I did short video introduction to oVirt Ansible modules, feel free to check it out.
středa 15. února 2017
neděle 15. ledna 2017
Deploying ManageIQ to oVirt with Ansible
In this blog post I will show you how to deploy ManageIQ appliance to oVirt engine using Ansible.
Prerequisites:
- Ansible 2.2 - Ansible modules for oVirt are available since Ansible 2.2.
- oVirt 4.0.4 - ImageIO is avaible since 4.0.4 (used to upload qcow disk).
The playbook here created will assume that you will run the playbook from the oVirt engine machine. So first please ssh to your oVirt machine. Now install the role which will handle the deploying the ManageIQ, it's called machacekondra.ovirt-manageiq and in order to install it run following command:
Now please ensure that oVirt imageio is properly setup and running. As noted here you should check the ovirt-imageio-proxy service is running on your oVirt engine and ovirt-imageio-daemon service on your hosts. The other important thing is to use proper CA of your oVirt engine, the path can be specified using ovirt_ca variable in your playbook, which is by default /etc/pki/ovirt-engine/ca.pem.
That's it, if you did all steps before correctly, you can now create the playbook:
Please change the URL of you oVirt engine and the password of your user, you can also change other variables as needed, you can find the explanation of variables here. I am strongly suggesting using Ansible vault for your passwords. Now save your playbook to some yaml file, for example manageiq.yml.
Now run the playbook:
Wait until the playbook exit, then check your oVirt engine VMs, you should find there manageiq VM running.
Note, that there is now new better role under oVirt organization on galaxy.
Prerequisites:
- Ansible 2.2 - Ansible modules for oVirt are available since Ansible 2.2.
- oVirt 4.0.4 - ImageIO is avaible since 4.0.4 (used to upload qcow disk).
The playbook here created will assume that you will run the playbook from the oVirt engine machine. So first please ssh to your oVirt machine. Now install the role which will handle the deploying the ManageIQ, it's called machacekondra.ovirt-manageiq and in order to install it run following command:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ansible-galaxy install machacekondra.ovirt-manageiq |
Now please ensure that oVirt imageio is properly setup and running. As noted here you should check the ovirt-imageio-proxy service is running on your oVirt engine and ovirt-imageio-daemon service on your hosts. The other important thing is to use proper CA of your oVirt engine, the path can be specified using ovirt_ca variable in your playbook, which is by default /etc/pki/ovirt-engine/ca.pem.
That's it, if you did all steps before correctly, you can now create the playbook:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - name: Deploy ManageIQ to oVirt engine | |
| hosts: localhost | |
| gather_facts: no | |
| vars: | |
| ovirt_url: https://CHANGEME/ovirt-engine/api | |
| ovirt_user: admin@internal | |
| ovirt_password: CHANGEME | |
| vm_cluster: Default | |
| vm_memory: 4GiB | |
| vm_cpu: 1 | |
| disk_storage_domain: data | |
| disk_size: 50GiB | |
| vm_cloud_init: | |
| user_name: root | |
| root_password: password | |
| roles: | |
| - machacekondra.ovirt-manageiq |
Please change the URL of you oVirt engine and the password of your user, you can also change other variables as needed, you can find the explanation of variables here. I am strongly suggesting using Ansible vault for your passwords. Now save your playbook to some yaml file, for example manageiq.yml.
Now run the playbook:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ omachace ~/workspace $ ansible-playbook -v manageiq.yml | |
| Using /home/omachace/.ansible.cfg as config file | |
| PLAY [Deploy ManageIQ to oVirt engine] ***************************************** | |
| TASK [ovirt-manageiq : Download the OVA image of ManageIQ] ********************* | |
| changed: [example.com] => {"changed": true, "checksum_dest": null, "checksum_src": "7641fb36babcb85db8348a020bac384d34d99ff2", "dest": "/tmp/manageiq.ova", "gid": 0, "group": "root", "md5sum": "f5bd3388b0fcd0e6b563ee26f2c193fa", "mode": "0644", "msg": "OK (1108479736 bytes)", "owner": "root", "secontext": "unconfined_u:object_r:user_tmp_t:s0", "size": 1108479736, "src": "/tmp/tmpfyCvx5", "state": "file", "uid": 0, "url": "http://releases.manageiq.org/manageiq-ovirt-euwe-1.ova"} | |
| TASK [ovirt-manageiq : Create a directory for extract the OVA image] *********** | |
| changed: [example.com] => {"changed": true, "gid": 0, "group": "root", "mode": "0755", "owner": "root", "path": "/tmp/manageiq/", "secontext": "unconfined_u:object_r:user_tmp_t:s0", "size": 6, "state": "directory", "uid": 0} | |
| TASK [ovirt-manageiq : Extract the qcow image from OVA] ************************ | |
| changed: [example.com] => {"changed": true, "dest": "/tmp/manageiq/", "extract_results": {"cmd": ["/usr/bin/gtar", "--extract", "-C", "/tmp/manageiq/", "-z", "-f", "/tmp/ansible_c6VazY/manageiq-ovirt-euwe-1.ova"], "err": "", "out": "", "rc": 0}, "gid": 0, "group": "root", "handler": "TgzArchive", "mode": "0755", "owner": "root", "secontext": "unconfined_u:object_r:user_tmp_t:s0", "size": 34, "src": "/tmp/ansible_c6VazY/manageiq-ovirt-euwe-1.ova", "state": "directory", "uid": 0} | |
