14.2. Directory Users

14.2.1. Directory Services Support in Red Hat Enterprise Virtualization

During installation, Red Hat Enterprise Virtualization Manager creates its own internal administration user, admin. This account is intended for use when initially configuring the environment and for troubleshooting. To add other users to Red Hat Enterprise Virtualization, you will need to attach a directory server to the Manager using the Domain Management Tool, engine-manage-domains.
Once at least one directory server has been attached to the Manager, you will be able to add users that exist in the directory server and assign roles to them using the Administration Portal. Users are identified by their User Principal Name (UPN), of the form user@domain. Attaching more than one directory server to the Manager is also supported.
The directory servers supported for use with Red Hat Enterprise Virtualization 3.3 are:
  • Active Directory
  • Identity Management (IdM)
  • Red Hat Directory Server 9 (RHDS 9)
  • OpenLDAP
You must ensure that the correct DNS records exist for your directory server. In particular you must ensure that the DNS records for the directory server include:
  • A valid pointer record (PTR) for the directory server's reverse look-up address.
  • A valid service record (SRV) for LDAP over TCP port 389.
  • A valid service record (SRV) for Kerberos over TCP port 88.
  • A valid service record (SRV) for Kerberos over UDP port 88.
If these records do not exist in DNS then you will be unable to add the domain to the Red Hat Enterprise Virtualization Manager configuration using engine-manage-domains.
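The following shell script is an added example, not part of the Red Hat documentation: it performs the DNS checks listed above with dig before engine-manage-domains is run, and additionally confirms that the directory server's reverse record matches the fully qualified name that will later appear in its Kerberos service principal. The domain example.com, the server address 192.0.2.10 and the environment variables RHEV_DOMAIN, RHEV_DS_IP and RHEV_DS_FQDN are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the RHEV documentation). Assumed values: domain
# example.com, directory server ds1.example.com at 192.0.2.10, dig installed.

# Names of the three SRV records engine-manage-domains requires.
srv_names() {
    domain="$1"
    printf '%s\n' "_ldap._tcp.${domain}" "_kerberos._tcp.${domain}" "_kerberos._udp.${domain}"
}

# Port each record must advertise: 389 for LDAP, 88 for Kerberos.
expected_port() {
    case "$1" in
        _ldap._*)     echo 389 ;;
        _kerberos._*) echo 88 ;;
        *)            echo 0 ;;
    esac
}

# "dig +short <name> SRV" prints one "<priority> <weight> <port> <target>."
# line per record. Return 0 if any line in $1 advertises port $2.
srv_has_port() {
    records="$1"
    port="$2"
    printf '%s\n' "$records" | awk -v p="$port" 'NF == 4 && $3 == p { f = 1 } END { exit f ? 0 : 1 }'
}

# "dig +short -x <ip>" prints the PTR target with a trailing dot. Compare it
# to the FQDN that will be used in the ldap/<fqdn> service principal, since
# Kerberos clients derive that name from the host they connect to.
ptr_matches() {
    ptr=$(printf '%s' "$1" | sed 's/\.$//')
    [ -n "$ptr" ] && [ "$ptr" = "$2" ]
}

# Live check; needs dig and network access. Lists every missing record and
# returns non-zero if any check failed.
check_domain_dns() {
    domain="$1"; server_ip="$2"; fqdn="$3"
    rc=0
    for name in $(srv_names "$domain"); do
        port=$(expected_port "$name")
        if srv_has_port "$(dig +short "$name" SRV)" "$port"; then
            echo "ok      $name advertises port $port"
        else
            echo "MISSING $name (need an SRV record with port $port)"
            rc=1
        fi
    done
    ptr=$(dig +short -x "$server_ip")
    if ptr_matches "$ptr" "$fqdn"; then
        echo "ok      PTR $server_ip -> $ptr"
    else
        echo "MISSING PTR for $server_ip (got '$ptr', expected $fqdn)"
        rc=1
    fi
    return $rc
}

# Run the live check only when RHEV_DOMAIN is set, e.g.
#   RHEV_DOMAIN=example.com RHEV_DS_IP=192.0.2.10 RHEV_DS_FQDN=ds1.example.com sh check-dns.sh
if [ -n "${RHEV_DOMAIN:-}" ]; then
    check_domain_dns "$RHEV_DOMAIN" "${RHEV_DS_IP:?set RHEV_DS_IP}" "${RHEV_DS_FQDN:?set RHEV_DS_FQDN}"
fi
```

A non-zero exit means engine-manage-domains will fail for the same reason; fix the records in DNS (or in the Active Directory or IdM integrated DNS) rather than working around the check with /etc/hosts entries, which the SRV lookups do not consult.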
For more detailed information on installing and configuring a supported directory server, see the vendor's documentation:

Important

A user must be created in the directory server specifically for use as the Red Hat Enterprise Virtualization administrative user. Do not use the administrative user for the directory server as the Red Hat Enterprise Virtualization administrative user.

Important

It is not possible to install Red Hat Enterprise Virtualization Manager (rhevm) and IdM (ipa-server) on the same system. IdM is incompatible with the mod_ssl package, which is required by Red Hat Enterprise Virtualization Manager.

Important

If you are using Active Directory as your directory server, and you wish to use sysprep in the creation of Templates and Virtual Machines, then the Red Hat Enterprise Virtualization administrative user must be delegated control over the Domain to:
  • Join a computer to the domain
  • Modify the membership of a group
For information on creation of user accounts in Active Directory, see http://technet.microsoft.com/en-us/library/cc732336.aspx.
For information on delegation of control in Active Directory, see http://technet.microsoft.com/en-us/library/cc732524.aspx.

Note

Red Hat Enterprise Virtualization Manager uses Kerberos to authenticate with directory servers. RHDS does not provide native support for Kerberos. If you are using RHDS as your directory server, you must therefore make the directory server a service within a valid Kerberos realm. To do this, perform the following steps while referring to the relevant directory server documentation:
  • Configure the memberOf plug-in for RHDS so that each user's group memberships are recorded in the memberOf attribute, which the Manager reads when evaluating group-based role assignments. In particular, ensure that the value of the memberofgroupattr attribute of the memberOf plug-in is set to uniqueMember. In OpenLDAP the equivalent memberOf functionality is not called a "plug-in" but an "overlay", and it requires no configuration after installation.
    Consult the Red Hat Directory Server 9.0 Plug-in Guide for more information on configuring the memberOf plug-in.
  • Define the directory server as a service of the form ldap/hostname@REALMNAME in the Kerberos realm. Replace hostname with the fully qualified domain name associated with the directory server and REALMNAME with the fully qualified Kerberos realm name. The Kerberos realm name must be specified in capital letters.
  • Generate a keytab file for the directory server in the Kerberos realm. The keytab file contains pairs of Kerberos principals and their associated long-term keys; these keys allow the directory server to authenticate itself to the Kerberos realm. Because a keytab is equivalent to the service's password, restrict its file permissions so that only the directory server process can read it, and transfer it to the directory server over a protected channel.
    Consult the documentation for your Kerberos implementation for more information on generating a keytab file.
  • Install the keytab file on the directory server. Then configure RHDS to recognize the keytab file and accept Kerberos authentication using GSSAPI.
    Consult the Red Hat Directory Server 9.0 Administration Guide for more information on configuring RHDS to use an external keytab file.
  • Test the configuration on the directory server by using the kinit command to authenticate as a user defined in the Kerberos realm. Once authenticated, run the ldapsearch command against the directory server. Use the -Y GSSAPI parameter to force SASL/GSSAPI, so that the search can only succeed if Kerberos authentication was actually used.
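The following shell script is an added example and is not taken from the Red Hat Enterprise Virtualization or Red Hat Directory Server documentation. It walks through the principal, keytab and GSSAPI steps above for an MIT Kerberos KDC. The hostname ds1.example.com, realm EXAMPLE.COM, base DN dc=example,dc=com, test user rhevadmin, keytab path /etc/dirsrv/ds.keytab, the dirsrv init script name and the RHDS_HOST, REALM, BASE_DN and TEST_USER environment variables are assumptions; kadmin, klist, kinit and ldapsearch are invoked with their standard MIT Kerberos and OpenLDAP client syntax.

```shell
#!/bin/sh
# Added example (not from the RHEV or RHDS documentation). Assumed values:
# directory server ds1.example.com, realm EXAMPLE.COM (MIT Kerberos KDC),
# base DN dc=example,dc=com, test user rhevadmin, keytab /etc/dirsrv/ds.keytab.

# Build the service principal ldap/<fqdn>@<REALM>. The realm is forced to
# upper case (realm names are case-sensitive and must be capitals here) and
# a short hostname is rejected: the principal must carry the FQDN that
# clients resolve, or the KDC issues tickets the server cannot decrypt.
ldap_principal() {
    host="$1"
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    case "$host" in
        *.*) ;;
        *) echo "error: '$host' is not a fully qualified domain name" >&2; return 1 ;;
    esac
    printf 'ldap/%s@%s\n' "$host" "$realm"
}

# Return 0 if the output of "klist -kt <keytab>" ($1) lists principal $2.
# klist -kt prints one "KVNO Timestamp Principal" row per key, with the
# principal always in the last field.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { f = 1 } END { exit f ? 0 : 1 }'
}

# On the KDC: create the service principal with a random key and export it.
# kadmin prompts for the admin password. The keytab is the service's
# credential: keep it mode 0600 and copy it to the server over scp or similar.
create_service_keytab() {
    princ="$1"
    keytab="$2"
    kadmin -p admin/admin -q "addprinc -randkey $princ" || return 1
    kadmin -p admin/admin -q "ktadd -k $keytab $princ" || return 1
    chmod 0600 "$keytab"
}

# On the RHDS host: point ns-slapd at the keytab through KRB5_KTNAME in
# /etc/sysconfig/dirsrv, make the file readable only by the account the
# server runs as ($3), restart, and verify the principal is present.
install_keytab_on_rhds() {
    keytab="$1"
    princ="$2"
    ds_user="$3"
    chown "$ds_user" "$keytab" && chmod 0600 "$keytab" || return 1
    grep -q '^KRB5_KTNAME=' /etc/sysconfig/dirsrv ||
        printf 'KRB5_KTNAME=%s\nexport KRB5_KTNAME\n' "$keytab" >> /etc/sysconfig/dirsrv
    service dirsrv restart || return 1
    keytab_has_principal "$(klist -kt "$keytab")" "$princ"
}

# End-to-end check: obtain a TGT as a realm user, then search with
# -Y GSSAPI. SASL/GSSAPI cannot fall back to a simple bind, so any result
# proves the server accepted the Kerberos ticket. memberOf is requested as
# well, to confirm the plug-in populates group membership for the Manager.
gssapi_test() {
    host="$1"; base="$2"; user="$3"; realm="$4"
    kinit "${user}@${realm}" || return 1
    ldapsearch -Y GSSAPI -H "ldap://${host}" -b "$base" "(uid=${user})" dn memberOf
}

# Live run only when RHDS_HOST is set, e.g.
#   RHDS_HOST=ds1.example.com REALM=EXAMPLE.COM sh rhds-kerberos.sh
if [ -n "${RHDS_HOST:-}" ]; then
    princ=$(ldap_principal "$RHDS_HOST" "${REALM:-EXAMPLE.COM}") || exit 1
    echo "service principal: $princ"
    gssapi_test "$RHDS_HOST" "${BASE_DN:-dc=example,dc=com}" "${TEST_USER:-rhevadmin}" "${REALM:-EXAMPLE.COM}"
fi
```

create_service_keytab runs on the KDC and install_keytab_on_rhds on the directory server; the final live section runs the kinit and ldapsearch test from any host in the realm. If ldapsearch fails with a GSSAPI error after kinit succeeded, the usual causes are a principal whose host part does not match the name the client resolved (check the DNS records from the previous section) or a keytab the ns-slapd process cannot read.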