Re: [Users] oVirt 3.2.2 successfully connected to Samba4

2013-06-28 Thread Charlie
Excellent, Gianluca, thanks for sharing the information!
--Charlie


On Fri, Jun 28, 2013 at 10:19 AM, Gianluca Cecchi gianluca.cec...@gmail.com
 wrote:

 Hello,
 in the past there were some threads related to this subject.
 Today I successfully connected my oVirt 3.2.2 (installed on f18 with
 ovirt-repo) to a CentOS 6 samba4 server.

 Basically I followed this nice page for CentOS 6 with the difference
 that I downloaded and compiled 4.0.6 version of Samba instead of
 4.0.0:

 http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/

 One important thing is that I had to put the samba4 server IP in
 resolv.conf as the first entry for my engine.
 But in my case this was not a problem because samba4 is then
 configured with the original corporate DNS as forwarder, so all is OK
 for me.

 Some commands' output

 [root@c6dc samba-4.0.6]# /usr/local/samba/bin/samba-tool domain
 provision --realm=ovtest.local --domain=OVTEST --adminpass 'X'
 --server-role=dc --dns-backend=BIND9_DLZ
 Looking up IPv4 addresses
 Looking up IPv6 addresses
 No IPv6 address will be assigned
 Setting up secrets.ldb
 Setting up the registry
 Setting up the privileges database
 Setting up idmap db
 Setting up SAM db
 Setting up sam.ldb partitions and settings
 Setting up sam.ldb rootDSE
 Pre-loading the Samba 4 and AD schema
 Adding DomainDN: DC=ovtest,DC=local
 Adding configuration container
 Setting up sam.ldb schema
 Setting up sam.ldb configuration data
 Setting up display specifiers
 Modifying display specifiers
 Adding users container
 Modifying users container
 Adding computers container
 Modifying computers container
 Setting up sam.ldb data
 Setting up well known security principals
 Setting up sam.ldb users and groups
 Setting up self join
 Adding DNS accounts
 Creating CN=MicrosoftDNS,CN=System,DC=ovtest,DC=local
 Creating DomainDnsZones and ForestDnsZones partitions
 Populating DomainDnsZones and ForestDnsZones partitions
 See /usr/local/samba/private/named.conf for an example configuration
 include file for BIND
 and /usr/local/samba/private/named.txt for further documentation
 required for secure DNS updates
 Setting up sam.ldb rootDSE marking as synchronized
 Fixing provision GUIDs
 A Kerberos configuration suitable for Samba 4 has been generated at
 /usr/local/samba/private/krb5.conf
 Once the above files are installed, your Samba4 server will be ready to use
 Server Role:   active directory domain controller
 Hostname:  c6dc
 NetBIOS Domain:OVTEST
 DNS Domain:ovtest.local
 DOMAIN SID:S-1-5-21-4186344073-955232896-1764362378


 [root@c6dc samba-4.0.6]# rndc-confgen -a -r /dev/urandom
 wrote key file /etc/rndc.key


 - tests
 (see also
 http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
 )

 [root@c6dc ]# /usr/local/samba/bin/smbclient -L localhost -U%
 Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]

         Sharename       Type      Comment
         ---------       ----      -------
         netlogon        Disk
         sysvol          Disk
         IPC$            IPC       IPC Service (Samba 4.0.6)
 Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]

         Server               Comment
         ---------            -------

         Workgroup            Master
         ---------            -------

 [root@c6dc ntp-4.2.6p5]# host -t SRV _ldap._tcp.ovtest.local.
 _ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.

 [root@c6dc ntp-4.2.6p5]# host -t SRV _kerberos._udp.ovtest.local.
 _kerberos._udp.ovtest.local has SRV record 0 100 88 c6dc.ovtest.local.


 [root@c6dc ntp-4.2.6p5]# kinit administrator@OVTEST.LOCAL
 Password for administrator@OVTEST.LOCAL:
 Warning: Your password will expire in 41 days on Fri Aug  9 13:30:59 2013

 [root@c6dc ntp-4.2.6p5]# klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: administrator@OVTEST.LOCAL

 Valid starting     Expires            Service principal
 06/28/13 14:55:11  06/29/13 00:55:11  krbtgt/OVTEST.LOCAL@OVTEST.LOCAL
         renew until 07/05/13 14:55:08

 Users' mgmt can be done from windows with Samba AD management tools
 see: http://wiki.samba.org/index.php/Samba_AD_management_from_windows

 I managed from linux
 see: http://wiki.samba.org/index.php/Adding_users_with_samba_tool

 [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/samba-tool user add OVIRTADM
 New Password:
 Retype Password:
 User 'OVIRTADM' created successfully

 [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --name-to-sid OVIRTADM
 S-1-5-21-4186344073-955232896-1764362378-1104 SID_USER (1)

 [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --sid-to-uid S-1-5-21-4186344073-955232896-1764362378-1104
 316

 I missed givenName and sn in user creation.
 Unfortunately there is only a proposed patch for an edit subcommand,
 but it is not included yet.

 http://samba.2283325.n4.nabble.com/Patch-for-samba-tool-user-modify-subcommand-td4634884.html

 See also:
 https://wiki.samba.org/index.php/Samba4/LDBIntro

 To modify users' attributes I used this:
 [root@c6dc ntp

Re: [Users] Active Directory Groups

2013-05-23 Thread Charlie
RFC4515, String Representation of Distinguished Names, says LDAP
transactions that include strings beginning with a space or #
character MUST use the standard LDAP string encoding rules.  Note a
# character in the middle or end of a string is OK, though.  In my
experience the rules apply to attribute specification as well as to
filters and distinguished names.

See Kurt's RFC at http://tools.ietf.org/html/rfc4514 or
http://www.rfc-editor.org/info/rfc4514 for details on how to deal with
funky characters when talking to Directories.

--Charlie

On Thu, May 23, 2013 at 7:31 AM, Thomas Scofield tscofi...@gmail.com wrote:
 I tried various search strings, but I could only find groups if I searched
 for the full group name.

 On May 23, 2013 3:44 AM, René Koch (ovido) r.k...@ovido.at wrote:

 Hi,

 I also had a problem with '#' in a customer project with RHEV 3.0, but
 we also had issues with a broken Active Directory replication. White
 spaces aren't a problem in groups.

 I can't tell if groups with '#' are working, as I told them not to use
 special characters in group names and to fix their replication. Now
 everything is working fine, but I don't know if they created new groups
 for RHEV or if it was just the replication.


 Regards,
 René



 On Thu, 2013-05-23 at 00:36 -0400, Yair Zaslavsky wrote:
  I don't remember encountering such an issue, but probably never
  checked.

  a. What is the search string you're passing in order to get the
  users/groups?
  b. From a quick look at the code, it looks like this is at the step
  of initializing the data that will be queried, that is, before
  sending the AD query.

  Eli, it looks like this is from SearchQuery.InitQueryData; can you
  elaborate here?

  From: Thomas Scofield tscofi...@gmail.com
  To: users users@ovirt.org
  Sent: Thursday, May 23, 2013 4:06:29 AM
  Subject: [Users] Active Directory Groups
 
 
  I was attempting to assign some permissions to Active
  Directory groups and ran into an issue with groups that have
  spaces or the # sign in them.  The engine log contained
  messages like these:

  2013-05-22 08:39:35,228 WARN  [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-134) ResourceManager::searchBusinessObjects - erroneous search text - ADGROUP: name=#Virtual Engineering
  2013-05-22 08:39:35,228 WARN  [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-46) ResourceManager::searchBusinessObjects - erroneous search text - ADUSER: allnames=#Virtual Engineering
 
 
  The group name is valid.  The example above contains both the
  space and #, but trying groups with just a space and others
  with just a # also fail.  I was able to successfully add
  groups that contained characters and -.  Has anyone else had
  an issue like this?
 
 
 
  ___
  Users mailing list
  Users@ovirt.org
  http://lists.ovirt.org/mailman/listinfo/users
 
 





Re: [Users] AD authentication for ovirt manager

2013-04-23 Thread Charlie
Also set your Active Directory source as your time synchronization
provider.  You need DNS, Directory services, Kerberos and network time
all from the same source if you want anything approaching reliability.

--Charlie

On Mon, Apr 22, 2013 at 6:17 PM, Christian Hernandez
christi...@4over.com wrote:
 Hello Jonathan,

 I believe you can use the Red Hat Documentation for this.

 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Evaluation_Guide/Evaluation_Guide-VDI.html#Evaluation_Guide-Add_Active_Directory

 One of the gotchas that I ran into is that you need to specify the Active
 Directory as your DNS provider in your resolv.conf file (not sure if it was
 coincidence or not; but I ran into some issues that went away when I did
 this)

 HTH


 Thank you,

 Christian Hernandez
 1225 Los Angeles Street
 Glendale, CA 91204
 Phone: 877-782-2737 ext. 4566
 Fax: 818-265-3152
 christi...@4over.com mailto:christi...@4over.com
 www.4over.com http://www.4over.com


 On Mon, Apr 22, 2013 at 2:57 PM, Jonathan Horne jho...@skopos.us wrote:

 Is there a write-up out there for setting up oVirt users and administrators
 to authenticate into the portal via AD?



 Thanks,

 Jonathan




 







Re: [Users] What do you want to see in oVirt next?

2013-01-04 Thread Charlie
On Thu, Jan 3, 2013 at 11:08 AM, Itamar Heim ih...@redhat.com wrote:
 Hi Everyone,

 as we wrap oVirt 3.2, I wanted to check with oVirt users on what they find
 good/useful in oVirt, and what they would like to see improved/added in
 coming versions?

 Thanks,
Itamar

Good/useful:  Open Source virtualization with a strong web management
interface.  Rapidly improving, too.

wish improved:  SPICE connection reliability and LDAPS support.

wish added:  native ATA-over-Ethernet SAN support.

wish removed:  Kerberos dependencies.  Let people who want Kerb have
it, but don't force it where it's not needed.  LDAP over SSL is
secure.

Many thanks to all the oVirt team for all their hard work!

--Charlie


Re: [Users] OpenLDAP Simple Authentication in Ovirt Engine

2012-12-11 Thread Charlie
True LDAP does not require a password encryption method and is
perfectly happy with cleartext storage and use.

In practice, one uses a secure channel (LDAPS or STARTTLS or an encrypted
network) and most LDAP servers (such as OpenLDAP) will allow several
different kinds of password encryption.

An application, though, should not ever deal with this issue.  The
password should be validated by doing a BIND operation, and the
application should not do any READ operations on the userPassword
value at any time, only authenticate operations.  Let the LDAP server
manage authentication.

Groups are harder.  You cannot rely on the presence of a memberOf
attribute, unfortunately, and schema are contextually meaningless, so
you need a way for the directory administrator to tell the client code
how groups are being stored in the server.  Thierry gives one example,
another is groupOfNames using a member attribute containing DNs of
members.  Those are the two most common methods, but there are more.

--Charlie

On Tue, Dec 4, 2012 at 2:31 AM, Thierry Kauffmann
thierry.kauffm...@univ-montp2.fr wrote:

 On 04/12/2012 00:51, Itamar Heim wrote:

 On 11/30/2012 12:30 PM, Thierry Kauffmann wrote:

 Hi,

 I am currently testing Ovirt 3.1 standalone on Fedora 17.

 Until now, I could only use the default user admin@internal.

 Our Directory at the University is OpenLDAP. We use it for
 authentication WITHOUT Kerberos : Simple authentication.


 Just wondering, I'm sure it is encrypted somehow, do you know which way?
 Also, when using OpenLDAP, which schema are you using?

 thanks,
Itamar


 Hi,

 the password is transmitted by the client encrypted (hashed) to the openldap 
 server.
 We use the standard schemes delivered by openldap : core, cosine, nis, 
 inetorgperson and samba

 A normal user dn is : uid=username,ou=Users,dc=example,dc=com
 A normal group dn is : cn=groupname,ou=Groups,dc=example,dc=com
 Group members are a list of values for the attribute memberUid of a group 
 dn.

 regards,

 Thierry


 I wonder how to use this backend to authenticate users and manage groups
 in Ovirt.

 Has anyone already set this up ?
 How to configure Ovirt to use Simple Authentication (No Kerberos).

 Cheers,

 --
 Thierry Kauffmann
 Head of the IT Department // Faculty of Sciences // Université de
 Montpellier 2

 SIF - IT Department of the Faculty of Sciences
 http://sif.info-ufr.univ-montp2.fr/
 UM2 - Université de Montpellier 2
 http://www.univ-montp2.fr/
 CC437 // Place Eugène Bataillon // 34095 Montpellier Cedex 5

 Tel: 04 67 14 31 58
 email: thierry.kauffm...@univ-montp2.fr
 web: http://sif.info-ufr.univ-montp2.fr/ http://www.fdsweb.univ-montp2.fr/












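Both the "#Virtual Engineering" group names that oVirt's search rejected in the Active Directory Groups thread above and the groupOfNames/member versus memberUid group schemes discussed in this thread come down to two different LDAP quoting rules and to how membership is queried. The following is an added example, not code from the list, from oVirt or from any poster, showing RFC 4514 DN escaping next to RFC 4515 filter escaping and the membership filters for both schemes; the base DN `ou=Users,dc=example,dc=com` is taken from Thierry's message, and the object classes and the `group` objectClass used for the name lookup are assumptions.

```python
r"""Added example (not from the mailing-list thread or from oVirt).

Two quoting rules are in play when a group name such as "#Virtual Engineering"
reaches a directory:

  * RFC 4514 (DNs): a leading '#' or space and a trailing space must be escaped
    with a backslash, as must , + " \ < > ;  A '#' in the middle is fine.
  * RFC 4515 (search filters): only NUL ( ) * \ are special and are written as
    \XX hex pairs; '#' and spaces pass through untouched.

Treating the two as interchangeable is how valid group names get rejected or,
worse, how a user-controlled value ends up rewriting a filter.
"""

_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            # Position-dependent rule: leading '#'/space, trailing space.
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


_FILTER_SPECIAL = {"\0": "\\00", "(": "\\28", ")": "\\29", "*": "\\2a", "\\": "\\5c"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3)."""
    return "".join(_FILTER_SPECIAL.get(ch, ch) for ch in value)


def user_dn(uid: str, base: str = "ou=Users,dc=example,dc=com") -> str:
    """Build a user DN in the shape posted in the thread (base DN assumed)."""
    return f"uid={escape_dn_value(uid)},{base}"


def group_by_name_filter(name: str, object_class: str = "group") -> str:
    """Look up a group by display name; 'group' is the AD objectClass and is
    an assumption here, OpenLDAP deployments vary."""
    return f"(&(objectClass={object_class})(cn={escape_filter_value(name)}))"


def membership_filter(scheme: str, uid: str,
                      base: str = "ou=Users,dc=example,dc=com") -> str:
    """Filter returning every group that contains the user, for the two group
    storage schemes discussed in the thread.

    groupOfNames -> members are DNs in the multi-valued 'member' attribute
    posixGroup   -> members are login names in the 'memberUid' attribute
    """
    if scheme == "groupOfNames":
        # The DN string is itself re-escaped for the filter, so a DN-escaped
        # backslash becomes \5c inside the filter.
        member = escape_filter_value(user_dn(uid, base))
        return f"(&(objectClass=groupOfNames)(member={member}))"
    if scheme == "posixGroup":
        return f"(&(objectClass=posixGroup)(memberUid={escape_filter_value(uid)}))"
    raise ValueError(f"unknown group scheme: {scheme!r}")


if __name__ == "__main__":
    for name in ("#Virtual Engineering", " leading space", "Sales#Team", "a,b"):
        print(f"{name!r:24} DN: {escape_dn_value(name)!r:26} "
              f"filter: {escape_filter_value(name)!r}")
    print(membership_filter("groupOfNames", "jdoe"))
    print(membership_filter("posixGroup", "jdoe"))
    print(group_by_name_filter("#Virtual Engineering"))
```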


Re: [Users] Manage users without Red Hat Directory Server or IBM Tivoli Directory Server?

2012-12-06 Thread Charlie
Supporting non-Kerberos LDAP with simple authentication and no DNS
integration would significantly decrease the work required for people
like Dennis.  Instead of having to set up Kerberos and DNS and an LDAP
provider that integrates with both, he could just set up a very simple
LDAP server and use a physically secured network or SSL with
self-signed keys to protect his authentication traffic.

There are already LDAP servers that use simple backends, including an
OpenLDAP variant that uses /etc/passwd and /etc/shadow instead of a
db.  If the requirement for Kerberos and DNS directory integration
were removed, and simple authentication worked, you would be able to
support pretty much anything out there in the linux/unix world.

That way oVirt wouldn't have to reinvent any wheels, and people like
Dennis would have significantly less costly and time-consuming
rebuilding of their networks to do before being able to implement
oVirt.

--Charlie

On Wed, Dec 5, 2012 at 4:52 AM, Itamar Heim ih...@redhat.com wrote:
 On 12/05/2012 11:50 AM, Roy Golan wrote:

 On 12/05/2012 11:01 AM, Yair Zaslavsky wrote:


 - Original Message -

 From: Dennis Böck den...@webdienstleistungen.com
 To: Itamar Heim ih...@redhat.com
 Cc: users@oVirt.org users@ovirt.org
 Sent: Wednesday, December 5, 2012 10:48:58 AM
 Subject: Re: [Users] Manage users without Red Hat Directory Server or
 IBM Tivoli Directory Server?

 Dear Itamar,

 we (German Air Navigation Services) would like to use oVirt for
 testing our air traffic applications.
 In our air traffic application system, there is no directory service,
 since we don't need one. Consequently our test system has no
 directory service too.
 We differentiate only between root-users (manage the OS), air traffic
 application operational-users and air traffic application
 technical-users.
 For three kinds of users a directory service would mean too much
 overhead.
 oVirt is complex enough, therefore it would be advantageous to have a
 simple user-management without the need to install/configure/run a
 directory service infrastructure.

 Best regards
 Dennis

 Hi Dennis,
 From what you're describing, you have to populate oVirt somehow with
 3 groups:
 root-users, air traffic application operational-users and air traffic
 application technical-users.

 Not sure if you have technical developers at your organization, but in
 the past we developed an internal broker [1] which is not
 LDAP/Directory-Service based.
 We have future thoughts about supporting not just directory services.
 But for now, perhaps the quickest thing for you guys (if you have a
 technical team of developers) is to write your own broker, similar to
 the internal broker.
 I actually saw a non-LDAP broker that was implemented based on the way
 the internal broker was implemented.
 But I really think you should reconsider your decision NOT to use an LDAP
 directory service.


 [1] Internal broker: the piece of code responsible for the
 admin@internal user


 Yair

 I feel that we do need a plain and simple user management broker (could
 be file based, similar to jboss user/group properties). Dennis' concerns
 about the time/money to invest in an up & running
 installation with few groups seem just.

 we can make /etc/ovirt-engine/user-management/users.properties and
 group.properties

 users.properties:

   #key could be considered as the DN

   user1.name=Dennis
   user1.id={UUID}
   user1.groupids={admins group id},{others}
   user1.pass=plaintext

 group properties:

   admins.id={UUID}
   admins.desc=some description


 there are enough implementations for these things, we don't need to invent
 our own.




 
 From: Itamar Heim [ih...@redhat.com]
 Sent: Tuesday, 4 December 2012 00:44
 To: Dennis Böck
 Cc: users@oVirt.org
 Subject: Re: [Users] Manage users without Red Hat Directory Server or
 IBM Tivoli Directory Server?

 On 12/03/2012 08:51 AM, Dennis Böck wrote:

 Dear oVirt-Community,

 how can I add a new user? If I click “Add” under the “Users” tab of the
 web interface, I cannot create a new user. If I start a search, only the
 user “admin” is displayed.

 Is it maybe not possible to create users out of oVirt?

 Even users which I added locally (on the fedora host which runs the
 ovirt engine) are not displayed.

 Can you only manage users if oVirt is connected to a Red Hat
 Directory
 Server or IBM Tivoli Directory Server?

 can you please explain the use case where there is no existing
 directory
 to handle group membership and authentication?

 thanks,
  Itamar




Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-14 Thread Charlie
The domainInfrastructure wiki page is helpful.  The examples are
great.  It has enough information to understand how oVirt formats an
LDAP filter string, for example, which is very important.  The
constant use of the word domain is confusing, though.

People outside the Microsoft world don't know that Microsoft
documentation uses three different definitions of domain, sometimes in
the same document.  Most people will probably just assume you mean an
IANA domain.

I've worked with LDAP for over ten years, and I read the oVirt
domainInfrastructure page three or four times but I still couldn't
figure out why it kept talking about domains and LDAP at the same time
until I took a week of AD classes and studied a couple of O'Reilly AD
books.

For example, when the oVirt wiki talks about root DSE for domain it
doesn't make sense to anyone who isn't already familiar with AD.  A
rootDSE describes the configuration of a DSA instance (LDAP server
daemon) as defined in RFC4512 section 5.1, and doesn't have anything
to do with domains.  The word domain does not occur in RFC4512 or
RFC2251 at all.  The page doesn't explain why oVirt needs a domain and
a root DSE to have any special relationship.  ISPs load information
for hundreds of IANA domains under a single root DSE and it's not a
problem; I've done five domains in one DSA under one root DSE.

If there was an oVirt wiki page called LDAP or
DirectoryInfrastructure, that page could explain if domains really
need to be part of oVirt, and if so which kind of domain, and then
link the current domainInfrastructure page.  Or it could link a
separate page for each directory supported by oVirt, and the current
domainInfrastructure page could become an activeDirectory page and
retain all the AD-specific language.

--Charlie

On Wed, Nov 14, 2012 at 8:50 AM, Oved Ourfalli ov...@redhat.com wrote:


 - Original Message -
 From: Jiri Belka jbe...@redhat.com
 To: users@ovirt.org
 Sent: Wednesday, November 14, 2012 9:30:39 AM
 Subject: Re: [Users] Ovirt 3.1 and Samba4 AD

 On 11/13/2012 09:40 PM, Charlie wrote:
  I would like to help oVirt gain compatibility with standards-based
  services like OpenLDAP, but the code's in a language I haven't used
  and a version control system I haven't used and the wiki has no
  LDAP
  interaction design documents (other than the sources themselves)
  and
  I've got very limited free time, all of which makes it hard to
  contribute.

 +1


 We do have some wiki pages that can be useful to set up a development 
 environment, like:
 http://wiki.ovirt.org/wiki/Working_with_oVirt_Gerrit
 http://wiki.ovirt.org/wiki/Building_oVirt_engine

 Architecture page:
 http://wiki.ovirt.org/wiki/Architecture

 And specifically, there is a wiki page on the LDAP infrastructure, that can 
 give a clue on what entities we have there, and how to work with them:
 http://wiki.ovirt.org/wiki/DomainInfrastructure

 --

 Jiri Belka
 jbe...@redhat.com



Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-14 Thread Charlie
Oved, totally agree about externalizing the configuration.  Also I
like Roy Golan's recommendation of a wiki design page, because I can
probably offer more in the design phase than the actual coding phase.
I know the OpenLDAP schema interface rather well, and I have my own
OID so I can define globally useful oVirt schema for you if you'd like
to go that route.

You guys are always very helpful and encouraging, which is why this
project moves so fast.

--Charlie

On Wed, Nov 14, 2012 at 11:41 AM, Oved Ourfalli ov...@redhat.com wrote:


 - Original Message -
 From: Oved Ourfalli ov...@redhat.com
 To: Jiri Belka jbe...@redhat.com, medieval...@gmail.com
 Cc: users@ovirt.org
 Sent: Wednesday, November 14, 2012 3:50:45 PM
 Subject: Re: [Users] Ovirt 3.1 and Samba4 AD



 - Original Message -
  From: Jiri Belka jbe...@redhat.com
  To: users@ovirt.org
  Sent: Wednesday, November 14, 2012 9:30:39 AM
  Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
 
  On 11/13/2012 09:40 PM, Charlie wrote:
   I would like to help oVirt gain compatibility with
   standards-based
   services like OpenLDAP, but the code's in a language I haven't
   used
   and a version control system I haven't used and the wiki has no
   LDAP
   interaction design documents (other than the sources themselves)
   and
   I've got very limited free time, all of which makes it hard to
   contribute.
 
  +1
 

 We do have some wiki pages that can be useful to set up a development
 environment, like:
 http://wiki.ovirt.org/wiki/Working_with_oVirt_Gerrit
 http://wiki.ovirt.org/wiki/Building_oVirt_engine

 Architecture page:
 http://wiki.ovirt.org/wiki/Architecture

 And specifically, there is a wiki page on the LDAP infrastructure,
 that can give a clue on what entities we have there, and how to work
 with them:
 http://wiki.ovirt.org/wiki/DomainInfrastructure


 When looking at OpenLDAP before, I remember the issue was that we didn't have
 any standard schema to work with that had all the different attributes we
 need.
 Currently, we require authenticating to a Kerberos server. Also, the
 configuration of the different provider queries is done inside the source
 code, and not configured externally.
 So, IMO the best way to add a new OpenLDAP provider is first to externalize
 this configuration, so that anyone can tweak it according to his schema.

 I hope the wiki pages above can give a clue on the infrastructure, but we
 would be more than happy to help guide you with that.
 The relevant people are Yair Zaslavsky (yzasl...@redhat.com), Roy Golan
 (rgo...@redhat.com), and myself, who did the latest work on this
 infrastructure, so we would be more than happy to help on IRC, e-mail, phone
 calls, etc.

 Another relevant mailing list is engine-de...@ovirt.org, where most engine
 developers are, so that's the best place to get guidance regarding git,
 gerrit, java, and every development matter.

 Oved
  --
 
  Jiri Belka
  jbe...@redhat.com
 



Re: [Users] Ovirt 3.1 and Samba4 AD

2012-11-13 Thread Charlie
FreeIPA is a Microsoft clone solution.  It is an emulator for AD,
much like Samba4 is.  Neither of them is based on Open Standards,
although both are Open Source.  This is a very important distinction.

In our test RHEVM environment, only closed-source, proprietary
Microsoft Active Directory could provide a fully functional user
provisioning interface.  We attempted OpenLDAP, FreeIPA, and Samba4
but after a couple of weeks the bosses got tired of the slow progress,
threw up their hands and told us to just use Microsoft.  This
situation led directly to the replacement of half a dozen production
Red Hat servers with Microsoft Hyper-V hosted Windows servers.
Essentially, this one shortcoming (inability to use OpenLDAP as an AAA
source) ended up driving the abandonment of Open Source in our
enterprise.  We're currently in the process of replacing all our FOSS
infrastructure in DNS, DHCP, NTP, LDAP, etc. with ADS and there's
nothing I can do to stop that.

http://en.wikipedia.org/wiki/For_Want_of_a_Nail_%28proverb%29

It's very unfortunate.  Law of unintended consequences I guess.  I
would like to help oVirt gain compatibility with standards-based
services like OpenLDAP, but the code's in a language I haven't used
and a version control system I haven't used and the wiki has no LDAP
interaction design documents (other than the sources themselves) and
I've got very limited free time, all of which makes it hard to
contribute.

I hope that didn't sound too much like whining.  I don't blame anyone
outside my organization for my organization's bad decisions, I'm just
pointing out that giving your userbase no option other than to
implement proprietary Directory models may have unintended
consequences in the field.  Why spend a lot of money pretending to be
Microsoft when you can be Microsoft for the same or less money?

--Charlie

 I know it, but the idea of avoiding Microsoft solutions and moving to an
 Open Source environment is very interesting.


 we do support a few other directory solutions (like freeIPA and 389ds).
 389ds needs a kerberos enhancement.


Kerberos should be optional.  Many organizations don't need the extra
complexity, LDAP STARTTLS or LDAPS gives them all the security they
need.


Re: [Users] call for suggests on oVirt authentication back-end (directory service, etc.)

2012-10-10 Thread Charlie
LDAP-accessible core directories are pretty much required for any
large enterprise for the foreseeable future.  Products like email
gateways, remote support hosts, clustered services, cloud
environments, etc. etc. all need highly available consistent user
provisioning and AAA service, and everybody's building in LDAP clients
to achieve this.  You get a bomgar box or an Ironport and it wants
LDAP.  If you have 250 linux/Solaris/HP-UX servers you can choose
LDAP, NIS/YP or Hesiod, but LDAP is best.

Microsoft's ADS is simply their embraced and extended LDAP, designed
to pull you into the Microsoft support structure forever by providing
capabilities and consistency slightly extended beyond what
RFC-compliant LDAP servers provide.

TL;DR version - if you have 400 or more employees build a core
directory with user passwords in it.  If you are a Microsoft shop use
ADS and be happy, if you are not a Microsoft shop think very carefully
about letting the camel's nose into the tent.

--Charlie

On Wed, Oct 10, 2012 at 6:47 AM, Yair Zaslavsky yzasl...@redhat.com wrote:


 On 10/10/2012 12:13 PM, Itamar Heim wrote:

 On 10/09/2012 03:56 PM, Alan Johnson wrote:

 Thanks to Tim Hildred, I found out about the need to have a directory
 server.  Before I embark on this path, I thought I could ping the
 community to get a sense of what is common, easy, and/or available to
 best suit our wants.

 First, what's the easiest one to setup and use?  Something with a simple
 GUI would be desirable: a webmin module perhaps?

 Most ideal would be something that is in line with our desire to move
 towards single sign on, ultimately authenticating against Google Apps.
 Does Google provide something supported?  Is there something that can
 proxy google apps auth to an oVirt supported protocol?

 Alternately, we have an LDAP server, but it does NOT store passwords,
 and as such, does not provide authentication for anything.  Will oVirt
 store passwords for users created from such an LDAP service, or does
 LDAP need to be the authority as well?


 Currently oVirt code has SIMPLE and Kerberos authentication.
 Queries that are not RootDSE queries must be authenticated.



 Finally, we also have NIS setup (thought we hope to get away from that
 soon), so some means of authenticating through the systems local PAM
 system would be the next most convenient.

 These are just thoughts and I am completely open to suggestions.  Thanks
 in advance for any input! =)


 in the future, well, everything is possible. for now, your choices are:
 freeIPA/IPA
 389ds/RHDS
 MS AD
 Tivoli DS

 ovirt does not store passwords (other than for admin@internal)