| TASK [ovirt-manageiq : Find the name of the qcow image] ************************ | |
| ok: [example.com] => {"changed": false, "examined": 3, "failed": false, "failed_when_result": false, "files": [{"atime": 1484484081.7455075, "ctime": 1484484151.4001844, "dev": 64768, "gid": 0, "inode": 16844986, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "mode": "0755", "mtime": 1482258336.0, "nlink": 1, "path": "/tmp/manageiq/images/28c5e3ae-6937-4621-9128-1be8f0a97e81/04a5f050-3956-4bc0-b953-0e11e068b320", "rgrp": true, "roth": true, "rusr": true, "size": 3412459520, "uid": 0, "wgrp": false, "woth": false, "wusr": true, "xgrp": true, "xoth": true, "xusr": true}], "matched": 1, "msg": ""} | |
| TASK [ovirt-manageiq : Login to oVirt engine] ********************************** | |
| ok: [example.com] => {"ansible_facts": {"ovirt_auth": {"ca_file": "/etc/pki/ovirt-engine/ca.pem", "compress": true, "insecure": false, "kerberos": false, "timeout": 0, "token": "KCd..SNIP..WA", "url": "https://example.com/ovirt-engine/api"}}, "changed": false} | |
| TASK [ovirt-manageiq : Deploy the qcow image to oVirt engine] ****************** | |
| changed: [example.com] => {"changed": true, "disk": {"actual_size": 0, "alias": "manageiq_disk", "disk_profile": {"href": "/ovirt-engine/api/diskprofiles/d86a2403-8bbf-4080-8f16-fd907f38e5c9", "id": "d86a2403-8bbf-4080-8f16-fd907f38e5c9"}, "format": "cow", "href": "/ovirt-engine/api/disks/fbe63434-8d49-4567-ad08-9360dabf98d6", "id": "fbe63434-8d49-4567-ad08-9360dabf98d6", "image_id": "d09da2f6-edc4-4012-ad0f-3f4e064b7ae8", "name": "manageiq_disk", "permissions": [], "propagate_errors": false, "provisioned_size": 53687091200, "quota": {"id": "23744f08-7b5c-45e2-b0b0-5daa685912e6"}, "shareable": false, "sparse": true, "statistics": [], "status": "locked", "storage_domains": [{"id": "c7b4115e-2b37-46f8-a9ed-33c285a0a810"}], "storage_type": "image", "wipe_after_delete": false}, "id": "fbe63434-8d49-4567-ad08-9360dabf98d6"} | |
| TASK [ovirt-manageiq : Create virtual machine for the ManageIQ] **************** | |
| changed: [example.com] => {"changed": true, "id": "854b817b-b8e4-4f42-b45b-b2ebea8f4d7e", "vm": {"affinity_labels": [], "applications": [], "bios": {"boot_menu": {"enabled": false}}, "cdroms": [], "cluster": {"href": "/ovirt-engine/api/clusters/75faab86-1b23-406c-b675-1eca339ae734", "id": "75faab86-1b23-406c-b675-1eca339ae734"}, "cpu": {"architecture": "x86_64", "topology": {"cores": 2, "sockets": 1, "threads": 1}}, "cpu_profile": {"href": "/ovirt-engine/api/cpuprofiles/40804dbc-d37f-4547-9ded-b7ec998483fc", "id": "40804dbc-d37f-4547-9ded-b7ec998483fc"}, "cpu_shares": 0, "creation_time": "2017-01-15 14:47:01.328000+02:00", "delete_protected": false, "disk_attachments": [], "display": {"allow_override": false, "copy_paste_enabled": true, "disconnect_action": "LOCK_SCREEN", "file_transfer_enabled": true, "monitors": 1, "single_qxl_pci": false, "smartcard_enabled": false, "type": "spice"}, "graphics_consoles": [], "high_availability": {"enabled": false, "priority": 0}, "host_devices": [], "href": "/ovirt-engine/api/vms/854b817b-b8e4-4f42-b45b-b2ebea8f4d7e", "id": "854b817b-b8e4-4f42-b45b-b2ebea8f4d7e", "io": {"threads": 0}, "katello_errata": [], "large_icon": {"href": "/ovirt-engine/api/icons/642e318c-32cf-40db-b9a8-fbf510ca655d", "id": "642e318c-32cf-40db-b9a8-fbf510ca655d"}, "memory": 6442450944, "memory_policy": {"ballooning": true, "guaranteed": 1073741824}, "migration": {"auto_converge": "inherit", "compressed": "inherit"}, "migration_downtime": -1, "name": "manageiq", "next_run_configuration_exists": false, "nics": [], "numa_nodes": [], "numa_tune_mode": "interleave", "origin": "ovirt", "original_template": {"href": "/ovirt-engine/api/templates/00000000-0000-0000-0000-000000000000", "id": "00000000-0000-0000-0000-000000000000"}, "os": {"boot": {"devices": ["hd"]}, "type": "rhel_7x64"}, "permissions": [], "placement_policy": {"affinity": "migratable"}, "quota": {"id": "23744f08-7b5c-45e2-b0b0-5daa685912e6"}, "reported_devices": [], "sessions": [], "small_icon": {"href": "/ovirt-engine/api/icons/b5107cab-7f80-4149-8add-d8c5aa9fa65d", "id": "b5107cab-7f80-4149-8add-d8c5aa9fa65d"}, "snapshots": [], "sso": {"methods": [{"id": "guest_agent"}]}, "start_paused": false, "stateless": false, "statistics": [], "status": "down", "stop_time": "2017-01-15 14:47:01.370000+02:00", "tags": [], "template": {"href": "/ovirt-engine/api/templates/00000000-0000-0000-0000-000000000000", "id": "00000000-0000-0000-0000-000000000000"}, "time_zone": {"name": "Etc/GMT"}, "type": "server", "usb": {"enabled": false}, "watchdogs": []}} | |
| TASK [ovirt-manageiq : Logout from oVirt engine] ******************************* | |
| ok: [example.com] => {"ansible_facts": {"ovirt_auth": {}}, "changed": false} | |
| PLAY RECAP ********************************************************************* | |
| example.com : ok=7 changed=4 unreachable=0 failed=0 |
Wait until the playbook exit, then check your oVirt engine VMs, you should find there manageiq VM running.
