17.2. Directory Users

⁠17.2. Directory Users

17.2.1. Directory Services Support in Red Hat Enterprise Virtualization
17.2.2. Configuring a Generic LDAP Provider
17.2.3. Single Sign-On to the Administration and User Portal

⁠17.2.1. Directory Services Support in Red Hat Enterprise Virtualization

During installation Red Hat Enterprise Virtualization Manager creates its own internal administration user, admin. This account is intended for use when initially configuring the environment, and for troubleshooting. To add other users to Red Hat Enterprise Virtualization you must attach a directory server to the Manager. For diectory servers implemented prior to Red Hat Enterprise Virtualization 3.5, use the Domain Management Tool with the engine-manage-domains command to manage your domains. See the The Domain Management Tool section of the Red Hat Enterprise Virtualization Administration Guide for more information. With Red Hat Enterprise Virtualization 3.5, use the new generic LDAP provider implementation. See Configuring a Generic LDAP Provider section of the Red Hat Enterprise Virtualization Administration Guide for more information.

Once at least one directory server has been attached to the Manager, you can add users that exist in the directory server and assign roles to them using the Administration Portal. Users can be identified by their User Principal Name (UPN) of the form user@domain. Attachment of more than one directory server to the Manager is also supported.

The directory servers supported for use with Red Hat Enterprise Virtualization 3.5 are:

Active Directory
Identity Management (IdM)
Red Hat Directory Server 9 (RHDS 9)
OpenLDAP

You must ensure that the correct DNS records exist for your directory server. In particular you must ensure that the DNS records for the directory server include:

A valid pointer record (PTR) for the directory server's reverse lookup address.
A valid service record (SRV) for LDAP over TCP port 389.
A valid service record (SRV) for Kerberos over TCP port 88.
A valid service record (SRV) for Kerberos over UDP port 88.

If these records do not exist in DNS then you cannot add the domain to the Red Hat Enterprise Virtualization Manager configuration using engine-manage-domains.

For more detailed information on installing and configuring a supported directory server, see the vendor's documentation:

Active Directory - http://technet.microsoft.com/en-us/windowsserver/dd448614.
Identity Management (IdM) - http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
Red Hat Directory Server (RHDS) - http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/index.html
OpenLDAP - http://www.openldap.org/doc/

Important

A user with permissions to browse all users and groups must be created in the directory server specifically for use as the Red Hat Enterprise Virtualization administrative user. Do not use the administrative user for the directory server as the Red Hat Enterprise Virtualization administrative user.

Important

It is not possible to install Red Hat Enterprise Virtualization Manager (rhevm) and IdM (ipa-server) on the same system. IdM is incompatible with the mod_ssl package, which is required by Red Hat Enterprise Virtualization Manager.

Important

If you are using Active Directory as your directory server, and you want to use sysprep in the creation of Templates and Virtual Machines, then the Red Hat Enterprise Virtualization administrative user must be delegated control over the Domain to:

Join a computer to the domain
Modify the membership of a group

For information on creation of user accounts in Active Directory, see http://technet.microsoft.com/en-us/library/cc732336.aspx.

For information on delegation of control in Active Directory, see http://technet.microsoft.com/en-us/library/cc732524.aspx.

Note

Red Hat Enterprise Virtualization Manager uses Kerberos to authenticate with directory servers. The Red Hat Directory Server (RHDS) does not provide native support for Kerberos. If you are using RHDS as your directory server then you must ensure that the directory server is made a service within a valid Kerberos domain. To do this you must perform these steps while referring to the relevant directory server documentation:

Configure the memberOf plug-in for RHDS to allow group membership. In particular ensure that the value of the memberofgroupattr attribute of the memberOf plug-in is set to uniqueMember. In OpenLDAP, the memberOf functionality is not called a "plugin". It is called an "overlay" and requires no configuration after installation.
Consult the Red Hat Directory Server 9.0 Plug-in Guide for more information on configuring the memberOf plug-in.
Define the directory server as a service of the form ldap/hostname@REALMNAME in the Kerberos realm. Replace hostname with the fully qualified domain name associated with the directory server and REALMNAME with the fully qualified Kerberos realm name. The Kerberos realm name must be specified in capital letters.
Generate a keytab file for the directory server in the Kerberos realm. The keytab file contains pairs of Kerberos principals and their associated encrypted keys. These keys allow the directory server to authenticate itself with the Kerberos realm.
Consult the documentation for your Kerberos principle for more information on generating a keytab file.
Install the keytab file on the directory server. Then configure RHDS to recognize the keytab file and accept Kerberos authentication using GSSAPI.
Consult the Red Hat Directory Server 9.0 Administration Guide for more information on configuring RHDS to use an external keytab file.
Test the configuration on the directory server by using the kinit command to authenticate as a user defined in the Kerberos realm. Once authenticated run the ldapsearch command against the directory server. Use the -Y GSSAPI parameters to ensure the use of Kerberos for authentication.

