[Ovirt-devel] ovirt and freeipa

Michael DeHaan mdehaan at redhat.com
Thu Apr 9 19:34:50 UTC 2009


Mike McGrath wrote:
> So if we have an organization that, for any reason, cannot run freeipa.
> They cannot use ovirt.  Freeipa is a false requirement for cloud and
> virtualization.
>
> The web frontend already uses basic auth, by doing this it makes it easy
> to swap auth out with many of the apache mod_auth modules allowing people
> to pick whatever auth mechanism they want.
>
> Use case:
>
> 1) Admin uses mod_auth_postgres
> 2) User exists in postgres logs in to ovirtwui
> 3) ovirt creates the user if it doesn't exist
> 4) admin can then create permissions and things for the user
>
> How hard would it be to do the above?
>
>         -Mike "let's find some stuff to take out before we add" McGrath

+1.

There's also a likelihood that an ovirt userbase could have an existing 
kerberos server they want to use, or don't want an LDAP
server. Are those supportable now?

From experience, organizations tend to be picky about site-specific 
details, and supporting multiple systems provides a greater
chance of adoption. Thus it is very nice to support auth, via say, pam, 
or Apache (including what Mike mentions, but also
doing basic auth for demos), or something that allows for configuring 
options.

The other question is: if they must also set up FreeIPA, is a user 
more likely to get frustrated during the demo or not install it?

Ideally, "yum install" and having a guest up and running in 30 minutes 
should be a good goal to have.

That was one of the major reasons, I think, why virt-factory didn't take 
off -- they had to understand Puppet + virt, at a time when they
really wanted to wrap their heads around one new thing. So FreeIPA + 
OVirt is also two new things, in much the same kind of way.

Providing simple options as well as the IPA options would probably help 
reach a wider install base, and also make setting it up for a proof
of concept/demo easier too, I think.

If I could just say, point it at an existing kerberos source and allow 
only these 7 users access, even, that would be useful.

--Michael




