[Freeipa-users] service account for ovirt

Martin Kosek mkosek at redhat.com
Wed Nov 18 19:34:57 UTC 2015


On 11/18/2015 04:27 PM, Rob Verduijn wrote:
> 2015-11-18 15:51 GMT+01:00 Martin Kosek <mkosek at redhat.com>:
>> On 11/18/2015 08:23 AM, Rob Verduijn wrote:
>>> Hello all,
>>>
>>> I've read a lot regarding service accounts on this mailinglist in the past.
>>> But it's rather unclear to me what is the current preferred method to
>>> create a service account for a service running on a different machine.
>>>
>>> In this case it would be  a service account for ovirt so that freeipa
>>> users can authenticate in the ovirt portal using their freeipa
>>> credentials.
>>
>> It sounds like that you do not want system user account, but you are OK with
>> service account so that you can get a keytab for your oVirt instance. In that
>> case, simple
>>
>> $ ipa service-add HTTP/frontend.ovirt.test
>> and
>> $ ipa-getkeytab ...
>> should be enough, right?
>>
>> Maybe I just do not understand the use case.
>>
>>> I could of course create an account and then apply an LDIF to set its
>>> password expiration to the next millennium to make sure the password
>>> does not expire.
>>>
>>> Anybody who has a good suggestion on how to deal with this ?
>>>
>>> Cheers
>>> Rob Verduijn
>>>
>>
>
>
>
> Hello,
>
> I think some more context should clear this up a bit.
>
> according to the RHEV administrator guide: (oVirt refers to the RHEV manuals a lot)
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html
>
> It talks about two options as a single sign on solution.
>
> One: have the single sign on work for the portal, but then it won't work
> for the VMs.
> ( something about not being able to pass a password since the portal
> won't have one to pass )
>
> Or have the single sign on work for the VMs, but then you have to sign
> in to the portal so it can pass on your credentials to the VMs.
>
> I guess there is some interesting technical challenge to deal with to
> merge those two cases.
>
> The first option requires privileges to browse the freeipa directory
> to look for user accounts.
> I do not know if that can be solved with something as simple as a
> keytab and a principal.
>
> My current working solution is an account with a very long password
> expiration time in the freeipa directory
> ( a random 32 character/number password is being used for this )
>
> However something tells me that there is a more elegant solution.
> And I was wondering if anyone knows one.

Reading the HowTo, I think using a normal FreeIPA POSIX user with password 
policy, uid, home and all the bells and whistles may be overkill. You could 
replicate what is done with the sudo system user for binding to LDAP, for example:

# ldapmodify -D "cn=Directory Manager" -x -W
dn: uid=ovirt,cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ovirt
userPassword: $YOUR_PASSWORD
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

and use that as oVirt BIND user. As for keytab, you just would not use kadmin, 
but rather add the service object with "service-add" and get the keytab with 
"ipa-getkeytab".

Other than that, the HowTo was mostly about oVirt side of configuration.

If you succeed, it would be nice to record your steps specific to FreeIPA in a 
HowTo article on FreeIPA :-)

http://www.freeipa.org/page/HowTos
http://www.freeipa.org/page/HowTo/Writing_how_to_documentation_on_the_wiki

Martin
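The procedure Martin sketches above (a system account under cn=sysaccounts for the oVirt LDAP bind, then a Kerberos service principal and keytab), put together as an added example that is not part of the original thread or of the FreeIPA or oVirt projects. It generates the bind password locally, derives the DN and the uid attribute from one variable so they cannot disagree, verifies the bind and the ability to read user entries from the new account's point of view, and keeps the password out of the process list. The suffix dc=example,dc=test, the uid "ovirt", the hosts ipa.example.test and frontend.ovirt.test, and the keytab path are assumed placeholder values; the ldap* and ipa commands are the standard OpenLDAP and FreeIPA client tools and are only invoked when RUN_IPA=1 is set.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeIPA/oVirt.
# Creates a FreeIPA system account for an oVirt LDAP bind, checks it,
# and fetches the HTTP service keytab. Hostnames, suffix and paths below
# are hypothetical placeholders.
set -eu

# Random alphanumeric password of the requested length (default 32) from /dev/urandom.
gen_password() {
    len="${1:-32}"
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# LDIF for a system account under cn=sysaccounts,cn=etc. Both the DN and the
# uid attribute come from the same $uid, so a copy-paste mismatch is impossible.
sysaccount_ldif() {
    uid="$1"; suffix="$2"; password="$3"
    printf '%s\n' \
        "dn: uid=${uid},cn=sysaccounts,cn=etc,${suffix}" \
        "changetype: add" \
        "objectclass: account" \
        "objectclass: simplesecurityobject" \
        "uid: ${uid}" \
        "userPassword: ${password}" \
        "passwordExpirationTime: 20380119031407Z" \
        "nsIdleTimeout: 0"
}

# Add the account (prompts for the Directory Manager password), then verify
# what oVirt will need: a simple bind as the new account and a one-level
# search of user entries. The password goes through a 0600 file and -y,
# never on the command line.
create_and_verify() {
    uid="$1"; suffix="$2"; server="$3"; password="$4"
    sysaccount_ldif "$uid" "$suffix" "$password" |
        ldapmodify -x -W -D "cn=Directory Manager" -H "ldap://${server}"

    binddn="uid=${uid},cn=sysaccounts,cn=etc,${suffix}"
    pwfile=$(umask 077 && mktemp)
    printf '%s' "$password" >"$pwfile"
    ldapwhoami -x -H "ldap://${server}" -D "$binddn" -y "$pwfile"
    ldapsearch -x -LLL -H "ldap://${server}" -D "$binddn" -y "$pwfile" \
        -b "cn=users,cn=accounts,${suffix}" -s one '(uid=*)' uid
    rm -f "$pwfile"
}

# Kerberos side, run on the oVirt host after "kinit admin": register the
# service principal and pull its keytab from the IPA server.
fetch_keytab() {
    host="$1"; server="$2"; keytab="$3"
    ipa service-add "HTTP/${host}"
    ipa-getkeytab -s "$server" -p "HTTP/${host}" -k "$keytab"
}

if [ "${RUN_IPA:-0}" = "1" ]; then
    SUFFIX="dc=example,dc=test"          # hypothetical
    IPA_SERVER="ipa.example.test"        # hypothetical
    OVIRT_HOST="frontend.ovirt.test"     # hypothetical
    BIND_PW=$(gen_password 32)
    create_and_verify ovirt "$SUFFIX" "$IPA_SERVER" "$BIND_PW"
    echo "oVirt bind DN: uid=ovirt,cn=sysaccounts,cn=etc,${SUFFIX}"
    echo "oVirt bind password: ${BIND_PW}"
    fetch_keytab "$OVIRT_HOST" "$IPA_SERVER" /etc/ovirt-engine/krb5.keytab
fi
```

The bind DN and password printed at the end are what go into the oVirt directory configuration; the account deliberately has no POSIX attributes, so it cannot log in anywhere, and the 2038 expiration mirrors the value used for the sudo system account.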