Directory Users
Directory Services Support in oVirt
During installation oVirt creates its own internal administration user, admin (admin@internal). This account is intended for use when initially configuring the environment, and for troubleshooting. To add other users to oVirt you must attach a directory server to oVirt using the Domain Management Tool, engine-manage-domains.
Once at least one directory server has been attached to oVirt, you can add users that exist in the directory server and assign roles to them using the Administration Portal. Users are identified by their User Principal Name (UPN) of the form user@domain. Attaching more than one directory server to oVirt is also supported.
The directory servers supported for use with oVirt 3.4 are:
- Active Directory
- Identity Management (IdM)
- Red Hat Directory Server 9 (RHDS 9)
- OpenLDAP
You must ensure that the correct DNS records exist for your directory server. In particular, the DNS records for the directory server must include:
- A valid pointer record (PTR) for the directory server's reverse look-up address.
- A valid service record (SRV) for LDAP over TCP port 389.
- A valid service record (SRV) for Kerberos over TCP port 88.
- A valid service record (SRV) for Kerberos over UDP port 88.
If these records do not exist in DNS then you cannot add the domain to the oVirt configuration using engine-manage-domains.
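The following pre-flight check is an added example, not code from the original page or from oVirt. It uses dig(1) to look up the three SRV records listed above (_ldap._tcp, _kerberos._tcp and _kerberos._udp under the domain), verifies that they advertise the expected ports, and then confirms that every SRV target resolves forward and that the reverse (PTR) lookup of each address names the target again. The domain and host names in the usage line are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight DNS check for a directory domain before running
# engine-manage-domains. Requires dig(1). Domain/host names are assumptions.

# srv_has_port <port>: read "prio weight port target" lines (the format of
# `dig +short SRV`) on stdin; succeed if at least one record advertises <port>.
srv_has_port() {
    awk -v want="$1" '$3 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# srv_targets: read the same lines, print each target host without the
# trailing dot so it can be fed to A and PTR queries.
srv_targets() {
    awk '{ sub(/\.$/, "", $4); print $4 }'
}

# ptr_matches <ptr-answer> <expected-host>: succeed if the PTR answer names the
# expected host (case-insensitive, trailing dot ignored).
ptr_matches() {
    ptr=$(printf '%s' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$ptr" = "$want" ]
}

# check_srv <service> <proto> <port> <domain>: query _<service>._<proto>.<domain>,
# verify the advertised port, then verify A and PTR records of every target.
check_srv() {
    rc=0
    name="_$1._$2.$4"
    records=$(dig +short SRV "$name")
    if [ -z "$records" ]; then
        echo "FAIL  no SRV record for $name"; return 1
    fi
    if ! printf '%s\n' "$records" | srv_has_port "$3"; then
        echo "FAIL  $name does not advertise port $3"; return 1
    fi
    echo "ok    $name advertises port $3"
    for host in $(printf '%s\n' "$records" | srv_targets); do
        addrs=$(dig +short A "$host")
        [ -n "$addrs" ] || { echo "FAIL  $host has no A record"; rc=1; continue; }
        for ip in $addrs; do
            ptr=$(dig +short -x "$ip" | head -n 1)
            if ptr_matches "$ptr" "$host"; then
                echo "ok    PTR $ip -> $host"
            else
                echo "FAIL  PTR for $ip is '${ptr:-<none>}', expected $host"; rc=1
            fi
        done
    done
    return "$rc"
}

# check_domain <domain>: all three SRV checks; a non-zero exit means
# `engine-manage-domains add` will not be able to use this domain.
check_domain() {
    status=0
    check_srv ldap     tcp 389 "$1" || status=1
    check_srv kerberos tcp  88 "$1" || status=1
    check_srv kerberos udp  88 "$1" || status=1
    return "$status"
}

# Usage (assumed domain): sh dnscheck.sh example.local
if [ $# -eq 1 ]; then
    check_domain "$1"
fi
```

Run it on the engine host, which is where engine-manage-domains will do its own lookups; a resolver that differs from the one the directory server uses is a common reason the records "exist" but the add still fails.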
For more detailed information on installing and configuring a supported directory server, see the vendor's documentation:
- Active Directory - http://technet.microsoft.com/en-us/windowsserver/dd448614.
- Identity Management (IdM) - http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
- Red Hat Directory Server (RHDS) - http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/index.html
- OpenLDAP - http://www.openldap.org/doc/
If you plan to use sysprep in the creation of Templates and Virtual Machines, then the oVirt administrative user must be delegated control over the Active Directory domain to:
- Join a computer to the domain
- Modify the membership of a group
For information on creation of user accounts in Active Directory, see http://technet.microsoft.com/en-us/library/cc732336.aspx.
For information on delegation of control in Active Directory, see http://technet.microsoft.com/en-us/library/cc732524.aspx.
The following steps apply to Red Hat Directory Server (RHDS):
- Configure the memberOf plug-in for RHDS to allow group membership. In particular, ensure that the value of the memberofgroupattr attribute of the memberOf plug-in is set to uniqueMember. In OpenLDAP the memberOf functionality is not a "plug-in" but an "overlay"; it is not active by default and must be loaded and enabled in the slapd configuration. Consult the Red Hat Directory Server 9.0 Plug-in Guide for more information on configuring the memberOf plug-in.
- Define the directory server as a service of the form ldap/hostname@REALMNAME in the Kerberos realm. Replace hostname with the fully qualified domain name of the directory server and REALMNAME with the fully qualified Kerberos realm name. The Kerberos realm name must be specified in capital letters.
- Generate a keytab file for the directory server in the Kerberos realm. The keytab file contains pairs of Kerberos principals and their associated encrypted keys. These keys allow the directory server to authenticate itself to the Kerberos realm. Consult the documentation for your Kerberos implementation (KDC) for more information on generating a keytab file.
- Install the keytab file on the directory server. Then configure RHDS to recognize the keytab file and accept Kerberos authentication using GSSAPI. Consult the Red Hat Directory Server 9.0 Administration Guide for more information on configuring RHDS to use an external keytab file.
- Test the configuration on the directory server by using the kinit command to authenticate as a user defined in the Kerberos realm. Once authenticated, run the ldapsearch command against the directory server. Use the -Y GSSAPI parameter to ensure that Kerberos is used for authentication.
[root@engine ~]# man engine-manage-domains
engine-manage-domains(8) engine-manage-domains(8)
NAME
engine-manage-domains - Engine management domains tool
SYNOPSIS
Usage: engine-manage-domains <action> [<args>]
Available actions:
add add a domain using specified provider and user
edit edit an existing domain
delete delete an existing domain
validate validate the current configuration
list list the current configuration
Add domain
engine-manage-domains add --domain=DOMAIN --provider=PROVIDER --user=USER [--add-permissions]
[--config-file=CFG_FILE] [--ldap-servers=SERVERS] [--resolve-kdc] [--password-file=PASS_FILE]
[--change-password-msg]
Edit domain
engine-manage-domains edit --domain=DOMAIN [--provider=PROVIDER] [--user=USER] [--add-permissions]
[--config-file=CFG_FILE] [--ldap-servers=SERVERS] [--resolve-kdc] [--password-file=PASS_FILE]
[--change-password-msg]
Delete domain
engine-manage-domains delete --domain=DOMAIN [--force] [--config-file=CFG_FILE] [--password-
file=PASS_FILE]
Validate configuration
engine-manage-domains validate [--report] [--config-file=CFG_FILE]
List configuration
engine-manage-domains list [--config-file=CFG_FILE]
OPTIONS
--add-permissions
Add engine superuser permissions to the user.
--change-password-msg
Reads interactively a URL or a message to be returned to the user in case the password has expired.
--config-file=CFG_FILE
Use the given alternate configuration file.
--domain=DOMAIN
The domain you wish to perform the action on.
--force
Skip confirmation of a delete operation
--help
Show this help message and exit.
--ldap-servers=SERVERS
A comma delimited list of LDAP servers to be set to the domain.
--log-file=LOG_FILE
Sets file to write logging into (if not set nothing is logged).
--log-level=LOG_LEVEL
Sets log level, one of FINE, INFO (default), WARNING, SEVERE (case insensitive).
--provider=PROVIDER
The LDAP provider type of server used for the domain (case insensitive).
ad Microsoft Active Directory
ipa freeIPA
rhds Red Hat Directory Server
itds IBM Tivoli Directory Server
oldap OpenLDAP
--report
Report all validation error, if occured (default behaviour is to exit when a validation error
occurs).
--resolve-kdc
Resolve KDC servers using DNS (don't assume they are the same as LDAP servers).
--user=USER
The domain user.
--password-file=PASS_FILE
A file containing the password (if it's not set, the password will be read interactively).
CUSTOM LOGGING
If you need custom logging setup, please create your own Java.util.logging properties file, set a path
to this file into OVIRT_LOGGING_PROPERTIES environment variable and execute engine-manage-domains.
BUGS
Report bugs to <http://bugzilla.redhat.com>
COPYRIGHT
Copyright 2010-2013 Red Hat, Inc.
April 30, 2013 engine-manage-domains(8)
[root@engine ~]# engine-manage-domains add --domain=XXX.local --provider=ad --user=mk01
Enter password:
The domain bainuo.local has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.
Users from this domain can be granted permissions by editing the domain using action edit and specifying --add-permissions or from the Web administration interface logging in as admin@internal user.
oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully
[root@engine ~]# systemctl restart ovirt-engine
When adding the domain, use an ordinary domain account; using a domain administrator account actually fails. After the domain has been added, go to the web interface to add users to oVirt and assign them the corresponding virtual machines and permissions; they can then log in from the User Portal and start using it.
The interface is fairly clean and simple; you can power machines on and off, reboot them, and open the console. For a good experience you need to install the guest-tools, but in my testing I ran into compatibility problems that made the virtual machines lag quite badly, though that may also have something to do with my machine's low specification.
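A non-interactive version of the add shown in the session above, as an added example that is not code from the original page or from oVirt. It follows the man page's options: the password comes from a --password-file rather than the prompt, --resolve-kdc is set so the KDCs are found via the DNS SRV records rather than assumed to be the LDAP servers, and validate --report is run before the engine is restarted. The domain, provider, account, server list and file paths are assumptions. --add-permissions is deliberately left out (it would make the bind account an engine superuser); the account is an ordinary domain user, as the note above recommends, and permissions are granted per user afterwards in the Administration Portal.

```sh
#!/bin/sh
# Added example (not from the page or oVirt): attach a directory domain with
# engine-manage-domains without typing the password interactively. All values
# in the usage line are assumptions.

# write_password_file <path>: read the password from stdin into a file only the
# owner can read, so it is never on a command line or in shell history.
write_password_file() {
    ( umask 077; cat > "$1" ) || return 1
    # verify the mode is exactly rw------- (portable: parse ls -l)
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# add_domain <domain> <provider> <user> <ldap-servers> <password-file>
# --resolve-kdc: locate KDCs from DNS SRV records instead of the LDAP servers.
# validate --report: list every configuration problem, not just the first.
add_domain() {
    engine-manage-domains add --domain="$1" --provider="$2" --user="$3" \
        --ldap-servers="$4" --resolve-kdc --password-file="$5" || return 1
    engine-manage-domains validate --report || return 1
    engine-manage-domains list
}

# attach_domain <domain> <provider> <user> <ldap-servers>: full workflow; the
# password file is removed whether or not the add succeeds, then the engine is
# restarted so the new authentication source is picked up.
attach_domain() {
    dir=$(mktemp -d) || return 1
    pwfile="$dir/pw"
    trap 'rm -rf "$dir"' EXIT
    write_password_file "$pwfile" || return 1
    add_domain "$1" "$2" "$3" "$4" "$pwfile" || return 1
    rm -rf "$dir"
    systemctl restart ovirt-engine
}

# Usage (assumed values); the password is supplied on stdin:
#   printf '%s' "$DOMAIN_PASSWORD" | \
#       attach_domain example.local ad svc-ovirt dc1.example.local,dc2.example.local
```

After the restart, grant roles to individual directory users (user@domain) from the Administration Portal as admin@internal, exactly as the "no users from that domain have been granted permissions" message in the session above describes.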