oVirt: Adding Domains and Users

Directory Users

Directory Services Support in oVirt

During installation oVirt creates its own internal administration user, admin. This account is intended for use when initially configuring the environment, and for troubleshooting. To add other users to oVirt you must attach a directory server to oVirt using the Domain Management Tool, engine-manage-domains.

Once at least one directory server has been attached to oVirt, you can add users that exist in the directory server and assign roles to them using the Administration Portal. Users can be identified by their User Principal Name (UPN) of the form user@domain. Attachment of more than one directory server to oVirt is also supported.

The directory servers supported for use with oVirt 3.4 are:

  • Active Directory
  • Identity Management (IdM)
  • Red Hat Directory Server 9 (RHDS 9)
  • OpenLDAP

You must ensure that the correct DNS records exist for your directory server. In particular you must ensure that the DNS records for the directory server include:

  • A valid pointer record (PTR) for the directory server's reverse look-up address.
  • A valid service record (SRV) for LDAP over TCP port 389.
  • A valid service record (SRV) for Kerberos over TCP port 88.
  • A valid service record (SRV) for Kerberos over UDP port 88.

If these records do not exist in DNS then you cannot add the domain to oVirt configuration using engine-manage-domains.
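A pre-flight script that checks exactly those four records (PTR for the directory server, SRV for LDAP/TCP 389, Kerberos/TCP 88 and Kerberos/UDP 88) before engine-manage-domains is run. This is an added example, not part of the oVirt documentation; it assumes dig from bind-utils is installed, and the domain name and address used in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Verify the DNS records engine-manage-domains needs for a directory domain.
# Added example (not oVirt's own tooling). Assumes `dig` is available.

# srv_ok NAME PORT: succeed when at least one SRV answer for NAME advertises PORT.
# `dig +short SRV` prints "priority weight port target." per answer, so the
# port is the third field; an empty answer set means the record is missing.
srv_ok() {
  dig +short SRV "$1" | awk -v want="$2" 'BEGIN{ok=1} $3==want{ok=0} END{exit ok}'
}

# ptr_ok IPV4: succeed when the reverse (in-addr.arpa) name of IPV4 has a PTR answer.
ptr_ok() {
  rev=$(printf '%s\n' "$1" | awk -F. '{print $4"."$3"."$2"."$1".in-addr.arpa"}')
  [ -n "$(dig +short PTR "$rev")" ]
}

# check_domain_dns DOMAIN DIRSERVER_IPV4: print one line per missing record,
# return 0 only if all four required records are present.
check_domain_dns() {
  domain=$1; ip=$2; missing=0
  srv_ok "_ldap._tcp.$domain" 389    || { echo "MISSING SRV _ldap._tcp.$domain port 389"; missing=1; }
  srv_ok "_kerberos._tcp.$domain" 88 || { echo "MISSING SRV _kerberos._tcp.$domain port 88"; missing=1; }
  srv_ok "_kerberos._udp.$domain" 88 || { echo "MISSING SRV _kerberos._udp.$domain port 88"; missing=1; }
  ptr_ok "$ip"                        || { echo "MISSING PTR for $ip"; missing=1; }
  return $missing
}

# Usage (constructed values): sh check-dns.sh example.test 192.0.2.10 \
#   && engine-manage-domains add --domain=example.test --provider=ad --user=svc-ovirt
if [ "$#" -eq 2 ]; then
  check_domain_dns "$1" "$2"
fi
```

An SRV record that exists but advertises the wrong port (for example 636 instead of 389) is reported as missing, since engine-manage-domains expects the ports listed above.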

For more detailed information on installing and configuring a supported directory server, see the vendor's documentation:

Important: A user must be created in the directory server specifically for use as the oVirt administrative user. Do not use the administrative user for the directory server as the oVirt administrative user.
Important: It is not possible to install oVirt (rhevm) and IdM (ipa-server) on the same system. IdM is incompatible with the mod_ssl package, which is required by oVirt.
Important: If you are using Active Directory as your directory server, and you want to use sysprep in the creation of Templates and Virtual Machines, then the oVirt administrative user must be delegated control over the Domain to:
  • Join a computer to the domain
  • Modify the membership of a group

For information on creation of user accounts in Active Directory, see http://technet.microsoft.com/en-us/library/cc732336.aspx.

For information on delegation of control in Active Directory, see http://technet.microsoft.com/en-us/library/cc732524.aspx.
Note: oVirt uses Kerberos to authenticate with directory servers. RHDS does not provide native support for Kerberos. If you are using RHDS as your directory server then you must ensure that the directory server is made a service within a valid Kerberos domain. To do this you must perform these steps while referring to the relevant directory server documentation:
  • Configure the memberOf plug-in for RHDS to allow group membership. In particular ensure that the value of the memberofgroupattr attribute of the memberOf plug-in is set to uniqueMember. In OpenLDAP, the memberOf functionality is not called a "plugin"; it is called an "overlay" and requires no configuration after installation. Consult the Red Hat Directory Server 9.0 Plug-in Guide for more information on configuring the memberOf plug-in.
  • Define the directory server as a service of the form ldap/hostname@REALMNAME in the Kerberos realm. Replace hostname with the fully qualified domain name associated with the directory server and REALMNAME with the fully qualified Kerberos realm name. The Kerberos realm name must be specified in capital letters.
  • Generate a keytab file for the directory server in the Kerberos realm. The keytab file contains pairs of Kerberos principals and their associated encrypted keys. These keys allow the directory server to authenticate itself with the Kerberos realm. Consult the documentation for your Kerberos principal for more information on generating a keytab file.
  • Install the keytab file on the directory server. Then configure RHDS to recognize the keytab file and accept Kerberos authentication using GSSAPI. Consult the Red Hat Directory Server 9.0 Administration Guide for more information on configuring RHDS to use an external keytab file.
  • Test the configuration on the directory server by using the kinit command to authenticate as a user defined in the Kerberos realm. Once authenticated, run the ldapsearch command against the directory server. Use the -Y GSSAPI parameter to ensure the use of Kerberos for authentication.

engine-manage-domains usage notes


[root@engine ~]# man engine-manage-domains
engine-manage-domains(8)                                                              engine-manage-domains(8)


NAME
       engine-manage-domains - Engine management domains tool


SYNOPSIS
       Usage: engine-manage-domains <action> [<args>]


       Available actions:
           add         add a domain using specified provider and user
           edit        edit an existing domain
           delete      delete an existing domain
           validate    validate the current configuration
           list        list the current configuration


       Add domain
           engine-manage-domains  add  --domain=DOMAIN  --provider=PROVIDER  --user=USER   [--add-permissions]
           [--config-file=CFG_FILE]   [--ldap-servers=SERVERS]   [--resolve-kdc]   [--password-file=PASS_FILE]
           [--change-password-msg]


       Edit domain
           engine-manage-domains edit --domain=DOMAIN [--provider=PROVIDER] [--user=USER]  [--add-permissions]
           [--config-file=CFG_FILE]   [--ldap-servers=SERVERS]   [--resolve-kdc]   [--password-file=PASS_FILE]
           [--change-password-msg]


       Delete domain
           engine-manage-domains   delete   --domain=DOMAIN  [--force]  [--config-file=CFG_FILE]  [--password-
           file=PASS_FILE]


       Validate configuration
           engine-manage-domains validate [--report] [--config-file=CFG_FILE]


       List configuration
           engine-manage-domains list [--config-file=CFG_FILE]


OPTIONS
       --add-permissions
           Add engine superuser permissions to the user.


       --change-password-msg
           Reads interactively a URL or a message to be returned to the user in case the password has expired.


       --config-file=CFG_FILE
           Use the given alternate configuration file.


       --domain=DOMAIN
           The domain you wish to perform the action on.


       --force
           Skip confirmation of a delete operation


       --help
           Show this help message and exit.


       --ldap-servers=SERVERS
           A comma delimited list of LDAP servers to be set to the domain.


       --log-file=LOG_FILE
           Sets file to write logging into (if not set nothing is logged).


       --log-level=LOG_LEVEL
           Sets log level, one of FINE, INFO (default), WARNING, SEVERE (case insensitive).


       --provider=PROVIDER
           The LDAP provider type of server used for the domain (case insensitive).
               ad        Microsoft Active Directory
               ipa       freeIPA
               rhds      Red Hat Directory Server
               itds      IBM Tivoli Directory Server
               oldap     OpenLDAP


       --report
           Report all validation error, if occured (default behaviour is  to  exit  when  a  validation  error
           occurs).


       --resolve-kdc
           Resolve KDC servers using DNS (don't assume they are the same as LDAP servers).


       --user=USER
           The domain user.


       --password-file=PASS_FILE
           A file containing the password (if it's not set, the password will be read interactively).


CUSTOM LOGGING
       If  you need custom logging setup, please create your own Java.util.logging properties file, set a path
       to this file into OVIRT_LOGGING_PROPERTIES environment variable and execute engine-manage-domains.


BUGS
       Report bugs to <http://bugzilla.redhat.com>


COPYRIGHT
       Copyright 2010-2013 Red Hat, Inc.


                                                April 30, 2013                        engine-manage-domains(8)



[root@engine ~]# engine-manage-domains  add  --domain=XXX.local  --provider=ad  --user=mk01
Enter password:
The domain bainuo.local has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.
Users from this domain can be granted permissions by editing the domain using action edit and specifying --add-permissions or from the Web administration interface logging in as admin@internal user.
oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully
[root@engine ~]# systemctl restart ovirt-engine

When adding the domain, an ordinary domain account is sufficient; using a domain administrator account actually fails. Once the domain is added, open the web Administration Portal to add users to oVirt and assign them the appropriate virtual machines and permissions; they can then log in from the User Portal and start using them.


The interface is fairly clean and neat, and lets you power on, power off and reboot virtual machines and open a console. For a good experience you need to install the guest-tools package, but in my testing I ran into compatibility problems that caused quite serious lag in the virtual machines, although that may also have something to do with my machine's low specifications.
