[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvir] PATCH: 1/10: SASL authentication support



On Mon, Dec 03, 2007 at 04:24:51AM -0500, Daniel Veillard wrote:
> On Fri, Nov 30, 2007 at 10:32:40PM +0000, Daniel P. Berrange wrote:
> > On Thu, Nov 29, 2007 at 05:16:34PM +0000, Daniel P. Berrange wrote:
> > > This patch hooks up the basic authentication RPC calls, and the specific
> > > SASL implementation. The SASL impl can be enabled/disable via the configurre
> > > script with --without-sasl / --with-sasl - it'll auto-enable it if it finds
> > > the headers & libs OK.
> > > 
> > > The sample /etc/sasl2/libvirt.conf file enables the DIGEST-MD5 mechanism
> > > by default, since it is by far the easiest to setup for admins. No need for
> > > a Kerberos server, or certificates - it just uses username/password which
> > > can be set with 'saslpasswd2 -a libvirt [username]' and a list of all active
> > > users viewed with 'sasldblistusers2 -a libvirt'
> > > 
> > > There are also example settings for enabling Kerberos (GSSAPI) but this is
> > > disabled by default. It requires a file /etc/libvirt/krb5.tab containing a
> > > service principle. On some distros you need to set KRB5_KTNAME to point to
> > > this file when starting the daemon, so our init script does that. Other
> > > distros, the 'keytab' config param in /etc/sasl2/libvirt.conf is actually
> > > honoured.
> > > 
> > > With this patch you can successfully authentication client <-> server for
> > > any authentication mechansim which doesn't need to prompt the user for
> > > credentials. In effect this means it only works for GSSAPI/Kerberos, but
> > > the later patches in this series will enable callbacks making the default
> > > DIGEST-MD5 auth work.
> > > 
> > > The way auth is controlled, is that if the 'auth' parameter is set on the
> > > struct qemud_client object, *NO* rpc call will be processed except for the
> > > REMOTE_PROC_AUTH_LIST, SASL_AUTH_INIT, SASL_AUTH_START & SASL_AUTH_STEP
> > > calls. If SASL is not compiled in, the latter 3 will send errors back to
> > > the caller.
> > > 
> > > Only once authentication is complete, are the other calls allowed. It
> > > currently hardcodes use of SASL on the TCP socket. The TLS & UNIX sockets
> > > are unchanged. A subsequent patch will make it configurable.
> > 
> > Updated to add constants for getnameinfo() params as Jim suggested. Also
> > remove the dep on cyrus-sasl-gssapi, and add one on cyrus-sasl-md5
> 
>   Okay looks good to me, +1

This patch is now committed.

Regards,
Dan
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]