Feature pages are design documents that developers have created while collaborating on oVirt.

Most of them are outdated, but provide historical design context.

They are not user documentation and should not be treated as such.

Documentation is available here.

AAA Frequently asked questions

Is it possible to use specific Active Directory site?

Yes. It is possible since oVirt 3.6. Let’s say we have two Active Directory sites, one for Brno (called BRQ) and a second for Tel Aviv (called TLV). If we want to be sure to use only Active Directory servers from the Brno site, we need to append the following to the configuration:

pool.default.serverset.srvrecord.domain-conversion.type = regex
pool.default.serverset.srvrecord.domain-conversion.regex.pattern = ^(?<domain>.*)$
pool.default.serverset.srvrecord.domain-conversion.regex.replacement = BRQ._sites.${domain}

What these three lines do is change the SRV record that is queried: instead of _service._protocol.${domain}, we query _service._protocol.BRQ._sites.${domain}. When querying the Global Catalog it is, of course, _service._protocol.BRQ._sites.gc._msdcs.{forest}.

Full example configuration.

Is it possible to use specific base DN instead of automatic resolution?

You can specify a custom base DN, which overrides the automatically resolved one, by adding the following lines to /etc/ovirt-engine/aaa/your_profile.properties:

sequence-init.init.100-my-basedn-init-vars = my-basedn-init
sequence.my-basedn-init.010.description = set custom baseDN
sequence.my-basedn-init.010.type = var-set
sequence.my-basedn-init.010.var-set.variable = simple_baseDN
sequence.my-basedn-init.010.var-set.value = dc=your,dc=different,dc=dn

What’s default connection/response timeout for LDAP? Can I change it?

Default connection timeout is 5 seconds. Default response timeout is 60 seconds.

In order to change these, you need to change following configuration options:

# Values are in milliseconds
pool.default.connection-options.connectTimeoutMillis = 300
pool.default.connection-options.responseTimeoutMillis = 30000

Is it possible to use forest trust in Active Directory setup?

It is not currently supported.

Is it possible to use multi-domain Active Directory setup?

Yes, it’s fully supported since oVirt 3.5. All domains are automatically resolved; you only need to specify the Active Directory forest name.

Is it possible to change default domain of multi-domain Active Directory setup?

Yes, you can configure it with aaa-misc extension. First you need to install it:

# yum install -y ovirt-engine-extension-aaa-misc

Then create a mapping configuration such as /etc/ovirt-engine/extensions.d/mapping.properties:

ovirt.engine.extension.name = mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@<default.suffix>
config.mapUser.regex.mustMatch = false

Replace <default.suffix> with the desired suffix, for example ${user}@subdomain.domain.com. Then attach the mapping to your authn extension configuration:

ovirt.engine.aaa.authn.mapping.plugin = mapping

Now, when a user types the username joe into the login field, it will be mapped to joe@subdomain.domain.com.
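The site-specific SRV conversion earlier on this page and the mapUser configuration above both use the same "type = regex" mechanism: a Java-style pattern with a named group, a replacement that references the group as ${name}, and (for mapUser) a mustMatch switch. The following is an added example, not oVirt code, that emulates that mechanism in Python so you can check what a pattern/replacement pair produces before deploying it. The Java-to-Python regex translation and the interpretation of mustMatch (a non-matching value passes through unchanged when it is false, and is an error when it is true) are our assumptions; the pattern and replacement values are the ones from the page, with subdomain.domain.com substituted for <default.suffix>.

```python
import re

# Added example (not oVirt code): emulates the "type = regex" conversions used
# in the oVirt AAA properties, so a pattern/replacement pair can be checked
# offline before it goes into a profile.
#
# Java regex syntax differs from Python's in two places that matter here:
# named groups are written (?<name>...) and replacements reference them as
# ${name}. The two helpers below translate those forms.


def java_regex_to_python(pattern: str) -> str:
    """Rewrite Java named groups (?<name>...) to Python's (?P<name>...)."""
    # The negative lookahead leaves look-behind assertions (?<= and (?<! alone.
    return re.sub(r"\(\?<(?![=!])(\w+)>", r"(?P<\1>", pattern)


def java_replacement_to_python(replacement: str) -> str:
    """Rewrite Java ${name} group references to Python's \\g<name>."""
    return re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)


def regex_convert(pattern: str, replacement: str, value: str,
                  must_match: bool = True) -> str:
    """Apply one regex conversion the way the properties describe it.

    Assumption (ours): with mustMatch = false a non-matching value passes
    through unchanged; with mustMatch = true a non-matching value is an error.
    """
    compiled = re.compile(java_regex_to_python(pattern))
    if compiled.search(value) is None:
        if must_match:
            raise ValueError(f"{value!r} does not match {pattern!r}")
        return value
    return compiled.sub(java_replacement_to_python(replacement), value)


# Values taken from the two configuration snippets on this page.
DOMAIN_CONVERSION_PATTERN = "^(?<domain>.*)$"
DOMAIN_CONVERSION_REPLACEMENT = "BRQ._sites.${domain}"

MAP_USER_PATTERN = "^(?<user>[^@]*)$"
MAP_USER_REPLACEMENT = "${user}@subdomain.domain.com"  # <default.suffix> filled in
MAP_USER_MUST_MATCH = False


def srv_record_name(service: str, protocol: str, domain: str) -> str:
    """Name of the SRV record queried after the site-specific domain conversion."""
    converted = regex_convert(DOMAIN_CONVERSION_PATTERN,
                              DOMAIN_CONVERSION_REPLACEMENT, domain)
    return f"_{service}._{protocol}.{converted}"


def map_user(login: str) -> str:
    """Login name as the aaa-misc mapping extension would hand it to authn."""
    return regex_convert(MAP_USER_PATTERN, MAP_USER_REPLACEMENT, login,
                         must_match=MAP_USER_MUST_MATCH)


if __name__ == "__main__":
    # Constructed sample inputs; example.com is a placeholder domain.
    print(srv_record_name("ldap", "tcp", "example.com"))
    print(map_user("joe"))                    # suffix appended
    print(map_user("joe@other.example.com"))  # already qualified, unchanged
```

The second map_user call shows why mustMatch = false matters: a login that already carries an @suffix does not match the pattern, and because mustMatch is false it is passed on untouched instead of being rejected, so users from other domains can still log in with their fully qualified name.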

What’s default Java Keystore password generated by aaa-ldap-setup? Can I change it?

Default password is changeit.

In order to change it run following command:

# keytool -storepasswd -keystore /etc/ovirt-engine/aaa/profile_name.jks

Keytool will ask you for old password, which is changeit and then for new password.

Is it possible to use client certificate authentication?

Yes, it’s possible with apache mod_ssl module. Full blog post is available here.

Is it possible to use CAS for authentication?

Yes, it’s possible with apache mod_auth_cas module. Full blog post is available here.

Is it possible to use SSSD for authentication?

Unfortunately, it’s not supported yet. You can track this bugzilla for more information.

Is it possible to modify users search filter?

Yes, it’s possible with a little hack to your properties file. Append the following lines to your profile configuration:

sequence.simple-query-principals.005.description = modify filter to search only by uid
sequence.simple-query-principals.005.type = regex
sequence.simple-query-principals.005.regex.value = ${seq:filter}
sequence.simple-query-principals.005.regex.flags = a
sequence.simple-query-principals.005.regex.pattern = \\(givenName=[^)]*\\)|\\(sn=[^)]*\\)|\\(displayName=[^)]*\\)
sequence.simple-query-principals.005.regex.replacement.filter =

This example will replace the givenName, sn, and displayName terms, together with their values, with an empty string. Only uid will remain in the filter. You can modify it as you like simply by changing the regular expression.
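The following added example (ours, not oVirt code) shows what that regex task does to a users search filter. It matters that the properties file spells the pattern with doubled backslashes: the Java properties loader turns each \\ into a single \, so the engine compiles \(givenName=[^)]*\)|\(sn=[^)]*\)|\(displayName=[^)]*\). The example decodes the value the same way, applies it to a constructed sample filter of the shape the simple-query-principals sequence builds, and checks that the result still has balanced parentheses, which is the first thing to verify when experimenting with a filter rewrite. The meaning of flags = a is not modelled; the code replaces all occurrences, as the text above describes.

```python
import re

# Added example (not oVirt code): shows what the regex task in the profile
# does to a users search filter before it is sent to LDAP, and checks that the
# result is still a well-formed filter.

# Raw values exactly as they appear in the properties file.
PROPERTIES_PATTERN = r"\\(givenName=[^)]*\\)|\\(sn=[^)]*\\)|\\(displayName=[^)]*\\)"
PROPERTIES_REPLACEMENT = ""  # "regex.replacement.filter =" with nothing after it

# Java .properties escapes: "\\" is read as a single backslash, a few letters
# are control characters, and any other escaped character is itself.
_PROPERTY_ESCAPES = {"\\": "\\", "t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def properties_unescape(raw: str) -> str:
    """Decode a .properties value as java.util.Properties does (\\uXXXX omitted)."""
    return re.sub(r"\\(.)",
                  lambda m: _PROPERTY_ESCAPES.get(m.group(1), m.group(1)),
                  raw)


# The pattern the engine actually compiles after the properties loader ran.
ENGINE_PATTERN = properties_unescape(PROPERTIES_PATTERN)


def strip_name_attributes(ldap_filter: str) -> str:
    """Remove every (givenName=...), (sn=...) and (displayName=...) term."""
    return re.sub(ENGINE_PATTERN, PROPERTIES_REPLACEMENT, ldap_filter)


def parens_balanced(ldap_filter: str) -> bool:
    """Cheap sanity check: an unbalanced filter is rejected by the LDAP server."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# Constructed sample: the shape of the filter the simple-query-principals
# sequence builds when someone searches for "joe*" (values are made up).
SAMPLE_FILTER = "(|(uid=joe*)(givenName=joe*)(sn=joe*)(displayName=joe*))"

if __name__ == "__main__":
    print("engine pattern:", ENGINE_PATTERN)
    stripped = strip_name_attributes(SAMPLE_FILTER)
    print(stripped, "balanced" if parens_balanced(stripped) else "UNBALANCED")
```

The [^)]* part of the pattern is safe against values containing a closing parenthesis because RFC 4515 requires ")" inside a filter value to be escaped as \29, so the literal character never appears inside a term.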