Note, that there is now new better role under oVirt organization on galaxy.
čtvrtek 18. února 2016
Client certificate authentication with oVirt
This post will show you how to configure authentication using client certificates.
FreeIPA 4.2.0 introduced support for multiple certificate profiles, including support for user certificates.
So we will use integration with FreeIPA 4.2. Please follow this post to create new profile for issuing user certificates in FreeIPA.
Second, we have to create certificate signing request(CSR), using config, where we specify subjectAltName extension, which must match our user's email address in FreeIPA and commonName which must match user's login.
We can now submit our CSR to IPA to issue certificate for our user. Remember to specify our user's login and profile for user certificates.
Now, we need to extract user's cetificate.
Now lets finnaly create our pkcs#12. Which you can later use with your browser to login.
Now add CA certificate of ipa to /etc/pki/ovirt-engine/apache-ca.pem
Authn configuration:
example.properties - specify your specifc creadentials and values for your IPA server
Restart ovirt-engine and httpd
In order to try it with our browser, please find relevant documentation how to import your pkcs#12 into browser, then you will be able to connect to oVirt via browser using client certificate.
And then don't forget to link this mapping to authn extension.
Test user creation
We create our user testing user in IPA, please be carefull specifying email address and login, we will need these later on.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ipa user-add --first=Ondra --last=Machacek --email=omachace@example.com omachace | |
| --------------------- | |
| Added user "omachace" | |
| --------------------- | |
| User login: omachace | |
| First name: Ondra | |
| Last name: Machacek | |
| Full name: Ondra Machacek | |
| Display name: Ondra Machacek | |
| Initials: OM | |
| Home directory: /home/omachace | |
| GECOS: Ondra Machacek | |
| Login shell: /bin/sh | |
| Kerberos principal: omachace@EXAMPLE.COM | |
| Email address: omachace@example.com | |
| UID: 725600015 | |
| GID: 725600015 | |
| Password: False | |
| Member of groups: ipausers | |
| Kerberos keys available: False |
pkcs#12 creation
First, we need to create private key for our user:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ openssl genrsa -out mykey.pem 2048 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ cat ~/csr.conf | |
| [ req ] | |
| prompt = no | |
| encrypt_key = no | |
| req_extensions = exts | |
| distinguished_name = dn | |
| [ dn ] | |
| commonName = "omachace" | |
| [ exts ] | |
| subjectAltName=email:omachace@example.com | |
| $ openssl req -new -key mykey.pem -out cert.req -text -config csr.conf |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ipa cert-request cert.req --principal omachace --profile-id clientIdentity | |
| Certificate: MIIEcjCCA1qgAwIBAgIBDTANBgkqhkiG9w0BAQsFADBQMS4wLAYDVQQKDCVCUlEtSVBBLTQuUkhFVi5MQUIuRU5HLkJSUS5SRURIQVQuQ09NMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwMjE4MTEwNTQyWhcNMTgwMjE4MTEwNTQyWjBDMS4wLAYDVQQKDCVCUlEtSVBBLTQuUkhFVi5MQUIuRU5HLkJSUS5SRURIQVQuQ09NMREwDwYDVQQDDAhvbWFjaGFjZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPbWoaF2vSdVbguUvZurMcTJA5NWUfteuB/gGMTacwZMCQqqE1DBNDyW1kDcSTMJ0f65K1ae/6xEA1u9exwP6OkSqthivLt6swXID9LGaEsy2kG7jS6udH+5NMMkswTQqee17T66FkofUCr7kjTOluyIPQiidlxCIzBw8WkfO+nQTSSqy9AJh2NT9/zn0Sl8LVNwWirztfhuUB6XOxWKpONWGGnrDE8V6AqdWmNVdZTuXXoRjgdsBQ7FpPteoJiURtYnDNtxIkgL25ISOhn6siQdYnYnBYOmUfYIFi93SfdK4r1UULWGkXuK7nardHz+mkgOjrOU56TzdQW8Zk25wxECAwEAAaOCAWIwggFeMB8GA1UdIwQYMBaAFL8uAcchjBsV8cNhofSahkvtIGvdME0GCCsGAQUFBwEBBEEwPzA9BggrBgEFBQcwAYYxaHR0cDovL2lwYS1jYS5yaGV2LmxhYi5lbmcuYnJxLnJlZGhhdC5jb20vY2Evb2NzcDAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwgYYGA1UdHwR/MH0we6BDoEGGP2h0dHA6Ly9pcGEtY2Eucmhldi5sYWIuZW5nLmJycS5yZWRoYXQuY29tL2lwYS9jcmwvTWFzdGVyQ1JMLmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAdBgNVHQ4EFgQUz1860OiS7+wt1LzbLosFlAjiuXowHwYDVR0RBBgwFoEUb21hY2hhY2VAZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAH9BLwuhLlx3V/3F63rtAmZXpcbdoXxbna3qED454uJ2sWMd0rZqMdlnCQoGJ9kXSKuSsTlw1Zzn/S+ubsYAIJzTeLHQ4sPsqUlxd2eg/ikcUvDTqTKMYdXHP0kDvGTAlncRd8ySKY7HQoD7Bgg97B3yYvE8bGkYC90fhQqaL9lRpuVqueeJvqZ7hWF+Of8dvOugqC0CNb0roNlZ7r5gklgRILldLomkxgjWF4hazN+X+ibnnVx8DTNzYtTO8lMdKzGZtbOdX75FKuO7Ld9ikFKvGHUp5CechJzGQrClmQP9qZVO9ZZMgCwUeXiCgzqlOehGMVkt9qQtaqYDPODJcDY= | |
