2015-11-18 15:51 GMT+01:00 Martin Kosek <mko...@redhat.com>:
> On 11/18/2015 08:23 AM, Rob Verduijn wrote:
>> Hello all,
>> I've read a lot regarding service accounts on this mailing list in the past.
>> But it's rather unclear to me what is the current preferred method to
>> create a service account for a service running on a different machine.
>> In this case it would be a service account for oVirt so that FreeIPA
>> users can authenticate in the oVirt portal using their FreeIPA
>> credentials.
> It sounds like you do not want a system user account, but you are OK with a
> service account so that you can get a keytab for your oVirt instance. In that
> case, simply
> $ ipa service-add HTTP/frontend.ovirt.test
> and
> $ ipa-getkeytab ...
> should be enough, right?
> Maybe I just do not understand the use case.
>> I could of course create an account and then apply an LDIF to set its
>> password expiration to the next millennium to make sure the password
>> does not expire.
>> Anybody who has a good suggestion on how to deal with this?
>> Cheers
>> Rob Verduijn


I think some more context should clear this up a bit.

According to the RHEV administrator guide (oVirt refers to the RHEV manuals a lot):

It talks about two options as a single sign-on solution.

One: have the single sign-on work for the portal, but then it won't work
for the VMs.
( something about not being able to pass a password since the portal
won't have one to pass )

Or: have the single sign-on work for the VMs, but then you have to sign
in to the portal so it can pass on your credentials to the VMs.

I guess there is some interesting technical challenge to deal with to
merge those two cases.

The first option requires privileges to browse the FreeIPA directory
to look for user accounts.
I do not know if that can be solved with something as simple as a
keytab and a principal.

My current working solution is an account with a very long password
expiration time in the FreeIPA directory
( a random 32 character/number password is being used for this )

However something tells me that there is a more elegant solution.
And I was wondering if anyone knows one.

Rob Verduijn

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project