Configure oVirt / RHEV User Authentication using FreeIPA LDAP


So you just finished setting up the oVirt / RHEV Virtualization platform and would like to integrate it with FreeIPA LDAP for user authentication? Before interacting with the oVirt Virtualization management system, user accounts must be configured and granted access rights. The user accounts can be local or from an LDAP store. These account sources are called user domains. Each user account takes the form user@domain, which is referred to as the User Principal Name (UPN). During the installation process, a local domain called internal is created, which can contain local user accounts in the Virtualization platform.

An initial local user with full administrative control over the oVirt Virtualization environment is created in the internal domain. This user has the UPN admin@internal. Additional local user accounts and groups can be created as discussed in the guide below:

In a corporate environment, there is a need to configure an external domain that gets user information from an external directory service such as OpenLDAP, FreeIPA, Microsoft Active Directory, or any other supported option. With an external domain configured, the hassle of managing a local user database is eliminated. You’ll only focus on privilege and permission management for directory users.


From the administration standpoint, users and groups are created in a directory service (FreeIPA in our case). Once FreeIPA is attached to oVirt / RHEV as an external domain, users from the FreeIPA directory service must be configured with roles that grant the appropriate level of access to the Virtualization environment. You can grant some directory users administrative rights and keep admin@internal as an emergency administrative account in case of issues connecting to the directory service.

In one of our guides, we discussed on attaching Windows Active Directory to oVirt/RHEV. The article is accessible on below link:

Note that it’s also possible to attach more than one directory server to oVirt / RHEV. If more than one directory server is attached, you can choose which one to authenticate against by selecting the correct domain at the login window.

Attach FreeIPA domain server to oVirt / RHEV

The requirements for this setup are:

  • Administrative access to working FreeIPA Server (deployed and configured)
  • Administrative access to oVirt / RHEV Portal
  • Access to oVirt Engine / RHEV Manager Command Line interface

We have few guides that can help with FreeIPA server if you don’t have one already:

On the side of oVirt Manager setup, refer to guides below:

Step 1 – Create a user for oVirt/RHEV on FreeIPA

FreeIPA is a free and open source centralized identity, policy, and authorization service. It provides an LDAP integration interface for Red Hat Enterprise Linux based systems. FreeIPA is the upstream project of Red Hat Enterprise Linux Identity Management. In this setup, FreeIPA is used as the authentication source for your Red Hat Virtualization environment.

Login to FreeIPA Server and go to Identity > Active users > Add


Create a user that will be used on oVirt/RHEV manager.


Update user password expiry time

For a new user created in FreeIPA, a password reset is required on first login. Since we’ll use this user as a service account, let’s change the password expiration to a later date, such as 2030.

Get a Kerberos ticket for the admin user.

$ kinit admin
Password for admin@EXAMPLE.COM:

$ klist
Ticket cache: KCM:1000
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
01/22/22 01:47:03  01/23/22 01:46:56  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Set the user's password expiry date to 31/12/2030:

$ ipa user-mod ovirtadmin --setattr=krbPasswordExpiration=20301231011529Z
--------------------------
Modified user "ovirtadmin"
--------------------------
  User login: ovirtadmin
  First name: oVirt
  Last name: Admin
  Home directory: /home/ovirtadmin
  Login shell: /bin/sh
  Principal name: ovirtadmin@EXAMPLE.COM
  Principal alias: ovirtadmin@EXAMPLE.COM
  User password expiration: 20301231011529Z
  Email address: ovirtadmin@example.com
  UID: 1827000003
  GID: 1827000003
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
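A service account whose password silently expires will break every oVirt login at once, so it is worth checking the expiry from the `ipa user-mod` / `ipa user-show` output above. The following script is an added example, not part of the original guide or of FreeIPA; it assumes the "Key: value" output layout shown above and the GeneralizedTime format used by krbPasswordExpiration, and the sample output and realm (EXAMPLE.COM) are constructed:

```python
"""Added check: validate a FreeIPA service account's state and password expiry
from the text output of `ipa user-mod` / `ipa user-show` (layout as shown above)."""
from datetime import datetime, timezone

# Constructed sample, modelled on the `ipa user-mod ovirtadmin` output above.
SAMPLE_IPA_OUTPUT = """\
--------------------------
Modified user "ovirtadmin"
--------------------------
  User login: ovirtadmin
  Principal name: ovirtadmin@EXAMPLE.COM
  User password expiration: 20301231011529Z
  Account disabled: False
  Password: True
  Member of groups: ipausers
"""


def generalized_time(dt: datetime) -> str:
    """Format a datetime as the LDAP GeneralizedTime that FreeIPA stores in
    krbPasswordExpiration (YYYYMMDDhhmmssZ, UTC). Naive datetimes are taken as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_generalized_time(value: str) -> datetime:
    """Inverse of generalized_time(); returns an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_ipa_output(text: str) -> dict:
    """Turn the indented 'Key: value' lines of ipa user-* output into a dict.
    The dashed ruler and the 'Modified user' banner carry no colon and are skipped."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs[key.strip()] = value.strip()
    return attrs


def check_service_account(text: str, now: datetime, min_days: int = 30):
    """Return (days_until_password_expiry, problems). `problems` is empty when the
    account is enabled, has a password, and that password stays valid for at
    least `min_days` days after `now` (an aware UTC datetime)."""
    attrs = parse_ipa_output(text)
    problems = []
    if attrs.get("Account disabled") != "False":
        problems.append("account is disabled or its state is unknown")
    if attrs.get("Password") != "True":
        problems.append("no password set")
    expiry = attrs.get("User password expiration")
    days = None
    if not expiry:
        problems.append("no password expiration attribute")
    else:
        days = (parse_generalized_time(expiry) - now).days
        if days < min_days:
            problems.append(f"password expires in {days} days (< {min_days})")
    return days, problems
```

Feed it the output of `ipa user-show ovirtadmin --all` from a cron job and alert on a non-empty problem list.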

Test a login on the FreeIPA web portal as the ovirtadmin user just created.


Confirm expiry date for the password.


Step 2 – Create a test user on the FreeIPA Server

We need an additional user account that will be used to validate the FreeIPA attachment on the RHEV/oVirt Manager server.


Step 3 – Install ovirt-engine-extension-aaa-ldap on oVirt/RHEV Manager

The ovirt-engine-extension-aaa-ldap is a software package created to provide integration support for LDAP directory services with oVirt/RHEV Manager.

Login to your RHEV Manager / oVirt Engine instance and install ovirt-engine-extension-aaa-ldap package.

sudo yum install ovirt-engine-extension-aaa-ldap

This package we just installed contains the oVirt Engine LDAP Users Management Extension to manage users stored in LDAP server.

$ which ovirt-engine-extension-aaa-ldap-setup
/usr/bin/ovirt-engine-extension-aaa-ldap-setup

The script above is used to configure LDAP integration with oVirt/RHEV Manager. In the next discussion we shall explore how this configuration is accomplished.

Step 4 – Attach FreeIPA identity service to oVirt/RHEV Manager

Before we begin the configuration, the following information is required:

  • The fully qualified DNS domain name of the FreeIPA server (it must be resolvable from the RHEV Manager machine)
  • For secure communication, the public TLS/SSL CA certificate that validates the LDAP server’s TLS certificate, in PEM format
  • The FreeIPA directory server administrator password
  • The base distinguished name (DN) of the FreeIPA directory
  • A FreeIPA user account used to perform search and login queries (the ovirtadmin account created in Step 1)

The details used in this example are:

FreeIPA Server FQDN: ipa.example.com
FreeIPA public TLS/SSL CA certificate: http://ipa.example.com/ipa/config/ca.crt
Search user DN: uid=ovirtadmin,cn=users,cn=accounts,dc=example,dc=com
Profile name visible to users: FreeIPA

With all the prerequisites met, we run the ovirt-engine-extension-aaa-ldap-setup to interactively configure RHEV Manager server to use FreeIPA as external domain for user information.

$ sudo ovirt-engine-extension-aaa-ldap-setup

Choose IPA (option 6) from the list of LDAP implementations.

[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
          Configuration files: /etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf
          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20220122022922-qkjrka.log
          Version: otopi-1.9.6 (otopi-1.9.6-1.el8)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Available LDAP implementations:
           1 - 389ds
           2 - 389ds RFC-2307 Schema
           3 - Active Directory
           4 - IBM Security Directory Server
           5 - IBM Security Directory Server RFC-2307 Schema
           6 - IPA
           7 - Novell eDirectory RFC-2307 Schema
           8 - OpenLDAP RFC-2307 Schema
           9 - OpenLDAP Standard Schema
          10 - Oracle Unified Directory RFC-2307 Schema
          11 - RFC-2307 Schema (Generic)
          12 - RHDS
          13 - RHDS RFC-2307 Schema
          14 - iPlanet
          Please select: 6

Use DNS resolution for FreeIPA server if you have it configured with a valid A record.

NOTE:
          It is highly recommended to use DNS resolution for LDAP server.
          If for some reason you intend to use hosts or plain address disable DNS usage.

          Use DNS (Yes, No) [Yes]: Yes

Select the policy method for your LDAP server setup. Our setup has a single server, hence the choice of option 1.

Available policy method:
           1 - Single server
           2 - DNS domain LDAP SRV record
           3 - Round-robin between multiple hosts
           4 - Failover between multiple hosts
          Please select: 1

Provide the FQDN of your FreeIPA server.

Please enter host address: ipa.example.com

Select the protocol used to access the LDAP server. A default FreeIPA installation ships its own CA certificate, so the recommended startTLS option can be used.

[ INFO  ] Trying to resolve host 'ipa.example.com'

          NOTE:
          It is highly recommended to use secure protocol to access the LDAP server.
          Protocol startTLS is the standard recommended method to do so.
          Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
          Use plain for test environments only.

          Please select protocol to use (startTLS, ldaps, plain) [startTLS]: startTLS

Select URL as the method to obtain the PEM-encoded CA certificate and provide the URL of the CA cert. Because this URL is plain HTTP, compare the downloaded certificate with the copy at /etc/ipa/ca.crt on the FreeIPA server before trusting it.

Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
          URL: http://ipa.example.com/ipa/config/ca.crt
[ INFO  ] Connecting to LDAP using 'ldap://ipa.example.com:389'
[ INFO  ] Executing startTLS
[ INFO  ] Connection succeeded

Confirm connection is successful, and enter User search DN and Password for search user account.

Enter search user DN: uid=ovirtadmin,cn=users,cn=accounts,dc=example,dc=com
Enter search user password: 

Verify the details and press Enter to accept the default base DN.

[ INFO  ] Attempting to bind using 'uid=ovirtadmin,cn=users,cn=accounts,dc=example,dc=com'
          Please enter base DN (dc=example,dc=com) [dc=example,dc=com]:

Type Yes to indicate that you will use single sign-on for virtual machines.

Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: Yes

Specify the name of the profile for the external domain.

Please specify profile name that will be visible to users [ipa.example.com]: FreeIPA
[ INFO  ] Stage: Setup validation

Use the test user account created earlier on the FreeIPA server (computingpost in this example) to confirm that the integration between FreeIPA and oVirt/RHEV Manager works.

NOTE:
          It is highly recommended to test drive the configuration before applying it into engine.
          Login sequence is executed automatically, but it is recommended to also execute Search sequence manually after successful Login sequence.

          Please provide credentials to test login flow:
          Enter user name: computingpost
          Enter user password: 
[ INFO  ] Executing login sequence...
          Login output: ...
[ INFO  ] Login sequence executed successfully

To complete the configuration, press Enter to use Done as the default selection or manually type Done.

Please make sure that user details are correct and group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
          Abort if output is incorrect.
          Select test sequence to execute (Done, Abort, Login, Search) [Done]: Done
[ INFO  ] Stage: Transaction setup
[ INFO  ] Stage: Misc configuration (early)
[ INFO  ] Stage: Package installation
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Transaction commit
[ INFO  ] Stage: Closing up
          CONFIGURATION SUMMARY
          Profile name is: FreeIPA
          The following files were created:
              /etc/ovirt-engine/aaa/FreeIPA.jks
              /etc/ovirt-engine/aaa/FreeIPA.properties
              /etc/ovirt-engine/extensions.d/FreeIPA.properties
              /etc/ovirt-engine/extensions.d/FreeIPA-authn.properties
[ INFO  ] Stage: Clean up
          Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20220122022922-qkjrka.log:
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination

After completing the configuration changes, a restart of the ovirt-engine service on oVirt/RHEV Manager server is required before being able to use the new profile:

sudo systemctl restart ovirt-engine

Check status of ovirt-engine service. It should be in the running state.

$ systemctl status ovirt-engine
 ovirt-engine.service - oVirt Engine
   Loaded: loaded (/usr/lib/systemd/system/ovirt-engine.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2022-01-22 02:42:14 EAT; 7s ago
 Main PID: 478243 (ovirt-engine.py)
    Tasks: 117 (limit: 101124)
   Memory: 733.4M
   CGroup: /system.slice/ovirt-engine.service
           ├─478243 /usr/libexec/platform-python /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.py --redirect-output --systemd=notify start
           └─478448 ovirt-engine --add-modules java.se -server -XX:+TieredCompilation -Xms3958M -Xmx3958M -Xss1M -Djava.awt.headless=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.serve>

Jan 22 02:42:14 ovirt-manager.example.com systemd[1]: Starting oVirt Engine...
Jan 22 02:42:14 ovirt-manager.example.com systemd[1]: Started oVirt Engine.

Step 5 – Assign FreeIPA Users/Groups Permissions on RHEV/oVirt

By default, new users created in FreeIPA are not authorized to access the RHEV/oVirt environment. You need to grant permissions to these user accounts before they can perform actions in the environment. Users in the virtualization environment have permissions that allow them to perform actions on objects such as data centers, clusters, hosts, networks, or virtual machines. A role is a set of permissions permitting access to objects at various levels.

Access ovirt/RHEV Administration portal on https:///ovirt-engine and navigate to Administration > System Permissions > Add


Assign FreeIPA User permissions

Select “User” as the permission type and “FreeIPA” in the Search drop-down list, then enter the FreeIPA user to set permissions for. Hit the Go button and select the user found in the search list.


Select the Role to set for user under “Role to Assign” section.


With all information set, save the changes by pressing “OK“.


Assign FreeIPA Group permissions

The same process is used to assign permissions to a group, except that this time you choose the Group type.

Create a group on FreeIPA web portal – In this example it’s called ovirtadmins


Add users to the group


A user called computingpost has been added in the scenario shared in screenshot below.


After selecting the user, use the Add button to move it to the right-hand section.


On oVirt/RHEV Manager, navigate to Administration > System Permissions > Add. Choose “Group” and “FreeIPA” under Search. You then input group name in search box and Go.


Tick on the selected group to modify. Assign a role to the group. Here we assigned the group “SuperUser” role.


Click “OK” to assign the group a role. Visit oVirt documentation on roles to understand all types available and descriptive permissions in the role.

Assigning Resource-specific Roles to Users

You can also assign a user a role that only applies to a subset of resources, for example a role specific to a Data Center, Cluster, Network, etc.

Examples of resource-specific roles (shown in the original screenshots):

  • Data Center resource role
  • Cluster resource role
  • Network resource role

Step 6 – Test access to oVirt/RHEV Portal using FreeIPA user

On RHEV Administration Portal, select “FreeIPA” profile we attached earlier.


Provide username and password to login with. Make sure this user has role assigned on RHEV/oVirt or is part of a group with a role that has correct access permissions.


You should now gain access to oVirt / RHEV Portal.


If you encounter an authorization error at login, it simply means a role with the relevant permissions was not configured for the user, or for a group the user belongs to.


In this article we’ve been able to integrate FreeIPA to oVirt/RHEV Virtualization platform. We also created user/group on FreeIPA and assigned roles, then tested login access on the portal. If this guide was of help to you, let us know through the comments section below. Feel free to check out more guides on RHEV/oVirt Virtualization platform in the links shared here.

A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.