Tuesday 30 December 2014
Tool which will help you migrate from legacy kerbldap to new AAA
Starting with oVirt 4.0 there will be no support for legacy kerbldap domains (the ones added via the engine-manage-domains command). A tool that helps you migrate to the new AAA has been written. Please refer to its README for more information.
OpenLDAP stops working with oVirt after upgrade to Fedora 20
I recently upgraded my OpenLDAP machine to Fedora 20. It was
connected to oVirt 3.5, and the upgrade itself went smoothly,
but OpenLDAP no longer worked with oVirt. The first issue is
common to almost all LDAP providers, since it was a cyrus-sasl-lib
bug; there was an easy workaround of setting the SASL quality of
protection (sasl_qop) to auth.
But there was another issue, and I don't know why it happened: oVirt
sent a Kerberos request for
ldap/localhost@REALM
instead of
ldap/fqdn@REALM.
So, to easily work around this problem, add a second service principal
to the keytab slapd already uses (the one KRB5_KTNAME points to):
# kadmin.local
kadmin.local: add_principal -randkey ldap/localhost@REALM
kadmin.local: ktadd -keytab your_keytab_path ldap/localhost@REALM
Then restart OpenLDAP, and everything works fine now. :)
[PART 3] Ovirt with SSO - ovirt & apache
Installing ovirt
Create a VM (or whatever) where you install your oVirt. All the steps are provided here. Just follow them.
Configure kerberos for ovirt
SSH into your OpenLDAP machine. Here we need to create an SPN for our oVirt in the Kerberos database, create a keytab for it and copy the keytab to our oVirt machine. Then change the permissions and owner of the keytab appropriately.
Configure apache kerberos module
First we need to install the Kerberos module for Apache and then configure it with our Kerberos configuration (I suggest using mod_auth_gssapi since CentOS 7):
Configure ovirt
First we need to install the new extension API. We have to install two packages: one for the LDAP extension and a second for the gateway extension. If you just want to try the new extension API you don't have to install the misc package, but we will need it for SSO. There is also one for logging. Now I highly recommend reading all the READMEs.
In the next steps we have to configure the mapping for SSO, authorization and authentication. Authorization configuration is quite simple for our example: we leave all values at their defaults and just set the URL of our OpenLDAP. We place all our configurations into /etc/ovirt-engine/extensions.d. Now restart oVirt and Apache, because configurations are loaded on start.
Configure kerberos workstation
OK. We are done. The last step is to set up our workstation and test if it's working. Go into the oVirt admin console, log in as admin@internal, find user1 from ldap-authz-simple_openldap and assign him some permissions. Then configure your browser; I tested Firefox. Here is the link. Now just obtain a ticket and browse webadmin without logging in .. :)
$ kinit user1
Saturday 27 December 2014
[PART 2] Ovirt with SSO - kerberos
Install kerberos
We need to install kerberos workstation and server packages.
# yum -y install krb5-{workstation,server}
Configure krb5.conf
The LDAP base DN used throughout is dc=openldap,dc=yourdomain,dc=com, and the Kerberos realm is OPENLDAP.YOURDOMAIN.COM. Put this into /etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_realm = OPENLDAP.YOURDOMAIN.COM

[realms]
 OPENLDAP.YOURDOMAIN.COM = {
  kdc = openldap.yourdomain.com
  admin_server = openldap.yourdomain.com
 }

[domain_realm]
 .openldap.yourdomain.com = OPENLDAP.YOURDOMAIN.COM
 openldap.yourdomain.com = OPENLDAP.YOURDOMAIN.COM
Configure kerberos
Create the Kerberos database (-s also writes the stash file, so the KDC can start without asking for the master password).
# cd /var/kerberos/krb5kdc
# kdb5_util create -s
Set the correct realm in kdc.conf and in the kadmin ACL; the stock files ship with EXAMPLE.COM.
# sed -i s/EXAMPLE.COM/OPENLDAP.YOURDOMAIN.COM/g /var/kerberos/krb5kdc/kdc.conf
# sed -i s/EXAMPLE.COM/OPENLDAP.YOURDOMAIN.COM/g /var/kerberos/krb5kdc/kadm5.acl
Create the root/admin principal.
# kadmin.local
Authenticating as principal root/admin@OPENLDAP.YOURDOMAIN.COM with password.
kadmin.local: add_principal root/admin
WARNING: no policy specified for root/admin@OPENLDAP.YOURDOMAIN.COM;
Enter password for principal "root/admin@OPENLDAP.YOURDOMAIN.COM":
Re-enter password for principal "root/admin@OPENLDAP.YOURDOMAIN.COM":
Principal "root/admin@OPENLDAP.YOURDOMAIN.COM" created.
Enable and start the Kerberos services.
# systemctl start krb5kdc
# systemctl enable krb5kdc
# systemctl start kadmin
# systemctl enable kadmin
Add users into the Kerberos database.
# kadmin.local
kadmin.local: add_principal user0
kadmin.local: add_principal user1
Log in as user0 to check that the KDC answers.
# kinit user0
Password for user0@OPENLDAP.YOURDOMAIN.COM:
Create the service principal for LDAP and extract a keytab for it. kadmin (unlike kadmin.local) talks to kadmind and, by default, authenticates as the principal of your current ticket cache with /admin appended; after the kinit above that would be user0/admin, which does not exist, so name root/admin explicitly. ktadd needs the principal to export, otherwise it writes nothing.
# kadmin -p root/admin
kadmin: add_principal -randkey ldap/openldap.yourdomain.com
kadmin: ktadd -keytab /etc/openldap/ldap.keytab ldap/openldap.yourdomain.com
Set keytab permissions and ownership so that only root and the ldap group can read it. The keytab holds the long-term key of the LDAP service, and anyone who can read it can impersonate the service.
# chgrp ldap /etc/openldap/ldap.keytab
# chmod 640 /etc/openldap/ldap.keytab
Point slapd at the keytab by setting KRB5_KTNAME in /etc/sysconfig/slapd. The original sed expression used / both as delimiter and inside the replacement, which breaks it, and it only rewrote the variable name, leaving the old value appended; this version replaces the whole line. slapd reads the variable at startup, so restart it afterwards.
# sed -ri 's|^#?KRB5_KTNAME=.*|KRB5_KTNAME=FILE:/etc/openldap/ldap.keytab|' /etc/sysconfig/slapd
# systemctl restart slapd
Test Kerberos with LDAP. Connect using the FQDN rather than localhost: the GSSAPI client asks the KDC for a service ticket for ldap/<host you connect to>@REALM, and that name has to match the principal stored in the keytab.
# kinit user0
Password for user0@OPENLDAP.YOURDOMAIN.COM:
# ldapsearch -H ldap://openldap.yourdomain.com -Y GSSAPI -b 'dc=openldap,dc=yourdomain,dc=com' '(uid=user0)'
If this command works for you, then everything is fine. If it doesn't,
check the logs (journalctl -u slapd and /var/log/krb5kdc.log), check that
klist -k /etc/openldap/ldap.keytab lists ldap/openldap.yourdomain.com@OPENLDAP.YOURDOMAIN.COM,
and check the permissions and ownership of the keytab.
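As an added example (not code from the original posts), the checks described above put into a script: it reads default_realm from krb5.conf, the keytab path from /etc/sysconfig/slapd, verifies the keytab is not world-readable, and checks that the keytab contains ldap/<fqdn>@REALM, as well as ldap/localhost@REALM, the extra principal the Fedora 20 post had to add for oVirt. For anything missing it prints the kadmin.local commands that would add it. The function names are hypothetical and the default paths are the ones used in the posts; the parsing functions work on files so they can be exercised on constructed input without a KDC.

```shell
#!/usr/bin/env bash
# Added example, not part of the original posts: sanity checks for the
# slapd GSSAPI setup above.  Function names are hypothetical; the default
# paths are the ones the posts use.
set -eu

# Realm part of "service/host@REALM".
principal_realm() {
    printf '%s\n' "${1##*@}"
}

# default_realm from a krb5.conf (first match wins).
default_realm_of() {
    sed -n -E 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*([^[:space:]]+).*/\1/p' "$1" | head -n 1
}

# Keytab path configured in /etc/sysconfig/slapd.  Prints nothing when
# KRB5_KTNAME is absent or still commented out; strips quotes and FILE:.
ktname_of() {
    sed -n 's/^KRB5_KTNAME=//p' "$1" | head -n 1 | tr -d "\"'" | sed 's/^FILE://'
}

# Does the saved output of `klist -k <keytab>` list this exact principal?
# klist prints "KVNO Principal" rows; principals are the second column.
keytab_lists_principal() {
    awk '$2 ~ /@/ { print $2 }' "$1" | grep -qxF -- "$2"
}

# The keytab must not be readable by "others" (the post uses root:ldap 0640).
keytab_mode_ok() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# kadmin commands that add a missing SPN and export it into the keytab,
# the same fix the Fedora 20 post applies for ldap/localhost.
kadmin_fix_for() {
    printf "kadmin.local -q 'add_principal -randkey %s'\n" "$1"
    printf "kadmin.local -q 'ktadd -keytab %s %s'\n" "$2" "$1"
}

# Live run against the real files; needs klist from krb5-workstation.
main() {
    krb5_conf=${1:-/etc/krb5.conf}
    sysconfig=${2:-/etc/sysconfig/slapd}
    fqdn=${3:-$(hostname -f)}
    status=0

    realm=$(default_realm_of "$krb5_conf")
    [ -n "$realm" ] || { echo "FAIL: no default_realm in $krb5_conf"; return 1; }

    keytab=$(ktname_of "$sysconfig")
    [ -n "$keytab" ] || { echo "FAIL: KRB5_KTNAME not set in $sysconfig"; return 1; }

    if keytab_mode_ok "$keytab"; then
        echo "ok: $keytab is not world-readable"
    else
        echo "FAIL: $keytab is world-readable, chmod 640 it"; status=1
    fi

    listing=$(mktemp)
    klist -k "$keytab" > "$listing"
    # slapd's own name is ldap/<fqdn>; ldap/localhost is only needed when a
    # client asks for it, as oVirt did after the Fedora 20 upgrade.
    for host in "$fqdn" localhost; do
        spn="ldap/$host@$realm"
        if keytab_lists_principal "$listing" "$spn"; then
            echo "ok: $spn is in $keytab"
        else
            echo "missing: $spn; to add it run:"
            kadmin_fix_for "$spn" "$keytab"
            [ "$host" = localhost ] || status=1
        fi
    done
    rm -f "$listing"
    return "$status"
}

case "${1:-}" in
    --live) shift; main "$@" ;;
esac
```

Run it on the OpenLDAP machine as `./check-slapd-gssapi.sh --live` (optionally followed by the krb5.conf path, the sysconfig path and the FQDN). A missing ldap/localhost principal is reported but does not fail the run, since it is only needed for clients that ask for it.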