Re: [Freeipa-users] service account for ovirt
On 11/20/2015 08:16 PM, Rob Verduijn wrote: > Hello, > > I've tested the solution you suggested it doesnt work > I think ovirt-engine looks for the other users in the same context as > the bind user, it will ofcourse find not many there, Ah, I see. oVirt apparently expects the users to be only in the users container and not in the system user container. I am thinking this might be something that can be improved, as it would be much easier to do with system user, on the first look. > I can't get the seconf option with the keytab to work. > So I'm stuck with the full blown user account for this. Can you show some error log, why ipa-getkeytab on a service failed? It should just work, if you add appropriate service with service-add and then ask for the keytab with power account. > Here's what I did : > > The ovirt os is centos 6 x86_64 > All the latest patches have been applied. > It can be a member of the freeipa domain but this is not required for > the ovirt-freeipa authentication to work. > personally I think its nice to have the ovirt machine under freeipa > supervision as wel. > > the freeipa os is centos7 x*6_64 > All the latest patches have been applied. > > The ovirt environment is configured, up and running. > > There are two ways of single sign on for ovirt. > see > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html > > This howto is for the first option > you require a search account in the freeipa domain. > add a user account to the freeipa domain > login with that account so it asks you to set a new password for it > then reset the experation date for the password to somewhere in the > far future with the procedure below > > # > # Add the search account for ovirt to the freeipa domain. > # > # executed these commands on the freeipa server as root. > # > > # first set the variables > export SUFFIX='dc=example,dc=com' > export OVIRT_SERVER=ovirt.example.com > export FREEIPA_DOMAIN=EXAMPLE.COM > export USERNAME=ovirt > export YOUR_PASSWORD='top_secret_random_very_long_password' > > # create an ldif file > cat > resetexperation.ldif << EOF > dn: uid=$USERNAME,cn=users,cn=accounts,$SUFFIX > changetype: modify > replace: krbpasswordexpiration > krbpasswordexpiration: 20380119031407Z > EOF > > # apply the ldif file > # the password requested is the directory admin password, this is NOT > the same account as the freeipa admin > ldapmodify -x -D "cn=directory manager" -W -vv -f resetexperation.ldif > > # for the second option also : > # add the service for http to freeipa > kinit admin > ipa service-add HTTP/$OVIRT_SERVER@$FREEIPA_DOMAIN > > # > # The following commands are executed as root on the ovirt-engine machine. > # This is the example that allows single sign on from the portal to the vm's > # Assuming the forementioned bindaccount exists in the freeipa domain > # > > # > # first install the required package : > # > > yum install -y ovirt-engine-extension-aaa-ldap > > # > # create the ovirt configuration files > # examples can be found here : > # /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/. > # > > mkdir /etc/ovirt-engine/aaa > mkdir /etc/ovirt-engine/extenstions.d > > # > # set the vars again ( exports do not work between vm's) > # > > export SUFFIX='dc=example,dc=com' > export YOUR_PASSWORD='top_secret_random_very_long_password' > export FREEIPA_SERVER=freeipa.example.com > export PROFILE_NAME=profile1 > > # > # create the config files > # > cat > /etc/ovirt-engine/aaa/$PROFILE_NAME.properties << EOF > include = > vars.server = $FREEIPA_SERVER > vars.user = uid=ovirt,cn=users,cn=accounts,$SUFFIX > vars.password = $YOUR_PASSWORD > pool.default.serverset.single.server = \${global:vars.server} > pool.default.auth.simple.bindDN = \${global:vars.user} > pool.default.auth.simple.password = \${global:vars.password} > EOF > > cat > /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authz.properties << EOF > ovirt.engine.extension.name = $PROFILE_NAME-authz > ovirt.engine.extension.bindings.method = jbossmodule > ovirt.engine.extension.binding.jbossmodule.module = > org.ovirt.engine-extensions.aaa.ldap > ovirt.engine.extension.binding.jbossmodule.class = > org.ovirt.engineextensions.aaa.ldap.AuthzExtension > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz > config.profile.file.1 = ../aaa/$PROFILE_NAME.properties > EOF > > cat > /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties << EOF > ovirt.engine.extension.name = $PROFILE_NAME-authn > ovirt.engine.extension.bindings.method = jbossmodule > ovirt.engine.extension.binding.jbossmodule.module = > org.ovirt.engine-extensions.aaa.ldap > ovirt.engine.extension.binding.jbossmodule.class = > org.ovirt.engineextensions.aaa.ldap.AuthnExtension > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn > ovirt.engine.aaa.authn.profile.name = $PROFILE_NAME > ovirt.engine.aaa.authn.authz.pl
Re: [Freeipa-users] service account for ovirt
