Re: [Users] Manage users without Red Hat Directory Server or IBM Tivoli Directory Server?

2012-12-07 Thread Itamar Heim

On 12/06/2012 10:35 PM, Charlie wrote:

Supporting non-Kerberos LDAP with simple authentication and no DNS
integration would significantly decrease the work required for people
like Dennis.  Instead of having to set up Kerberos and DNS and an LDAP
provider that integrates with both, he could just set up a very simple
LDAP server and use a physically secured network or SSL with
self-signed keys to protect his authentication traffic.

There are already LDAP servers that use simple backends, including an
OpenLDAP variant that uses /etc/passwd and /etc/shadow instead of a
db.  If the requirement for Kerberos and DNS directory integration
were removed, and simple authentication worked, you would be able to
support pretty much anything out there in the linux/unix world.

That way oVirt wouldn't have to reinvent any wheels, and people like
Dennis would have significantly less costly and time-consuming
rebuilding of their networks to do before being able to implement
oVirt.


I agree. hopefully we'll get to fix this soon.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [Users] Manage users without Red Hat Directory Server or IBM Tivoli Directory Server?

2012-12-06 Thread Charlie
Supporting non-Kerberos LDAP with simple authentication and no DNS
integration would significantly decrease the work required for people
like Dennis.  Instead of having to set up Kerberos and DNS and an LDAP
provider that integrates with both, he could just set up a very simple
LDAP server and use a physically secured network or SSL with
self-signed keys to protect his authentication traffic.

There are already LDAP servers that use simple backends, including an
OpenLDAP variant that uses /etc/passwd and /etc/shadow instead of a
db.  If the requirement for Kerberos and DNS directory integration
were removed, and simple authentication worked, you would be able to
support pretty much anything out there in the linux/unix world.

That way oVirt wouldn't have to reinvent any wheels, and people like
Dennis would have significantly less costly and time-consuming
rebuilding of their networks to do before being able to implement
oVirt.

--Charlie

On Wed, Dec 5, 2012 at 4:52 AM, Itamar Heim ih...@redhat.com wrote:
 On 12/05/2012 11:50 AM, Roy Golan wrote:

 On 12/05/2012 11:01 AM, Yair Zaslavsky wrote:


 - Original Message -

 From: Dennis Böck den...@webdienstleistungen.com
 To: Itamar Heim ih...@redhat.com
 Cc: users@oVirt.org users@ovirt.org
 Sent: Wednesday, December 5, 2012 10:48:58 AM
 Subject: Re: [Users] Manage users without Red Hat Directory Server or
 IBM Tivoli Directory Server?

 Dear Itamar,

 we (German Air Navigation Services) would like to use oVirt for
 testing our air traffic applications.
 In our air traffic application system, there is no directory service,
 since we don't need one. Consequently our test system has no
 directory service too.
 We differentiate only between root-users (manage the OS), air traffic
 application operational-users and air traffic application
 technical-users.
 For three kinds of users a directory service would mean too much
 overhead.
 oVirt is complex enough, therefore it would be advantageous to have a
 simple user-management without the need to install/configure/run a
 directory service infrastructure.

 Best regards
 Dennis

 Hi Dennis,
  From what you're describing - you have to populate oVirt somehow with
 3 groups -
 root-users, air traffic application operational-users and air traffic
 application technical-users.

 Not sure if you have technical developers at your organization, but at
 past we developed an internal broker [1] which is not
 Ldap/Directory-Service based.
 We have future thoughts about supporting not just directory services.
 But for now - perhaps the quickest thing for you guys (if you have a
 technical team of developers) is to write your own broker, similar to
 the internal broker).
 I actually saw a non ldap broker that was implemented based on the way
 the internal broker was implemented.
 But I really think you should reconsider your decision NOT to use ldap
 directory-service


 [1] - Internal broker - the piece of code responsible for the
 admin@internal user


 Yair

 I feel that we do need a plain and simple user management broker (could
 be file based similar to jboss user/group properties). Dennis's concerns
 about the time/money to invest in an up and running
 installation with few groups seem just.

 we can make /etc/ovirt-engine/user-management/users.properties and
 group.properties

 users.properties:

   #key could be considered as the DN

   user1.name=Dennis
   user1.id={UUID}
   user1.groupids={admins group id},{others}
   user1.pass=plaintext

 group properties:

   admins.id={UUID}
   admins.desc=some description


 there are enough implementations for these things, we don't need to invent
 our own.




 
 From: Itamar Heim [ih...@redhat.com]
 Sent: Tuesday, 4 December 2012 00:44
 To: Dennis Böck
 Cc: users@oVirt.org
 Subject: Re: [Users] Manage users without Red Hat Directory Server or
 IBM Tivoli Directory Server?

 On 12/03/2012 08:51 AM, Dennis Böck wrote:

 Dear oVirt-Community,

 how can I add a new User? If I click “Add” under the “Users”-Tag of the
 web interface, I cannot create a new user. If I start a search, only the
 user “admin” is displayed.

 Is it maybe not possible to create users out of oVirt?

 Even users which I added locally (on the fedora host which runs the
 ovirt engine) are not displayed.

 Can you only manage users if oVirt is connected to a Red Hat Directory
 Server or IBM Tivoli Directory Server?

 can you please explain the use case where there is no existing directory
 to handle group membership and authentication?

 thanks,
  Itamar

Re: [Users] Manage users without Red Hat Directory Server or IBM Tivoli Directory Server?

2012-12-05 Thread Roy Golan

On 12/05/2012 11:01 AM, Yair Zaslavsky wrote:


- Original Message -

From: Dennis Böck den...@webdienstleistungen.com
To: Itamar Heim ih...@redhat.com
Cc: users@oVirt.org users@ovirt.org
Sent: Wednesday, December 5, 2012 10:48:58 AM
Subject: Re: [Users] Manage users without Red Hat Directory Server or IBM 
Tivoli Directory Server?

Dear Itamar,

we (German Air Navigation Services) would like to use oVirt for
testing our air traffic applications.
In our air traffic application system, there is no directory service,
since we don't need one. Consequently our test system has no
directory service too.
We differentiate only between root-users (manage the OS), air traffic
application operational-users and air traffic application
technical-users.
For three kinds of users a directory service would mean too much
overhead.
oVirt is complex enough, therefore it would be advantageous to have a
simple user-management without the need to install/configure/run a
directory service infrastructure.

Best regards
Dennis

Hi Dennis,
From what you're describing - you have to populate oVirt somehow with 3 groups -
root-users, air traffic application operational-users and air traffic
application technical-users.

Not sure if you have technical developers at your organization, but at past we 
developed an internal broker [1] which is not Ldap/Directory-Service based.
We have future thoughts about supporting not just directory services.
But for now - perhaps the quickest thing for you guys (if you have a technical 
team of developers) is to write your own broker, similar to the internal 
broker).
I actually saw a non ldap broker that was implemented based on the way the 
internal broker was implemented.
But I really think you should reconsider your decision NOT to use ldap 
directory-service


[1] - Internal broker - the piece of code responsible for the admin@internal user


Yair

I feel that we do need a plain and simple user management broker (could
be file based similar to jboss user/group properties). Dennis's concerns
about the time/money to invest in an up and running
installation with few groups seem just.

we can make /etc/ovirt-engine/user-management/users.properties and 
group.properties


users.properties:

 #key could be considered as the DN

 user1.name=Dennis
 user1.id={UUID}
 user1.groupids={admins group id},{others}
 user1.pass=plaintext

group properties:

 admins.id={UUID}
 admins.desc=some description




From: Itamar Heim [ih...@redhat.com]
Sent: Tuesday, 4 December 2012 00:44
To: Dennis Böck
Cc: users@oVirt.org
Subject: Re: [Users] Manage users without Red Hat Directory Server or
IBM Tivoli Directory Server?

On 12/03/2012 08:51 AM, Dennis Böck wrote:

Dear oVirt-Community,

how can I add a new User? If I click “Add” under the “Users”-Tag of the
web interface, I cannot create a new user. If I start a search, only the
user “admin” is displayed.

Is it maybe not possible to create users out of oVirt?

Even users which I added locally (on the fedora host which runs the
ovirt engine) are not displayed.

Can you only manage users if oVirt is connected to a Red Hat Directory
Server or IBM Tivoli Directory Server?

can you please explain the use case where there is no existing directory
to handle group membership and authentication?

thanks,
 Itamar
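
A sketch of the file-based broker idea from Roy Golan's message above, as an added example that is not part of the thread or of oVirt's code: it reads the proposed users.properties / group.properties layout but keeps a salted PBKDF2 hash in the `pass` field instead of plaintext. The hash string format, the function names, the iteration count and the sample values are assumptions made for this example.

```python
import base64, hashlib, hmac, os

ITERATIONS = 100_000  # assumed work factor for this sketch

def hash_password(password, salt=None):
    """Build the value stored in userN.pass: scheme$iterations$salt$hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    enc = lambda b: base64.b64encode(b).decode()
    return f"pbkdf2-sha256${ITERATIONS}${enc(salt)}${enc(dk)}"

def parse_properties(text):
    """Parse 'entry.field=value' lines into {entry: {field: value}}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        entry, _, field = key.strip().partition(".")
        entries.setdefault(entry, {})[field] = value.strip()
    return entries

def authenticate(users, groups, name, password):
    """Return the user's sorted group names, or None if the login fails."""
    names_by_id = {g.get("id"): gname for gname, g in groups.items()}
    for user in users.values():
        if user.get("name") != name:
            continue
        try:
            scheme, iters, salt, expected = user["pass"].split("$")
            dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     base64.b64decode(salt), int(iters))
            ok = scheme == "pbkdf2-sha256" and hmac.compare_digest(
                dk, base64.b64decode(expected))
        except (KeyError, ValueError):
            return None  # missing or plaintext pass field: refuse the login
        if not ok:
            return None
        ids = user.get("groupids", "").split(",")
        return sorted(names_by_id[i] for i in ids if i in names_by_id)
    return None

# Constructed sample files in the layout proposed in the thread.
SAMPLE_GROUPS = "admins.id=aaaa-0001\nadmins.desc=some description\n"
SAMPLE_USERS = "\n".join([
    "user1.name=Dennis",
    "user1.groupids=aaaa-0001,zzzz-9999",  # second id matches no group
    "user1.pass=" + hash_password("correct horse"),
    "user2.name=Legacy", "user2.pass=plaintext",  # plaintext entry is refused
])
```

The files holding these values would still need to be readable only by the engine's service account, since the hashes can be attacked offline.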


Re: [Users] Manage users without Red Hat Directory Server or IBM Tivoli Directory Server?

2012-12-05 Thread Itamar Heim

On 12/05/2012 11:50 AM, Roy Golan wrote:

On 12/05/2012 11:01 AM, Yair Zaslavsky wrote:


- Original Message -

From: Dennis Böck den...@webdienstleistungen.com
To: Itamar Heim ih...@redhat.com
Cc: users@oVirt.org users@ovirt.org
Sent: Wednesday, December 5, 2012 10:48:58 AM
Subject: Re: [Users] Manage users without Red Hat Directory Server or
IBM Tivoli Directory Server?

Dear Itamar,

we (German Air Navigation Services) would like to use oVirt for
testing our air traffic applications.
In our air traffic application system, there is no directory service,
since we don't need one. Consequently our test system has no
directory service too.
We differentiate only between root-users (manage the OS), air traffic
application operational-users and air traffic application
technical-users.
For three kinds of users a directory service would mean too much
overhead.
oVirt is complex enough, therefore it would be advantageous to have a
simple user-management without the need to install/configure/run a
directory service infrastructure.

Best regards
Dennis

Hi Dennis,
 From what you're describing - you have to populate oVirt somehow with
3 groups -
root-users, air traffic application operational-users and air traffic
application technical-users.

Not sure if you have technical developers at your organization, but at
past we developed an internal broker [1] which is not
Ldap/Directory-Service based.
We have future thoughts about supporting not just directory services.
But for now - perhaps the quickest thing for you guys (if you have a
technical team of developers) is to write your own broker, similar to
the internal broker).
I actually saw a non ldap broker that was implemented based on the way
the internal broker was implemented.
But I really think you should reconsider your decision NOT to use ldap
directory-service


[1] - Internal broker - the piece of code responsible for the
admin@internal user


Yair

I feel that we do need a plain and simple user management broker (could
be file based similar to jboss user/group properties). Dennis's concerns
about the time/money to invest in an up and running
installation with few groups seem just.

we can make /etc/ovirt-engine/user-management/users.properties and
group.properties

users.properties:

  #key could be considered as the DN

  user1.name=Dennis
  user1.id={UUID}
  user1.groupids={admins group id},{others}
  user1.pass=plaintext

group properties:

  admins.id={UUID}
  admins.desc=some description


there are enough implementations for these things, we don't need to 
invent our own.







From: Itamar Heim [ih...@redhat.com]
Sent: Tuesday, 4 December 2012 00:44
To: Dennis Böck
Cc: users@oVirt.org
Subject: Re: [Users] Manage users without Red Hat Directory Server or
IBM Tivoli Directory Server?

On 12/03/2012 08:51 AM, Dennis Böck wrote:

Dear oVirt-Community,

how can I add a new User? If I click “Add” under the “Users”-Tag of the
web interface, I cannot create a new user. If I start a search, only the
user “admin” is displayed.

Is it maybe not possible to create users out of oVirt?

Even users which I added locally (on the fedora host which runs the
ovirt engine) are not displayed.

Can you only manage users if oVirt is connected to a Red Hat Directory
Server or IBM Tivoli Directory Server?

can you please explain the use case where there is no existing directory
to handle group membership and authentication?

thanks,
 Itamar


Re: [Users] Manage users without Red Hat Directory Server or IBM Tivoli Directory Server?

2012-12-03 Thread Itamar Heim

On 12/03/2012 08:51 AM, Dennis Böck wrote:

Dear oVirt-Community,

how can I add a new User? If I click “Add” under the “Users”-Tag of the
web interface, I cannot create a new user. If I start a search, only the
user “admin” is displayed.

Is it maybe not possible to create users out of oVirt?

Even users which I added locally (on the fedora host which runs the
ovirt engine) are not displayed.

Can you only manage users if oVirt is connected to a Red Hat Directory
Server or IBM Tivoli Directory Server?



can you please explain the use case where there is no existing directory 
to handle group membership and authentication?


thanks,
   Itamar


[Users] Manage users without Red Hat Directory Server or IBM Tivoli Directory Server?

2012-12-02 Thread Dennis Böck
Dear oVirt-Community,

how can I add a new User? If I click “Add” under the “Users”-Tag of the web
interface, I cannot create a new user. If I start a search, only the user
“admin” is displayed.
Is it maybe not possible to create users out of oVirt?
Even users which I added locally (on the fedora host which runs the ovirt 
engine) are not displayed.
Can you only manage users if oVirt is connected to a Red Hat Directory Server 
or IBM Tivoli Directory Server?

Best regards
Dennis



Re: [Users] Manage users without Red Hat Directory Server or IBM Tivoli Directory Server?

2012-12-02 Thread Roy Golan

On 12/03/2012 08:51 AM, Dennis Böck wrote:


Dear oVirt-Community,

how can I add a new User? If I click “Add” under the “Users”-Tag of
the web interface, I cannot create a new user. If I start a search,
only the user “admin” is displayed.


Is it maybe not possible to create users out of oVirt?

ovirt user-management relies on external directories - currently
supported: Red Hat IPA, Active Directory, RHDS and IBM Tivoli.
To add a user, one must first provision his domain (with LDAP and
Kerberos) in ovirt using the engine-manage-domains tool.


http://www.ovirt.org/Building_oVirt_engine#Deploying_engine-config_.26_engine-manage-domains

Even users which I added locally (on the fedora host which runs the 
ovirt engine) are not displayed.


Can you only manage users if oVirt is connected to a Red Hat Directory 
Server or IBM Tivoli Directory Server?


Best regards

Dennis


