Description of problem:
Here is the requirement from the customer:
"We have installed and configured the ipa (or IDM) client on the hypervisor.
The end intent is to configure the hypervisor so that our end users can deploy systems with a limited number of resources, i.e. a user or group cannot use more than n CPUs, n GB of memory, n amount of disk space, etc. However, since we are moving toward centralized authentication, we need to be able to have the user authenticate against Active Directory via the IPA/IDM client *WITH* their Active Directory credentials in the web UI for RHEV.
So that we are clear, the systems configured as hypervisor are hypervisors ONLY and will be performing NO OTHER function than to manage virtual systems.
The IDM client has already been installed/configured and is working. However, we are having difficulty in getting the web UI to authenticate against Active Directory.
What do we need to tweak in order to make that happen?"
Ondra's response:
"We have never tested AD<->IPA integration, but it should work.
Can you ask them if they want to use SSO with Kerberos to automatically log in to RHEV?
Or if they want to use the LDAP protocol to log in to RHEV with username/password?
We can test it later if it works properly.
Also, what version of RHEV and IPA do they use? Do they use aaa-ldap?"
Have asked the customer for information. Will update as soon as I get a response.
We looked at the issue and unfortunately we cannot currently provide a working solution for how to integrate with AD <-> IPA trust using existing aaa-ldap versions.
For the record, Pavel Brezina shared the following known issue with these options in SSSD:
https://fedorahosted.org/sssd/ticket/2316 (sudoNotBefore time is not always respected)
We didn't get to this bug for more than 2 years, and it's not being considered for the upcoming 4.4. It's unlikely that it will ever be addressed, so I'm suggesting to close it.
If you feel this needs to be addressed and want to work on it, please remove cond nack and target accordingly.
ok, closing. Please reopen if still relevant/you want to work on it.