Hello, I've tested the solution you suggested it doesnt work I think ovirt-engine looks for the other users in the same context as the bind user, it will ofcourse find not many there, I can't get the seconf option with the keytab to work. So I'm stuck with the full blown user account for this. Here's what I did : The ovirt os is centos 6 x86_64 All the latest patches have been applied. It can be a member of the freeipa domain but this is not required for the ovirt-freeipa authentication to work. personally I think its nice to have the ovirt machine under freeipa supervision as wel. the freeipa os is centos7 x*6_64 All the latest patches have been applied. The ovirt environment is configured, up and running. There are two ways of single sign on for ovirt. see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html This howto is for the first option you require a search account in the freeipa domain. add a user account to the freeipa domain login with that account so it asks you to set a new password for it then reset the experation date for the password to somewhere in the far future with the procedure below # # Add the search account for ovirt to the freeipa domain. # # executed these commands on the freeipa server as root. # # first set the variables export SUFFIX='dc=example,dc=com' export OVIRT_SERVER=ovirt.example.com export FREEIPA_DOMAIN=EXAMPLE.COM export USERNAME=ovirt export YOUR_PASSWORD='top_secret_random_very_long_password' # create an ldif file cat > resetexperation.ldif << EOF dn: uid=$USERNAME,cn=users,cn=accounts,$SUFFIX changetype: modify replace: krbpasswordexpiration krbpasswordexpiration: 20380119031407Z EOF # apply the ldif file # the password requested is the directory admin password, this is NOT the same account as the freeipa admin ldapmodify -x -D "cn=directory manager" -W -vv -f resetexperation.ldif # for the second option also : # add the service for http to freeipa kinit admin ipa service-add HTTP/$OVIRT_SERVER@$FREEIPA_DOMAIN # # The following commands are executed as root on the ovirt-engine machine. # This is the example that allows single sign on from the portal to the vm's # Assuming the forementioned bindaccount exists in the freeipa domain # # # first install the required package : # yum install -y ovirt-engine-extension-aaa-ldap # # create the ovirt configuration files # examples can be found here : # /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/. # mkdir /etc/ovirt-engine/aaa mkdir /etc/ovirt-engine/extenstions.d # # set the vars again ( exports do not work between vm's) # export SUFFIX='dc=example,dc=com' export YOUR_PASSWORD='top_secret_random_very_long_password' export FREEIPA_SERVER=freeipa.example.com export PROFILE_NAME=profile1 # # create the config files # cat > /etc/ovirt-engine/aaa/$PROFILE_NAME.properties << EOF include = vars.server = $FREEIPA_SERVER vars.user = uid=ovirt,cn=users,cn=accounts,$SUFFIX vars.password = $YOUR_PASSWORD pool.default.serverset.single.server = \${global:vars.server} pool.default.auth.simple.bindDN = \${global:vars.user} pool.default.auth.simple.password = \${global:vars.password} EOF cat > /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authz.properties << EOF ovirt.engine.extension.name = $PROFILE_NAME-authz ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz config.profile.file.1 = ../aaa/$PROFILE_NAME.properties EOF cat > /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties << EOF ovirt.engine.extension.name = $PROFILE_NAME-authn ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name = $PROFILE_NAME ovirt.engine.aaa.authn.authz.plugin = $PROFILE_NAME-authz config.profile.file.1 = ../aaa/$PROFILE_NAME.properties EOF # # change owner and permissions of the profile file # chown ovirt:ovirt /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties chmod 400 /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties # # restart the ovirt engine # service ovirt-engine restart # # done you can now add freeipa users to the rhevm portal in the users menu # after the users have been added you can assign permissions for them on the vm's # Cheers Rob Verduijn 2015-11-18 20:34 GMT+01:00 Martin Kosek : > On 11/18/2015 04:27 PM, Rob Verduijn wrote: >> >> 2015-11-18 15:51 GMT+01:00 Martin Kosek : >>> >>> On 11/18/2015 08:23 AM, Rob Verduijn wrote:
Re: [Freeipa-users] service account for ovirt
On 11/18/2015 04:27 PM, Rob Verduijn wrote: 2015-11-18 15:51 GMT+01:00 Martin Kosek : On 11/18/2015 08:23 AM, Rob Verduijn wrote: Hello all, I've read a lot regarding service accounts on this mailinglist in the past. But it's rather unclear to me what is the current preffered method to create a service account for a service running on a different machine. In this case it would be a service account for ovirt so that freeipa users can authenticate in the ovirt portal using their freeipa credentials. It sounds like that you do not want system user account, but you are OK with service account so that you can get a keytab for your oVirt instance. In that case, simple $ ipa service-add HTTP/frontend.ovirt.test and $ ipa-getkeytab ... should be enough, right? Maybe I just do not understand the use case. I could ofcourse create an account and then apply a ldf to set its password expiration to the next millennium to make sure the password does not expire. Anybody who has a good suggestion on how to deal with this ? Cheers Rob Verduijn Hello, I think some more context should clear this up a bit. according to the rhev administrator guide: (ovirt referes to rhev manuals a lot) https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html It talks about two options as a single sign on solution. On have the single sign on work for the portal, but then it won't work for the vm's. ( something about not being able to pass a password since the portal won't have one to pass ) Or have the single sign on work for the vm's but than you have to sign in to the portal so it can pass on your credentials to the vm's. I guess there is some interesting technical challenge to deal with to merge those two cases. The