| Subject: CN=omachace,O=EXAMPLE.COM | |
| Issuer: CN=Certificate Authority,O=EXAMPLE.COM | |
| Not Before: Thu Feb 18 11:05:42 2016 UTC | |
| Not After: Sun Feb 18 11:05:42 2018 UTC | |
| Fingerprint (MD5): 0c:db:6f:ad:ef:52:e4:12:7d:fc:8e:0e:bb:c2:fc:bd | |
| Fingerprint (SHA1): e9:15:78:94:67:25:61:d0:4f:f2:6b:59:8d:2f:2d:09:95:64:27:fe | |
| Serial number: 13 | |
| Serial number (hex): 0xD |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ipa user-show omachace --out=cert.pem | |
| ---------------------------------------- | |
| Certificate(s) stored in file 'cert.pem' | |
| ---------------------------------------- | |
| User login: omachace | |
| First name: Ondra | |
| Last name: Machacek | |
| Home directory: /home/omachace | |
| Login shell: /bin/sh | |
| Email address: omachace@example.com | |
| UID: 725600015 | |
| GID: 725600015 | |
| Certificate: MIIEcjCCA1qgAwIBAgIBDTANBgkqhkiG9w0BAQsFADBQMS4wLAYDVQQKDCVCUlEtSVBBLTQuUkhFVi5MQUIuRU5HLkJSUS5SRURIQVQuQ09NMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwMjE4MTEwNTQyWhcNMTgwMjE4MTEwNTQyWjBDMS4wLAYDVQQKDCVCUlEtSVBBLTQuUkhFVi5MQUIuRU5HLkJSUS5SRURIQVQuQ09NMREwDwYDVQQDDAhvbWFjaGFjZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPbWoaF2vSdVbguUvZurMcTJA5NWUfteuB/gGMTacwZMCQqqE1DBNDyW1kDcSTMJ0f65K1ae/6xEA1u9exwP6OkSqthivLt6swXID9LGaEsy2kG7jS6udH+5NMMkswTQqee17T66FkofUCr7kjTOluyIPQiidlxCIzBw8WkfO+nQTSSqy9AJh2NT9/zn0Sl8LVNwWirztfhuUB6XOxWKpONWGGnrDE8V6AqdWmNVdZTuXXoRjgdsBQ7FpPteoJiURtYnDNtxIkgL25ISOhn6siQdYnYnBYOmUfYIFi93SfdK4r1UULWGkXuK7nardHz+mkgOjrOU56TzdQW8Zk25wxECAwEAAaOCAWIwggFeMB8GA1UdIwQYMBaAFL8uAcchjBsV8cNhofSahkvtIGvdME0GCCsGAQUFBwEBBEEwPzA9BggrBgEFBQcwAYYxaHR0cDovL2lwYS1jYS5yaGV2LmxhYi5lbmcuYnJxLnJlZGhhdC5jb20vY2Evb2NzcDAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwgYYGA1UdHwR/MH0we6BDoEGGP2h0dHA6Ly9pcGEtY2Eucmhldi5sYWIuZW5nLmJycS5yZWRoYXQuY29tL2lwYS9jcmwvTWFzdGVyQ1JMLmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAdBgNVHQ4EFgQUz1860OiS7+wt1LzbLosFlAjiuXowHwYDVR0RBBgwFoEUb21hY2hhY2VAZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAH9BLwuhLlx3V/3F63rtAmZXpcbdoXxbna3qED454uJ2sWMd0rZqMdlnCQoGJ9kXSKuSsTlw1Zzn/S+ubsYAIJzTeLHQ4sPsqUlxd2eg/ikcUvDTqTKMYdXHP0kDvGTAlncRd8ySKY7HQoD7Bgg97B3yYvE8bGkYC90fhQqaL9lRpuVqueeJvqZ7hWF+Of8dvOugqC0CNb0roNlZ7r5gklgRILldLomkxgjWF4hazN+X+ibnnVx8DTNzYtTO8lMdKzGZtbOdX75FKuO7Ld9ikFKvGHUp5CechJzGQrClmQP9qZVO9ZZMgCwUeXiCgzqlOehGMVkt9qQtaqYDPODJcDY= | |
| Account disabled: False | |
| Password: False | |
| Member of groups: ipausers | |
| Kerberos keys available: False |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ openssl pkcs12 -export -out my.p12 -inkey mykey.pem -in cert.pem | |
| Enter Export Password: | |
| Verifying - Enter Export Password: |
Apache mod_ssl configuration
Now ssh to your oVirt machine. We need to reconfigure apache mod_ssl module, to require client certificate and since oVirt's AAA works with X-Remote-User header, we need to set it to REMOTE_USER env variable. Please add following lines into /etc/httpd/conf.d/ssl.conf.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SSLVerifyClient require | |
| SSLVerifyDepth 1 | |
| SSLUserName SSL_CLIENT_S_DN_CN | |
| RewriteEngine on | |
| RewriteCond %{LA-U:REMOTE_USER} ^(.*)$ | |
| RewriteRule ^(.*)$ - [L,P,E=REMOTE_USER:%1,NS] | |
| RequestHeader set X-Remote-User %{REMOTE_USER}s |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ssh root@ipa.example.com 'cat /etc/ipa/ca.crt' >> /etc/pki/ovirt-engine/apache-ca.pem |
oVirt AAA configuration
Authz configuration:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ cat /etc/ovirt-engine/extensions.d/example-authz.properties | |
| ovirt.engine.extension.name = example-authz | |
| ovirt.engine.extension.bindings.method = jbossmodule | |
| ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap | |
| ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension | |
| ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz | |
| config.profile.file.1 = ../aaa/example.properties | |
| config.globals.bindFormat.simple_bindFormat = realm |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ cat /etc/ovirt-engine/extensions.d/profile1-http-authn.properties | |
| ovirt.engine.extension.name = example-http-authn | |
| ovirt.engine.extension.bindings.method = jbossmodule | |
| ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc | |
| ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension | |
| ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn | |
| ovirt.engine.aaa.authn.profile.name = example.com | |
| ovirt.engine.aaa.authn.authz.plugin = example-authz | |
| config.artifact.name = HEADER | |
| config.artifact.arg = X-Remote-User |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ cat /etc/ovirt-engine/aaa/example.properties | |
| include = <ipa.properties> | |
| vars.server = ipa.example.com | |
| vars.user = uid=search_user,cn=users,cn=accounts,dc=example,dc=com | |
| vars.password = securepassword | |
| pool.default.serverset.single.server = ${global:vars.server} | |
| pool.default.auth.simple.bindDN = ${global:vars.user} | |
| pool.default.auth.simple.password = ${global:vars.password} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ service httpd restart | |
| $ service ovirt-engine restart |
Let's try login
Please assign your user some permissions, in our case we assign user omachace SuperUser permission on system. Then we are able login as follows:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ wget http://ovirt.example.com/ca.crt | |
| $ curl --cacert ca.crt -E cert.pem --key mykey.pem https://ovirt.example.com/ovirt-engine/api/users/8483b0d6-29b2-44ea-b8a1-53b77af8be69 | |
| <?xml version="1.0" encoding="UTF-8" standalone="yes"?> | |
| <user href="/ovirt-engine/api/users/8483b0d6-29b2-44ea-b8a1-53b77af8be69" id="8483b0d6-29b2-44ea-b8a1-53b77af8be69"> | |
| <name>Ondra</name> | |
| <link href="/ovirt-engine/api/users/8483b0d6-29b2-44ea-b8a1-53b77af8be69/permissions" rel="permissions"/> | |
| <link href="/ovirt-engine/api/users/8483b0d6-29b2-44ea-b8a1-53b77af8be69/roles" rel="roles"/> | |
| <link href="/ovirt-engine/api/users/8483b0d6-29b2-44ea-b8a1-53b77af8be69/tags" rel="tags"/> | |
| <domain href="/ovirt-engine/api/domains/6578616D706C652D617574687A" id="6578616D706C652D617574687A"> | |
| <name>example-authz</name> | |
| </domain> | |
| <domain_entry_id>35386132666338302D643632652D313165352D623962362D303031613461303133663630</domain_entry_id> | |
| <namespace>dc=example,dc=com</namespace> | |
| <last_name>Machacek</last_name> | |
| <user_name>omachace@example-authz</user_name> | |
| <principal>omachace</principal> | |
| <email>omachace@example.com</email> | |
| </user> |
CN to username mapping
In some setups you can met with situation, that your CN and username don't equal, in that moment you can use mapping extension. Imagine situation that in your CN is 'Ondra.Machacek' instead of 'omachace'. Then you would create a new mapping properties file as follows:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ovirt.engine.extension.name = example-http-mapping | |
| ovirt.engine.extension.bindings.method = jbossmodule | |
| ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc | |
| ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension | |
| ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping | |
| config.mapAuthRecord.type = regex | |
| config.mapAuthRecord.regex.mustMatch = true | |
| config.mapAuthRecord.regex.pattern = ^(?<firstchar>[A-Z])[A-Z]*\\.(?<lastname>[A-Z]{1,7}).*?$ | |
| config.mapAuthRecord.regex.replacement = ${firstchar}${lastname} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ovirt.engine.extension.name = example-http-authn | |
| ovirt.engine.extension.bindings.method = jbossmodule | |
| ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc | |
| ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension | |
| ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn | |
| ovirt.engine.aaa.authn.mapping.plugin = example-http-mapping | |
| ovirt.engine.aaa.authn.profile.name = example.com | |
| ovirt.engine.aaa.authn.authz.plugin = example-authz | |
| config.artifact.name = HEADER | |
| config.artifact.arg = X-Remote-User |
pátek 2. října 2015
ovirt-engine-extension-aaa-jdbc introduction & settings customization
oVirt 3.6 introduced new extension called ovirt-engine-extension-aaa-jdbc. If you upgrade from older version or if you install fresh new 3.6 you will have this extension installed and configured. With this extension you can store you users/group in database. Very good for people who don't need much users and don't want to deploy LDAP. Note that your admin@internal will now be part of this extension, this migration is done transparently by engine-setup.
