGROUP: name=#Virtual Engineering
>> > 2013-05-22 08:39:35,228 WARN
>> > [org.ovirt.engine.core.bll.SearchQuery]
>> > (ajp--127.0.0.1-8702-46)
>> > ResourceManager::searchBusinessObjects - erroneous search text
>> > - ADUSER: allnames=#Virtual Engineering
>> >
>> > The group name is valid. The example above contains both the
>> > space and #, but trying groups with just a space and others
>> > with just a # also fail. I was able to successfully add
>> > groups that contained characters and -. Has anyone else had
>> > an issue like this?
>> >

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
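Added example, not code from the thread or from oVirt: the escaping rules the reply above points at, applied to the group name from the engine log. RFC 4514 governs attribute values inside a DN (a leading "#" or space needs a backslash), while RFC 4515 governs assertion values inside a search filter (where "#" and space are plain but "*", parentheses, backslash and NUL must be hex-escaped). The `group` objectClass and the base DN `OU=Groups,DC=example,DC=com` are assumptions for illustration.

```python
# Added example (not from the thread): escaping LDAP string values per
# RFC 4514 (distinguished names) and RFC 4515 (search filters), using the
# group name from the engine log above, "#Virtual Engineering".

# RFC 4514 section 2.4: characters that need a backslash anywhere inside
# an attribute value of a DN.
_DN_SPECIAL = frozenset('\\,+"<>;')

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value of a search filter.  '#' and space are NOT in this
# set; they are ordinary characters in a filter.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in an RFC 4514 DN string.

    A leading '#' or space and a trailing space get a backslash; the
    characters in _DN_SPECIAL are backslash-escaped wherever they occur;
    NUL is written as the hex pair \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use in an RFC 4515 search filter.

    Besides correctness for odd names, this is what stops a caller-supplied
    value from closing the filter early (LDAP filter injection).
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_dn(cn: str, base: str) -> str:
    """Build the DN of a group entry named `cn` under `base`.

    `base` is assumed to be an already valid DN string.
    """
    return f"CN={escape_dn_value(cn)},{base}"


def group_search_filter(name: str) -> str:
    """Build an AD-style filter that looks a group up by its exact name.

    'group' is Active Directory's objectClass for groups (assumption for
    this example; other directories use other classes).
    """
    return f"(&(objectClass=group)(cn={escape_filter_value(name)}))"


if __name__ == "__main__":
    name = "#Virtual Engineering"             # from the engine log above
    base = "OU=Groups,DC=example,DC=com"      # constructed base DN
    print(group_dn(name, base))               # CN=\#Virtual Engineering,OU=Groups,DC=example,DC=com
    print(group_search_filter(name))          # (&(objectClass=group)(cn=#Virtual Engineering))
    print(group_search_filter("*)(cn=*"))     # (&(objectClass=group)(cn=\2a\29\28cn=\2a))
```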
Re: [Users] AD authentication for ovirt manager
Also set your Active Directory source as your time synchronization provider. You need DNS, Directory services, Kerberos and network time all from the same source if you want anything approaching reliability.

--Charlie

On Mon, Apr 22, 2013 at 6:17 PM, Christian Hernandez wrote:
> Hello Jonathan,
>
> I believe you can use the Red Hat Documentation for this.
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Evaluation_Guide/Evaluation_Guide-VDI.html#Evaluation_Guide-Add_Active_Directory
>
> One of the "gotchas" that I ran into is that you need to specify the Active
> Directory as your DNS provider in your resolv.conf file (not sure if it was
> coincidence or not; but I ran into some issues that went away when I did
> this)
>
> HTH
>
> Thank you,
>
> Christian Hernandez
> 1225 Los Angeles Street
> Glendale, CA 91204
> Phone: 877-782-2737 ext. 4566
> Fax: 818-265-3152
> christi...@4over.com
> www.4over.com
>
> On Mon, Apr 22, 2013 at 2:57 PM, Jonathan Horne wrote:
>>
>> Is there a write up out there for setting up ovirt users and administrators
>> to authenticate into the portal via AD?
>>
>> Thanks,
>>
>> Jonathan
Re: [Users] What do you want to see in oVirt next?
On Thu, Jan 3, 2013 at 11:08 AM, Itamar Heim wrote:
> Hi Everyone,
>
> as we wrap oVirt 3.2, I wanted to check with oVirt users on what they find
> good/useful in oVirt, and what they would like to see improved/added in
> coming versions?
>
> Thanks,
>    Itamar

Good/useful: Open Source virtualization with a strong web management interface. Rapidly improving, too.

wish improved: SPICE connection reliability and LDAPS support.

wish added: native ATA-over-Ethernet SAN support.

wish removed: Kerberos dependencies. Let people who want Kerb have it, but don't force it where it's not needed. LDAP over SSL is secure.

Many thanks to all the oVirt team for all their hard work!

--Charlie
Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine
True LDAP does not require a password encryption method and is perfectly happy with cleartext storage and use. In practice, one uses a secure channel (LDAPS or Starttls or encrypted network) and most LDAP servers (such as OpenLDAP) will allow several different kinds of password encryption. An application, though, should not ever deal with this issue. The password should be validated by doing a BIND operation, and the application should not do any READ operations on the userPassword value at any time, only authenticate operations. Let the LDAP server manage authentication.

Groups are harder. You cannot rely on the presence of a memberOf attribute, unfortunately, and schema are contextually meaningless, so you need a way for the directory administrator to tell the client code how groups are being stored in the server. Thierry gives one example, another is groupOfNames using a "member" attribute containing DNs of members. Those are the two most common methods, but there are more.

--Charlie

On Tue, Dec 4, 2012 at 2:31 AM, Thierry Kauffmann wrote:
>
> On 04/12/2012 00:51, Itamar Heim wrote:
>
> On 11/30/2012 12:30 PM, Thierry Kauffmann wrote:
>
> Hi,
>
> I am currently testing Ovirt 3.1 standalone on Fedora 17.
>
> Until now, I could only use the default user admin@internal.
>
> Our Directory at the University is OpenLDAP. We use it for
> authentication WITHOUT Kerberos : Simple authentication.
>
>
> just wondering, i'm sure it is encrypted somehow, do you know which way?
> also, when using openldap, which scheme are you using?
>
> thanks,
>    Itamar
>
>
> Hi,
>
> the password is transmitted by the client encrypted (hashed) to the openldap
> server.
> We use the standard schemes delivered by openldap : core, cosine, nis,
> inetorgperson and samba
>
> A normal user dn is : uid=username,ou=Users,dc=example,dc=com
> A normal group dn is : cn=groupname,ou=Groups,dc=example,dc=com
> Group members are a list of values for the attribute "memberUid" of a group
> dn.
>
> regards,
>
> Thierry
>
>
> I wonder how to use this backend to authenticate users and manage groups
> in Ovirt.
>
> Has anyone already set this up ?
> How to configure Ovirt to use Simple Authentication (No Kerberos).
>
> Cheers,
>
> --
> Thierry Kauffmann
> Head of IT Services // Faculté des Sciences // Université de Montpellier 2
>
> SIF - Service Informatique de la Faculté des Sciences
> http://sif.info-ufr.univ-montp2.fr/
> UM2 - Université de Montpellier 2
> http://www.univ-montp2.fr/
> CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5
>
> Tel: 04 67 14 31 58
> email: thierry.kauffm...@univ-montp2.fr
> web: http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/
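Added example, not oVirt's code or Thierry's: the "let the administrator describe the group layout" approach from the reply above, worked for the two schemes it names. `GroupScheme` is a constructed configuration record; `SAMPLE_ENTRIES` is a constructed in-memory directory with Thierry's `uid=...,ou=Users` / `cn=...,ou=Groups` layout, so the membership test can be run offline instead of against a server.

```python
# Added example (not oVirt's code): resolving a user's group memberships
# when the directory administrator tells the client how groups are stored.
# Two schemes are configured: posixGroup with memberUid values (the
# OpenLDAP layout described in the thread) and groupOfNames with member
# values that hold DNs.  No memberOf attribute is assumed to exist.
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupScheme:
    """Admin-supplied description of how group entries are stored."""
    object_class: str   # objectClass of group entries
    member_attr: str    # attribute that lists the members
    member_is_dn: bool  # True: values are DNs; False: values are uids


POSIX_SCHEME = GroupScheme("posixGroup", "memberUid", member_is_dn=False)
GROUP_OF_NAMES_SCHEME = GroupScheme("groupOfNames", "member", member_is_dn=True)

# Constructed sample directory (not a real server).  LDAP attribute names
# are case-insensitive, so entries are keyed by lower-cased names here.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=Users,dc=example,dc=com",
     "objectclass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"]},
    {"dn": "uid=bob,ou=Users,dc=example,dc=com",
     "objectclass": ["inetOrgPerson", "posixAccount"], "uid": ["bob"]},
    {"dn": "cn=admins,ou=Groups,dc=example,dc=com",
     "objectclass": ["posixGroup"], "cn": ["admins"],
     "memberuid": ["alice", "bob"]},
    {"dn": "cn=ovirt-users,ou=Groups,dc=example,dc=com",
     "objectclass": ["groupOfNames"], "cn": ["ovirt-users"],
     "member": ["uid=alice,ou=Users,dc=example,dc=com"]},
]

# RFC 4515 filter escapes, so a uid or DN cannot alter the filter structure.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_value(scheme: GroupScheme, user_dn: str, uid: str) -> str:
    """The value a group entry stores for this user under the given scheme."""
    return user_dn if scheme.member_is_dn else uid


def group_search_filter(scheme: GroupScheme, user_dn: str, uid: str) -> str:
    """Build the filter a client would send to list the user's groups.

    The group entries themselves are searched, which works on any server,
    rather than reading a memberOf attribute that may not exist.
    """
    value = escape_filter_value(member_value(scheme, user_dn, uid))
    return f"(&(objectClass={scheme.object_class})({scheme.member_attr}={value}))"


def _normalize_dn(dn: str) -> str:
    # Simplified DN matching: case-fold and drop spaces around commas.
    # A real server applies distinguishedNameMatch (RFC 4517), which also
    # handles escaped commas and multi-valued RDNs.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _matches(scheme: GroupScheme, stored: str, wanted: str) -> bool:
    if scheme.member_is_dn:
        return _normalize_dn(stored) == _normalize_dn(wanted)
    return stored == wanted


def groups_of_user(entries, scheme: GroupScheme, user_dn: str, uid: str):
    """Evaluate the same membership test locally over a list of entries."""
    wanted = member_value(scheme, user_dn, uid)
    found = []
    for entry in entries:
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if scheme.object_class.lower() not in classes:
            continue
        stored_values = entry.get(scheme.member_attr.lower(), [])
        if any(_matches(scheme, v, wanted) for v in stored_values):
            found.append(entry["dn"])
    return found


if __name__ == "__main__":
    alice = "uid=alice,ou=Users,dc=example,dc=com"
    for scheme in (POSIX_SCHEME, GROUP_OF_NAMES_SCHEME):
        print(group_search_filter(scheme, alice, "alice"))
        print(groups_of_user(SAMPLE_ENTRIES, scheme, alice, "alice"))
```

Swapping the scheme changes only the filter the client sends and the comparison it performs; the user's password is never read, which keeps the BIND-only rule from the reply intact.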
Re: [Users] Manage users without Red Hat Directory Server or IBM Tivoli Directory Server?
Supporting non-Kerberos LDAP with simple authentication and no DNS integration would significantly decrease the work required for people like Dennis. Instead of having to set up Kerberos and DNS and an LDAP provider that integrates with both, he could just set up a very simple LDAP server and use a physically secured network or SSL with self-signed keys to protect his authentication traffic. There are already LDAP servers that use simple backends, including an OpenLDAP variant that uses /etc/passwd and /etc/shadow instead of a db.

If the requirement for Kerberos and DNS directory integration were removed, and simple authentication worked, you would be able to support pretty much anything out there in the linux/unix world. That way oVirt wouldn't have to reinvent any wheels, and people like Dennis would have significantly less costly and time-consuming rebuilding of their networks to do before being able to implement oVirt.

--Charlie

On Wed, Dec 5, 2012 at 4:52 AM, Itamar Heim wrote:
> On 12/05/2012 11:50 AM, Roy Golan wrote:
>>
>> On 12/05/2012 11:01 AM, Yair Zaslavsky wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Dennis Böck"
>>>> To: "Itamar Heim"
>>>> Cc: "users@oVirt.org"
>>>> Sent: Wednesday, December 5, 2012 10:48:58 AM
>>>> Subject: Re: [Users] Manage users without Red Hat Directory Server or
>>>> IBM Tivoli Directory Server?
>>>>
>>>> Dear Itamar,
>>>>
>>>> we (German Air Navigation Services) would like to use oVirt for
>>>> testing our air traffic applications.
>>>> In our air traffic application system, there is no directory service,
>>>> since we don't need one. Consequently our test system has no
>>>> directory service too.
>>>> We differentiate only between root-users (manage the OS), air traffic
>>>> application operational-users and air traffic application
>>>> technical-users.
>>>> For three kinds of users a directory service would mean too much
>>>> overhead.
>>>> oVirt is complex enough, therefore it would be advantageous to have a
>>>> simple user-management without the need to install/configure/run a
>>>> directory service infrastructure.
>>>>
>>>> Best regards
>>>> Dennis
>>>
>>> Hi Dennis,
>>> From what you're describing - you have to populate oVirt somehow with
>>> 3 groups -
>>> root-users, air traffic application operational-users and air traffic
>>> application technical-users.
>>>
>>> Not sure if you have technical developers at your organization, but at
>>> past we developed an internal broker [1] which is not
>>> Ldap/Directory-Service based.
>>> We have future thoughts about supporting not just directory services.
>>> But for now - perhaps the quickest thing for you guys (if you have a
>>> technical team of developers) is to write your own broker, similar to
>>> the internal broker).
>>> I actually saw a non ldap broker that was implemented based on the way
>>> the internal broker was implemented.
>>> But I really think you should reconsider your decision NOT to use ldap
>>> directory-service
>>>
>>> [1] - Internal broker - the piece of code responsible for the
>>> admin@internal user
>>>
>>> Yair
>>
>> I feel that we do need a plain and simple user management broker (could
>> be file based similar to jboss user/group properties). Dennis concerns
>> about the time/money to invest in an up & running
>> installation with few groups seems just.
>>
>> we can make /etc/ovirt-engine/user-management/users.properties and
>> group.properties
>>
>> users.properties:
>>
>> #key could be considered as the DN
>>
>> user1.name=Dennis
>> user1.id={UUID}
>> user1.groupids={admins group id},{others}
>> user1.pass=plaintext
>>
>> group properties:
>>
>> admins.id={UUID}
>> admins.desc=some description
>
> there are enough implementations for these things, we don't need to invent
> our own.
>
>>>> From: Itamar Heim [ih...@redhat.com]
>>>> Sent: Tuesday, 4 December 2012 00:44
>>>> To: Dennis Böck
>>>> Cc: users@oVirt.org
>>>> Subject: Re: [Users] Manage users without Red Hat Directory Server or
>>>> IBM Tivoli Direct
Re: [Users] Ovirt 3.1 and Samba4 AD
Oved, totally agree about externalizing the configuration. Also I like Roy Golan's recommendation of a wiki design page, because I can probably offer more in the design phase than the actual coding phase. I know the OpenLDAP schema interface rather well, and I have my own OID so I can define globally useful oVirt schema for you if you'd like to go that route.

You guys are always very helpful and encouraging, which is why this project moves so fast.

--Charlie

On Wed, Nov 14, 2012 at 11:41 AM, Oved Ourfalli wrote:
>
> ----- Original Message -----
>> From: "Oved Ourfalli"
>> To: "Jiri Belka" , medieval...@gmail.com
>> Cc: users@ovirt.org
>> Sent: Wednesday, November 14, 2012 3:50:45 PM
>> Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
>>
>> ----- Original Message -----
>> > From: "Jiri Belka"
>> > To: users@ovirt.org
>> > Sent: Wednesday, November 14, 2012 9:30:39 AM
>> > Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
>> >
>> > On 11/13/2012 09:40 PM, Charlie wrote:
>> > > I would like to help oVirt gain compatibility with standards-based
>> > > services like OpenLDAP, but the code's in a language I haven't used
>> > > and a version control system I haven't used and the wiki has no LDAP
>> > > interaction design documents (other than the sources themselves) and
>> > > I've got very limited free time, all of which makes it hard to
>> > > contribute.
>> >
>> > +1
>> >
>>
>> We do have some wiki pages that can be useful to set up a development
>> environment, like:
>> http://wiki.ovirt.org/wiki/Working_with_oVirt_Gerrit
>> http://wiki.ovirt.org/wiki/Building_oVirt_engine
>>
>> Architecture page:
>> http://wiki.ovirt.org/wiki/Architecture
>>
>> And specifically, there is a wiki page on the LDAP infrastructure,
>> that can give a clue on what entities we have there, and how to work
>> with them:
>> http://wiki.ovirt.org/wiki/DomainInfrastructure
>>
>
> When looking at OpenLDAP before I remember the issue was that we didn't have
> any standard schema to work with, that had all the different attributes we
> need.
> Currently, we require to authenticate to a Kerberos server. Also, the
> configuration of the different provider queries is done inside the source
> code, and not configured externally.
> So, IMO the best way to add a new OpenLDAP provider is first to externalize
> this configuration, so that anyone can tweak it out according to his schema.
>
> I hope the wiki pages above can give a clue on the infrastructure, but we
> would be more than happy to help guiding you about that.
> The relevant people are Yair Zaslavsky (yzasl...@redhat.com), and Roy Golan
> (rgo...@redhat.com), and myself, which did the latest work on this
> infrastructure, so we would be more than happy to help on IRC, E-mails, phone
> calls, and etc.
>
> Another relevant mailing list is engine-de...@ovirt.org, where most engine
> developers are, so that's the best place to get guidance regarding git,
> gerrit, java, and every development matter.
>
> Oved
>> > --
>> >
>> > Jiri Belka
>> > jbe...@redhat.com
Re: [Users] Ovirt 3.1 and Samba4 AD
The domainInfrastructure wiki page is helpful. The examples are great. It has enough information to understand how oVirt formats an LDAP filter string, for example, which is very important.

The constant use of the word "domain" is confusing, though. People outside the Microsoft world don't know that Microsoft documentation uses three different definitions of domain, sometimes in the same document. Most people will probably just assume you mean an IANA domain. I've worked with LDAP for over ten years, and I read the oVirt domainInfrastructure page three or four times but I still couldn't figure out why it kept talking about domains and LDAP at the same time until I took a week of AD classes and studied a couple of O'Reilly AD books.

For example, when the oVirt wiki talks about "root DSE for domain" it doesn't make sense to anyone who isn't already familiar with AD. A rootDSE describes the configuration of a DSA instance (LDAP server daemon) as defined in RFC4512 section 5.1, and doesn't have anything to do with domains. The word domain does not occur in RFC4512 or RFC2251 at all. The page doesn't explain why oVirt needs a domain and a root DSE to have any special relationship. ISPs load information for hundreds of IANA domains under a single root DSE and it's not a problem; I've done five domains in one DSA under one root DSE.

If there was an oVirt wiki page called LDAP or DirectoryInfrastructure, that page could explain if domains really need to be part of oVirt, and if so which kind of domain, and then link the current domainInfrastructure page. Or it could link a separate page for each directory supported by oVirt, and the current domainInfrastructure page could become an activeDirectory page and retain all the AD-specific language.

--Charlie

On Wed, Nov 14, 2012 at 8:50 AM, Oved Ourfalli wrote:
>
> ----- Original Message -----
>> From: "Jiri Belka"
>> To: users@ovirt.org
>> Sent: Wednesday, November 14, 2012 9:30:39 AM
>> Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
>>
>> On 11/13/2012 09:40 PM, Charlie wrote:
>> > I would like to help oVirt gain compatibility with standards-based
>> > services like OpenLDAP, but the code's in a language I haven't used
>> > and a version control system I haven't used and the wiki has no LDAP
>> > interaction design documents (other than the sources themselves) and
>> > I've got very limited free time, all of which makes it hard to
>> > contribute.
>>
>> +1
>>
>
> We do have some wiki pages that can be useful to set up a development
> environment, like:
> http://wiki.ovirt.org/wiki/Working_with_oVirt_Gerrit
> http://wiki.ovirt.org/wiki/Building_oVirt_engine
>
> Architecture page:
> http://wiki.ovirt.org/wiki/Architecture
>
> And specifically, there is a wiki page on the LDAP infrastructure, that can
> give a clue on what entities we have there, and how to work with them:
> http://wiki.ovirt.org/wiki/DomainInfrastructure
>
>> --
>>
>> Jiri Belka
>> jbe...@redhat.com
Re: [Users] Ovirt 3.1 and Samba4 AD
FreeIPA is a microsoft "clone" solution. It is an emulator for AD, much like Samba4 is. Neither of them is based on Open Standards, although both are Open Source. This is a very important distinction.

In our test RHEVM environment, only closed-source, proprietary Microsoft Active Directory could provide a fully functional user provisioning interface. We attempted OpenLDAP, FreeIPA, and Samba4 but after a couple of weeks the bosses got tired of the slow progress, threw up their hands and told us to just use Microsoft. This situation led directly to the replacement of half a dozen production Red Hat servers with Microsoft Hyper-V hosted Windows servers. Essentially, this one shortcoming (inability to use OpenLDAP as an AAA source) ended up driving the abandonment of Open Source in our enterprise. We're currently in the process of replacing all our FOSS infrastructure in DNS, DHCP, NTP, LDAP, etc. with ADS and there's nothing I can do to stop that.

http://en.wikipedia.org/wiki/For_Want_of_a_Nail_%28proverb%29

It's very unfortunate. Law of unintended consequences I guess.

I would like to help oVirt gain compatibility with standards-based services like OpenLDAP, but the code's in a language I haven't used and a version control system I haven't used and the wiki has no LDAP interaction design documents (other than the sources themselves) and I've got very limited free time, all of which makes it hard to contribute.

I hope that didn't sound too much like whining. I don't blame anyone outside my organization for my organization's bad decisions, I'm just pointing out that giving your userbase no option other than to implement proprietary Directory models may have unintended consequences in the field. Why spend a lot of money pretending to be Microsoft when you can be Microsoft for the same or less money?

--Charlie

>> I know it, but is very interesting the idea to avoid Microsoft solutions
>> and move to OpenSource Environment.
>
> we do support a few other directory solutions (like freeIPA and 389ds).
> 389ds needs a kerberos enhancement.
>

Kerberos should be optional. Many organizations don't need the extra complexity, LDAP STARTTLS or LDAPS gives them all the security they need.
Re: [Users] call for suggests on oVirt authentication back-end (directory service, etc.)
LDAP-accessible core directories are pretty much required for any large enterprise for the foreseeable future. Products like email gateways, remote support hosts, clustered services, cloud environments, etc. etc. all need highly available consistent user provisioning and AAA service, and everybody's building in LDAP clients to achieve this. You get a bomgar box or an Ironport and it wants LDAP. If you have 250 linux/Solaris/HP-UX servers you can choose LDAP, NIS/YP or Hesiod, but LDAP is best.

Microsoft's ADS is simply their "embraced and extended" LDAP, designed to pull you into the Microsoft support structure forever by providing capabilities and consistency slightly extended beyond what RFC-compliant LDAP servers provide.

TL;DR version - if you have 400 or more employees build a core directory with user passwords in it. If you are a Microsoft shop use ADS and be happy, if you are not a Microsoft shop think very carefully about letting the camel's nose into the tent.

--Charlie

On Wed, Oct 10, 2012 at 6:47 AM, Yair Zaslavsky wrote:
>
> On 10/10/2012 12:13 PM, Itamar Heim wrote:
>>
>> On 10/09/2012 03:56 PM, Alan Johnson wrote:
>>>
>>> Thanks to Tim Hildred, I found out about the need to have a directory
>>> server. Before I embark on this path, I thought I could ping the
>>> community to get a sense for what is common, easy, and/or available to
>>> best suit our wants.
>>>
>>> First, what's the easiest one to setup and use? Something with a simple
>>> GUI would be desirable: a webmin module perhaps?
>>>
>>> Most ideal would be something that is in line with our desire to move
>>> towards single sign on, ultimately authenticating against Google Apps.
>>> Does Google provide something supported? Is there something that can
>>> proxy google apps auth to an oVirt supported protocol?
>>>
>>> Alternately, we have an LDAP server, but it does NOT store passwords,
>>> and as such, does not provide authentication for anything. Will oVirt
>>> store passwords for users created from such an LDAP service, or does
>>> LDAP need to be the authority as well?
>
> Currently oVirt code has SIMPLE and Kerberos authentication.
> Queries that are not RootDSE queries must be authenticated.
>
>>>
>>> Finally, we also have NIS setup (though we hope to get away from that
>>> soon), so some means of authenticating through the systems local PAM
>>> system would be the next most convenient.
>>>
>>> These are just thoughts and I am completely open to suggestions. Thanks
>>> in advance for any input! =)
>>
>> in the future, well, everything is possible. for now, your choices are:
>> freeIPA/IPA
>> 389ds/RHDS
>> MS AD
>> Tivoli DS
>>
>> ovirt does not store passwords (other than for admin@internal)