----- Original Message ----- > From: "Itamar Heim" <[email protected]> > To: "Yair Zaslavsky" <[email protected]> > Cc: [email protected] > Sent: Thursday, February 23, 2012 9:37:43 AM > Subject: Re: [Users] LDAP > > On 02/23/2012 09:33 AM, Yair Zaslavsky wrote: > > On 02/23/2012 09:20 AM, Itamar Heim wrote: > >> On 02/22/2012 11:02 PM, Nathan Stratton wrote: > >>> > >>> On Wed, 22 Feb 2012, Oved Ourfalli wrote: > >>> > >>>> Hey, > >>>> > >>>> This error usually happens where there is no krb5.conf file, or > >>>> there > >>>> is one, but your domain isn't in that. > >>>> The krb5.conf file should be located in > >>>> $JBOSS_HOME/standalone/configuration directory. > >>> > >>> Ya, I gave up on the 389/Kerberos, looking at FreeIPA now. > >>> > >>> BTW, why can't we just use LDAP??? > >> > >> well, this goes to history, as ovirt was ported from a C# solution > >> focused that evolved to server virtualization from VDI (virtual > >> desktops). > >> virtual desktops were mostly windows. > >> so integration with AD was a must, and was based on kerberos (in > >> C#) > >> java port first supported backward compatibility. > >> nothing prevents adding LDAP support, but it probably requires > >> supporting multiple LDAP redundant servers and SSL. > >> > >> btw, the code for basic LDAP (WITHOUT SECURITY) may still work, if > >> you > >> change the authentication type to "SIMPLE". > >> but it is never discussed as a deployment option, as it is not > >> secure. > > > > But what about schema differentiation? > > well, SIMPLE would work only for schemes which are already supported. > I'm just saying for testing purpose 389ds without kerberos may work > as > well in SIMPLE mode. > same for other LDAP providers, should patches for detecting their > type > and supporting their scheme (btw, we say scheme, but we use very few > fields from it for someone to work on this and support other > providers)
btw, the feature was tested with RHDS, and not 389ds. They are indeed based on the same schema so it should work, but it wasn't tested, so there might be some tweaks needed to make it work. > _______________________________________________ > Users mailing list > [email protected] > http://lists.ovirt.org/mailman/listinfo/users > _______________________________________________ Users mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/users
