Re: [Users] Ovirt 3.1 and Samba4 AD
On 11/13/2012 09:40 PM, Charlie wrote:
> I would like to help oVirt gain compatibility with standards-based services like OpenLDAP, but the code's in a language I haven't used and a version control system I haven't used and the wiki has no LDAP interaction design documents (other than the sources themselves) and I've got very limited free time, all of which makes it hard to contribute.

+1

--
Jiri Belka jbe...@redhat.com

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Ovirt 3.1 and Samba4 AD
- Original Message -
From: Jiri Belka jbe...@redhat.com
To: users@ovirt.org
Sent: Wednesday, November 14, 2012 9:30:39 AM
Subject: Re: [Users] Ovirt 3.1 and Samba4 AD

> On 11/13/2012 09:40 PM, Charlie wrote:
>> I would like to help oVirt gain compatibility with standards-based services like OpenLDAP, but the code's in a language I haven't used and a version control system I haven't used and the wiki has no LDAP interaction design documents (other than the sources themselves) and I've got very limited free time, all of which makes it hard to contribute.
>
> +1

We do have some wiki pages that can be useful to set up a development environment, like:
http://wiki.ovirt.org/wiki/Working_with_oVirt_Gerrit
http://wiki.ovirt.org/wiki/Building_oVirt_engine

Architecture page:
http://wiki.ovirt.org/wiki/Architecture

And specifically, there is a wiki page on the LDAP infrastructure, that can give a clue on what entities we have there, and how to work with them:
http://wiki.ovirt.org/wiki/DomainInfrastructure
Re: [Users] Ovirt 3.1 and Samba4 AD
- Original Message -
From: Oved Ourfalli ov...@redhat.com
To: Jiri Belka jbe...@redhat.com, medieval...@gmail.com
Cc: users@ovirt.org
Sent: Wednesday, November 14, 2012 3:50:45 PM
Subject: Re: [Users] Ovirt 3.1 and Samba4 AD

> [...]
> And specifically, there is a wiki page on the LDAP infrastructure, that can give a clue on what entities we have there, and how to work with them:
> http://wiki.ovirt.org/wiki/DomainInfrastructure

When looking at OpenLDAP before, I remember the issue was that we didn't have any standard schema to work with that had all the different attributes we need. Currently, we require authenticating to a Kerberos server.

Also, the configuration of the different provider queries is done inside the source code, and not configured externally. So, IMO the best way to add a new OpenLDAP provider is first to externalize this configuration, so that anyone can tweak it according to his schema.

I hope the wiki pages above can give a clue on the infrastructure, but we would be more than happy to help guide you on that.

The relevant people are Yair Zaslavsky (yzasl...@redhat.com), Roy Golan (rgo...@redhat.com), and myself, who did the latest work on this infrastructure, so we would be more than happy to help on IRC, e-mail, phone calls, etc. Another relevant mailing list is engine-de...@ovirt.org, where most engine developers are, so that's the best place to get guidance regarding git, gerrit, Java, and every development matter.

Oved
Re: [Users] Ovirt 3.1 and Samba4 AD
The domainInfrastructure wiki page is helpful. The examples are great. It has enough information to understand how oVirt formats an LDAP filter string, for example, which is very important.

The constant use of the word "domain" is confusing, though. People outside the Microsoft world don't know that Microsoft documentation uses three different definitions of "domain", sometimes in the same document. Most people will probably just assume you mean an IANA domain. I've worked with LDAP for over ten years, and I read the oVirt domainInfrastructure page three or four times but I still couldn't figure out why it kept talking about domains and LDAP at the same time until I took a week of AD classes and studied a couple of O'Reilly AD books.

For example, when the oVirt wiki talks about "root DSE for domain" it doesn't make sense to anyone who isn't already familiar with AD. A rootDSE describes the configuration of a DSA instance (LDAP server daemon) as defined in RFC 4512 section 5.1, and doesn't have anything to do with domains. The word "domain" does not occur in RFC 4512 or RFC 2251 at all. The page doesn't explain why oVirt needs a domain and a root DSE to have any special relationship. ISPs load information for hundreds of IANA domains under a single root DSE and it's not a problem; I've done five domains in one DSA under one root DSE.

If there were an oVirt wiki page called LDAP or DirectoryInfrastructure, that page could explain whether domains really need to be part of oVirt, and if so which kind of domain, and then link the current domainInfrastructure page. Or it could link a separate page for each directory supported by oVirt, and the current domainInfrastructure page could become an activeDirectory page and retain all the AD-specific language.

--Charlie

On Wed, Nov 14, 2012 at 8:50 AM, Oved Ourfalli ov...@redhat.com wrote:
> [...]
> And specifically, there is a wiki page on the LDAP infrastructure, that can give a clue on what entities we have there, and how to work with them:
> http://wiki.ovirt.org/wiki/DomainInfrastructure
Re: [Users] Ovirt 3.1 and Samba4 AD
Oved, totally agree about externalizing the configuration. Also I like Roy Golan's recommendation of a wiki design page, because I can probably offer more in the design phase than the actual coding phase. I know the OpenLDAP schema interface rather well, and I have my own OID, so I can define globally useful oVirt schema for you if you'd like to go that route.

You guys are always very helpful and encouraging, which is why this project moves so fast.

--Charlie

On Wed, Nov 14, 2012 at 11:41 AM, Oved Ourfalli ov...@redhat.com wrote:
> [...]
> Also, the configuration of the different provider queries is done inside the source code, and not configured externally. So, IMO the best way to add a new OpenLDAP provider is first to externalize this configuration, so that anyone can tweak it out according to his schema.
> [...]
> Oved
[Users] Ovirt 3.1 and Samba4 AD
I'm trying to use Samba4rc5 as the authenticator for oVirt 3.1.0-3.26.

The first problem is that oVirt uses the user principal name (login@domain in place of login) to authenticate with Samba4, but Samba4 doesn't use it.

I use:

engine-manage-domains -action=add -domain=DOMAINFQDN -user=LOGIN -provider=ActiveDirectory -interactive -addPermissions

And the result is:

No user in Directory was found for LOGIN@DOMAINFQDN. Trying next LDAP server in list
Failure while testing domain DOMAINFQDN. Details: No user information was found for user

And Samba4 gives me:

filter=(&(sAMAccountType=805306368)(userPrincipalName=LOGIN@DOMAINFQDN))

But no userPrincipalName is configured in any user.

Current solution: I add a userPrincipalName LOGIN@DOMAINFQDN to the LOGIN account (using an LDAP tool) and add the oVirt machine to the domain. After restarting the oVirt engine I go to the User Portal.

Now I find another problem: the user isn't searched by the Common Name (cn). An example of a search:

filter=(&(sAMAccountType=805306368)(|(givenname=TESTLOGIN)(sn=TESTLOGIN)(samaccountname=TESTLOGIN)(userPrincipalName=TESTLOGIN)))

It should be:

filter=(&(sAMAccountType=805306368)(|(givenname=TESTLOGIN)(cn=TESTLOGIN)(sn=TESTLOGIN)(samaccountname=TESTLOGIN)(userPrincipalName=TESTLOGIN)))

Thanks for all

--
Alejandro Escanero Blanco
Consultant for open-source-based systems
FusionDirectory developer (http://www.fusiondirectory.org)
Blog: http://www.disasterproject.com
Jabber: blain...@jabberes.com
Re: [Users] Ovirt 3.1 and Samba4 AD
2012/11/13 Yair Zaslavsky yzasl...@redhat.com
> Hi Alejandro,
> Officially we're not supporting Samba4rc5, but I talked with Alon Bar-Lev (CC'ed) and he explained to me that Samba4rc5 is 2003 AD compliant.

Hi Yair,

I know it, but the idea of avoiding Microsoft solutions and moving to an open-source environment is very interesting.

> I am not sure why you had to add the cn part, can you elaborate?

I found the problem, and it isn't the cn: the user is found by oVirt only when it has a userPrincipalName. This will probably be a problem in migration from Samba3 to Samba4; I will ask on the Samba4 technical list.

Thanks

--
Alejandro Escanero Blanco
Consultant for open-source-based systems
FusionDirectory developer (http://www.fusiondirectory.org)
Blog: http://www.disasterproject.com
Jabber: blain...@jabberes.com
Re: [Users] Ovirt 3.1 and Samba4 AD
FreeIPA is a Microsoft clone solution. It is an emulator for AD, much like Samba4 is. Neither of them is based on Open Standards, although both are Open Source. This is a very important distinction.

In our test RHEVM environment, only closed-source, proprietary Microsoft Active Directory could provide a fully functional user provisioning interface. We attempted OpenLDAP, FreeIPA, and Samba4 but after a couple of weeks the bosses got tired of the slow progress, threw up their hands and told us to just use Microsoft. This situation led directly to the replacement of half a dozen production Red Hat servers with Microsoft Hyper-V hosted Windows servers.

Essentially, this one shortcoming (inability to use OpenLDAP as an AAA source) ended up driving the abandonment of Open Source in our enterprise. We're currently in the process of replacing all our FOSS infrastructure in DNS, DHCP, NTP, LDAP, etc. with ADS and there's nothing I can do to stop that.

http://en.wikipedia.org/wiki/For_Want_of_a_Nail_%28proverb%29

It's very unfortunate. Law of unintended consequences I guess.

I would like to help oVirt gain compatibility with standards-based services like OpenLDAP, but the code's in a language I haven't used and a version control system I haven't used and the wiki has no LDAP interaction design documents (other than the sources themselves) and I've got very limited free time, all of which makes it hard to contribute.

I hope that didn't sound too much like whining. I don't blame anyone outside my organization for my organization's bad decisions, I'm just pointing out that giving your userbase no option other than to implement proprietary Directory models may have unintended consequences in the field. Why spend a lot of money pretending to be Microsoft when you can be Microsoft for the same or less money?

--Charlie

>> I know it, but the idea of avoiding Microsoft solutions and moving to an open-source environment is very interesting.
>
> we do support a few other directory solutions (like freeIPA and 389ds).
> 389ds needs a kerberos enhancement.

Kerberos should be optional. Many organizations don't need the extra complexity; LDAP STARTTLS or LDAPS gives them all the security they need.
Re: [Users] Ovirt 3.1 and Samba4 AD
- Original Message -
From: Charlie medieval...@gmail.com
To: Itamar Heim ih...@redhat.com
Cc: users users@ovirt.org
Sent: Tuesday, November 13, 2012 10:40:34 PM
Subject: Re: [Users] Ovirt 3.1 and Samba4 AD

> [...]
> I hope that didn't sound too much like whining. I don't blame anyone outside my organization for my organization's bad decisions, I'm just pointing out that giving your userbase no option other than to implement proprietary Directory models may have unintended consequences in the field. Why spend a lot of money pretending to be Microsoft when you can be Microsoft for the same or less money?

Not at all. I feel the same, we really need to support openldap without krb and with krb.

Alon.

> --Charlie
> [...]
> Kerberos should be optional. Many organizations don't need the extra complexity, LDAP STARTTLS or LDAPS gives them all the security they need.
Re: [Users] Ovirt 3.1 and Samba4 AD
2012/11/13 Yair Zaslavsky yzasl...@redhat.com
> There is a reason why we query for userPrincipalName so it has to include this information.

From http://theessentialexchange.com/blogs/michael/archive/2007/11/13/the-user-principle-name-and-you.aspx :

"The user principal name is not a required attribute (that is, Active Directory does not require it to be set). The new user wizard in ADUC makes you set it - but you can go in and delete it from the Account Properties page later, and when you are creating users programmatically (such as via scripting), it doesn't need to be specified at all."

What is the reason to make searches with a non-required attribute?

Thanks

--
Alejandro Escanero Blanco
Consultant for open-source-based systems
FusionDirectory developer (http://www.fusiondirectory.org)
Blog: http://www.disasterproject.com
Jabber: blain...@jabberes.com
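The two halves of this problem, the engine filter that finds nothing for Samba4 accounts created without a userPrincipalName (Alejandro's first message) and the question just above about keying a search on a non-required attribute, reproduced as an added example. This is not code from the thread or from oVirt: it parses a constructed LDIF of Samba4-style entries, evaluates the filters quoted in the thread with a small RFC 4515 subset parser (the leading `&` is assumed, since the list archive dropped it), and emits the LDIF modify records that add the missing attribute, which is the workaround the poster applied by hand with an LDAP tool. The realm example.lan, the DNs and the account names are made up.

```python
"""Reproduce the oVirt 3.1 lookup against Samba4 entries that lack userPrincipalName.
Added example with constructed data; not oVirt code and not a live directory."""

# Constructed entries, as an LDAP search of a Samba4 DC would return them.
# The first user has no userPrincipalName, exactly the situation in the thread.
SAMPLE_LDIF = """\
dn: CN=alejandro,CN=Users,DC=example,DC=lan
cn: alejandro
sAMAccountName: alejandro
sAMAccountType: 805306368
sn: Escanero

dn: CN=testlogin,CN=Users,DC=example,DC=lan
cn: testlogin
sAMAccountName: testlogin
sAMAccountType: 805306368
userPrincipalName: testlogin@example.lan

dn: CN=srv01,CN=Computers,DC=example,DC=lan
cn: srv01
sAMAccountName: srv01$
sAMAccountType: 805306369
"""

USER_ACCOUNT = "805306368"  # SAM_NORMAL_USER_ACCOUNT; 805306369 is a machine account


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, lower-cased attribute names, list values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries


def engine_login_filter(login, domain):
    """Filter engine-manage-domains issued in the thread ('&' assumed; the archive dropped it)."""
    return f"(&(sAMAccountType={USER_ACCOUNT})(userPrincipalName={login}@{domain}))"


def portal_search_filter(term):
    """Filter the User Portal issued when searching for a user."""
    return (f"(&(sAMAccountType={USER_ACCOUNT})(|(givenname={term})(sn={term})"
            f"(samaccountname={term})(userPrincipalName={term})))")


def parse_filter(s):
    """Parse the RFC 4515 subset used above: (&...), (|...) and (attr=value)."""
    def node(i):
        if s[i] != "(":
            raise ValueError(f"expected '(' at offset {i} in {s!r}")
        if s[i + 1] in "&|":
            op, i, kids = s[i + 1], i + 2, []
            while s[i] == "(":
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1          # step over the closing ')'
        end = s.index(")", i)
        attr, _, value = s[i + 1:end].partition("=")
        return ("=", attr.lower(), value), end + 1
    tree, i = node(0)
    if i != len(s):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter; AD compares these attributes case-insensitively."""
    if tree[0] == "&":
        return all(matches(k, entry) for k in tree[1])
    if tree[0] == "|":
        return any(matches(k, entry) for k in tree[1])
    _, attr, value = tree
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def search(entries, flt):
    """DNs a server would return for the filter."""
    tree = parse_filter(flt)
    return [e["dn"][0] for e in entries if matches(tree, e)]


def accounts_without_upn(entries):
    """Normal user accounts the engine's login filter can never find."""
    return [e for e in entries
            if e.get("samaccounttype") == [USER_ACCOUNT] and "userprincipalname" not in e]


def upn_fix_ldif(entries, realm):
    """LDIF modify records adding userPrincipalName = sAMAccountName@realm to each such user."""
    return "\n".join(
        f"dn: {e['dn'][0]}\nchangetype: modify\nadd: userPrincipalName\n"
        f"userPrincipalName: {e['samaccountname'][0]}@{realm}\n-\n"
        for e in accounts_without_upn(entries))


def with_upn(entries, realm):
    """The entries as they look once upn_fix_ldif() has been applied."""
    fixed = []
    for e in entries:
        e = {k: list(v) for k, v in e.items()}
        if e.get("samaccounttype") == [USER_ACCOUNT] and "userprincipalname" not in e:
            e["userprincipalname"] = [f"{e['samaccountname'][0]}@{realm}"]
        fixed.append(e)
    return fixed


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    flt = engine_login_filter("alejandro", "example.lan")
    print("before:", flt, "->", search(entries, flt))
    print(upn_fix_ldif(entries, "example.lan"))
    print("after: ", search(with_upn(entries, "example.lan"), flt))
```

Run stand-alone it shows the engine filter returning nothing for the account without a userPrincipalName, prints the LDIF that would be fed to ldapmodify, and shows the same filter succeeding afterwards. The machine account never matches either filter because of the sAMAccountType clause, which is the one part of the query that does not depend on an optional attribute.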
Re: [Users] Ovirt 3.1 and Samba4 AD
- Original Message -
From: Alon Bar-Lev alo...@redhat.com
To: Charlie medieval...@gmail.com
Cc: users users@ovirt.org
Sent: Tuesday, November 13, 2012 10:46:37 PM
Subject: Re: [Users] Ovirt 3.1 and Samba4 AD

> [...]
>> Why spend a lot of money pretending to be Microsoft when you can be Microsoft for the same or less money?
>
> Not at all. I feel the same, we really need to support openldap without krb and with krb.

+10 here (not to say we really need to extract all our query/attribute mapping logic in such a way that we can further ease integration with new LDAP providers).

> Alon.
> [...]