first option requires privileges to browse the freeipa directory to look for user accounts. I do not know if that can be solved with something as simple as a keytab and a pricipal. My current working solution is an account with a very long password experation time in the freeipa directory ( a random 32 character/number password is being used for this ) However something tells me that there is a more elegant solution. And I was wondering if anyone knows one. Reading the HowTo, I think using normal FreeIPA POSIX user with password policy, uid, home and all the rings and bells may be an over kill. You could replica what is done with sudo system user for binding to LDAP for example: # ldapmodify -D "cn=Directory Manager" -x -W dn: uid=ovirt,cn=sysaccounts,cn=etc,$SUFFIX changetype: add objectclass: account objectclass: simplesecurityobject uid: sudo userPassword: $YOUR_PASSWORD passwordExpirationTime: 20380119031407Z nsIdleTimeout: 0 and use that as oVirt BIND user. As for keytab, you just would not use kadmin, but rather add the service object with "service-add" and get the keytab with "ipa-getkeytab". Other than that, the HowTo was mostly about oVirt side of configuration. If you succeed, it would nice to record your steps specific to FreeIPA in a HowTo article on FreeIPA :-) http://www.freeipa.org/page/HowTos http://www.freeipa.org/page/HowTo/Writing_how_to_documentation_on_the_wiki Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] service account for ovirt
2015-11-18 15:51 GMT+01:00 Martin Kosek : > On 11/18/2015 08:23 AM, Rob Verduijn wrote: >> Hello all, >> >> I've read a lot regarding service accounts on this mailinglist in the past. >> But it's rather unclear to me what is the current preffered method to >> create a service account for a service running on a different machine. >> >> In this case it would be a service account for ovirt so that freeipa >> users can authenticate in the ovirt portal using their freeipa >> credentials. > > It sounds like that you do not want system user account, but you are OK with > service account so that you can get a keytab for your oVirt instance. In that > case, simple > > $ ipa service-add HTTP/frontend.ovirt.test > and > $ ipa-getkeytab ... > should be enough, right? > > Maybe I just do not understand the use case. > >> I could ofcourse create an account and then apply a ldf to set its >> password expiration to the next millennium to make sure the password >> does not expire. >> >> Anybody who has a good suggestion on how to deal with this ? >> >> Cheers >> Rob Verduijn >> > Hello, I think some more context should clear this up a bit. according to the rhev administrator guide: (ovirt referes to rhev manuals a lot) https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html It talks about two options as a single sign on solution. On have the single sign on work for the portal, but then it won't work for the vm's. ( something about not being able to pass a password since the portal won't have one to pass ) Or have the single sign on work for the vm's but than you have to sign in to the portal so it can pass on your credentials to the vm's. I guess there is some interesting technical challenge to deal with to merge those two cases. The first option requires privileges to browse the freeipa directory to look for user accounts. I do not know if that can be solved with something as simple as a keytab and a pricipal. My current working solution is an account with a very long password experation time in the freeipa directory ( a random 32 character/number password is being used for this ) However something tells me that there is a more elegant solution. And I was wondering if anyone knows one. Cheers Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] service account for ovirt
On 11/18/2015 08:23 AM, Rob Verduijn wrote: > Hello all, > > I've read a lot regarding service accounts on this mailinglist in the past. > But it's rather unclear to me what is the current preffered method to > create a service account for a service running on a different machine. > > In this case it would be a service account for ovirt so that freeipa > users can authenticate in the ovirt portal using their freeipa > credentials. It sounds like that you do not want system user account, but you are OK with service account so that you can get a keytab for your oVirt instance. In that case, simple $ ipa service-add HTTP/frontend.ovirt.test and $ ipa-getkeytab ... should be enough, right? Maybe I just do not understand the use case. > I could ofcourse create an account and then apply a ldf to set its > password expiration to the next millennium to make sure the password > does not expire. > > Anybody who has a good suggestion on how to deal with this ? > > Cheers > Rob Verduijn > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] service account for ovirt
Hello all, I've read a lot regarding service accounts on this mailinglist in the past. But it's rather unclear to me what is the current preffered method to create a service account for a service running on a different machine. In this case it would be a service account for ovirt so that freeipa users can authenticate in the ovirt portal using their freeipa credentials. I could ofcourse create an account and then apply a ldf to set its password expiration to the next millennium to make sure the password does not expire. Anybody who has a good suggestion on how to deal with this ? Cheers Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project