Auth[zn] files for internal extension can be found in etc/ovirt-engine/extensions.d/internal-authz.properties and etc/ovirt-engine/extensions.d/internal-authn.properties. Nothing interesting can be found those two files. In common configuration of auth[zn] you can then find database connection settings, which you will find in etc/ovirt-engine/aaa/internal.properties. Content of the file looks like:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| config.datasource.jdbcurl=jdbc:postgresql://localhost:5432/engine?sslfactory=org.postgresql.ssl.NonValidatingFactory | |
| config.datasource.dbuser=engine | |
| config.datasource.dbpassword=***** | |
| config.datasource.jdbcdriver=org.postgresql.Driver | |
| config.datasource.schemaname=aaa_jdbc |
Exploring tables
Wanna check the data aaa-jdbc extension store? You can do as follows:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ su postgres | |
| bash-4.3$ psql -d engine | |
| engine=# \dt aaa_jdbc.*; | |
| List of relations | |
| Schema | Name | Type | Owner | |
| ----------+-----------------------+-------+-------- | |
| aaa_jdbc | failed_logins | table | engine | |
| aaa_jdbc | group_attributes | table | engine | |
| aaa_jdbc | group_groups | table | engine | |
| aaa_jdbc | groups | table | engine | |
| aaa_jdbc | schema_version | table | engine | |
| aaa_jdbc | settings | table | engine | |
| aaa_jdbc | user_attributes | table | engine | |
| aaa_jdbc | user_groups | table | engine | |
| aaa_jdbc | user_password_history | table | engine | |
| aaa_jdbc | users | table | engine | |
| (10 rows) | |
| engine=# select name, valid_from, valid_to from aaa_jdbc.users; | |
| name | valid_from | valid_to | |
| -------+----------------------------+---------------------------- | |
| admin | 2015-10-01 10:38:32.361+02 | 2215-10-01 10:38:32.361+02 | |
| (1 row) |
Well, this is not too comfortable to work with your users. The extension provide CLI tool to manage the users more comfortable way.
CLI tool
Cli too name is ovirt-aaa-jdbc-tool. Not much I can say about this tool, since it has good documentation in help.So whenever you are in doubt what to use just append --help to your args. Please note that by default use the command user @internal extension. If you want to use different one just pass --db-config=/path/to/db/settings.properties of your configuration.
Adding user via CLI tool
If you explored help of this tool you can see there is user module, which you can use to manage users. So we will add some users, which we will use later in this blog post. Please note that by default freshly added users don't have set password, so you need to set it.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ovirt-aaa-jdbc-tool user add user1 | |
| $ ovirt-aaa-jdbc-tool user password-reset user1 --password=pass:123456 --password-valid-to="2100-01-01 00:00:00Z" |
Changing settings via CLI tool
As there is user module there is also settings module to change settings of aaa-jdbc extension. To see what you can change simply run 'ovirt-aaa-jdbc-tool settings show'. There are lot of stuff you can change, the most important/interesting I will show you later.Policies
Password history limit
You can use setting option PASSWORD_HISTORY_LIMIT to prohibit user to set same password as he used before. Limit can be integer value, by default it's 3. That means user can't change password to last three passwords he used before.To change it, use command below(set it to 5):
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ovirt-aaa-jdbc-tool settings set --name PASSWORD_HISTORY_LIMIT --value 5 |
Password complexity
Minimal lenght
To set minimal lenght of password you have to change MIN_LENGTH option. By default it's 6.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ovirt-aaa-jdbc-tool settings set --name MIN_LENGTH --value 8 |
To set complexity of password you have to change PASSWORD_COMPLEXITY option. You can create different complexity groups. By default there is no restriction. So if you want to for example your user force to have at least one upper case letter, lower case letter and number in his password run the command below:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ovirt-aaa-jdbc-tool settings set --name PASSWORD_COMPLEXITY --value "UPPERCASE:chars=ABCDEFGHIJKLMNOPQRSTUVWXYZ::min=1::LOWERCASE:chars=abcdefghijklmnopqrstuvwxyz::min=1::NUMBERS:chars=0123456789::min=1::" |
Account & login policy
Non locking policy after failed login
To prevent brute force attacks to your account and at the same time prevent denial of your account you can set non locking policy when there is too many attempts to guess password to your user account. To set it use MAX_FAILURES_PER_MINUTE option. By default it's set to 6.
Locking of account after failed login
You account can be locked after X failed logins. There are two options to configure that.
First possibility is to set MAX_FAILURES_SINCE_SUCCESS this option means that user account is locked after X unsuccessfull login attempts to your account after last successfull login.
The second possibility is to set MAX_FAILURES_PER_INTERVAL this options means that your user account will be locked after X unsuccesfull login attempts to your account in X hours. The value of hours can be set in option INTERVAL_HOURS.
Your accounts are locked to X minutes. The amount of minutes can be changed by value of option LOCK_MINUTES. Or you can unlock your user by running cli command:
$ ovirt-aaa-jdbc-tool user unlock user1
Removing of failed login
Failed login can be automatically removed during house keeping. All failed login which are older then X days specified in option FAILED_LOGINS_OLD_DAYS will be removed.
