- Issued:
- 2016-08-23
- Updated:
- 2016-08-23
RHEA-2016:1749 - Product Enhancement Advisory
Synopsis
ovirt-engine-extension-aaa-ldap bug fix and enhancement update for RHV 4.0
Type/Severity
Product Enhancement Advisory
Topic
Updated ovirt-engine-extension-aaa-ldap packages that fix several bugs and add various enhancements are now available.
Description
The ovirt-engine-extension-aaa-ldap extension allows users to customize their external directory setup easily. The ovirt-engine-extension-aaa-ldap extension supports many different LDAP server types, and an interactive setup script is provided to assist you with the setup for most LDAP types.
Changes to the ovirt-engine component:
- To provide a way to configure gssapi using ticket cache for authz pool, a new security domain called 'oVirtKerbAAA' was added to JBoss configuration, which can be customized by using the following variables:
AAA_KRB5_CONF_FILE=path_to_krb5_conf
Specify the custom krb5.conf file. The default is /etc/ovirt-engine/krb5.conf
Java supports only one krb5 configuration, if the user changes this property, then manage-domains will stop working because its configuration is managed in /etc/ovirt-engine/krb5.conf.
AAA_JAAS_USE_TICKET_CACHE=true/false
Enable or disable using the ticket cache file for authentication.
AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache
Specify the custom ticket cache file. The default is /tmp/krb5cc_${UID}, where UID is the ID of the ovirt user.
AAA_JAAS_USE_KEYTAB=false/true
Enable or disable using the keytab file for authentication.
AAA_JAAS_KEYTAB_FILE=path_to_keytab_file
Specify the custom keytab file. The default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user.
To use one of the features, the user has to create a new configuration file and specify the correct values for those variables, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf.
To use the new security domain configuration from aaa-ldap, the user has to specify the correct JAASClientName (default is oVirtKerb). Therefore, to use this new configuration for authz pool, the user has to add following line to aaa-ldap authz configuration:
pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA
To use it for both authn and authz, the user has to add the following line to aaa-ldap configuration:
pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA (BZ#1322940)
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
- Red Hat Virtualization 4.0 x86_64
- Red Hat Virtualization for IBM Power LE 4 x86_64
Fixes
- BZ - 1322940 - [RFE] AAA - Make Kerberos work with Java Authentication Framework
- BZ - 1323361 - [AAA] It is not clear if the setup failed or not
- BZ - 1328100 - ovirt-engine-extension-aaa-ldap-1.2.0 version bump
CVEs
(none)
References
Red Hat Virtualization 4.0
| SRPM | |
|---|---|
| ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev.src.rpm | SHA-256: 3b4834cf2d6b2c2069e5d92c888368234c1de954becf4a8fa86365e646cf9e14 |
| x86_64 | |
| ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev.noarch.rpm | SHA-256: 1e21ab5ed27c1f0f51a25b9371f73ee06be5eca4a761db6f2680cb67ea5c95a2 |
| ovirt-engine-extension-aaa-ldap-setup-1.2.1-1.el7ev.noarch.rpm | SHA-256: f43505bbf4313cb18cbeb0ea3d0f3c9f404b0b6223e1f5bf5b5fd1835124aebd |
Red Hat Virtualization for IBM Power LE 4
| SRPM | |
|---|---|
| ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev.src.rpm | SHA-256: 3b4834cf2d6b2c2069e5d92c888368234c1de954becf4a8fa86365e646cf9e14 |
| x86_64 | |
| ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev.noarch.rpm | SHA-256: 1e21ab5ed27c1f0f51a25b9371f73ee06be5eca4a761db6f2680cb67ea5c95a2 |
| ovirt-engine-extension-aaa-ldap-setup-1.2.1-1.el7ev.noarch.rpm | SHA-256: f43505bbf4313cb18cbeb0ea3d0f3c9f404b0b6223e1f5bf5b5fd1835124aebd |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.