Re: [ovirt-users] Setting Base DN for LDAP authentication

2015-01-12 Thread jdeloro
Hello,

many thanks to Alon! We have a working setup with support for base dn. The 
special challenge in our setup is the constraint of specifying a base dn for 
every ldap search and referrals inside the branches that must be processed.

If anyone has the same problem, our working configuration with a slightly newer 
version of ovirt-engine-extension-aaa-ldap is:

$ cat /etc/ovirt-engine/aaa/company-ldap.properties 
include = rfc2307-openldap.properties

vars.server = ldap.company.de

vars.user = cn=system,dc=company,dc=de
vars.password = password

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = dc=company,dc=de

search.default.search-request.derefPolicy = ALWAYS

Best regards

Jannick
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Setting Base DN for LDAP authentication

2015-01-12 Thread Alon Bar-Lev


- Original Message -
 From: jdel...@web.de
 To: Alon Bar-Lev alo...@redhat.com
 Cc: users@ovirt.org
 Sent: Monday, January 12, 2015 4:16:17 PM
 Subject: Re: [ovirt-users] Setting Base DN for LDAP authentication
 
 Hello,
 
 many thanks to Alon! We have a working setup with support for base dn. The
 special challenge in our setup is the constraint of specifying a base dn for
 every ldap search and referrals inside the branches that must be processed.
 
 If anyone has the same problem, our working configuration with a slightly
 newer version of ovirt-engine-extension-aaa-ldap is:

Note that this environment has more than just a baseDN issue; it also requires 
dereferencing references on the server side. Most environments should not 
require this, nor have an invalid baseDN in their rootDSE naming context.

In this specific environment a query for baseDN X results in baseDN Y.

Thank you Jannick for the problem determination process.

Supporting baseDN X-Y will be formally released in 1.0.2.

 
 $ cat /etc/ovirt-engine/aaa/company-ldap.properties
 include = rfc2307-openldap.properties
 
 vars.server = ldap.company.de
 
 vars.user = cn=system,dc=company,dc=de
 vars.password = password
 
 pool.default.serverset.single.server = ${global:vars.server}
 pool.default.auth.simple.bindDN = ${global:vars.user}
 pool.default.auth.simple.password = ${global:vars.password}
 
 sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
 sequence.my-basedn-init-vars.010.description = set baseDN
 sequence.my-basedn-init-vars.010.type = var-set
 sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
 sequence.my-basedn-init-vars.010.var-set.value = dc=company,dc=de
 
 search.default.search-request.derefPolicy = ALWAYS
 
 Best regards
 
 Jannick
 


Re: [ovirt-users] Setting Base DN for LDAP authentication

2015-01-12 Thread jdeloro
Hello Ondra,

  I'm trying to configure LDAP authentication with oVirt 3.5 and 
  ovirt-engine-extension-aaa-ldap. I chose the simple bind transport example. 
  But the given examples are missing the explicit specification of a base dn. 
  Could you please advise me how this can be done?
 

[...]

 
  I could not use namingContexts from RootDSE cause this results in base dn 
  dc=de instead of dc=company,dc=de.
 
 Can you try user 'cn=Manager', I think it's incorrectly configured ACL.

Nice try, but this is no proper solution for the problem. Raising privileges 
should always be avoided.

Alon is currently troubleshooting this issue and he is close to finding a good 
solution.

Best regards

Jannick


Re: [ovirt-users] Setting Base DN for LDAP authentication

2015-01-12 Thread jdeloro
Hello Alon,

 All over? :)

traveling into the past. This e-mail comes from Mailman's moderator queue. It 
was sent before I was registered. And after being registered I was unable to 
cancel the e-mail, because Mailman always told me the token was unknown.

The problem is solved to my complete satisfaction.

Kind regards

Jannick


Re: [ovirt-users] Setting Base DN for LDAP authentication

2015-01-09 Thread Alon Bar-Lev


- Original Message -
 From: jdel...@web.de
 To: users@ovirt.org
 Sent: Friday, January 9, 2015 8:31:19 AM
 Subject: [ovirt-users] Setting Base DN for LDAP authentication
 
 Hello,
 
 I'm trying to configure LDAP authentication with oVirt 3.5 and
 ovirt-engine-extension-aaa-ldap. I chose the simple bind transport example.
 But the given examples are missing the explicit specification of a base dn.
 Could you please advise me how this can be done?
 
 My current configuration:
 
 [jd@om01 ovirt-engine]$ cat aaa/company-ldap.properties
 include = openldap.properties
 
 vars.server = ldap.company.de
 
 vars.user = cn=system,dc=company,dc=de
 vars.password = password
 
 pool.default.serverset.single.server = ${global:vars.server}
 pool.default.auth.simple.bindDN = ${global:vars.user}
 pool.default.auth.simple.password = ${global:vars.password}
 
 [jd@om01 ovirt-engine]$ cat company-ldap-authn.properties
 ovirt.engine.extension.name = company-ldap-authn
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
 ovirt.engine.aaa.authn.profile.name = company-ldap
 ovirt.engine.aaa.authn.authz.plugin = company-ldap-authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
 
 [jd@om01 ovirt-engine]$ cat company-ldap-authz.properties
 ovirt.engine.extension.name = company-ldap-authz
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
 
 [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
 # extended LDIF
 #
 # LDAPv3
 # base dc=company,dc=de with scope subtree
 # filter: cn=jdeloro
 # requesting: ALL
 #
 
 # jdeloro, users, admins, company.de
 dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
 [... and many more lines ...]
 
 I could not use namingContexts from RootDSE cause this results in base dn
 dc=de instead of dc=company,dc=de.

Can you explain why the namingContexts is not sufficient? Just for me to know 
and maybe enable easier override?
It should contain a valid base DN for you to use.

You have two options to fix this:

1. add another attribute to openldap let's say myNamingContext with valid value 
and add the following to profile (company-ldap.properties):

sequence-init.init.610-my-openldap-init-vars = my-openldap-init-vars
sequence.my-openldap-init-vars.010.description = set base dn
sequence.my-openldap-init-vars.010.type = var-set
sequence.my-openldap-init-vars.010.var-set.variable = simple_attrsBaseDN
sequence.my-openldap-init-vars.010.var-set.value = myNamingContexts

2. another option is to enforce baseDN (company-ldap.properties):

sequence-init.open.910-my-openldap-init-vars = my-openldap-init-vars
sequence.my-openldap-init-vars.010.description = set base dn
sequence.my-openldap-init-vars.010.type = var-set
sequence.my-openldap-init-vars.010.var-set.variable = _simple_baseDN
sequence.my-openldap-init-vars.010.var-set.value = dc=company,dc=de

If you use the 2nd form, please note that it might break if I add proper 
support in the next version.

Regards,
Alon.

 
 Kind regards
 
 Jannick


Re: [ovirt-users] Setting Base DN for LDAP authentication

2015-01-09 Thread jdeloro
Hello Alon,

  I'm trying to configure LDAP authentication with oVirt 3.5 and
  ovirt-engine-extension-aaa-ldap. I chose the simple bind transport example.
  But the given examples are missing the explicit specification of a base dn.
  Could you please advise me how this can be done?
  
  My current configuration:
  
  [jd@om01 ovirt-engine]$ cat aaa/company-ldap.properties
  include = openldap.properties
  
  vars.server = ldap.company.de
  
  vars.user = cn=system,dc=company,dc=de
  vars.password = password
  
  pool.default.serverset.single.server = ${global:vars.server}
  pool.default.auth.simple.bindDN = ${global:vars.user}
  pool.default.auth.simple.password = ${global:vars.password}
  
  [jd@om01 ovirt-engine]$ cat company-ldap-authn.properties
  ovirt.engine.extension.name = company-ldap-authn
  ovirt.engine.extension.bindings.method = jbossmodule
  ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
  ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
  ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
  ovirt.engine.aaa.authn.profile.name = company-ldap
  ovirt.engine.aaa.authn.authz.plugin = company-ldap-authz
  config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
  
  [jd@om01 ovirt-engine]$ cat company-ldap-authz.properties
  ovirt.engine.extension.name = company-ldap-authz
  ovirt.engine.extension.bindings.method = jbossmodule
  ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
  ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
  ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
  config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
  
  [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
  # extended LDIF
  #
  # LDAPv3
  # base dc=company,dc=de with scope subtree
  # filter: cn=jdeloro
  # requesting: ALL
  #
  
  # jdeloro, users, admins, company.de
  dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
  [... and many more lines ...]
  
  I could not use namingContexts from RootDSE cause this results in base dn
  dc=de instead of dc=company,dc=de.
 
 Can you explain why the namingContexts is not sufficient? just for me to know 
 and maybe enable easier override?
 It should contain a valid base DN for you to use.

[jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -s base namingContexts -LLL
dn:
namingContexts: dc=de

This isn't the correct base dn. I need dc=company,dc=de to find any users. I 
don't know why LDAP is configured like this. But I need to work with it.

[jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=de cn=jdeloro
# extended LDIF
#
# LDAPv3
# base dc=de with scope subtree
# filter: cn=jdeloro
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

[jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
# extended LDIF
#
# LDAPv3
# base dc=company,dc=de with scope subtree
# filter: cn=jdeloro
# requesting: ALL
#

# jdeloro, users, admins, company.de
dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
[... and many more lines ...]

 You have two options to fix this:
 
 1. add another attribute to openldap let's say myNamingContext with valid 
 value and add the following to profile (company-ldap.properties):
 
 sequence-init.init.610-my-openldap-init-vars = my-openldap-init-vars
 sequence.my-openldap-init-vars.010.description = set base dn
 sequence.my-openldap-init-vars.010.type = var-set
 sequence.my-openldap-init-vars.010.var-set.variable = simple_attrsBaseDN
 sequence.my-openldap-init-vars.010.var-set.value = myNamingContexts

I can't use this option, because I'm not allowed to make LDAP changes.

 2. another option is to enforce baseDN (company-ldap.properties):
 
 sequence-init.open.910-my-openldap-init-vars = my-openldap-init-vars
 sequence.my-openldap-init-vars.010.description = set base dn
 sequence.my-openldap-init-vars.010.type = var-set
 sequence.my-openldap-init-vars.010.var-set.variable = _simple_baseDN
 sequence.my-openldap-init-vars.010.var-set.value = dc=company,dc=de

I have added the lines and restarted ovirt-engine, but the Namespace in 'Add 
Users and Groups' is still 'dc=de' and I can't find any users.

Kind regards

Jannick
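
Added example (not part of the original thread, and not code from ovirt-engine-extension-aaa-ldap): a small Python check that reproduces the diagnosis above offline. It parses ldapsearch transcripts, flags naming contexts advertised by the rootDSE that cannot actually be searched, and proposes the shortest working parent of the bind DN as the explicit base DN. The transcripts are constructed to mirror the outputs in this message (the tail of the successful search is made up), and all function names are hypothetical.

```python
import re

# Constructed transcripts modelled on the ldapsearch runs quoted in this thread.
ROOTDSE = "dn:\nnamingContexts: dc=de\n"
SEARCHES = {
    "dc=de": "# search result\nsearch: 2\nresult: 32 No such object\n\n# numResponses: 1\n",
    "dc=company,dc=de": (
        "# jdeloro, users, admins, company.de\n"
        "dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de\n"
        "cn: jdeloro\n\n"
        "# search result\nsearch: 2\nresult: 0 Success\n\n# numEntries: 1\n"
    ),
}
BIND_DN = "cn=system,dc=company,dc=de"


def rdns(dn):
    """Split a DN on unescaped commas; lower-case and trim each RDN."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def norm(dn):
    """Canonical form used to compare DNs from different outputs."""
    return ",".join(rdns(dn))


def naming_contexts(rootdse_ldif):
    """namingContexts values found in a rootDSE read."""
    return [norm(v) for v in re.findall(r"(?im)^namingContexts:\s*(.+)$", rootdse_ldif)]


def search_ok(output):
    """True if the search ended with result code 0 and returned an entry."""
    code = re.search(r"(?m)^result:\s*(\d+)", output)
    has_entry = re.search(r"(?m)^dn:[ \t]*\S", output) is not None
    return code is not None and code.group(1) == "0" and has_entry


def suffixes(dn):
    """Proper suffixes of a DN, shortest first (candidate search bases)."""
    parts = rdns(dn)
    return [",".join(parts[i:]) for i in range(len(parts) - 1, 0, -1)]


def diagnose(rootdse_ldif, searches, bind_dn):
    """Report unusable advertised contexts and a base DN to configure instead."""
    results = {norm(base): search_ok(out) for base, out in searches.items()}
    advertised = naming_contexts(rootdse_ldif)
    unusable = [nc for nc in advertised if not results.get(nc, False)]
    override = None
    if unusable:
        for base in suffixes(bind_dn):
            under = any(base == nc or base.endswith("," + nc) for nc in unusable)
            if under and results.get(base, False):
                override = base  # shortest parent of the bind DN that searches cleanly
                break
    return {"advertised": advertised, "unusable": unusable, "override": override}


if __name__ == "__main__":
    print(diagnose(ROOTDSE, SEARCHES, BIND_DN))
```

The "override" value is what would go into the var-set.value line of the profile once the extension honours an explicit base DN.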


Re: [ovirt-users] Setting Base DN for LDAP authentication

2015-01-09 Thread Ondra Machacek

Hi,

On 01/09/2015 07:31 AM, jdel...@web.de wrote:

Hello,

I'm trying to configure LDAP authentication with oVirt 3.5 and 
ovirt-engine-extension-aaa-ldap. I chose the simple bind transport example. But 
the given examples are missing the explicit specification of a base dn. Could 
you please advise me how this can be done?

My current configuration:

[jd@om01 ovirt-engine]$ cat aaa/company-ldap.properties
include = openldap.properties

vars.server = ldap.company.de

vars.user = cn=system,dc=company,dc=de
vars.password = password

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

[jd@om01 ovirt-engine]$ cat company-ldap-authn.properties
ovirt.engine.extension.name = company-ldap-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = company-ldap
ovirt.engine.aaa.authn.authz.plugin = company-ldap-authz
config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties

[jd@om01 ovirt-engine]$ cat company-ldap-authz.properties
ovirt.engine.extension.name = company-ldap-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties

[jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
# extended LDIF
#
# LDAPv3
# base dc=company,dc=de with scope subtree
# filter: cn=jdeloro
# requesting: ALL
#

# jdeloro, users, admins, company.de
dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
[... and many more lines ...]

I could not use namingContexts from RootDSE cause this results in base dn dc=de 
instead of dc=company,dc=de.


Can you try user 'cn=Manager', I think it's incorrectly configured ACL.



Kind regards

Jannick


Re: [ovirt-users] Setting Base DN for LDAP authentication

2015-01-09 Thread Alon Bar-Lev


- Original Message -
 From: jdel...@web.de
 To: Alon Bar-Lev alo...@redhat.com
 Cc: users@ovirt.org
 Sent: Friday, January 9, 2015 1:20:44 PM
 Subject: Re: [ovirt-users] Setting Base DN for LDAP authentication
 
 Hello Alon,
 
   I'm trying to configure LDAP authentication with oVirt 3.5 and
   ovirt-engine-extension-aaa-ldap. I chose the simple bind transport
   example.
   But the given examples are missing the explicit specification of a base
   dn.
   Could you please advise me how this can be done?
   
   My current configuration:
   
   [jd@om01 ovirt-engine]$ cat aaa/company-ldap.properties
   include = openldap.properties
   
   vars.server = ldap.company.de
   
   vars.user = cn=system,dc=company,dc=de
   vars.password = password
   
   pool.default.serverset.single.server = ${global:vars.server}
   pool.default.auth.simple.bindDN = ${global:vars.user}
   pool.default.auth.simple.password = ${global:vars.password}
   
   [jd@om01 ovirt-engine]$ cat company-ldap-authn.properties
   ovirt.engine.extension.name = company-ldap-authn
   ovirt.engine.extension.bindings.method = jbossmodule
   ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
   ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
   ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
   ovirt.engine.aaa.authn.profile.name = company-ldap
   ovirt.engine.aaa.authn.authz.plugin = company-ldap-authz
   config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
   
   [jd@om01 ovirt-engine]$ cat company-ldap-authz.properties
   ovirt.engine.extension.name = company-ldap-authz
   ovirt.engine.extension.bindings.method = jbossmodule
   ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
   ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
   ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
   config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
   
   [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
   # extended LDIF
   #
   # LDAPv3
   # base dc=company,dc=de with scope subtree
   # filter: cn=jdeloro
   # requesting: ALL
   #
   
   # jdeloro, users, admins, company.de
   dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
   [... and many more lines ...]
   
   I could not use namingContexts from RootDSE cause this results in base dn
   dc=de instead of dc=company,dc=de.
  
  Can you explain why the namingContexts is not sufficient? just for me to
  know and maybe enable easier override?
  It should contain a valid base DN for you to use.
 
 [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -s base namingContexts -LLL
 dn:
 namingContexts: dc=de
 
 This isn't the correct base dn. I need dc=company,dc=de to find any users. I
 don't know why LDAP is configured like this. But I need to work with it.
 
 [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=de cn=jdeloro
 # extended LDIF
 #
 # LDAPv3
 # base dc=de with scope subtree
 # filter: cn=jdeloro
 # requesting: ALL
 #
 
 # search result
 search: 2
 result: 32 No such object
 
 # numResponses: 1
 
 [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
 # extended LDIF
 #
 # LDAPv3
 # base dc=company,dc=de with scope subtree
 # filter: cn=jdeloro
 # requesting: ALL
 #
 
 # jdeloro, users, admins, company.de
 dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
 [... and many more lines ...]
 
  You have two options to fix this:
  
  1. add another attribute to openldap let's say myNamingContext with valid
  value and add the following to profile (company-ldap.properties):
  
  sequence-init.init.610-my-openldap-init-vars = my-openldap-init-vars
  sequence.my-openldap-init-vars.010.description = set base dn
  sequence.my-openldap-init-vars.010.type = var-set
  sequence.my-openldap-init-vars.010.var-set.variable = simple_attrsBaseDN
  sequence.my-openldap-init-vars.010.var-set.value = myNamingContexts
 
 I can't use this option, because I'm not allowed to make LDAP changes.
 
  2. another option is to enforce baseDN (company-ldap.properties):
  
  sequence-init.open.910-my-openldap-init-vars = my-openldap-init-vars
  sequence.my-openldap-init-vars.010.description = set base dn
  sequence.my-openldap-init-vars.010.type = var-set
  sequence.my-openldap-init-vars.010.var-set.variable = _simple_baseDN
  sequence.my-openldap-init-vars.010.var-set.value = dc=company,dc=de
 
 I have added the lines and restarted ovirt-engine, but the Namespace in 'Add
 Users and Groups' is still 'dc=de' and I can't find any users.

Yes, the namespace will still present dc=de, this is expected.
Can

[ovirt-users] Setting Base DN for LDAP authentication

2015-01-08 Thread jdeloro
Hello,

I'm trying to configure LDAP authentication with oVirt 3.5 and 
ovirt-engine-extension-aaa-ldap. I chose the simple bind transport example. But 
the given examples are missing the explicit specification of a base dn. Could 
you please advise me how this can be done?

My current configuration:

[jd@om01 ovirt-engine]$ cat aaa/company-ldap.properties 
include = openldap.properties

vars.server = ldap.company.de

vars.user = cn=system,dc=company,dc=de
vars.password = password

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

[jd@om01 ovirt-engine]$ cat company-ldap-authn.properties 
ovirt.engine.extension.name = company-ldap-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = company-ldap
ovirt.engine.aaa.authn.authz.plugin = company-ldap-authz
config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties

[jd@om01 ovirt-engine]$ cat company-ldap-authz.properties 
ovirt.engine.extension.name = company-ldap-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties

[jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
# extended LDIF
#
# LDAPv3
# base dc=company,dc=de with scope subtree
# filter: cn=jdeloro
# requesting: ALL
#

# jdeloro, users, admins, company.de
dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
[... and many more lines ...]

I could not use namingContexts from RootDSE cause this results in base dn dc=de 
instead of dc=company,dc=de.

Kind regards

Jannick