RHEA-2016:1749 - Product Enhancement Advisory

Topic

Updated ovirt-engine-extension-aaa-ldap packages that fix several bugs and add various enhancements are now available.

Description

The ovirt-engine-extension-aaa-ldap extension allows users to customize their external directory setup easily. The ovirt-engine-extension-aaa-ldap extension supports many different LDAP server types, and an interactive setup script is provided to assist you with the setup for most LDAP types.

Changes to the ovirt-engine component:

• To provide a way to configure gssapi using ticket cache for authz pool, a new security domain called 'oVirtKerbAAA' was added to JBoss configuration, which can be customized by using the following variables:

AAA_KRB5_CONF_FILE=path_to_krb5_conf
Specify the custom krb5.conf file. The default is /etc/ovirt-engine/krb5.conf
Java supports only one krb5 configuration, if the user changes this property, then manage-domains will stop working because its configuration is managed in /etc/ovirt-engine/krb5.conf.

AAA_JAAS_USE_TICKET_CACHE=true/false
Enable or disable using the ticket cache file for authentication.

AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache
Specify the custom ticket cache file. The default is /tmp/krb5cc_${UID}, where UID is the ID of the ovirt user.

AAA_JAAS_USE_KEYTAB=false/true
Enable or disable using the keytab file for authentication.

AAA_JAAS_KEYTAB_FILE=path_to_keytab_file
Specify the custom keytab file. The default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user.

To use one of the features, the user has to create a new configuration file and specify the correct values for those variables, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf.

To use the new security domain configuration from aaa-ldap, the user has to specify the correct JAASClientName (default is oVirtKerb). Therefore, to use this new configuration for authz pool, the user has to add following line to aaa-ldap authz configuration:

pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA

To use it for both authn and authz, the user has to add the following line to aaa-ldap configuration:

pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA (BZ#1322940)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Virtualization 4.0 x86_64
• Red Hat Virtualization for IBM Power LE 4 for RHEL 7 x86_64

Fixes

• BZ - 1322940 - [RFE] AAA - Make Kerberos work with Java Authentication Framework
• BZ - 1323361 - [AAA] It is not clear if the setup failed or not
• BZ - 1328100 - ovirt-engine-extension-aaa-ldap-1.2.0 version bump

CVEs

(none)

References

• http://www.redhat.com/security/updates/classification/#normal