Use Active Directory for RHEV/oVirt user authentication

In this guide, I will show you how to integrate oVirt or RHEV with Active Directory for web console authentication. In Red Hat Virtualization / oVirt there are two types of user authentication domains: the local domain and external domains. During Manager installation, the default local domain, called internal, is created together with the default user admin.

After installation, you can create a local user account on the local domain. There is also an option to create directory users by attaching an external directory server (such as Red Hat Directory Server, Active Directory or OpenLDAP) and using it as an external domain.

The ovirt-engine-extension-aaa-ldap extension allows you to configure an external LDAP directory for user authentication. The extension supports many different LDAP server types and provides an interactive setup script that helps you configure most of them. Note that both local users and directory users must be assigned appropriate roles and permissions through the Administration Portal before they can do anything in the environment.

Prerequisites:

  • SSH root access to the RHEV/oVirt Manager machine
  • Internet access, or Satellite/Foreman registration, to download the packages
  • The DNS domain name of the Active Directory forest, or the LDAP server's address
  • To secure the connection between the LDAP server and the Manager, have the PEM-encoded CA certificate ready
  • At least one account name and password for performing search and login queries against the LDAP server

Step 1: Install the LDAP extension package

We need to install the ovirt-engine-extension-aaa-ldap-setup package on the Red Hat Virtualization Manager; it pulls in ovirt-engine-extension-aaa-ldap as a dependency.

sudo yum install ovirt-engine-extension-aaa-ldap-setup

Confirm the dependencies and start the installation:

Dependencies resolved.
=====================================================================================================================================================================================================
 Package                                                         Architecture                     Version                                   Repository                                          Size
=====================================================================================================================================================================================================
Installing:
 ovirt-engine-extension-aaa-ldap-setup                           noarch                           1.4.0-1.el8                               ovirt-4.4                                           25 k
Installing dependencies:
 ovirt-engine-extension-aaa-ldap                                 noarch                           1.4.0-1.el8                               ovirt-4.4                                          126 k
 python3-ldap                                                    x86_64                           3.1.0-5.el8                               AppStream                                          226 k
 python3-pyasn1-modules                                          noarch                           0.3.7-6.el8                               AppStream                                          110 k
 unboundid-ldapsdk                                               noarch                           4.0.14-2.el8                              ovirt-4.4-centos-ovirt44                           4.0 M

Transaction Summary
=====================================================================================================================================================================================================
Install  5 Packages

Total download size: 4.5 M
Installed size: 5.9 M
Is this ok [y/N]: y

After installation, you can use the rpm command to get more package details.

$ rpm -qi ovirt-engine-extension-aaa-ldap-setup

Step 2: Configure the external LDAP provider

We will configure the external LDAP provider on the RHEV Manager instance interactively. Run the following command to start the interactive setup:

sudo ovirt-engine-extension-aaa-ldap-setup

For Active Directory integration, select 3:

[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
          Configuration files: /etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf
          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20200911182615-fnpp55.log
          Version: otopi-1.9.2 (otopi-1.9.2-1.el8)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Available LDAP implementations:
           1 - 389ds
           2 - 389ds RFC-2307 Schema
           3 - Active Directory
           4 - IBM Security Directory Server
           5 - IBM Security Directory Server RFC-2307 Schema
           6 - IPA
           7 - Novell eDirectory RFC-2307 Schema
           8 - OpenLDAP RFC-2307 Schema
           9 - OpenLDAP Standard Schema
          10 - Oracle Unified Directory RFC-2307 Schema
          11 - RFC-2307 Schema (Generic)
          12 - RHDS
          13 - RHDS RFC-2307 Schema
          14 - iPlanet
          Please select: 3

Enter the Active Directory forest name. In the example, we use example.net. Replace it with your forest name.

Please enter Active Directory Forest name: example.net
[ INFO  ] Resolving Global Catalog SRV record for example.net
           
          NOTE:
          It is highly recommended to use secure protocol to access the LDAP server.
          Protocol startTLS is the standard recommended method to do so.
          Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
          Use plain for test environments only.

Select the LDAP protocol to be used. As the note above says, startTLS is the recommended choice and plain should only be used in test environments, since with plain the bind credentials and user passwords cross the network unencrypted. This example uses plain:

Please select protocol to use (startTLS, ldaps, plain) [startTLS]: plain

Enter the bind DN and password of the search user:

[ INFO  ] Resolving SRV record 'example.net'
[ INFO  ] Connecting to LDAP using 'ldap://server1.example.net:389'
[ INFO  ] Connection succeeded
          Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirtAdmin,DC=example,DC=net
          Enter search user password: 
[ INFO  ] Attempting to bind using 'CN=oVirtAdmin,DC=example,DC=net'

Answer Yes if you want Single Sign-On for Virtual Machines:

Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: Yes

Set the profile name. It must match the domain name for VM Single Sign-On to work:

NOTE:
          Profile name has to match domain name, otherwise Single Sign-On for Virtual Machines will not work.
           
          Please specify profile name that will be visible to users [example.net]: example.net
[ INFO  ] Stage: Setup validation
           
          NOTE:
          It is highly recommended to test drive the configuration before applying it into engine.
          Login sequence is executed automatically, but it is recommended to also execute Search sequence manually after successful Login sequence.

Test the connection and authentication with a directory user:

Please provide credentials to test login flow:
          Enter user name: [email protected]
          Enter user password: 
[ INFO  ] Executing login sequence...
          Login output:

Confirm that the login succeeded and that the PrincipalRecord and GroupRecord entries in the output are what you expect. For any errors, check the log file named at the start of the run.

[ INFO  ] Login sequence executed successfully
          Please make sure that user details are correct and group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
          Abort if output is incorrect.
          Select test sequence to execute (Done, Abort, Login, Search) [Done]: 
[ INFO  ] Stage: Transaction setup
[ INFO  ] Stage: Misc configuration (early)
[ INFO  ] Stage: Package installation
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Transaction commit
[ INFO  ] Stage: Closing up
          CONFIGURATION SUMMARY
          Profile name is: example.net
          The following files were created:
[ INFO  ] Stage: Clean up
          Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20200911185444-e7rwcx.log:
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination

The profile's properties file is stored in the /etc/ovirt-engine/aaa/ directory, and the extension properties are in the /etc/ovirt-engine/extensions.d directory.

$ ls -1 /etc/ovirt-engine/aaa/
internal.properties
example.net.properties

$ ls /etc/ovirt-engine/extensions.d
example.net-authn.properties
example.net-authz.properties
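As an added check that is not part of the original guide, the script below audits a profile file from /etc/ovirt-engine/aaa/ for the two choices made above: whether the transport is plain (as selected in this walkthrough) and whether the profile name matches the domain, which VM Single Sign-On requires. It assumes the file uses the keys found in the extension's own example profiles (pool.default.ssl.startTLS, pool.default.ssl.enable, pool.default.serverset.srvrecord.domain) and the ${global:KEY} reference syntax; the sample profile it writes is constructed.

```shell
# prop FILE KEY: print the last value assigned to KEY (KEY given literally)
prop() {
    k=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    sed -n "s/^[[:space:]]*${k}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# resolve FILE VALUE: expand one ${global:KEY} reference, else print VALUE as-is
resolve() {
    pre='${global:'
    case $2 in
        "$pre"*'}') k=${2#"$pre"}; prop "$1" "${k%?}" ;;
        *) printf '%s\n' "$2" ;;
    esac
}

# audit_profile FILE: print one line per finding; return 0 when clean, 1 otherwise
audit_profile() {
    f=$1; rc=0
    profile=$(basename "$f" .properties)
    tls=$(prop "$f" pool.default.ssl.startTLS)
    ldaps=$(prop "$f" pool.default.ssl.enable)
    if [ "$tls" != true ] && [ "$ldaps" != true ]; then
        echo "$profile: neither startTLS nor ldaps enabled; bind credentials travel unencrypted"
        rc=1
    fi
    domain=$(resolve "$f" "$(prop "$f" pool.default.serverset.srvrecord.domain)")
    if [ -n "$domain" ] && [ "$domain" != "$profile" ]; then
        echo "$profile: profile name differs from domain $domain; VM Single Sign-On will not work"
        rc=1
    fi
    return "$rc"
}

# write_sample FILE: constructed profile resembling one written after choosing 'plain'
write_sample() {
    cat > "$1" <<'EOF'
include = <ad.properties>
vars.forest = example.net
vars.user = CN=oVirtAdmin,DC=example,DC=net
vars.password = REDACTED
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.forest}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/example.net.properties"
audit_profile "$tmp/example.net.properties" || echo "rerun the setup and choose startTLS"
```

Run it against the real file as root, e.g. audit_profile /etc/ovirt-engine/aaa/example.net.properties, after each setup run.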

Restart the oVirt Engine manager service.

sudo systemctl restart ovirt-engine.service

Check the service status; it should be active (running).

$ systemctl status ovirt-engine.service 
● ovirt-engine.service - oVirt Engine
   Loaded: loaded (/usr/lib/systemd/system/ovirt-engine.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-09-11 19:08:38 EAT; 30s ago
 Main PID: 999555 (ovirt-engine.py)
    Tasks: 345 (limit: 199735)
   Memory: 1.3G
   CGroup: /system.slice/ovirt-engine.service
           ├─999555 /usr/libexec/platform-python /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.py --redirect-output --systemd=notify start
.....

Step 3: Assign roles to users on the oVirt / RHEV Manager web interface

A directory user has no rights to manage anything in oVirt until permissions are assigned. If you want the account to work like the built-in admin user, assign it the SuperUser role; otherwise assign only the specific permissions it needs.

Log in to the Administration Portal as an administrator and navigate to Administration > Configure > System Permissions > Add.

In the next window, select the search profile and namespace, enter the user name to be granted permission, and click the Go button.

Select the user to be granted permission, then select the role to assign and click the OK button.

Step 4: Test LDAP login

In the oVirt login screen, select the profile you created for Active Directory.


Enter the AD username and password, then click the Log In button. You should land in the management console and be able to perform operations according to your permissions.

In our next article, we will introduce more oVirt/RHEV management tasks. In the meantime, please check other relevant guidelines on our website.

How to install standalone oVirt Engine on CentOS 8

How to terminate/abort tasks in oVirt/RHEV

How to add NFS data, ISO and export storage domains to oVirt/RHEV

Install oVirt Guest Agent on CentOS 8 | RHEL 8