Other
Max login minutes
With MAX_LOGIN_MINUTES option you can set how long your user can be logged in. If time exceeds, he will be automatically logged out.Many others
There are many other options. You can explore them by yourself, just run:$ ovirt-aaa-jdbc-tool settings show
úterý 19. května 2015
SAML and oVirt 3.5
Same way as kerberos is supported for oVirt 3.5 there is also support for SAML via apache module.
There are few SAML apache modules, but I chose mod_auth_mellon, as it has very nice documentation.
First of all we need to setup some identity provider. I chose OpenAM. Please follow steps to quick install of OpenAM with embedded OpenDJ ldap.
OK I presume, that you have up and running OpenAM on tomcat with embedded OpenDJ ldap.
Next step is to setup ourt OpenAM as Identity Provider. Go to 'common-tasks' tab and hit the button 'Created Hosted Identity Provider'. Set name of your metadata(your URL). Signing key, if you want. Then create new CoT and named it as you like, not important for us. Now very important thing. You need to add attribute mapping, so we are able to map the uid of user in ldap to REMOTE_USER env of apache. Please set 'Name in assertion' to 'common-name' and 'Local attribute name' to 'cn'. And we are done.
WHAT_EVER_SP_ENTITY_NAME_ID.key
WHAT_EVER_SP_ENTITY_NAME_ID.cert
No we will create test user in OpenDJ. Go to OpenAM -> 'Access Control' tab -> select your realm (default /). Click 'Subjects' tab -> Add new user -> Fill appropriate values. (ie user1.)
Now go to oVirt webadmin and search within 'http' profile for user1 and assign him permissions. Now go to ovirt-engine/api URL and you will be forwarded to OpenAM login screen, fill your credentials and you are now able to access rest-api.
There are few SAML apache modules, but I chose mod_auth_mellon, as it has very nice documentation.
First of all we need to setup some identity provider. I chose OpenAM. Please follow steps to quick install of OpenAM with embedded OpenDJ ldap.
OK I presume, that you have up and running OpenAM on tomcat with embedded OpenDJ ldap.
Next step is to setup ourt OpenAM as Identity Provider. Go to 'common-tasks' tab and hit the button 'Created Hosted Identity Provider'. Set name of your metadata(your URL). Signing key, if you want. Then create new CoT and named it as you like, not important for us. Now very important thing. You need to add attribute mapping, so we are able to map the uid of user in ldap to REMOTE_USER env of apache. Please set 'Name in assertion' to 'common-name' and 'Local attribute name' to 'cn'. And we are done.
Apache configuration
Now we need to setup oVirt apache as service provider(I am using RHEL 6.6):- Install mod_auth_mellon apache module:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
$ yum install -y mod_auth_mellon
-
Obtain IdP metadata:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
$ wget $YOUR_IDP_URL/saml2/jsp/exportmetadata.jsp -O /etc/httpd/mellon/idp.xml
-
Create SP metadata:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
$ /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh WHAT_EVER_SP_ENTITY_NAME_ID ENTITY-ID https://ovirt/mellon
- Previous step will create for you three files:
WHAT_EVER_SP_ENTITY_NAME_ID.key
WHAT_EVER_SP_ENTITY_NAME_ID.cert
- copy them to the /etc/httpd/mellon and asure that all files and folder can be read by apache.
- Create mod_auth_mellon configuration:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
$ cat /etc/httpd/conf.d/auth_mellon.conf LoadModule auth_mellon_module modules/mod_auth_mellon.so <Location /> MellonSPCertFile /etc/httpd/mellon/WHAT_EVER_SP_ENTITY_NAME_ID.cert MellonSPPrivateKeyFile /etc/httpd/mellon/WHAT_EVER_SP_ENTITY_NAME_ID.key MellonSPMetadataFile /etc/httpd/mellon/WHAT_EVER_SP_ENTITY_NAME_ID.xml MellonUser "common-name" MellonEndpointPath /mellon RewriteEngine on RewriteCond %{LA-U:REMOTE_USER} ^(.*)$ RewriteRule ^(.*)$ - [L,P,E=REMOTE_USER:%1] RequestHeader set X-Remote-User %{REMOTE_USER}s </Location> <Location /ovirt-engine/api> MellonEnable "auth" Require valid-user AuthType "Mellon" </Location>
- In OpenAM go to 'common-tasks' , hit 'register remote service provider'. Upload your SP metadata WHAT_EVER_SP_ENTITY_NAME_ID.xml. Choose already cretead CoT. That's all, click 'configure'.
