[libvirt-users] Authentication via SASL and LDAP?

Andrew Martin amartin at xes-inc.com
Tue Aug 7 19:39:48 UTC 2012


Hello, 


I've recently configured a new virtual machine host running Ubuntu 12.04 server with libvirt and KVM. I am configuring WebVirtMgr ( https://github.com/retspen/webvirtmgr/ ) for users to manage machines via a web interface. This requires access to the host using qemu+tcp, which I have configured as follows: 




/etc/default/libvirt-bin: 
start_libvirtd="yes" 
libvirtd_opts="-d -l" 



/etc/libvirt/libvirtd.conf: 
listen_tls = 0 
listen_tcp = 1 
unix_sock_group = "libvirtd" 
unix_sock_rw_perms = "0770" 
auth_unix_ro = "none" 
auth_unix_rw = "none" 
auth_tcp = "sasl" 


The libvirt documentation ( http://libvirt.org/auth.html ) does not specify if it is possible to use SASL with a different authentication method other than DIGEST-MD5. I would like to authenticate users via LDAP - is this possible? I configured LDAP authentication via SASL as follows: 

/etc/sasl2/libvirt.conf 
pwcheck_method: saslauthd 
mech_list: PLAIN LOGIN 
log_level: 5 
saslauthd_path: /var/run/saslauthd/mux 
auxprop_plugin: ldap 



/etc/saslauthd.conf 
ldap_servers: ldap://ldap_ip_addr:389/ 
ldap_search_base: ou=People,dc=x-es,dc=com 
ldap_auth_method: none 
ldap_filter: uid=%u 
ldap_version: 3 



/etc/default/saslauthd 
START=yes 
DESC="SASL Authentication Daemon" 
NAME="saslauthd" 
MECHANISMS="ldap" 
MECH_OPTIONS="" 
THREADS=5 
OPTIONS="-O /etc/saslauthd.conf -c -m /var/run/saslauthd -r" 


Testing the configuration works: 

# testsaslauthd -u myuser -p mypass 
0: OK "Success." 


However, if I attempt to connect over the libvirt TCP connection I am denied: 

virsh -c qemu+tcp://my_vm_host/system nodeinfo 
error: authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: ) 
error: failed to connect to the hypervisor 


Do you know what is incorrect in my libvirt config, or is it not possible to authenticate libvirt via SASL+LDAP? If not, is there somewhere that documents all of the supported mechanisms? 


Thanks, 


Andrew Martin 
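
An added example, not part of the original post and not libvirt's own code: a small Python audit of the libvirtd.conf and /etc/sasl2/libvirt.conf settings quoted above. It flags a plain-TCP listener whose SASL mech_list offers only PLAIN/LOGIN, mechanisms that carry the password itself and negotiate no security layer. The function names and finding strings are assumptions made for this illustration; the config text is copied from the post.

```python
# Config excerpts copied from the post above.
LIBVIRTD_CONF = '''listen_tls = 0
listen_tcp = 1
auth_unix_ro = "none"
auth_unix_rw = "none"
auth_tcp = "sasl"
'''
SASL_CONF = '''pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
'''

# Mechanisms that hand the password itself to the server and negotiate no
# SASL security layer (no integrity or confidentiality protection).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_conf(text, sep):
    """Parse 'key<sep>value' lines; skip blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if sep in line:
            key, value = line.split(sep, 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf


def audit(libvirtd_conf, sasl_conf):
    """Return findings for a libvirtd plain-TCP listener using SASL."""
    lv = parse_conf(libvirtd_conf, "=")
    sasl = parse_conf(sasl_conf, ":")
    findings = []
    if lv.get("listen_tcp") != "1":
        return findings  # no plain-TCP listener, nothing to check
    auth = lv.get("auth_tcp", "sasl")  # assumption: "sasl" when unset
    if auth == "none":
        findings.append("tcp-listener-unauthenticated")
    elif auth == "sasl":
        mechs = set(sasl.get("mech_list", "").upper().split())
        weak = sorted(mechs & CLEARTEXT_MECHS)
        if weak:
            findings.append("cleartext-password-mech-on-tcp:" + ",".join(weak))
        if mechs and mechs <= CLEARTEXT_MECHS:
            findings.append("no-mech-with-security-layer")
    return findings


if __name__ == "__main__":
    for finding in audit(LIBVIRTD_CONF, SASL_CONF):
        print(finding)
```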




