Tuesday, 30 December 2014
Tool which will help you migrate from legacy kerbldap to new AAA
Since oVirt 4.0 there will be no support for legacy kerbldap domains (added via the engine-manage-domains command). A tool that will help you migrate to the new AAA was written. Please refer to its README for more information.
openldap stops working with ovirt after upgrade to fedora 20
I have recently upgraded openldap to fedora 20 and I had
openldap connected into ovirt 3.5. Everything went
smooth but openldap didn't work with ovirt. The first issue
is common for almost all ldap providers since it was a cyrus-sasl-lib
bug. There was an easy workaround: setting sasl_qop to auth.
But there was another issue which I don't know why happened, but ovirt
sent the kerberos request for:
ldap/localhost@REALM
instead of
ldap/fqdn@REALM,
So to easily work around this problem just add:
$ kadmin.local
kadmin.local: add_principal -randkey ldap/localhost@REALM
kadmin.local: ktadd -keytab your_keytab_path ldap/localhost@REALM
Then restart openldap, and everything goes fine now. :)
[PART 3] Ovirt with SSO - ovirt & apache
Installing ovirt
Create a vm (or whatever) where you install your oVirt. Here are all the steps provided. Just follow the steps.
Configure kerberos for ovirt
ssh into your openldap machine. Here we need to create an SPN for our oVirt in the kerberos database, create a keytab and copy it to our oVirt machine. Then change the permissions/owner of the keytab appropriately.
[openldap]$ kadmin.local
kadmin.local: add_principal -randkey HTTP/openldap.yourdomain.com
kadmin.local: ktadd -keytab /tmp/ovirt.keytab HTTP/openldap.yourdomain.com
[openldap]$ scp /tmp/ovirt.keytab ovirt@ovirt.fqdn:/etc/http.keytab
[ovirt]$ chmod 660 /etc/http.keytab
[ovirt]$ chown ovirt:ovirt /etc/http.keytab
Configure apache kerberos module
First we need to install the kerberos module for apache and then configure it with our kerberos configuration (on CentOS 7 and newer I suggest using mod_auth_gssapi instead):
$ yum install -y mod_auth_kerb
$ cat /etc/httpd/conf.d/auth_kerb.conf
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<IfModule auth_kerb_module>
  <LocationMatch ^(/ovirt-engine/api|/api)>
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s
    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5Keytab /etc/http.keytab
    KrbAuthRealms OPENLDAP.YOURDOMAIN.COM
    Require valid-user
  </LocationMatch>
</IfModule>
Configure ovirt
First we need to install the new extension api. We have to install two packages: one is for the ldap extensions and the second is the gateway extension. If you just want to try the new extension api, you don't have to install the misc package, but we will need it for SSO. There is also one for logging.
$ yum install -y ovirt-engine-extension-aaa-misc ovirt-engine-extension-aaa-ldap
Now I highly recommend reading all the READMEs.
$ rpm -qd ovirt-engine-extension-aaa-ldap
/usr/share/doc/ovirt-engine-extension-aaa-ldap-1.0.0/README
/usr/share/doc/ovirt-engine-extension-aaa-ldap-1.0.0/README.profile
/usr/share/doc/ovirt-engine-extension-aaa-ldap-1.0.0/README.unboundid-ldapsdk
In the next steps we have to configure the mapping for SSO, authorization and authentication. Authorization configuration is quite simple for our example: we leave all values at their defaults and just set the url of our openldap. We place all our configurations into /etc/ovirt-engine/extensions.d.
$ cat /etc/ovirt-engine/extensions.d/openldap-authz.properties
ovirt.engine.extension.enabled = true
ovirt.engine.extension.name = openldap-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/openldap.properties

$ cat /etc/ovirt-engine/aaa/openldap.properties
include = <openldap.properties>
pool.default.serverset.type = single
pool.default.serverset.single.server = openldap.example.com

$ cat /etc/ovirt-engine/extensions.d/http-authn.properties
ovirt.engine.extension.name = http-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = http
ovirt.engine.aaa.authn.authz.plugin = openldap-authz
ovirt.engine.aaa.authn.mapping.plugin = http-mapping
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User

$ cat /etc/ovirt-engine/extensions.d/http-mapping.properties
ovirt.engine.extension.enabled = true
ovirt.engine.extension.name = http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = true
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}
$ service httpd restart
$ service ovirt-engine restart
Configure kerberos workstation
OK. We are done. The last step is to setup our workstation and test if it's working.
$ cat /etc/krb5.conf
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_realm = OPENLDAP.YOURDOMAIN.COM
[realms]
 OPENLDAP.YOURDOMAIN.COM = {
  kdc = openldap.yourdomain.com
  admin_server = openldap.yourdomain.com
 }
[domain_realm]
 .openldap.yourdomain.com = OPENLDAP.YOURDOMAIN.COM
 openldap.yourdomain.com = OPENLDAP.YOURDOMAIN.COM
$ kinit user1
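The http-mapping regex decides which name the engine hands to the openldap-authz lookup once Apache has set X-Remote-User, so it's worth seeing exactly what it produces. The following is an added example written for this post, not code from oVirt or the ovirt-engine-extension-aaa-misc project: it re-implements the config.mapAuthRecord.regex pattern and replacement from http-mapping.properties in Python (Java named groups translated to Python syntax) and runs it over constructed X-Remote-User values.

```python
import re
from typing import Optional

# Added example (not from the post or from oVirt): the pattern from
# config.mapAuthRecord.regex.pattern in http-mapping.properties, translated to
# Python. The properties file writes the backslash as "\\\\" because the Java
# properties loader strips one level of escaping; the regex engine then sees
# "\\", i.e. one literal backslash. Java's (?<name>...) becomes (?P<name>...).
MAP_AUTH_RECORD_PATTERN = re.compile(
    r"^(?P<user>.*?)((\\(?P<at>@)(?P<suffix>.*?)@.*)|(?P<realm>@.*))$"
)


def map_auth_record(remote_user: str) -> Optional[str]:
    """Apply config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}.

    Returns the mapped principal name, or None when the pattern does not
    match (the post sets mustMatch = true, so such a record is rejected).
    """
    m = MAP_AUTH_RECORD_PATTERN.match(remote_user)
    if m is None:
        return None
    # Java appends nothing for a group that did not take part in the match;
    # Python returns None for it, so substitute the empty string explicitly.
    return m.group("user") + (m.group("at") or "") + (m.group("suffix") or "")


if __name__ == "__main__":
    # Constructed X-Remote-User values as Apache would set them after a
    # successful Kerberos login against the realm used in this post.
    samples = [
        "user1@OPENLDAP.YOURDOMAIN.COM",                     # plain principal
        r"user1\@ext.example.com@OPENLDAP.YOURDOMAIN.COM",   # escaped '@' in name
        "user1",                                            # no realm at all
    ]
    for record in samples:
        print(f"{record!r:55} -> {map_auth_record(record)!r}")
```

The realm is stripped, an escaped `\@` inside the principal name survives as a real `@`, and a record without any realm does not match at all, which is what mustMatch = true is there to catch.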
Saturday, 27 December 2014
[PART 2] Ovirt with SSO - kerberos
Install kerberos
We need to install kerberos workstation and server packages.
# yum -y install krb5-{workstation,server}
Configure krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_realm = OPENLDAP.YOURDOMAIN.COM
[realms]
 OPENLDAP.YOURDOMAIN.COM = {
  kdc = openldap.yourdomain.com
  admin_server = openldap.yourdomain.com
 }
[domain_realm]
 .openldap.yourdomain.com = OPENLDAP.YOURDOMAIN.COM
 openldap.yourdomain.com = OPENLDAP.YOURDOMAIN.COM
Configure kerberos
Create kerberos database.
# cd /var/kerberos/krb5kdc
# kdb5_util create -s
Configure correct realm.
# sed -i s/EXAMPLE.COM/OPENLDAP.YOURDOMAIN.COM/g /var/kerberos/krb5kdc/kdc.conf
# sed -i s/EXAMPLE.COM/OPENLDAP.YOURDOMAIN.COM/g /var/kerberos/krb5kdc/kadm5.acl
Create root/admin principal.
# kadmin.local
Authenticating as principal root/admin@OPENLDAP.YOURDOMAIN.COM with password.
kadmin.local: add_principal root/admin
WARNING: no policy specified for root/admin@OPENLDAP.YOURDOMAIN.COM;
Enter password for principal "root/admin@OPENLDAP.YOURDOMAIN.COM":
Re-enter password for principal "root/admin@OPENLDAP.YOURDOMAIN.COM":
Principal "root/admin@OPENLDAP.YOURDOMAIN.COM" created.
Enable and start kerberos services.
# systemctl start krb5kdc
# systemctl enable krb5kdc
# systemctl start kadmin
# systemctl enable kadmin
Add users into the kerberos database.
# kadmin.local
kadmin: add_principal user0
kadmin: add_principal user1
Login as user0.
# kinit user0
Password for user0@OPENLDAP.YOURDOMAIN.COM:
Create a principal for ldap and extract a keytab for it.
# kadmin
kadmin: add_principal -randkey ldap/openldap.yourdomain.com
kadmin: ktadd -keytab /etc/openldap/ldap.keytab ldap/openldap.yourdomain.com
Set keytab permissions and ownership.
# chgrp ldap /etc/openldap/ldap.keytab
# chmod 640 /etc/openldap/ldap.keytab
Set KRB5_KTNAME to our keytab (using | as the sed delimiter because the keytab path itself contains slashes, and replacing the whole line so no previous value is left behind).
# sed -ri 's|^#?KRB5_KTNAME=.*|KRB5_KTNAME=FILE:/etc/openldap/ldap.keytab|' /etc/sysconfig/slapd
Test kerberos with ldap
# kinit user0
Password for user0@OPENLDAP.YOURDOMAIN.COM:
# ldapsearch -h localhost -Y GSSAPI -b 'dc=openldap,dc=yourdomain,dc=com' '(uid=user0)'
If this command works for you, then everything is fine; if it does not,
check the logs, and check the permissions and ownership of the keytab.
Friday, 26 September 2014
[PART 1] Ovirt with SSO - openldap
This tutorial was tested with fedora 18 for openldap, and centos 6.5 for ovirt. I will try to give detailed steps on how to get ovirt working with SSO.
I assume that you have some basic information about ovirt, LDAP and Kerberos.
Installing OpenLDAP
First of all, we need to install OpenLDAP as the LDAP provider. We will later install kerberos as the authN provider:
$ yum -y install openldap-{clients,servers}
Once we have both packages installed, we start the service and enable autostart:
$ systemctl start slapd
$ systemctl enable slapd
Configuring schemas, overlay, dn and password
First of all we need to add the cosine and inetorgperson schemas:
$ ldapadd -H ldapi:/// -Y EXTERNAL -f /etc/openldap/schema/cosine.ldif
$ ldapadd -H ldapi:/// -Y EXTERNAL -f /etc/openldap/schema/inetorgperson.ldif
Now we have OpenLDAP up and running, but we are still far from what we need. For oVirt to work correctly with groups, we have to add the memberof overlay (note the blank line separating the two LDIF entries):
$ cat /tmp/memberof.ldif
dn: cn={0}module,cn=config
objectClass: olcModuleList
cn: {0}module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: {0}memberof.la

dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}memberof
$ ldapadd -H ldapi:/// -Y EXTERNAL -f /tmp/memberof.ldif
Now we have to create a password for the directory administrator:
$ slappasswd
New password:
Re-enter new password:
{SSHA}sWl2t6bk77IXh3BZeCtqii6rLz6aUUyA
Specify our suffix, rootdn and the password of the directory manager:
$ cat /tmp/config.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=openldap,dc=yourdomain,dc=com
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=openldap,dc=yourdomain,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}sWl2t6bk77IXh3BZeCtqii6rLz6aUUyA
-
$ ldapmodify -H ldapi:/// -Y EXTERNAL -f /tmp/config.ldif
Create OU for users and groups
Create the organization and the organizational units for users and groups (the entries are separated by blank lines):
$ cat /tmp/structure.ldif
dn: dc=openldap,dc=yourdomain,dc=com
objectClass: dcObject
objectClass: organization
dc: openldap
o: OpenLDAP Example

dn: ou=Users,dc=openldap,dc=yourdomain,dc=com
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=openldap,dc=yourdomain,dc=com
objectClass: organizationalUnit
ou: Groups
$ ldapadd -x -H ldapi:/// -D 'cn=Manager,dc=openldap,dc=yourdomain,dc=com' -W -f /tmp/structure.ldif
Create a user and a group:
$ cat /tmp/users.ldif
dn: uid=user0,ou=Users,dc=openldap,dc=yourdomain,dc=com
objectclass: inetOrgPerson
objectclass: uidObject
uid: user0
cn: User2
givenName: User
title: User
mail: user0@openldap.yourdomain.com
sn: user0
$ ldapadd -H ldapi:/// -D 'cn=Manager,dc=openldap,dc=yourdomain,dc=com' -x -W -f /tmp/users.ldif
$ cat /tmp/group.ldif
dn: cn=Group0,ou=Groups,dc=openldap,dc=yourdomain,dc=com
objectclass: groupOfNames
cn: Group0
member: uid=user0,ou=Users,dc=openldap,dc=yourdomain,dc=com
member: uid=user1,ou=Users,dc=openldap,dc=yourdomain,dc=com
$ ldapadd -H ldapi:/// -D 'cn=Manager,dc=openldap,dc=yourdomain,dc=com' -x -W -f /tmp/group.ldif
Try it
$ ldapsearch -LLL -H ldapi:/// -b 'dc=openldap,dc=yourdomain,dc=com' -x '(uid=user0)'
dn: uid=user0,ou=Users,dc=openldap,dc=yourdomain,dc=com
objectclass: inetOrgPerson
objectclass: uidObject
uid: user0
cn: User2
title: User
sn: user0
givenName: User
mail: user0@openldap.yourdomain.com
In the next part we will configure OpenLDAP with kerberos.