Red Hat Bugzilla – Bug 857129
RHDS configuration for use with RHEVM
Last modified: 2014-03-25 03:12:18 EDT
Description of problem:
Need to make sure we capture additional configuration steps for RHDS in the installation guide. Cite the RHDS docs as the primary source for installing RHDS - concentrate on RHEV-specific steps.
PM feel free to NACK if you feel this is better off as a KBase which we link from documentation.
Where can internal users obtain RHDS 9 for testing with RHEV? I notice it is not available under the default employee subscription.
I managed to install the memberOf plugin easily enough on my RHDS instance. I was wondering if you could give me some more information on how I would go about making RHDS a service in a Kerberos domain (let's say for argument's sake I'm using IPA as the Kerberos domain)? Is this the right procedure?:
Also can you clarify something for me - are both IPA and RHDS using 389 behind the scenes (this seems to be what the IDM guide says but just want to confirm)?
I assume that in your environment there is IdM or another KDC that manages the Kerberos infrastructure. Then you need to have a kerberized service, in this case RHDS, and then there is a client, RHEV-M or a user via RHEV-M, that accesses the RHDS.
So in this case:
1) The service (RHDS) needs to get a service principal ldap/hostname@REALMNAME
In IPA it can be done via the UI that you reference or via the CLI to add a service.
2) A keytab needs to be issued for this service. If you use IPA then you can use ipa-getkeytab utility to fetch a keytab for the service from IPA.
3) Install the keytab on the system where the service is running; just copy the keytab file to the RHDS system. You need to consult the RHDS docs about the recommended place RHDS expects this keytab to be in.
4) Configure RHDS to recognize this keytab and accept GSSAPI authentication with Kerberos. After this is configured I suggest you test it.
5) To test the configuration, use a user that has a Kerberos account in the same realm as the service (the IPA realm in this case). Do kinit as that user from a system that is joined to the IPA domain. Authenticate with the Kerberos password. Then run ldapsearch against RHDS. For authentication use -Y GSSAPI and do not provide any password or user argument.
6) Teach RHEV-M (or other client you use) to use the same arguments when you connect to RHDS.
Now about RHDS and IPA. Yes, IPA is built on top of 389 DS and uses the same packages as RHDS, just configured a bit differently in some cases.
If you thus want to use IPA as your DS server, steps 1-4 are not needed as IPA's DS instance is already configured for Kerberos auth. You can just do steps 5-6.
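The six steps above, written out as a shell script. This is an added example, not from the bug report or from the RHDS/IPA documentation: the hostnames, the realm, the keytab path (`/etc/dirsrv/ds.keytab`), the `dirsrv` service account and the `KRB5_KTNAME` setting in `/etc/sysconfig/dirsrv` are assumptions to be checked against the RHDS docs, exactly as step 3 says. The `ipa service-add`, `ipa-getkeytab`, `kinit` and `ldapsearch -Y GSSAPI` invocations are the real commands; the principal-format check is a local sanity test so that a malformed `ldap/host@REALM` is caught before anything is asked of the KDC.

```shell
#!/bin/sh
# Added example (not part of the bug report): RHDS as a Kerberos service in an IPA realm.
set -eu

RHDS_HOST="${RHDS_HOST:-ds.example.com}"      # assumed FQDN of the RHDS server
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"   # assumed IPA/KDC server
REALM="${REALM:-EXAMPLE.COM}"                 # assumed Kerberos realm (must be upper-case)
KEYTAB="${KEYTAB:-/etc/dirsrv/ds.keytab}"     # assumed path; confirm against the RHDS docs

# Step 1: service principal in the form ldap/hostname@REALMNAME
service_principal() {
  printf 'ldap/%s@%s\n' "$1" "$2"
}

# Local sanity check before touching the KDC: service must be "ldap", host must be an FQDN,
# realm must be upper-case, and there must be exactly one '/' and one '@'.
valid_principal() {
  case "$1" in
    ldap/*.*@*) ;;
    *) return 1 ;;
  esac
  realm=${1##*@}
  host=${1#ldap/}; host=${host%@*}
  case "$realm" in *@*|*/*|*.) return 1 ;; esac
  case "$host" in *@*|*/*) return 1 ;; esac
  [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] || return 1
  return 0
}

# Steps 1-2: run on an IPA-enrolled host after "kinit admin" (or another account allowed to
# manage services). ipa-getkeytab writes the new key into $KEYTAB.
register_service() {
  princ=$(service_principal "$RHDS_HOST" "$REALM")
  valid_principal "$princ" || { echo "malformed principal: $princ" >&2; return 1; }
  ipa service-add "$princ"
  ipa-getkeytab -s "$IPA_SERVER" -p "$princ" -k "$KEYTAB"
}

# Steps 3-4: copy the keytab to the RHDS host, restrict it to the directory server account,
# and point the server at it. KRB5_KTNAME in /etc/sysconfig/dirsrv is an assumption here;
# the RHDS docs are the authority on where the server expects the keytab.
install_keytab() {
  scp "$KEYTAB" "root@$RHDS_HOST:$KEYTAB"
  ssh "root@$RHDS_HOST" "chown dirsrv:dirsrv '$KEYTAB' && chmod 600 '$KEYTAB' \
    && printf 'KRB5_KTNAME=%s ; export KRB5_KTNAME\n' '$KEYTAB' >> /etc/sysconfig/dirsrv \
    && service dirsrv restart"
}

# Step 5: the exact ldapsearch invocation, with no -D/-w (identity comes from the ticket cache).
gssapi_search_cmd() {
  printf 'ldapsearch -Y GSSAPI -H ldap://%s -b %s -s base (objectClass=*)\n' "$1" "$2"
}

# Step 5: from an IPA-joined client, as a user in the same realm. kinit prompts for the
# user's Kerberos password; ldapsearch must succeed without any user or password argument.
test_gssapi_bind() {
  kinit "$1@$REALM"
  ldapsearch -Y GSSAPI -H "ldap://$RHDS_HOST" -b "$2" -s base '(objectClass=*)'
}

# Step 6 is configuration on the RHEV-M side: give it the same URL and GSSAPI mechanism
# that made test_gssapi_bind succeed.
# Usage: sh rhds-krb.sh register | install | test <user> <basedn>
case "${1:-}" in
  register) register_service ;;
  install)  install_keytab ;;
  test)     test_gssapi_bind "$2" "$3" ;;
esac
```

Run `register` once from an IPA-enrolled admin host, `install` once against the RHDS host, and `test` from any IPA-joined client; if the last step succeeds without `-D` or `-w`, RHEV-M can be pointed at the same server with GSSAPI.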
Yeah, personally I generally just use IPA directly. Here though I am attempting to round up and document the extra hoops someone needs to jump through if they have RHDS and want to use it to auth to RHEV (which requires Kerberos).
*** Bug 605507 has been marked as a duplicate of this bug. ***