- Issued:
- 2016-08-23
- Updated:
- 2016-08-23
RHEA-2016:1749 - ovirt-engine-extension-aaa-ldap bug fix and enhancement update for RHV 4.0
Synopsis
ovirt-engine-extension-aaa-ldap bug fix and enhancement update for RHV 4.0
Type/Severity
Product Enhancement Advisory None
Topic
Updated ovirt-engine-extension-aaa-ldap packages that fix several bugs and add various enhancements are now available.
Description
The ovirt-engine-extension-aaa-ldap extension allows users to customize their external directory setup easily. The ovirt-engine-extension-aaa-ldap extension supports many different LDAP server types, and an interactive setup script is provided to assist you with the setup for most LDAP types.
Changes to the ovirt-engine component:
- To provide a way to configure gssapi using ticket cache for authz pool, a new security domain called 'oVirtKerbAAA' was added to JBoss configuration, which can be customized by using the following variables:
AAA_KRB5_CONF_FILE=path_to_krb5_conf Specify the custom krb5.conf file. The default is /etc/ovirt-engine/krb5.conf Java supports only one krb5 configuration, if the user changes this property, then manage-domains will stop working because its configuration is managed in /etc/ovirt-engine/krb5.conf.
AAA_JAAS_USE_TICKET_CACHE=true/false Enable or disable using the ticket cache file for authentication.
AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache Specify the custom ticket cache file. The default is /tmp/krb5cc_${UID}, where UID is the ID of the ovirt user.
AAA_JAAS_USE_KEYTAB=false/true Enable or disable using the keytab file for authentication.
AAA_JAAS_KEYTAB_FILE=path_to_keytab_file Specify the custom keytab file. The default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user.
To use one of the features, the user has to create a new configuration file and specify the correct values for those variables, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf.
To use the new security domain configuration from aaa-ldap, the user has to specify the correct JAASClientName (default is oVirtKerb). Therefore, to use this new configuration for authz pool, the user has to add following line to aaa-ldap authz configuration:
pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA
To use it for both authn and authz, the user has to add the following line to aaa-ldap configuration:
pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA (BZ#1322940)
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Virtualization | 4.0 | x86_64 |
| Red Hat Virtualization for IBM Power LE | 4 | x86_64 |
Updated Packages
- ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev.noarch.rpm
- ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev.src.rpm
- ovirt-engine-extension-aaa-ldap-setup-1.2.1-1.el7ev.noarch.rpm
Fixes
- This content is not included.BZ - 1322940
- This content is not included.BZ - 1323361
- This content is not included.BZ - 1328100
CVEs
(none)
References
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.