Bug 1462294 - [RFE] AD domain configuration is not supported in ovirt-engine-extension-aaa-ldap-setup, provide examples how to configure AD domain
[RFE] AD domain configuration is not supported in ovirt-engine-extension-aaa-...
Status: MODIFIED
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap (Show other bugs)
4.1.0
Unspecified Unspecified
urgent Severity high
: ovirt-4.2.0
: ---
Assigned To: Ondra Machacek
Gonza
: FutureFeature, ZStream
Depends On:
Blocks: 1464498 1472254
  Show dependency treegraph
 
Reported: 2017-06-16 11:58 EDT by Anitha Udgiri
Modified: 2017-09-12 05:34 EDT (History)
10 users (show)

See Also:
Fixed In Version: ovirt-engine-extension-aaa-ldap-1.3.3
Doc Type: Enhancement
Doc Text:
Feature: Inside ovirt-engine-extension-aaa-ldap-setup tool it's possible to configure AD Forrest with multi-domain trust or AD Forrest with single domain (aka single domain), but it's not possible to configure using only a single domain from multi-domain AD forest. This is advanced configuration which is very hard to achieve to be performed automatically (unlike configuring AD forest which is quite easy for automatic configuration). Reason: Result: So we will provide examples for common advanced AD configuration which users can copy and adapt to their local environment. Those examples are bundled within ovirt-engine-extension-aaa-ldap package and after installation description of those examples can be found at /usr/share/ovirt-engine-extension-aaa-ldap/examples/README.md To improve ovirt-engine-extension-aaa-ldap-setup tool user experience will also do following changes: 1. Add more detailed error reporting for various AD forest configuration steps 2. Make Login test mandatory to test provided configuration (until now invoking Login or Search tests was optional and most users just skipped those tests and they were surprised later)
Story Points: ---
Clone Of:
: 1472254 (view as bug list)
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
grafuls: testing_plan_complete-


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 80049 None None None 2017-08-03 08:46 EDT
oVirt gerrit 80078 None None None 2017-08-03 08:47 EDT
oVirt gerrit 80088 None None None 2017-08-03 08:47 EDT

  None (edit)
Description Anitha Udgiri 2017-06-16 11:58:55 EDT
Description of problem:

At present, the setup script prompts the user to enter the forest name for AD configuration.

If the user does not want to use the Forest name and wants just the domain name, there is no such option at present for the user.

Seems like Forest name is made mandatory for AD setup.

Also, if the user enters a wrong Forest name, the script exits with an error and does not offer a chance to specify the domain name instead.

Need the script to provide the flexibility to use either one by the user.

Thanks,
Anitha
Comment 2 Martin Perina 2017-06-25 18:59:53 EDT
Notes:
1. ovirt-engine-extension-aaa-ldap-setup tool is created to help with default and/or simple LDAP configurations. Unfortunately configuring AD domain is not default nor simple unlike forrest. To configure forrest every information about LDAP servers can be found in DNS, but to configure domain user needs to know which server(s) to use, type of destination server selection algorithme in case of multiple servers, type of protocol to connect to destination server(s)

2. If user knows required information about AD domain, he can configure it manually without the tool

Solution:
We will provide AD domain configuration within setup tool using set of questions:

1. Do you want to configured AD domain or forrest?
2. If forrest selected, use the same automatic method as currently provided
3. If domain select continue.
4. Which type of servers set do you want to use (single server, failober, round robin)?
5. Which LDAP servers do you want to use (space separated list of FQDNs or IPs)
6. Which protocol do you want to use to connect to above servers (plain, SSL, StartTLS)
7. Which port should be used for connection to above servers?
8. Continue with with authentication questions (same as for forrest)
Comment 4 Martin Perina 2017-08-03 08:31:06 EDT
Inside ovirt-engine-extension-aaa-ldap-setup tool it's possible to configure AD Forrest with multi-domain trust or AD Forrest with single domain (aka single domain), but it's not possible to configure using only a single domain from multi-domain AD forest. This is advanced configuration which is very hard to achieve to be performed automatically (unlike configuring AD forest which is quite easy for automatic configuration).

So we will provide examples for common advanced AD configuration which users can copy and adapt to their local environment
Comment 5 Martin Perina 2017-08-03 08:45:59 EDT
To improve ovirt-engine-extension-aaa-ldap-setup tool user experience will also do following changes:

1. Add more detailed error reporting for verious AD forest configuration steps
2. Make Login test mandatory to test provided configuration (until now invoking Login or Search tests was optional and most users just skipped those tests and they were surprised later)
Comment 6 Martin Perina 2017-08-08 04:04:06 EDT
Fix is included in ovirt-engine-extension-aaa-ldap-1.3.3

Note You need to log in before you can comment on or make changes to this bug.