19.3.2. 附加 Active Directory

在 Red Hat Virtualization Manager 中，安装 LDAP 扩展软件包：

# yum install ovirt-engine-extension-aaa-ldap-setup

运行 ovirt-engine-extension-aaa-ldap-setup 来启动交互式设置：

# ovirt-engine-extension-aaa-ldap-setup

输入对应数字来选择 LDAP 类型。此步骤后 LDAP 相关问题对于不同的 LDAP 类型是不同的。

Available LDAP implementations:
 1 - 389ds
 2 - 389ds RFC-2307 Schema
 3 - Active Directory
 4 - IBM Security Directory Server
 5 - IBM Security Directory Server RFC-2307 Schema
 6 - IPA
 7 - Novell eDirectory RFC-2307 Schema
 8 - OpenLDAP RFC-2307 Schema
 9 - OpenLDAP Standard Schema
10 - Oracle Unified Directory RFC-2307 Schema
11 - RFC-2307 Schema (Generic)
12 - RHDS
13 - RHDS RFC-2307 Schema
14 - iPlanet
Please select: 3

输入 Active Directory 林名称。如果 Manager 的 DNS 无法解析林名称，该脚本会提示您输入一个空格分隔的 Active Directory DNS 服务器名称列表。

Please enter Active Directory Forest name: ad-example.redhat.com
[ INFO  ] Resolving Global Catalog SRV record for ad-example.redhat.com
[ INFO  ] Resolving LDAP SRV record for ad-example.redhat.com

选择 LDAP 服务器支持的安全连接方法，并指定获取 PEM 编码的 CA 证书的方法。file 选项允许您提供证书的完整路径。URL 选项允许您指定证书的 URL。使用 inline 选项，将证书的内容粘贴到终端中。system 选项允许您指定所有 CA 文件的位置。insecure 选项允许您在不安全模式中使用 startTLS。

NOTE:
It is highly recommended to use secure protocol to access the LDAP server.
Protocol startTLS is the standard recommended method to do so.
Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
Use plain for test environments only.
Please select protocol to use (startTLS, ldaps, plain) [startTLS]: startTLS
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
Please enter the password:

输入搜索用户可分辨名称(DN)。用户必须具有权限才能浏览目录服务器上的所有用户和组。搜索用户必须是 LDAP 注解。如果允许匿名搜索，请按 Enter 键，无需输入。

Enter search user DN (empty for anonymous): cn=user1,ou=Users,dc=test,dc=redhat,dc=com
Enter search user password:

指定是否为虚拟机使用单点登录。此功能默认是启用的，但如果启用了对管理门户的单点登录，则无法使用。该脚本提醒您配置集名称必须与域名匹配。在虚拟机管理指南中，您仍需要遵循 为虚拟机配置单点登录 的说明 。

Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]:

指定配置集名称。配置集名称对登录页面上的用户可见。这个示例使用 redhat.com。

Please specify profile name that will be visible to users:redhat.com

图 19.2. 管理门户登录页面

测试搜索和登录功能，以确保您的 LDAP 服务器已正确地连接到您的 Red Hat Virtualization 环境。对于登录查询，请输入帐户名称和密码。对于搜索查询，为用户帐户选择 Principal，然后选择 Group for group for group。如果您希望返回用户帐户的组帐户信息，对于 Resolve Groups 选择 Yes。选择 Done 以完成设置。会创建三个配置文件，并显示在屏幕输出中。

NOTE:
It is highly recommended to test drive the configuration before applying it into engine.
Login sequence is executed automatically, but it is recommended to also execute Search sequence manually after successful Login sequence.
Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Login
Enter search user name: testuser1
Enter search user password:
[ INFO  ] Executing login sequence...
...
Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Search
Select entity to search (Principal, Group) [Principal]:
Term to search, trailing '*' is allowed: testuser1
Resolve Groups (Yes, No) [No]:
[ INFO  ] Executing login sequence...
...
Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Done
[ INFO  ] Stage: Transaction setup
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Package installation
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Transaction commit
[ INFO  ] Stage: Closing up
          CONFIGURATION SUMMARY
          Profile name is: redhat.com
          The following files were created:
              /etc/ovirt-engine/aaa/redhat.com.properties
              /etc/ovirt-engine/extensions.d/redhat.com-authz.properties
              /etc/ovirt-engine/extensions.d/redhat.com-authn.properties
[ INFO  ] Stage: Clean up
          Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20160114064955-1yar9i.log:
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination