Bug 857129 - RHDS configuration for use with RHEVM
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: Documentation
Assigned To: Stephen Gordon
Duplicates: 605507
Blocks: 604914 616321
Reported: 2012-09-13 12:11 EDT by Stephen Gordon
Modified: 2014-03-25 03:12 EDT
Fixed In Version: Red_Hat_Enterprise_Virtualization-Installation_Guide-3.1-web-en-US-3.1.0-14.el6eng
Doc Type: Bug Fix
Last Closed: 2012-12-04 12:26:02 EST
Type: Bug

Description Stephen Gordon 2012-09-13 12:11:57 EDT
Description of problem:

Need to make sure we capture additional configuration steps for RHDS in the installation guide. Cite to RHDS docs as primary source for installing RHDS - concentrate on RHEV specific steps.

Source material:

Comment 1 Stephen Gordon 2012-09-13 12:12:55 EDT
PM feel free to NACK if you feel this is better off as a KBase which we link from documentation.
Comment 2 Stephen Gordon 2012-09-25 13:57:18 EDT
Hi Dmitri,

Where can internal users obtain RHDS 9 for testing with RHEV? I notice it is not available under the default employee subscription.


Comment 5 Stephen Gordon 2012-09-27 10:19:07 EDT

I managed to install the memberOf plugin easily enough on my RHDS instance. I was wondering if you could give me some more information on how I would go about making RHDS a service in a Kerberos domain (let's say for argument's sake I'm using IPA as the Kerberos domain)? Is this the right procedure?:


Also can you clarify something for me - are both IPA and RHDS using 389 behind the scenes (this seems to be what the IDM guide says but just want to confirm)?


Comment 6 Dmitri Pal 2012-09-27 12:06:00 EDT
I assume that in your environment there is IdM or another KDC that manages the Kerberos infrastructure. Then you need to have a kerberized service, in this case RHDS, and then there is a client, RHEV-M or a user via RHEV-M, that accesses the RHDS.

So in this case:
1) The service (RHDS) needs to get a service principal ldap/hostname@REALMNAME
In IPA it can be done via UI that you reference or CLI to add service.
2) A keytab needs to be issued for this service. If you use IPA then you can use ipa-getkeytab utility to fetch a keytab for the service from IPA.
3) Install the keytab on the system where service is running, just copy keytab file on the RHDS system. You need to consult RHDS docs about the recommended place RHDS expects this keytab to be in.
4) Configure RHDS to recognize this keytab and accept GSSAPI authentication with Kerberos. After this is configured I suggest you test it.
5) To test the configuration, use a user that has a Kerberos account in the same realm as the service (IPA realm in this case). Run kinit as that user from a system that is joined to the IPA domain. Authenticate with the Kerberos password. Then run ldapsearch against RHDS. For authentication use -Y GSSAPI and do not provide any password or user argument.
6) Teach RHEV-M (or other client you use) to use the same arguments when you connect to RHDS.

Now about RHDS and IPA. Yes, IPA is built on top of 389 DS and uses the same packages as RHDS, just configured a bit differently in some cases.
If you thus want to use IPA as your DS server, steps 1-4 are not needed, as IPA's DS instance is already configured for Kerberos auth. You can just do steps 5-6.
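
Pre-flight checks for steps 1 to 5 of Comment 6, as an added example that is not part of the bug thread or of Red Hat's documentation. Hostname, realm and keytab path are caller-supplied placeholders, the klist sample is constructed, and the owner-only keytab mode is this example's assumption rather than something the thread states.

```shell
#!/bin/sh
# Added example: pre-flight checks for steps 1-5. Host, realm and keytab
# path are placeholders supplied by the caller, not values from the bug.

# Step 1: the principal RHDS must hold, ldap/<fqdn>@<REALM>
# (hostname lower-cased, realm upper-cased, the usual Kerberos convention).
service_principal() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf 'ldap/%s@%s\n' "$host" "$realm"
}

# Steps 2-3: read `klist -k <keytab>` output on stdin; succeed only if a
# key for the expected principal is listed (lines look like "<KVNO> <name>").
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                      END { exit !found }'
}

# Step 3: the keytab holds the service's long-term key, so this example
# assumes it should be accessible by its owner only (mode 600 or 400).
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Step 5: after kinit, bind with the ticket only: -Y GSSAPI, no -D and no -w.
gssapi_bind_test() {
    ldapsearch -Y GSSAPI -H "ldap://$1" -b "" -s base '(objectClass=*)' namingContexts
}

# Constructed sample of `klist -k` output, used to exercise the parser offline.
SAMPLE_KLIST='Keytab name: FILE:/tmp/example.keytab
KVNO Principal
---- --------------------------------------------
   1 ldap/rhds.example.com@EXAMPLE.COM'

# Usage: sh check.sh <rhds-fqdn> <REALM> <keytab>   (on the RHDS host, after kinit)
if [ "$#" -eq 3 ]; then
    p=$(service_principal "$1" "$2")
    keytab_mode_ok "$3" || echo "WARN: $3 is accessible beyond its owner" >&2
    klist -k "$3" | keytab_has_principal "$p" || echo "FAIL: no key for $p" >&2
    gssapi_bind_test "$1"
fi
```

A keytab that lists the principal but still fails the GSSAPI bind usually points at step 4 (RHDS not yet reading the keytab) rather than at the KDC.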

Comment 7 Stephen Gordon 2012-09-27 12:24:52 EDT
Yeah, personally I generally just use IPA directly. Here though I am attempting to round up and document the extra hoops someone needs to jump through if they have RHDS and want to use it to auth to RHEV (which requires kerberos).
Comment 10 Stephen Gordon 2012-10-30 15:27:22 EDT
*** Bug 605507 has been marked as a duplicate of this bug. ***
