[Freeipa-users] [libvirt-users] libvirt with vnc freeipa
Daniel P. Berrange
berrange at redhat.com
Fri Nov 30 15:20:30 UTC 2012
On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
> On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> > On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
> >> hi,
> >>
> >> sasl_allowed_username_list = ["admin at IPA.EXAMPLE.COM" ]
> >>
> >> if I leave this field commented out (default setting), everybody can
> >> manage the kvm host.
> >
> > Oh it isn't very obvious, but in this log message:
> >
> >> >> > 2012-11-30 12:00:53.403+0000: 7786: error :
> >> >> > virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
> >
> > 'admin' is the identity being matched against.
> >
> > We ought to quote that string int he log message to make it more
> > obvious.
> >
> > So I guess SASL/GSSAPI is not giving us back the REALM, just
> > the username
> >
> > So you need to change your whitelist to leave out the realm.
>
> Bingo!
>
> Thanks. If I may just hijack this thread: is it possible to whitelist
> groups instead of individual users to use virsh/virtual manager?
>
> I know sasl only deals with the authentication stuff, buy here you are
> also authorizing in the whitelist. If this authorization could go
> further to allow ipa groups, that would be ideal from an admin point
> of view ;-)
It is desirable, but we don't have any way to find out information about
groups. The authorization problem is something we've yet to really get
a good pluggable solution for, though perhaps policykit would help here.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the Freeipa-users
mailing list