⁠17.2.2. Configuring a Generic LDAP Provider

A generic LDAP provider is available to configure directory services for authenticating and authorizing users. The new provider implementation uses LDAP protocol to access the LDAP server and is fully customizable. To configure a generic LDAP provider, you must modify the configuration file for the authentication extension, the configuration file for the authorization extension, and the LDAP configuration file for the two extensions to point to.

Note

For a complete example of setting up LDAP and Kerberos for single sign-on to the Administration Portal and the User Portal , see Section 17.2.3.1, “Configuring LDAP and Kerberos for Single Sign-on”.

⁠

Procedure 17.1. Configuring a Generic LDAP Provider

On the Red Hat Enterprise Virtualization Manager, install the LDAP extension package:
```
# yum install ovirt-engine-extension-aaa-ldap
```
Copy the LDAP configuration template file into the /etc/ovirt-engine directory. Template files are available for active directories (ad) and other directory types (simple). This example uses the simple configuration template.
```
# cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/. /etc/ovirt-engine
```

Edit the LDAP property configuration file by uncommenting an LDAP server type and updating the domain and passwords fields.

#  vi /etc/ovirt-engine/aaa/profile1.properties

⁠

Example 17.1. Example profile: LDAP server section

#
# Select one
#
include = <openldap.properties>
#include = <389ds.properties>
#include = <rhds.properties>
#include = <ipa.properties>
#include = <iplanet.properties>
#include = <rfc2307.properties>

#
# Server
#
vars.server = ldap1.company.com

#
# Search user and its password.
#
vars.user = uid=search,cn=users,cn=accounts,dc=company,dc=com
vars.password = 123456

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

To use TLS or SSL protocol to interact with the LDAP server, obtain the LDAP server's root CA certificate, and use it to create a public keystore file. Uncomment the following lines and specify the full path to the public keystore file and the password to access the file.

Note

For more information on creating a public keystore file, see Section E.2, “Setting Up SSL or TLS Connections between the Manager and an LDAP Server”.

⁠

Example 17.2. Example profile: keystore section

# Create keystore, import certificate chain and uncomment
# if using tls.
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /full/path/to/myrootca.jks
pool.default.ssl.truststore.password = changeit

Review the authentication configuration file. The profile name is visible to users on the Administration Portal and the User Portal login pages. The configuration profile location must match the LDAP configuration file location. All fields can be left as default.

# vi /etc/ovirt-engine/extensions.d/profile1-authn.properties

⁠

Example 17.3. Example authentication configuration file

ovirt.engine.extension.name = profile1-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = profile1
ovirt.engine.aaa.authn.authz.plugin = profile1-authz
config.profile.file.1 = ../aaa/profile1.properties

Review the authorization configuration file. The configuration profile location must match the LDAP configuration file location. All fields can be left as default.

# vi /etc/ovirt-engine/extensions.d/profile1-authz.properties

⁠

Example 17.4. Example authorization configuration file

ovirt.engine.extension.name = profile1-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/profile1.properties

Ensure that the ownership and permissions of the configuration profile are appropriate:

# chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties

# chmod 600 /etc/ovirt-engine/aaa/profile1.properties

Restart the engine service.
```
# service ovirt-engine restart
```
The ldap1 profile you have created is now available on the Administration Portal and the User Portal login pages. To give the user accounts on the LDAP server appropriate permissions, for example to log in to the User Portal, see the Red Hat Enterprise Virtualization Manager User Tasks section of the Red Hat Enterprise Virtualization Administration Guide.

Note

For more information, see the LDAP authentication and authorization extension README file at /usr/share/doc/ovirt-engine-extension-aaa-ldap-version.

⁠17.2.3. Single Sign-On to the Administration and User Portal

With Red Hat Enterprise Virtualization 3.5, single sign-on to the Administration Portal and the User Portal is supported. With this feature enabled, users are able to log in to the User Portal or the Administration Portal using credentials obtained by single sign-on methods such as Kerberos. It is up to the administrator to configure which single sign-on method to use.

To enable single sign-on to the Administration Portal and the User Portal using Kerberos, see Section 17.2.3.1, “Configuring LDAP and Kerberos for Single Sign-on”.

Note

If single sign-on to the User Portal is enabled, single sign-on to virtual machines will not be possible. With single sign-on to the User Portal enabled, the User Portal does not need to accept a password, thus the password cannot be delegated to sign in to virtual machines.

