[libvirt-users] Authentication via SASL and LDAP?

Tue, 07 Aug 2012 12:44:28 -0700 

Hello, 


I've recently configured a new virtual machine host running Ubuntu 12.04 server 
with libvirt and KVM. I am configuring WebVirtMgr ( 
https://github.com/retspen/webvirtmgr/ ) for users to manage machines via a web 
interface. This requires access to the host using qemu+tcp, which I have 
configured as follows: 




/etc/default/libvirt-bin: 
start_libvirtd="yes" 
libvirtd_opts="-d -l" 



/etc/libvirt/libvirtd.conf: 
listen_tls = 0 
listen_tcp = 1 
unix_sock_group = "libvirtd" 
unix_sock_rw_perms = "0770" 
auth_unix_ro = "none" 
auth_unix_rw = "none" 
auth_tcp = "sasl" 


The libvirt documentation ( http://libvirt.org/auth.html ) does not specify if 
it is possible to use SASL with a different authentication method other than 
DIGEST-MD5. I would like to authenticate users via LDAP - is this possible? I 
configured LDAP authentication via SASL as follows: 

/etc/sasl2/libvirt.conf 
pwcheck_method: saslauthd 
mech_list: PLAIN LOGIN 
log_level: 5 
saslauthd_path: /var/run/saslauthd/mux 
auxprop_plugin: ldap 



/etc/saslauthd.conf 
ldap_servers: ldap://ldap_ip_addr:389/ 
ldap_search_base: ou=People,dc=x-es,dc=com 
ldap_auth_method: none 
ldap_filter: uid=%u 
ldap_version: 3 



/etc/default/saslauthd 
START=yes 
DESC="SASL Authentication Daemon" 
NAME="saslauthd" 
MECHANISMS="ldap" 
MECH_OPTIONS="" 
THREADS=5 
OPTIONS="-O /etc/saslauthd.conf -c -m /var/run/saslauthd -r" 


Testing the configuration works: 

# testsaslauthd -u myuser -p mypass 
0: OK "Success." 


However, if I attempt to connect over the libvirt TCP connection I am denied: 

virsh -c qemu+tcp://my_vm_host/system nodeinfo 
error: authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): 
no mechanism available: ) 
error: failed to connect to the hypervisor 


Do you know what is incorrect in my libvirt config, or is it not possible to 
authenticate libvirt via SASL+LDAP? If not, is there somewhere that documents 
all of the supported mechanisms? 


Thanks, 


Andrew Martin 






_______________________________________________
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users

Reply via email to