1) instalar la herramienta de configuración.
#yum install ovirt-engine-extension-aaa-ldap-setup.noarch
2) Ejecutar la herramienta de configuración
#ovirt-engine-extension-aaa-ldap-setup
Esto nos mostrará lo siguiente:
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20160404183136-6n77oi.log
Version: otopi-1.4.1 (otopi-1.4.1-1.el6)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment customization
Welcome to LDAP extension configuration program
Please specify profile name that will be visible to users: example.com
Lo cual tecleamos un nombre que nos identifique el dominio que queremos agregar a continuación la tecla Enter y nos muestra esto:
Available LDAP implementations:
1 - 389ds
2 - 389ds RFC-2307 Schema
3 - Active Directory
4 - IPA
5 - Novell eDirectory RFC-2307 Schema
6 - OpenLDAP RFC-2307 Schema
7 - OpenLDAP Standard Schema
8 - Oracle Unified Directory RFC-2307 Schema
9 - RFC-2307 Schema (Generic)
10 - RHDS
11 - RHDS RFC-2307 Schema
12 - iPlanet
Please select: 3
Basicamente nos solicita el tipo de directorio que queremos configurar, elejimos la opción 3 para Active Directory y nos solicita el forest name.
Please enter Active Directory Forest name: example.com
Con esto buscará en los servidores DNS registros de tipo SRV que hagan match con el dominio y con ellos intentará configurarse (ya lo veremos), presionamos Enter.
[ INFO ] Resolving Global Catalog SRV record for example.com
[ INFO ] Resolving LDAP SRV record for example.com
NOTE:
It is highly recommended to use secure protocol to access the LDAP server.
Protocol startTLS is the standard recommended method to do so.
Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
Use plain for test environments only.
Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Nos pregunta el tipo de Encriptación que usaremos para comunicarnos con el dominio, presionamos Enter para seleccionar startTLS.
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): Insecure
Ahora nos pregunta como obtendremos el certificado, por comodidad mas no por seguridad elegiremos Insecure:
[ INFO ] Resolving SRV record 'example.com'
[ INFO ] Connecting to LDAP using 'ldap://test01.example.com:389'
[ INFO ] Executing startTLS
[ INFO ] Connection succeeded
Enter search user DN (empty for anonymous): example\userauth
Ingresamos el usuario con que nos autenticaremos contra el dominio, es muy importante colocar el dominio y el usuario de lo contrario tendremos errores.
Enter search user password:
[ INFO ] Attempting to bind using 'example\userauth'
[ INFO ] Stage: Setup validation
The following files are about to be overwritten:
/etc/ovirt-engine/extensions.d/example-authn.properties
/etc/ovirt-engine/extensions.d/example-authz.properties
/etc/ovirt-engine/aaa/example.properties
Continue and overwrite? (Yes, No) [No]: Yes
NOTE:
It is highly recommended to test drive the configuration before applying it into engine.
Perform at least one Login sequence and one Search sequence.
Select test sequence to execute (Done, Abort, Login, Search) [Abort]:
#ovirt-engine-extension-aaa-ldap-setup
Esto nos mostrará lo siguiente:
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20160404183136-6n77oi.log
Version: otopi-1.4.1 (otopi-1.4.1-1.el6)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment customization
Welcome to LDAP extension configuration program
Please specify profile name that will be visible to users: example.com
Lo cual tecleamos un nombre que nos identifique el dominio que queremos agregar a continuación la tecla Enter y nos muestra esto:
Available LDAP implementations:
1 - 389ds
2 - 389ds RFC-2307 Schema
3 - Active Directory
4 - IPA
5 - Novell eDirectory RFC-2307 Schema
6 - OpenLDAP RFC-2307 Schema
7 - OpenLDAP Standard Schema
8 - Oracle Unified Directory RFC-2307 Schema
9 - RFC-2307 Schema (Generic)
10 - RHDS
11 - RHDS RFC-2307 Schema
12 - iPlanet
Please select: 3
Basicamente nos solicita el tipo de directorio que queremos configurar, elejimos la opción 3 para Active Directory y nos solicita el forest name.
Please enter Active Directory Forest name: example.com
Con esto buscará en los servidores DNS registros de tipo SRV que hagan match con el dominio y con ellos intentará configurarse (ya lo veremos), presionamos Enter.
[ INFO ] Resolving Global Catalog SRV record for example.com
[ INFO ] Resolving LDAP SRV record for example.com
NOTE:
It is highly recommended to use secure protocol to access the LDAP server.
Protocol startTLS is the standard recommended method to do so.
Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
Use plain for test environments only.
Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Nos pregunta el tipo de Encriptación que usaremos para comunicarnos con el dominio, presionamos Enter para seleccionar startTLS.
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): Insecure
Ahora nos pregunta como obtendremos el certificado, por comodidad mas no por seguridad elegiremos Insecure:
[ INFO ] Resolving SRV record 'example.com'
[ INFO ] Connecting to LDAP using 'ldap://test01.example.com:389'
[ INFO ] Executing startTLS
[ INFO ] Connection succeeded
Enter search user DN (empty for anonymous): example\userauth
Ingresamos el usuario con que nos autenticaremos contra el dominio, es muy importante colocar el dominio y el usuario de lo contrario tendremos errores.
Enter search user password:
[ INFO ] Attempting to bind using 'example\userauth'
[ INFO ] Stage: Setup validation
The following files are about to be overwritten:
/etc/ovirt-engine/extensions.d/example-authn.properties
/etc/ovirt-engine/extensions.d/example-authz.properties
/etc/ovirt-engine/aaa/example.properties
Continue and overwrite? (Yes, No) [No]: Yes
NOTE:
It is highly recommended to test drive the configuration before applying it into engine.
Perform at least one Login sequence and one Search sequence.
Select test sequence to execute (Done, Abort, Login, Search) [Abort]:
Muy importante los archivos que genera, puuesto que son las configuraciones y podemos modificarlas manualmente, a continuación hacemos pruebas de Login y Search las cuales deben traernos información a cerca del usuario, Tecleamos Done y Enter y eso sería todo.
