Use Active Directory for RHEV / oVirt User Authentication

Posted on 309 views

In this guide I’ll show you how to integrate oVirt or RHEV with Active Directory for Web console authentication. In Red Hat Virtualization / oVirt, there are two types of user authentication domains: local domain and external domain. During Manager installation a default local domain called the internal domain is created with a default user admin.

The Local user accounts can be created on local domains after installation. There is also an option of creating directory users by attaching external directory servers such as Red Hat Directory Server, Active Directory or OpenLDAP and using them as external domains.

The ovirt-engine-extension-aaa-ldap extension allows for configuration of external LDAP directory for user authentication. This extension supports many different LDAP server types, and an interactive setup script is provided to assist you with the setup for most LDAP types. Note that both the local and directory users need to be assigned with appropriate roles and permissions through the Administration Portal before they can function in the environment.

Setup Pre-requisites:

  • SSH root access to the RHEV / oVirt Manager machine
  • Internet access / Satellite or Foreman registration for package downloads
  • A domain name of the DNS or the LDAP server.
  • For secure connection between the LDAP server and the Manager, ensure that a PEM-encoded CA certificate has been prepared.
  • Have at least one set of account name and password ready to perform search and login queries to the LDAP server.

Step 1: Install LDAP extension package

We need to install ovirt-engine-extension-aaa-ldap package on the Red Hat Virtualization Manager.

sudo yum install ovirt-engine-extension-aaa-ldap-setup

Confirm dependencies and start installation:

Dependencies resolved.
 Package                                                         Architecture                     Version                                   Repository                                          Size
 ovirt-engine-extension-aaa-ldap-setup                           noarch                           1.4.0-1.el8                               ovirt-4.4                                           25 k
Installing dependencies:
 ovirt-engine-extension-aaa-ldap                                 noarch                           1.4.0-1.el8                               ovirt-4.4                                          126 k
 python3-ldap                                                    x86_64                           3.1.0-5.el8                               AppStream                                          226 k
 python3-pyasn1-modules                                          noarch                           0.3.7-6.el8                               AppStream                                          110 k
 unboundid-ldapsdk                                               noarch                           4.0.14-2.el8                              ovirt-4.4-centos-ovirt44                           4.0 M

Transaction Summary
Install  5 Packages

Total download size: 4.5 M
Installed size: 5.9 M
Is this ok [y/N]: y

More package details can be obtained with the rpm command after installation.

$ rpm -qi ovirt-engine-extension-aaa-ldap-setup

Step 2: Configure an External LDAP Provider

We’ll use an interactive step to configure an External LDAP Provider in RHEV Manager instance. Run the following command to start the interactive setup:

sudo ovirt-engine-extension-aaa-ldap-setup

For Active directory integration choose 3:

[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
          Configuration files: /etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf
          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20200911182615-fnpp55.log
          Version: otopi-1.9.2 (otopi-1.9.2-1.el8)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Available LDAP implementations:
           1 - 389ds
           2 - 389ds RFC-2307 Schema
           3 - Active Directory
           4 - IBM Security Directory Server
           5 - IBM Security Directory Server RFC-2307 Schema
           6 - IPA
           7 - Novell eDirectory RFC-2307 Schema
           8 - OpenLDAP RFC-2307 Schema
           9 - OpenLDAP Standard Schema
          10 - Oracle Unified Directory RFC-2307 Schema
          11 - RFC-2307 Schema (Generic)
          12 - RHDS
          13 - RHDS RFC-2307 Schema
          14 - iPlanet
          Please select: 3

Enter Active directory forest name. In the example we’re using Replace it with your Forest name.

Please enter Active Directory Forest name:
[ INFO  ] Resolving Global Catalog SRV record for
          It is highly recommended to use secure protocol to access the LDAP server.
          Protocol startTLS is the standard recommended method to do so.
          Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
          Use plain for test environments only.

Choose LDAP protocol to use:

Please select protocol to use (startTLS, ldaps, plain) [startTLS]: plain

Set Search user bind DN and Password.

[ INFO  ] Resolving SRV record ''
[ INFO  ] Connecting to LDAP using 'ldap://'
[ INFO  ] Connection succeeded
          Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirtAdmin,DC=example,DC=net
          Enter search user password: 
[ INFO  ] Attempting to bind using 'CN=oVirtAdmin,DC=example,DC=net'

Agree to VM Single Sign-On if you want this feature.

Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: Yes

Set profile name.

          Profile name has to match domain name, otherwise Single Sign-On for Virtual Machines will not work.
          Please specify profile name that will be visible to users []:
[ INFO  ] Stage: Setup validation
          It is highly recommended to test drive the configuration before applying it into engine.
          Login sequence is executed automatically, but it is recommended to also execute Search sequence manually after successful Login sequence.

Test connection and authentication with Directory user.

Please provide credentials to test login flow:
          Enter user name: [email protected]
          Enter user password: 
[ INFO  ] Executing login sequence...
          Login output:

Confirm if it was successful. For any error check extension logs.

[ INFO  ] Login sequence executed successfully
          Please make sure that user details are correct and group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
          Abort if output is incorrect.
          Select test sequence to execute (Done, Abort, Login, Search) [Done]: 
[ INFO  ] Stage: Transaction setup
[ INFO  ] Stage: Misc configuration (early)
[ INFO  ] Stage: Package installation
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Transaction commit
[ INFO  ] Stage: Closing up
          Profile name is:
          The following files were created:
[ INFO  ] Stage: Clean up
          Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20200911185444-e7rwcx.log:
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination

Your profile will be saved under /etc/ovirt-engine/aaa/ directory. Extensions properties are in the /etc/ovirt-engine/extensions.d directory.

$ ls -1 /etc/ovirt-engine/aaa/

$ ls /etc/ovirt-engine/extensions.d

Restart oVirt Engine Manager service.

sudo systemctl restart ovirt-engine.service

Check service status, it should be running.

$ systemctl status ovirt-engine.service 
 ovirt-engine.service - oVirt Engine
   Loaded: loaded (/usr/lib/systemd/system/ovirt-engine.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-09-11 19:08:38 EAT; 30s ago
 Main PID: 999555 (
    Tasks: 345 (limit: 199735)
   Memory: 1.3G
   CGroup: /system.slice/ovirt-engine.service
           ├─999555 /usr/libexec/platform-python /usr/share/ovirt-engine/services/ovirt-engine/ --redirect-output --systemd=notify start

Step 3: Assign User a Role on oVirt / RHEV Manager web interface

This user account doesn’t have privileges to manage all functions of oVirt. We need to assign this user privileges for SuperUser if you want it to work like any admin user account, else assign specific permissions.

Log in to the dashboard as the admin user, and navigate to Administration > Configure > System Permissions > Add


On the next window, select search profile and namespace. Then enter the name of the User to grant permissions and click the GO button.


Select the user to grant permissions and pick role to assign the click “OK” button.

Step 4: Test LDAP Login

In the oVirt Login Screen select the profile you created for Active Directory.


Input AD username and Password and hit the “Log in” button. You should get to Admin dashboard where you can perform different operations depending on your permissions.


In our next article we will cover more oVirt / RHEV administrative tasks. In the meantime check other relevant guides available in our website.


Gravatar Image
A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.