Bug 857129
Summary: | RHDS configuration for use with RHEVM | ||
---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Stephen Gordon <sgordon> |
Component: | Documentation | Assignee: | Stephen Gordon <sgordon> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | ecs-bugs |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 3.1.0 | CC: | acathrow, dpal, dyasny, jskeoch, rnelson, sburgess, yeylon |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Red_Hat_Enterprise_Virtualization-Installation_Guide-3.1-web-en-US-3.1.0-14.el6eng | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-12-04 17:26:02 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 604914, 616321 |
Description
Stephen Gordon
2012-09-13 16:11:57 UTC
PM feel free to NACK if you feel this is better off as a KBase which we link from documentation. Hi Dmitri, Where can internal users obtain RHDS 9 for testing with RHEV? I notice it is not available under the default employee subscription. Thanks, Steve Dmitri, I managed to install the memberOf plugin easily enough on my RHDS instance. I was wondering if you could give me some more information on how I would go about making RHDS a service in a Kerberos domain (let's say for arguments sake I'm using IPA as the Kerberos domain)? Is this the right procedure?: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-services.html#adding-service-entry Also can you clarify something for me - are both IPA and RHDS using 389 behind the scenes (this seems to be what the IDM guide says but just want to confirm)? Thanks, Steve I assume that in your environment there is IdM or other KDC that manages the kerberos infrastructure. Then you need to have a kerberized service, in this case RHDS and then there is a client RHEV-M or user via RHEV-M that accesses to the RHDS. So in this case: 1) The service (RHDS) needs to get a service principal ldap/hostname@REALMNAME In IPA it can be done via UI that you reference or CLI to add service. 2) A keytab needs to be issued for this service. If you use IPA then you can use ipa-getkeytab utility to fetch a keytab for the service from IPA. 3) Install the keytab on the system where service is running, just copy keytab file on the RHDS system. You need to consult RHDS docs about the recommended place RHDS expects this keytab to be in. 4) Configure RHDS to recognize this keytab and accept GSSAPI authentication with Kerberos. After this is confgired I suggest you test it. 5) To test configuration use a user that has a Kerberos account in the same realm as the service (IPA realm in this case). Do kinit being that user from the system that is joined into IPA domain. Authenticate with the kerberos password. Then run ldapsearch against RHDS. For authentication use -Y GSSAPI and do not provide any password or user argument. 6) Teach RHEV-M (or other client you use) to use the same arguments when you connect to RHDS. Now about RHDS and IPA. Yes IPA is built on top 389 DS and uses same packages as RHDS just configured a bit differently in some cases. If you thus want to use the IPA as you DS server the steps 1-4 are not needed as IPA's DS instance already configured for Kerberos auth. You can just do steps 5-6. HTH. Yeah, personally I generally just use IPA directly. Here though I am attempting to round up and document the extra hoops someone needs to jump through if they have RHDS and want to use it to auth to RHEV (which requires kerberos). *** Bug 605507 has been marked as a duplicate of this bug. *** |