oVirt AAA configuration
We had setup both mod_auth_mellon as SP and OpenAM as IdP. Last thing is to setup oVirt to respect this setup.-
Install oVirt AAA packages:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
$ yum install -y ovirt-engine-extension-aaa-misc ovirt-engine-extension-aaa-ldap -
Authn configuration:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
$ cat /etc/ovirt-engine/extensions.d/http-authn.properties ovirt.engine.extension.name = http-authn ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name = http ovirt.engine.aaa.authn.authz.plugin = saml-authz config.artifact.name = HEADER config.artifact.arg = X-Remote-User -
Authz configuration:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
$ cat /etc/ovirt-engine/extensions.d/saml_authz.properties ovirt.engine.extension.name = saml-authz ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz config.profile.file.1 = /etc/ovirt-engine/aaa/opendj_saml.properties -
Connection configuration:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
$ cat /etc/ovirt-engine/aaa/opendj_saml.properties include = <opendj.properties> pool.default.serverset.type = single pool.default.serverset.single.server = YOUR_OPEN_AM_URL pool.default.serverset.single.port = YOUR_EMBEEDED_OPENDJ_PORT # default 50389 pool.default.auth.type = simple pool.default.auth.simple.bindDN = cn=Directory Manager # use user with some only read permissions pool.default.auth.simple.password = XXXXXXX -
This is custom properties file of opendj, I've created it for this example saml configuration. It's not supported by oVirt:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
$ cat /usr/share/ovirt-engine-extension-aaa-ldap/profiles/opendj.properties include = <simple.properties> attrmap.map-principal-record.attr.PrincipalRecord_DN.map = _dn attrmap.map-principal-record.attr.PrincipalRecord_ID.map = entryUUID attrmap.map-principal-record.attr.PrincipalRecord_NAME.map = uid attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = uid attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map = displayName attrmap.map-principal-record.attr.PrincipalRecord_DEPARTMENT.map = department attrmap.map-principal-record.attr.PrincipalRecord_FIRST_NAME.map = givenName attrmap.map-principal-record.attr.PrincipalRecord_LAST_NAME.map = sn attrmap.map-principal-record.attr.PrincipalRecord_TITLE.map = title attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = mail attrmap.map-group-record.attr.GroupRecord_DN.map = _dn attrmap.map-group-record.attr.GroupRecord_ID.map = entryUUID attrmap.map-group-record.attr.GroupRecord_NAME.map = cn attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = description sequence-init.init.600-opendj-init-vars = opendj-init-vars sequence.opendj-init-vars.010.description = set base dn sequence.opendj-init-vars.010.type = var-set sequence.opendj-init-vars.010.var-set.variable = simple_attrsBaseDN sequence.opendj-init-vars.010.var-set.value = namingContexts sequence.opendj-init-vars.020.description = set user attribute sequence.opendj-init-vars.020.type = var-set sequence.opendj-init-vars.020.var-set.variable = simple_attrsUserName sequence.opendj-init-vars.020.var-set.value = uid sequence.opendj-init-vars.030.description = set principal record attributes sequence.opendj-init-vars.030.type = var-set sequence.opendj-init-vars.030.var-set.variable = simple_attrsPrincipalRecord sequence.opendj-init-vars.030.var-set.value = entryUUID, uid, displayName, department, givenName, sn, title, mail sequence.opendj-init-vars.040.type = var-set sequence.opendj-init-vars.040.var-set.variable = simple_filterUserObject sequence.opendj-init-vars.040.var-set.value = (objectClass=person)(uid=*) sequence.opendj-init-vars.050.description = set group record attributes sequence.opendj-init-vars.050.type = var-set sequence.opendj-init-vars.050.var-set.variable = simple_attrsGroupRecord sequence.opendj-init-vars.050.var-set.value = entryUUID, cn, description sequence.opendj-init-vars.060.description = set group object filter sequence.opendj-init-vars.060.type = var-set sequence.opendj-init-vars.060.var-set.variable = simple_filterGroupObject sequence.opendj-init-vars.060.var-set.value = (objectClass=groupOfUniqueNames) sequence.opendj-init-vars.070.description = set group member filter sequence.opendj-init-vars.070.type = var-set sequence.opendj-init-vars.070.var-set.variable = simple_attrGroupMemberDN sequence.opendj-init-vars.070.var-set.value = uniqueMember - Check correct persmissions of all properties file, it have to be readeble by oVirt.
No we will create test user in OpenDJ. Go to OpenAM -> 'Access Control' tab -> select your realm (default /). Click 'Subjects' tab -> Add new user -> Fill appropriate values. (ie user1.)
Now go to oVirt webadmin and search within 'http' profile for user1 and assign him permissions. Now go to ovirt-engine/api URL and you will be forwarded to OpenAM login screen, fill your credentials and you are now able to access rest-api.
úterý 30. prosince 2014
Tool which will help you migrate from legacy kerbldap to new AAA
Since oVirt 4.0 there will be no support for legacy kerbldap domains (added via engine-manage-domains command). A tool that will help your to migrate to new AAA was written. Please refer to README to more information.
openldap stops work with ovirt when uprage into fedora 20
I have recently upgraded openldap to fedora 20 and I had
openldap connected into ovirt 3.5. Everything went
smooth but openldap didn't work with ovirt. The first issue,
is common for all almost all ldap providers since it was cyrus-sasl-lib
bug. There was an easy workaround with setting sasl_qop into auth.
But there was another issue which I don't why happend, but ovirt
send kerberos request:
ldap/localhost@REALM
instead of
ldap/fqdn@REALM,
So to easily workaround this problem just add:
$ kadmin.local:
add_principal -randkey ldap/localhost@REALM
ktadd -keytab your_keytab_path ldap/localhost@REALM
Then restart openldap, and everything goes fine now. :)
openldap connected into ovirt 3.5. Everything went
smooth but openldap didn't work with ovirt. The first issue,
is common for all almost all ldap providers since it was cyrus-sasl-lib
bug. There was an easy workaround with setting sasl_qop into auth.
But there was another issue which I don't why happend, but ovirt
send kerberos request:
ldap/localhost@REALM
instead of
ldap/fqdn@REALM,
So to easily workaround this problem just add:
$ kadmin.local:
add_principal -randkey ldap/localhost@REALM
ktadd -keytab your_keytab_path ldap/localhost@REALM
Then restart openldap, and everything goes fine now. :)
Přihlásit se k odběru:
Příspěvky (Atom)