Bug 1411384 - [RFE] Add support for integration with AD <-> IPA trust to aaa-ldap extension [NEEDINFO]
Summary: [RFE] Add support for integration with AD <-> IPA trust to aaa-ldap extension
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Martin Perina
QA Contact: Lukas Svaty
Reported: 2017-01-09 15:29 UTC by Anitha Udgiri
Modified: 2020-04-01 14:49 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-04-01 14:43:52 UTC
oVirt Team: Infra
Target Upstream Version:
mperina: needinfo? (pvilayat)


Description Anitha Udgiri 2017-01-09 15:29:17 UTC
Description of problem:
Here is the requirement from the customer:

"We have installed and configured the ipa (or IDM) client on the hypervisor. 

The end intent is to configure the hypervisor so that our end users can deploy systems with a limited number of resources. I.e. a user or group cannot use more than n CPUs, n GB of memory, n amount of disk space, etc. However, since we are moving toward centralized authentication, we need to be able to have the user authenticate against active directory via the IPA/IDM client *WITH* their active directory credentials in the web ui for RHEV.

So that we are clear, the systems configured as hypervisors are hypervisors ONLY and will be performing NO OTHER function than to manage virtual systems.

The IDM client has already been installed/configured and is working. However we are having difficulty in getting the web UI to authenticate against active directory.

What do we need to tweak in order to make that happen?"

Comment 1 Anitha Udgiri 2017-01-09 15:33:07 UTC
Ondra's response :

"We have never tested AD<->IPA integration, but it should work.
Can you ask them if they want to use SSO with kerberos to automatically login to RHEV?
Or if they want to use LDAP protocol to login into RHEV with username/password?

We can test it later if it works properly.

Also what version of the RHEV and IPA do they use? Do they use aaa-ldap?"

Ondra, Martin,
   Have asked the customer for information. Will update as soon as I get a response.


Comment 3 Martin Perina 2017-01-10 14:40:48 UTC
We looked at the issue and unfortunately we cannot currently provide a working solution for integrating with AD <-> IPA trust using existing aaa-ldap versions.

Comment 9 Jimm 2020-02-10 23:09:15 UTC
For the record, Pavel Brezina shared the following known issue with these options in SSSD:
https://fedorahosted.org/sssd/ticket/2316 (sudoNotBefore time is not always respected)

Comment 10 Michal Skrivanek 2020-03-19 15:40:39 UTC
We didn't get to this bug for more than 2 years, and it's not being considered for the upcoming 4.4. It's unlikely that it will ever be addressed so I'm suggesting to close it.
If you feel this needs to be addressed and want to work on it please remove cond nack and target accordingly.

Comment 11 Michal Skrivanek 2020-04-01 14:43:52 UTC
ok, closing. Please reopen if still relevant/you want to work on it.

Comment 12 Michal Skrivanek 2020-04-01 14:49:08 UTC
ok, closing. Please reopen if still relevant/you want to work on it.
