On 01/22/2015 01:13 PM, Alon Bar-Lev wrote: > > ----- Original Message ----- >> From: "Jorick Astrego" <j.astr...@netbulae.eu> >> To: users@ovirt.org >> Sent: Thursday, January 22, 2015 2:09:18 PM >> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa >> >> >> On 01/22/2015 12:59 PM, Alon Bar-Lev wrote: >>> ----- Original Message ----- >>>> From: "Jorick Astrego" <j.astrego@ netbulae.eu > >>>> To: users@ ovirt.org >>>> Sent: Thursday, January 22, 2015 1:41:40 PM >>>> Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa >>>> >>>> >>>> On 10/31/2014 02:47 PM, Marcelo Donato wrote: >>>> >>>> >>>> >>>> >>>> Below the solution. Resolved By "Alon Bar-Lev" < alonbl@ redhat.com > >>>> >>>> >>>> 1. install ovirt-engine-extension-aaa- ldap, it is available in >>>> ovirt-3.5-snapshots repository. >>>> >>>> 2. create /etc/ovirt-engine/extensions. d/din.intranet-authz. properties >>>> >>>> ovirt.engine.extension.name = din-intranet-authz >>>> ovirt.engine.extension. bindings.method = jbossmodule >>>> ovirt.engine.extension. binding.jbossmodule.module = >>>> org.ovirt.engine-extensions. aaa.ldap >>>> ovirt.engine.extension. binding.jbossmodule.class = >>>> org.ovirt.engineextensions. aaa.ldap.AuthzExtension >>>> ovirt.engine.extension. provides = org.ovirt.engine.api. >>>> extensions.aaa.Authz >>>> config.profile.file.1 = /etc/ovirt-engine/aaa/din. intranet.properties >>>> >>>> 3. create /etc/ovirt-engine/extensions. d/din.intranet-authn. properties >>>> >>>> ovirt.engine.extension.name = din-intranet-authn >>>> ovirt.engine.extension. bindings.method = jbossmodule >>>> ovirt.engine.extension. binding.jbossmodule.module = >>>> org.ovirt.engine-extensions. aaa.ldap >>>> ovirt.engine.extension. binding.jbossmodule.class = >>>> org.ovirt.engineextensions. aaa.ldap.AuthnExtension >>>> ovirt.engine.extension. provides = org.ovirt.engine.api. >>>> extensions.aaa.Authn >>>> ovirt.engine.aaa.authn.profile.name = din.intranet >>>> ovirt.engine.aaa.authn.authz. plugin = din-intranet-authz >>>> config.profile.file.1 = /etc/ovirt-engine/aaa/din. intranet.properties >>>> >>>> 4. create /etc/ovirt-engine/aaa/din. intranet.properties >>>> >>>> include = <ipa.properties> >>>> >>>> vars.user = uid=admin,cn=users,cn= accounts,dc=din,dc=intranet >>>> vars.password = 123456 >>>> vars.server = ipa1.din.intranet >>>> >>>> pool.default.serverset.single. server = ${global:vars.server} >>>> pool.default.auth.simple. bindDN = ${global:vars.user} >>>> pool.default.auth.simple. password = ${global:vars.password} >>>> >>>> 5. restart engine. >>>> >>>> >>>> Thanks a lot Alon. >>>> >>>> >>>> >>>> Thanks for this, saved me some time! >>>> >>>> Just a couple of addtions, please hash the password with SSHA (I really >>>> hate >>>> plain text admin passwords...) >>>> I tried putting an {SSHA} encoded password in " vars.password =" , but it >>>> fails to authenticate while plain text works fine. >>> I am unsure I understand. >>> using hash to store password hint at server side makes sense. >>> but using hash to store password at client side does not makes sens, this >>> means that if I get the server database I can authenticate to any user >>> without knowing his password. >>> >>> Also, please note that the user you specify within configuration should not >>> have any special privilege but to query public objects within ldap. >> I don't like storing plain text in textfiles, so I try to avoid it. Even >> if it is a read only user there are no "public" objects that I like to >> expose to anyone. I can query groups, group members, e-mail addresses, >> krbPasswordExpiration, krbLastPwdChange etc. with this user. >> >> So that's why I try to have the bind user password hashed in the >> properties file. > as I wrote above, storing hash instead of password does not enhance security. > it is the same as if you just set the user's password to the hash.
Ah yes, silly me. You are absolutely right. It has been such a long habit... But it does help when people intercept the traffic. Does the ldap plugin send it hashed to the ldap server? I think FreeIPA supports salted sha512 but I'm not entirely sure. You'll probably say that I need to enable TLS, but there have been many weaknesses in ssl and MITM issues. So more is always better in a security perspective. Met vriendelijke groet, With kind regards, Jorick Astrego Netbulae Virtualization Experts ---------------- Tel: 053 20 30 270 i...@netbulae.eu Staalsteden 4-3A KvK 08198180 Fax: 053 20 30 271 www.netbulae.eu 7547 TA Enschede BTW NL821234584B01 ----------------
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users