[Freeipa-users] service account for ovirt

Rob Verduijn rob.verduijn at gmail.com
Wed Nov 18 15:27:11 UTC 2015


2015-11-18 15:51 GMT+01:00 Martin Kosek <mkosek at redhat.com>:
> On 11/18/2015 08:23 AM, Rob Verduijn wrote:
>> Hello all,
>>
>> I've read a lot regarding service accounts on this mailinglist in the past.
>> But it's rather unclear to me what is the current preferred method to
>> create a service account for a service running on a different machine.
>>
>> In this case it would be  a service account for ovirt so that freeipa
>> users can authenticate in the ovirt portal using their freeipa
>> credentials.
>
> It sounds like you do not want a system user account, but you are OK with a
> service account so that you can get a keytab for your oVirt instance. In that
> case, simple
>
> $ ipa service-add HTTP/frontend.ovirt.test
> and
> $ ipa-getkeytab ...
> should be enough, right?
>
> Maybe I just do not understand the use case.
>
>> I could of course create an account and then apply an LDIF to set its
>> password expiration to the next millennium to make sure the password
>> does not expire.
>>
>> Anybody who has a good suggestion on how to deal with this ?
>>
>> Cheers
>> Rob Verduijn
>>
>
Hello,

I think some more context should clear this up a bit.

According to the RHEV administrator guide (the oVirt docs refer to the RHEV manuals a lot):
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html

It talks about two options as a single sign on solution.

One: have the single sign-on work for the portal, but then it won't work
for the VMs.
( something about not being able to pass a password since the portal
won't have one to pass )

Or: have the single sign-on work for the VMs, but then you have to sign
in to the portal so it can pass on your credentials to the VMs.

I guess there is some interesting technical challenge to deal with to
merge those two cases.

The first option requires privileges to browse the freeipa directory
to look for user accounts.
I do not know if that can be solved with something as simple as a
keytab and a principal.

My current working solution is an account with a very long password
expiration time in the FreeIPA directory
( a random 32 character/number password is being used for this )

However something tells me that there is a more elegant solution.
And I was wondering if anyone knows one.

Cheers
Rob Verduijn
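As an added example, not part of the thread and not FreeIPA's or oVirt's own code, here is the keytab route Martin sketches carried through end to end: create the service principal, fetch its keytab, lock the file down, and then verify that the keytab alone yields a ticket and a GSSAPI bind that can read user entries, which is the "browse the directory" capability Rob asks about. The IPA server name, engine FQDN, realm, keytab path and service user are all assumptions; adjust them to your environment.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/oVirt: provision a
# Kerberos service principal and keytab for an oVirt engine host in FreeIPA,
# verify the keytab, and bind to the directory with it over GSSAPI.
# Server name, engine FQDN, realm, keytab path and service user are assumptions.
set -eu

IPA_SERVER="${IPA_SERVER:-ipa.example.test}"              # assumed IPA master
ENGINE_FQDN="${ENGINE_FQDN:-engine.ovirt.example.test}"   # assumed oVirt engine host
REALM="${REALM:-EXAMPLE.TEST}"                            # assumed Kerberos realm
KEYTAB="${KEYTAB:-/etc/ovirt-engine/krb5.keytab}"         # assumed keytab location
SVC_USER="${SVC_USER:-ovirt}"                             # assumed unix user running the engine

# Service principal name in the form <service>/<fqdn>@<REALM>.
service_principal() {
  printf 'HTTP/%s@%s\n' "$1" "$2"
}

# Derive the LDAP suffix FreeIPA uses from the realm (EXAMPLE.TEST -> dc=example,dc=test).
realm_to_basedn() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\./,dc=/g; s/^/dc=/'
}

# Reject anything that is not primary/instance@REALM before handing it to ipa.
valid_principal() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+/[a-z0-9.-]+@[A-Z0-9.-]+$'
}

# A keytab is a long-lived credential: it must not be group or world readable.
keytab_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

provision_keytab() {
  princ=$(service_principal "$ENGINE_FQDN" "$REALM")
  valid_principal "$princ" || { echo "bad principal: $princ" >&2; return 1; }

  kinit admin                                   # service-add needs an admin ticket
  ipa service-add "$princ"                      # the host entry for ENGINE_FQDN must already exist
  # Caveat: ipa-getkeytab generates a fresh key, so any keytab previously fetched
  # for this principal stops working. Fetch once and distribute the file.
  ipa-getkeytab -s "$IPA_SERVER" -p "$princ" -k "$KEYTAB"
  chown "$SVC_USER": "$KEYTAB"
  chmod 600 "$KEYTAB"
  keytab_mode_ok "$KEYTAB" || { echo "keytab permissions too open" >&2; return 1; }
  kdestroy

  # Verify: get a TGT from the keytab alone, list the keys it holds, then read
  # user entries over a GSSAPI bind, which is what a directory-browsing
  # integration needs instead of a stored password.
  kinit -kt "$KEYTAB" "$princ"
  klist -k "$KEYTAB"
  ldapsearch -Y GSSAPI -H "ldap://$IPA_SERVER" \
    -b "cn=users,cn=accounts,$(realm_to_basedn "$REALM")" '(uid=*)' uid
}

# Only run the procedure when asked, so the file can be sourced for its helpers.
if [ "${1:-}" = "run" ]; then
  provision_keytab
fi
```

Run it as `sh provision-keytab.sh run` on the engine host with an admin password at hand. The keytab takes the place of the long-lived password in Rob's workaround: nothing on the engine ever knows a password, the key can be rotated by running `ipa-getkeytab` again, and a compromised keytab is revoked by disabling or re-keying the one service principal rather than by resetting a user account.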
