Bug 1472254
Summary: | [downstream clone - 4.1.6] [RFE] - AD domain configuration is not supported in ovirt-engine-extension-aaa-ldap-setup, provide examples how to configure AD domain | | |
---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | rhev-integ |
Component: | ovirt-engine-extension-aaa-ldap | Assignee: | Ondra Machacek <omachace> |
Status: | CLOSED ERRATA | QA Contact: | Gonza <grafuls> |
Severity: | high | Docs Contact: | |
Priority: | urgent | | |
Version: | 4.1.0 | CC: | bazulay, eheftman, lsurette, mgoldboi, mperina, omachace, oourfali, pstehlik, Rhev-m-bugs, ykaul |
Target Milestone: | ovirt-4.1.6 | Keywords: | FutureFeature, Rebase, ZStream |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | ovirt-engine-extension-aaa-ldap-1.3.4 | Doc Type: | Enhancement |
Story Points: | --- | | |
Clone Of: | 1462294 | Environment: | |
Last Closed: | 2017-09-19 07:16:21 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1462294 | | |
Bug Blocks: | 1464498 | | |

Doc Text

When configuring Active Directory (AD) with the ovirt-engine-extension-aaa-ldap-setup tool, regardless of whether you are defining a multiple or single domain forest, you can only configure the name of the forest - you cannot define the name of a specific domain or a specific server.

This release provides examples for common advanced AD configuration which users can copy to their local environment and adapt as required. These examples are bundled within the ovirt-engine-extension-aaa-ldap package and after installing the package, a description of these examples can be found in /usr/share/ovirt-engine-extension-aaa-ldap/examples/README.md

In addition, the following improvements have been made to the ovirt-engine-extension-aaa-ldap-setup tool:
1. A more detailed error reporting for various AD forest configuration steps.
2. A mandatory login test that checks the configuration (previously this test was optional).
Description
rhev-integ
2017-07-18 10:10:58 UTC
Notes:
1. ovirt-engine-extension-aaa-ldap-setup tool is created to help with default and/or simple LDAP configurations. Unfortunately configuring AD domain is not default nor simple, unlike forest. To configure forest, all information about LDAP servers can be found in DNS, but to configure domain the user needs to know which server(s) to use, the type of destination server selection algorithm in case of multiple servers, and the type of protocol to connect to destination server(s).
2. If the user knows the required information about the AD domain, he can configure it manually without the tool.

Solution: We will provide AD domain configuration within the setup tool using a set of questions:
1. Do you want to configure AD domain or forest?
2. If forest is selected, use the same automatic method as currently provided.
3. If domain is selected, continue.
4. Which type of server set do you want to use (single server, failover, round robin)?
5. Which LDAP servers do you want to use (space separated list of FQDNs or IPs)?
6. Which protocol do you want to use to connect to the above servers (plain, SSL, StartTLS)?
7. Which port should be used for connection to the above servers?
8. Continue with authentication questions (same as for forest).

(Originally by Martin Perina)

Inside the ovirt-engine-extension-aaa-ldap-setup tool it's possible to configure AD Forest with multi-domain trust or AD Forest with single domain (aka single domain), but it's not possible to configure using only a single domain from a multi-domain AD forest. This is advanced configuration which is very hard to perform automatically (unlike configuring AD forest, which is quite easy for automatic configuration). So we will provide examples for common advanced AD configuration which users can copy and adapt to their local environment.

To improve ovirt-engine-extension-aaa-ldap-setup tool user experience we will also do the following changes:
1. Add more detailed error reporting for various AD forest configuration steps.
2. Make Login test mandatory to test provided configuration (until now invoking Login or Search tests was optional and most users just skipped those tests and they were surprised later).

Fix is included in ovirt-engine-extension-aaa-ldap-1.3.3

Verified with: ovirt-engine-extension-aaa-ldap-setup-1.3.4-0.0.master.git2db902e.el7.centos.noarch

Retargeting to 4.1.6, as we need to withdraw release of ovirt-engine-extension-aaa-ldap-1.3.3 due to a critical bug contained in it.

Fix is included in ovirt-engine-extension-aaa-ldap-1.3.4

Verified with: ovirt-engine-extension-aaa-ldap-setup-1.3.5-0.0.master.git7230cd9.el7.centos.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2743