On 11/18/2015 04:27 PM, Rob Verduijn wrote:
2015-11-18 15:51 GMT+01:00 Martin Kosek <mko...@redhat.com>:
On 11/18/2015 08:23 AM, Rob Verduijn wrote:
Hello all,

I've read a lot regarding service accounts on this mailinglist in the past.
But it's rather unclear to me what the current preferred method is to
create a service account for a service running on a different machine.

In this case it would be  a service account for ovirt so that freeipa
users can authenticate in the ovirt portal using their freeipa
credentials.

It sounds like you do not want a system user account, but you are OK with a
service account so that you can get a keytab for your oVirt instance. In that
case, simple

$ ipa service-add HTTP/frontend.ovirt.test
and
$ ipa-getkeytab ...
should be enough, right?

Maybe I just do not understand the use case.

I could of course create an account and then apply an LDIF to set its
password expiration to the next millennium to make sure the password
does not expire.

Anybody who has a good suggestion on how to deal with this?

Cheers
Rob Verduijn
Hello,

I think some more context should clear this up a bit.

According to the RHEV administrator guide (oVirt refers to the RHEV manuals a lot):
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html

It talks about two options for a single sign-on solution.

One: have the single sign-on work for the portal, but then it won't work
for the VMs
(something about not being able to pass a password since the portal
won't have one to pass).

Or: have the single sign-on work for the VMs, but then you have to sign
in to the portal so it can pass on your credentials to the VMs.

I guess there is some interesting technical challenge to deal with to
merge those two cases.

The first option requires privileges to browse the FreeIPA directory
to look for user accounts.
I do not know if that can be solved with something as simple as a
keytab and a principal.

My current working solution is an account with a very long password
expiration time in the FreeIPA directory
(a random 32 character/number password is being used for this).

However something tells me that there is a more elegant solution.
And I was wondering if anyone knows one.

Reading the HowTo, I think using a normal FreeIPA POSIX user with password policy, uid, home and all the bells and whistles may be overkill. You could replicate what is done with the sudo system user for binding to LDAP, for example:

# ldapmodify -D "cn=Directory Manager" -x -W
dn: uid=ovirt,cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ovirt
userPassword: $YOUR_PASSWORD
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

and use that as the oVirt BIND user. As for the keytab, you just would not use kadmin, but rather add the service object with "service-add" and get the keytab with "ipa-getkeytab".

Other than that, the HowTo was mostly about the oVirt side of the configuration.

If you succeed, it would be nice to record your steps specific to FreeIPA in a HowTo article on FreeIPA :-)

http://www.freeipa.org/page/HowTos
http://www.freeipa.org/page/HowTo/Writing_how_to_documentation_on_the_wiki

Martin
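As an added example, not from the thread or from FreeIPA itself, the sysaccount steps above wrapped in a script: the LDIF is generated from one name so the uid in the RDN and the uid attribute cannot disagree, the entry is checked before it is applied, and the new account is then proven to bind with ldapwhoami. The LDAP URI ldaps://ipa.example.test, the suffix dc=example,dc=test and the account name ovirt are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): wrap the sysaccount steps in functions.
# Host, suffix and the account name "ovirt" are assumed placeholders.

# Print the LDIF for a bind-only system account. Args: name, base DN, password.
# The uid attribute comes from the same variable as the RDN, so the two match.
sysaccount_ldif() {
    printf '%s\n' \
        "dn: uid=$1,cn=sysaccounts,cn=etc,$2" \
        "changetype: add" \
        "objectclass: account" \
        "objectclass: simplesecurityobject" \
        "uid: $1" \
        "userPassword: $3" \
        "passwordExpirationTime: 20380119031407Z" \
        "nsIdleTimeout: 0"
}

# Read one LDIF entry from stdin; return 0 only if the uid in the RDN equals
# the uid attribute and an explicit 14-digit expiration timestamp is present.
validate_sysaccount_ldif() {
    entry=$(cat)
    rdn_uid=$(printf '%s\n' "$entry" | sed -n 's/^dn: uid=\([^,]*\),.*/\1/p')
    attr_uid=$(printf '%s\n' "$entry" | sed -n 's/^uid: \(.*\)$/\1/p')
    [ -n "$rdn_uid" ] && [ "$rdn_uid" = "$attr_uid" ] &&
        printf '%s\n' "$entry" | grep -q '^passwordExpirationTime: [0-9]\{14\}Z$'
}

# 32 random characters from [A-Za-z0-9], like the working setup in the thread.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Validate, add the entry as Directory Manager (prompts for its password), then
# prove the account can bind: ldapwhoami prints "dn: uid=ovirt,..." on success.
apply_and_check() {
    host=${1:-ldaps://ipa.example.test}; suffix=${2:-dc=example,dc=test}
    pw=$(random_password)
    sysaccount_ldif ovirt "$suffix" "$pw" | validate_sysaccount_ldif || return 1
    sysaccount_ldif ovirt "$suffix" "$pw" |
        ldapmodify -x -H "$host" -D "cn=Directory Manager" -W || return 1
    ldapwhoami -x -H "$host" -D "uid=ovirt,cn=sysaccounts,cn=etc,$suffix" -w "$pw" || return 1
    printf 'oVirt bind password (store it only in the engine config): %s\n' "$pw"
}

# Usage: sh sysaccount.sh apply [ldap-uri] [suffix]
if [ "${1:-}" = "apply" ]; then apply_and_check "$2" "$3"; fi
```

The generated password is the one that goes into the oVirt directory configuration as the bind password; the account carries no POSIX attributes and no Kerberos principal, so it is usable for LDAP binds only.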

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project