⁠17.2.3.1. Configuring LDAP and Kerberos for Single Sign-on

This example assumes the following:

The existing Key Distribution Center (KDC) server uses the MIT version of Kerberos 5.
You have administrative rights to the KDC server.
The Kerberos client is installed on the Red Hat Enterprise Virtualization Manager and user machines.
The kadmin utility is used to create Kerberos service principals and keytab files.

This procedure involves the following components:

On the KDC server

Create a service principal and a keytab file for the Apache service on the Red Hat Enterprise Virtualization Manager.

On the Red Hat Enterprise Virtualization Manager

Install the Manager's authentication and authorization extension packages and the Apache Kerberos authentication module.
Configure the extension files.

⁠

Procedure 17.2. Configuring Kerberos for the Apache Service

On the KDC server, use the kadmin utility to create a service principal for the Apache service on the Red Hat Enterprise Virtualization Manager. The service principal is a reference ID to the KDC for the Apache service.
```
# kadmin
kadmin> addprinc -randkey HTTP/fqdn-of-rhevm@REALM.COM
```
Generate a keytab file for the Apache service. The keytab file stores the shared secret key.
```
kadmin> ktadd -k /tmp/http.keytab HTTP/fqdn-of-rhevm@REALM.COM
```
```
kadmin> quit
```
Copy the keytab file from the KDC server to the Red Hat Enterprise Virtualization Manager:
```
# scp /tmp/http.keytab root@rhevm.example.com:/etc/httpd
```

⁠

Procedure 17.3. Configuring Single Sign-on to the User Portal or Administration Portal

On the Red Hat Enterprise Virtualization Manager, ensure that the ownership and permissions for the keytab are appropriate:
```
# chown apache /etc/httpd/http.keytab
```
```
# chmod 400 /etc/httpd/http.keytab
```
Install the authentication extension package, LDAP extension package, and the mod_auth_kerb authentication module:
```
# yum install ovirt-engine-extension-aaa-misc ovirt-engine-extension-aaa-ldap mod_auth_kerb
```
Copy the SSO configuration template file into the /etc/ovirt-engine directory. Template files are available for Active Directory (ad-sso) and other directory types (simple-sso). This example uses the simple SSO configuration template
```
# cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple-sso/. /etc/ovirt-engine
```
Create a symbolic link for the /etc/httpd/conf.d directory for Apache to use the SSO configuration files:
```
# ln -s /etc/ovirt-engine/aaa/ovirt-sso.conf /etc/httpd/conf.d
```

Edit the authentication method file for Apache to use Kerberos for authentication:

# vi /etc/ovirt-engine/aaa/ovirt-sso.conf

⁠

Example 17.5. Example authentication method file

<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5Keytab /etc/httpd/http.keytab
    KrbAuthRealms REALM.COM
    Require valid-user
</LocationMatch>

Edit the LDAP property configuration file by uncommenting an LDAP server type and updating the domain and passwords fields:

#  vi /etc/ovirt-engine/aaa/profile1.properties

⁠

Example 17.6. Example profile: LDAP server section

#
# Select one
#
include = <openldap.properties>
#include = <389ds.properties>
#include = <rhds.properties>
#include = <ipa.properties>
#include = <iplanet.properties>
#include = <rfc2307.properties>

#
# Server
#
vars.server = ldap1.company.com

#
# Search user and its password.
#
vars.user = uid=search,cn=users,cn=accounts,dc=company,dc=com
vars.password = 123456

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

Note

For more information on creating a public keystore file, see Section E.2, “Setting Up SSL or TLS Connections between the Manager and an LDAP Server”.

⁠

Example 17.7. Example profile: keystore section

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /full/path/to/myrootca.jks
pool.default.ssl.truststore.password = changeit

# vi /etc/ovirt-engine/extensions.d/profile1-http-authn.properties

⁠

Example 17.8. Example authentication configuration file

ovirt.engine.extension.name = profile1-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = profile1-http
ovirt.engine.aaa.authn.authz.plugin = profile1-authz
ovirt.engine.aaa.authn.mapping.plugin = http-mapping
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User

Review the authorization configuration file. The configuration profile location must match the LDAP configuration file location. All fields can be left as default.

#  vi /etc/ovirt-engine/extensions.d/profile1-authz.properties

⁠

Example 17.9. Example authorization configuration file

ovirt.engine.extension.name = profile1-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/profile1.properties

Ensure that the ownership and permissions of the configuration profile are appropriate:

# chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties

# chmod 600 /etc/ovirt-engine/aaa/profile1.properties

Restart the Apache service and the engine service:

# service httpd restart

# service ovirt-engine restart