So you have just finished setting up the oVirt / RHEV virtualization platform and would like to integrate it with FreeIPA LDAP for user authentication? Before a user can interact with the oVirt virtualization management system, the account must be configured and granted access rights. User accounts can be local or come from an LDAP store; these account sources are called user domains. Each user account has the form user@domain, referred to as a User Principal Name (UPN). During installation, a local domain called internal is created, which holds local user accounts in the virtualization platform.
An initial local user with full administrative control over the oVirt virtualization environment is created in the internal domain; its UPN is admin@internal. Additional local user accounts and groups can be created as discussed in the guide below:
In a corporate environment, there is a need to configure an external domain that gets user information from an external directory service such as OpenLDAP, FreeIPA, Microsoft Active Directory, or any other supported option. With an external domain configured, the hassle of managing a local user database is eliminated; you only focus on privilege and permission management for directory users.
From an administration standpoint, users and groups are created in the directory service (FreeIPA in our case). Once FreeIPA is attached to oVirt / RHEV as an external domain, users from the FreeIPA directory must be assigned roles that grant the appropriate level of access to the virtualization environment. You can grant some directory users administrative rights and keep admin@internal as an emergency (break-glass) administrative account for when the directory service is unreachable; keep its password in a vault rather than in daily use.
In one of our guides, we discussed attaching Windows Active Directory to oVirt/RHEV. The article is accessible on the link below:
Note that it is also possible to attach more than one directory server to oVirt / RHEV. If more than one directory server is attached, you choose which one to authenticate against by selecting the correct profile (domain) at the login window.
Attach FreeIPA domain server to oVirt / RHEV
The requirements for this setup are:
- Administrative access to a working FreeIPA Server (deployed and configured)
- Administrative access to oVirt / RHEV Portal
- Access to oVirt Engine / RHEV Manager Command Line interface
We have a few guides that can help with the FreeIPA server if you don’t have one already:
- How To Install FreeIPA Server on CentOS 7
- Install and Configure FreeIPA Server on CentOS 8 / RHEL 8
- Install and Configure FreeIPA Server on Rocky Linux 8
On the oVirt Manager side, refer to the guides below:
Step 1 – Create a user for oVirt/RHEV on FreeIPA
FreeIPA is a free and open source centralized identity, policy, and authorization service. It provides an LDAP and Kerberos integration interface for Red Hat Enterprise Linux based systems. FreeIPA is the upstream project of Red Hat Identity Management (IdM). In this setup, FreeIPA is used as the authentication source for your oVirt / Red Hat Virtualization environment.
Log in to the FreeIPA server web UI and go to Identity > Users > Active users > Add
Create a user that the oVirt/RHEV Manager will use as its search (bind) account. It only needs to read user and group entries, which an ordinary member of ipausers can do, so do not make it a FreeIPA administrator.
Update user password expiry time
A password set by an administrator in FreeIPA expires immediately, so a new user is forced to reset it at first login. Since this user is a service account that never logs in interactively, extend the password expiry to a later date such as 2030.
Get a Kerberos ticket for the admin user.
$ kinit admin
Password for admin@EXAMPLE.COM:
$ klist
Ticket cache: KCM:1000
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
01/22/22 01:47:03    01/23/22 01:46:56    krbtgt/EXAMPLE.COM@EXAMPLE.COM
Set the password expiry date to 31/12/2030. krbPasswordExpiration is an LDAP GeneralizedTime in UTC (YYYYMMDDhhmmssZ).
$ ipa user-mod ovirtadmin --setattr=krbPasswordExpiration=20301231011529Z
--------------------------
Modified user "ovirtadmin"
--------------------------
  User login: ovirtadmin
  First name: oVirt
  Last name: Admin
  Home directory: /home/ovirtadmin
  Login shell: /bin/sh
  Principal name: ovirtadmin@EXAMPLE.COM
  Principal alias: ovirtadmin@EXAMPLE.COM
  User password expiration: 20301231011529Z
  Email address: ovirtadmin@example.com
  UID: 1827000003
  GID: 1827000003
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
Test login on the FreeIPA web portal as the ovirtadmin user just created.
Confirm expiry date for the password.
Step 2 – Create a test user on FreeIPA Server
We need an additional user account that will be used to validate successful FreeIPA attachment on the RHEV/oVirt Manager server.
Step 3 – Install ovirt-engine-extension-aaa-ldap on oVirt/RHEV Manager
ovirt-engine-extension-aaa-ldap is the package that provides LDAP directory service integration for oVirt/RHEV Manager.
Log in to your RHEV Manager / oVirt Engine instance and install the ovirt-engine-extension-aaa-ldap package.
sudo yum install ovirt-engine-extension-aaa-ldap
The package just installed contains the oVirt Engine LDAP users management extension, which manages users stored in an LDAP server, along with its interactive setup script:
$ which ovirt-engine-extension-aaa-ldap-setup
/usr/bin/ovirt-engine-extension-aaa-ldap-setup
The script above is used to configure LDAP integration with oVirt/RHEV Manager. The next step shows how this configuration is done.
Step 4 – Attach FreeIPA identity service to oVirt/RHEV Manager
Before we begin the configuration, the following information is required:
- The fully qualified DNS name of the FreeIPA server (it must resolve from the RHEV Manager machine)
- For secure communication, the CA certificate, in PEM format, that validates the LDAP server’s TLS certificate (in a default FreeIPA installation this is FreeIPA’s own CA, published at http://<ipa-server>/ipa/config/ca.crt and present as /etc/ipa/ca.crt on the server)
- The base distinguished name (DN) of the FreeIPA directory (dc=example,dc=com for the domain example.com); the setup tool detects it and offers it as the default
- A FreeIPA user account used to perform search and login queries, and its password; the FreeIPA admin password itself is not needed by the setup tool
The details used in this example are:
- FreeIPA Server FQDN: ipa.example.com
- FreeIPA public TLS/SSL CA certificate: http://ipa.example.com/ipa/config/ca.crt
- Search user DN: uid=ovirtadmin,cn=users,cn=accounts,dc=example,dc=com
- Profile name visible to users: FreeIPA
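The values above follow directly from the DNS domain: FreeIPA keeps users under cn=users,cn=accounts beneath a base DN built from the domain labels, and its default Kerberos realm is the upper-cased domain. The Python script below is an added example, not part of the original article or of FreeIPA, that derives the base DN, search user DN, principal name and a krbPasswordExpiration value from a domain name, escaping the user name per RFC 4514 so that a name taken from a form cannot smuggle extra RDN components into the DN. The example domain and account names are assumptions matching this guide; nothing here contacts the server.

```python
"""Derive the FreeIPA identifiers that ovirt-engine-extension-aaa-ldap-setup asks for.

Added example (not from the original article). Assumes FreeIPA's standard tree
layout (cn=users,cn=accounts under the domain-derived base DN) and that the
Kerberos realm is the upper-cased DNS domain, which is the FreeIPA default.
"""
from datetime import datetime, timezone

# RFC 4514: these characters must be backslash-escaped inside an RDN value.
_RDN_SPECIAL = set('",+;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN, so a user name such as
    'x,cn=admins' stays one value instead of becoming two RDN components."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                  # NUL has no literal form
        elif ch in _RDN_SPECIAL:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":             # leading space or '#'
            out.append("\\" + ch)
        elif i == last and ch == " ":           # trailing space
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def base_dn(domain: str) -> str:
    """example.com -> dc=example,dc=com"""
    labels = [lb for lb in domain.strip().lower().split(".") if lb]
    if not labels:
        raise ValueError("empty domain")
    return ",".join("dc=" + escape_rdn_value(lb) for lb in labels)


def realm(domain: str) -> str:
    """FreeIPA's default realm is the upper-cased DNS domain."""
    return domain.strip().upper()


def user_dn(uid: str, domain: str) -> str:
    """DN of a FreeIPA user, e.g. the search (bind) user the extension uses."""
    return f"uid={escape_rdn_value(uid)},cn=users,cn=accounts,{base_dn(domain)}"


def principal(uid: str, domain: str) -> str:
    """Kerberos principal as shown by `ipa user-show`."""
    return f"{uid}@{realm(domain)}"


def krb_password_expiration(when: datetime) -> str:
    """Value for `ipa user-mod --setattr=krbPasswordExpiration=...`.
    krbPasswordExpiration is an LDAP GeneralizedTime and must be in UTC."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_generalized_time(value: str) -> datetime:
    """Inverse of krb_password_expiration, for checking `ipa user-show` output."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    # Assumed example domain and account names, matching the article.
    dom = "example.com"
    print("base DN      :", base_dn(dom))
    print("search user  :", user_dn("ovirtadmin", dom))
    print("principal    :", principal("ovirtadmin", dom))
    expiry = datetime(2030, 12, 31, 1, 15, 29, tzinfo=timezone.utc)
    print("expiry attr  :", krb_password_expiration(expiry))
    print("injection try:", user_dn("x,cn=admins", dom))
```

Feed the search user DN it prints to the setup tool, and use parse_generalized_time to confirm the expiry you set really lands in 2030 rather than in local time.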
With all the prerequisites met, run ovirt-engine-extension-aaa-ldap-setup to interactively configure the RHEV Manager server to use FreeIPA as an external domain for user information.
$ sudo ovirt-engine-extension-aaa-ldap-setup
Choose IPA from the list of LDAP implementations (option 6).
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
Configuration files: /etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf
Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20220122022922-qkjrka.log
Version: otopi-1.9.6 (otopi-1.9.6-1.el8)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment customization
Welcome to LDAP extension configuration program
Available LDAP implementations:
 1 - 389ds
 2 - 389ds RFC-2307 Schema
 3 - Active Directory
 4 - IBM Security Directory Server
 5 - IBM Security Directory Server RFC-2307 Schema
 6 - IPA
 7 - Novell eDirectory RFC-2307 Schema
 8 - OpenLDAP RFC-2307 Schema
 9 - OpenLDAP Standard Schema
10 - Oracle Unified Directory RFC-2307 Schema
11 - RFC-2307 Schema (Generic)
12 - RHDS
13 - RHDS RFC-2307 Schema
14 - iPlanet
Please select: 6
Use DNS resolution for the FreeIPA server if it has a valid A record.
NOTE: It is highly recommended to use DNS resolution for LDAP server. If for some reason you intend to use hosts or plain address disable DNS usage.
Use DNS (Yes, No) [Yes]: Yes
Select the policy method for your LDAP server setup. In our setup we have a single server, hence option 1. With FreeIPA replicas in production, option 2 (FreeIPA publishes _ldap._tcp SRV records when it manages DNS) or option 4 (failover) avoids making one directory server a single point of failure for every oVirt login.
Available policy method:
 1 - Single server
 2 - DNS domain LDAP SRV record
 3 - Round-robin between multiple hosts
 4 - Failover between multiple hosts
Please select: 1
Provide the FQDN of your FreeIPA server.
Please enter host address: ipa.example.com
Select the protocol used to reach the LDAP server. A default FreeIPA installation offers startTLS on port 389 and ldaps on port 636, both with a certificate issued by its own CA, so choose startTLS. Use plain only in throwaway test environments: with plain, the search user’s bind password and every user’s login password cross the network unencrypted.
[ INFO ] Trying to resolve host 'ipa.example.com'
NOTE: It is highly recommended to use secure protocol to access the LDAP server. Protocol startTLS is the standard recommended method to do so. Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol. Use plain for test environments only.
Please select protocol to use (startTLS, ldaps, plain) [startTLS]: startTLS
Select URL as the method to obtain the PEM-encoded CA certificate and provide the URL. The certificate is fetched over plain HTTP, so before trusting it compare its SHA-256 fingerprint with the copy at /etc/ipa/ca.crt on the FreeIPA server; a wrong CA here would let an attacker on the path impersonate the directory and harvest every password oVirt forwards to it.
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
URL: http://ipa.example.com/ipa/config/ca.crt
[ INFO ] Connecting to LDAP using 'ldap://ipa.example.com:389'
[ INFO ] Executing startTLS
[ INFO ] Connection succeeded
Once the connection succeeds, enter the search user DN and the password of the search user account.
Enter search user DN: uid=ovirtadmin,cn=users,cn=accounts,dc=example,dc=com
Enter search user password: <INPUT-ovirtadmin-user-Password>
Verify the base DN the tool detected from the directory and press Enter to accept it.
[ INFO ] Attempting to bind using 'uid=ovirtadmin,cn=users,cn=accounts,dc=example,dc=com'
Please enter base DN (dc=example,dc=com) [dc=example,dc=com]:
Type Yes to indicate that you will use single sign-on for virtual machines.
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: Yes
Specify the name of the profile for the external domain.
Please specify profile name that will be visible to users [ipa.example.com]: FreeIPA
[ INFO ] Stage: Setup validation
Use the test user account created in Step 2 to verify the integration between FreeIPA and oVirt/RHEV Manager.
NOTE: It is highly recommended to test drive the configuration before applying it into engine. Login sequence is executed automatically, but it is recommended to also execute Search sequence manually after successful Login sequence.
Please provide credentials to test login flow:
Enter user name: computingpost
Enter user password: <INPUT-USER-PASSWORD>
[ INFO ] Executing login sequence...
Login output:
...
[ INFO ] Login sequence executed successfully
Before finishing, select Search at least once and check the output: the PrincipalRecord and GroupRecord entries should show the expected attributes and group memberships for the test user, since role assignment in oVirt keys off these. Then press Enter to accept the default Done, or type Done, to write the configuration.
Please make sure that user details are correct and group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
Abort if output is incorrect.
Select test sequence to execute (Done, Abort, Login, Search) [Done]: Done
[ INFO ] Stage: Transaction setup
[ INFO ] Stage: Misc configuration (early)
[ INFO ] Stage: Package installation
[ INFO ] Stage: Misc configuration
[ INFO ] Stage: Transaction commit
[ INFO ] Stage: Closing up
CONFIGURATION SUMMARY
Profile name is: FreeIPA
The following files were created:
    /etc/ovirt-engine/aaa/FreeIPA.jks
    /etc/ovirt-engine/aaa/FreeIPA.properties
    /etc/ovirt-engine/extensions.d/FreeIPA.properties
    /etc/ovirt-engine/extensions.d/FreeIPA-authn.properties
[ INFO ] Stage: Clean up
Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20220122022922-qkjrka.log:
[ INFO ] Stage: Pre-termination
[ INFO ] Stage: Termination
After the configuration is written, the ovirt-engine service on the oVirt/RHEV Manager server must be restarted before the new profile can be used:
sudo systemctl restart ovirt-engine
Check the status of the ovirt-engine service; it should be active (running).
$ systemctl status ovirt-engine
● ovirt-engine.service - oVirt Engine
   Loaded: loaded (/usr/lib/systemd/system/ovirt-engine.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2022-01-22 02:42:14 EAT; 7s ago
 Main PID: 478243 (ovirt-engine.py)
    Tasks: 117 (limit: 101124)
   Memory: 733.4M
   CGroup: /system.slice/ovirt-engine.service
           ├─478243 /usr/libexec/platform-python /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.py --redirect-output --systemd=notify start
           └─478448 ovirt-engine --add-modules java.se -server -XX:+TieredCompilation -Xms3958M -Xmx3958M -Xss1M -Djava.awt.headless=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.serve>

Jan 22 02:42:14 ovirt-manager.example.com systemd: Starting oVirt Engine...
Jan 22 02:42:14 ovirt-manager.example.com systemd: Started oVirt Engine.
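The profile files listed in the configuration summary are what the engine reads at start-up, and the one under /etc/ovirt-engine/aaa holds the search user’s bind password in cleartext, so they deserve a check after every run of the setup tool and after any manual edit. The Python script below is an added example, not part of the article or of the extension: it reads a profile, resolves the ${global:...} variable references the extension uses, and reports what a reviewer would flag: group/world-readable permissions on a file containing the password, certificate validation switched off, and a profile that uses neither startTLS nor ldaps. The property names (pool.default.ssl.startTLS, pool.default.ssl.enable, pool.default.ssl.insecure, pool.default.ssl.truststore.file, pool.default.auth.simple.*) are taken from the extension’s documented configuration keys; the sample profile embedded in the script is constructed to resemble the FreeIPA profile generated above, with an invented password.

```python
"""Audit an ovirt-engine-extension-aaa-ldap profile (/etc/ovirt-engine/aaa/<profile>.properties).

Added example, not part of the original article or of the extension. Property
names follow the extension's documented configuration keys; SAMPLE_PROFILE is
constructed to mirror the FreeIPA profile generated in this guide.
"""
import os
import re
import stat
import sys

_REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text: str) -> dict:
    """Parse 'key = value' lines ('#' lines are comments) and resolve
    ${global:key} references the way the extension does."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")      # DN values contain '='; split once
        props[key.strip()] = value.strip()
    for _ in range(5):                            # a few passes cover nested refs
        changed = False
        for key, value in props.items():
            new = _REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)
            if new != value:
                props[key] = new
                changed = True
        if not changed:
            break
    return props


def _is_true(value) -> bool:
    return str(value).strip().lower() == "true"


def audit_text(text: str, mode: int) -> list:
    """Return findings for a profile body given its file mode (st_mode bits)."""
    props = parse_properties(text)
    findings = []

    # 1. The bind password is stored in cleartext: only the engine (user ovirt)
    #    should be able to read the file, so no group/other permission bits.
    has_password = bool(props.get("pool.default.auth.simple.password"))
    if has_password and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("profile is group/world-readable but contains the "
                        "search user's bind password in cleartext; chmod 0600")

    # 2. Transport security: startTLS or ldaps, with certificate validation on.
    uses_tls = (_is_true(props.get("pool.default.ssl.startTLS"))
                or _is_true(props.get("pool.default.ssl.enable")))
    if not uses_tls:
        findings.append("neither startTLS nor ldaps enabled: bind and user "
                        "passwords cross the network unencrypted")
    if _is_true(props.get("pool.default.ssl.insecure")):
        findings.append("pool.default.ssl.insecure=true disables certificate "
                        "validation; an on-path attacker can harvest passwords")
    if uses_tls and not props.get("pool.default.ssl.truststore.file"):
        findings.append("TLS enabled but no truststore configured")

    # 3. A bind DN without a password degrades to an anonymous bind.
    if props.get("pool.default.auth.simple.bindDN") and not has_password:
        findings.append("bind DN set but password empty (anonymous bind)")
    return findings


def audit(path: str) -> list:
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_text(text, os.stat(path).st_mode)


# Constructed sample profile resembling the one the setup tool wrote above.
SAMPLE_PROFILE = """\
include = <ipa.properties>
vars.server = ipa.example.com
vars.user = uid=ovirtadmin,cn=users,cn=accounts,dc=example,dc=com
vars.password = s3cret-bind-password
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/aaa/FreeIPA.jks
pool.default.ssl.truststore.password = changeit
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ovirt-engine/aaa/FreeIPA.properties"
    try:
        result = audit(target)
    except FileNotFoundError:
        print(f"{target}: not found; auditing the embedded sample (mode 0644) instead")
        result = audit_text(SAMPLE_PROFILE, 0o644)
    for finding in result or ["no findings"]:
        print("-", finding)
```

Run it on the manager as `python3 audit.py /etc/ovirt-engine/aaa/FreeIPA.properties` after each setup run; an empty result means the file is private to its owner and the profile validates the FreeIPA CA over startTLS or ldaps.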
Step 5 – Assign FreeIPA Users/Groups Permissions on RHEV/oVirt
By default, users created in FreeIPA are not authorized to access the RHEV/oVirt environment. You need to grant permissions to these user accounts before they can perform actions in the environment. Users in the virtualization environment have permissions that allow them to perform actions on objects such as data centers, clusters, hosts, networks, or virtual machines. A role is a set of permissions granting access to objects at various levels.
Access the oVirt/RHEV Administration Portal at https://<RHEV-Manager-FQDN>/ovirt-engine and navigate to Administration > System Permissions > Add
Assign FreeIPA User permissions
Select “User” as the permission type and “FreeIPA” in the Search drop-down list, then enter the FreeIPA user name to grant permission to. Press Go and select the user found in the search list.
Select the role under the “Role to Assign” section.
With all information set, save the changes by pressing “OK“.
Assign FreeIPA Group permissions
The same process is used to assign permissions to a group; this time you choose the Group type.
Create a group on the FreeIPA web portal. In this example it is called ovirtadmins.
Add users to the group
A user called computingpost has been added in the scenario shown in the screenshot below.
Select the user, move it to the right-hand section and press the Add button.
On oVirt/RHEV Manager, navigate to Administration > System Permissions > Add. Choose “Group” and “FreeIPA” under Search, then enter the group name in the search box and press Go.
Tick the group found in the search results and assign it a role. Here we assigned the group the SuperUser role. SuperUser is unrestricted administrative control over every object in the environment, equivalent to admin@internal, so reserve it for a small, tightly controlled group (membership of ovirtadmins in FreeIPA now decides who is an oVirt administrator) and give everyone else a narrower role such as UserRole or PowerUserRole, scoped to the objects they need.
Click “OK” to assign the role. See the oVirt documentation on roles for the full list and the permissions each role carries.
Assigning Resource-specific Roles to Users
You can also assign a user a role that applies only to a subset of resources, for example a role scoped to a specific Data Center, Cluster or Network. To do so, open that object in the Administration Portal and add the permission from its Permissions tab instead of from System Permissions. The original article illustrates this with screenshots of a Data Center resource role, a Cluster resource role and a Network resource role.
Step 6 – Test access to oVirt/RHEV Portal using FreeIPA user
On the RHEV Administration Portal login page, select the “FreeIPA” profile we attached earlier.
Provide the user name and password to log in with. Make sure this user has a role assigned on RHEV/oVirt, or belongs to a group with a role that grants the required permissions.
You should now gain access to oVirt / RHEV Portal.
If you encounter an authorization error like the one below, FreeIPA accepted the password but no role with the relevant permissions has been assigned to the user, or to a group the user belongs to. Authentication succeeded; authorization in oVirt failed.
In this article we integrated FreeIPA with the oVirt/RHEV virtualization platform, created a user and group on FreeIPA, assigned roles, and tested login access on the portal. If this guide was of help to you, let us know through the comments section below. Feel free to check out more guides on the RHEV/oVirt virtualization platform in the links shared here.