How to create FreeIPA user for ovirt engine (engine-manage-domains)?

Hi,

Pretty much any documentation around oVirt's use of domains uses an undefined user (engine-manage-domains ... --user=[USER]) and, maybe because of that, virtually all the oVirt tutorials that feature FreeIPA/IdM use the "admin" user of FreeIPA (engine-manage-domains ... --provider=freeipa --user=admin). This leads to a pretty scary situation: the administrator password for your identity management system is stored for use by another system (ovirt-engine).

So the right way to do things should be to use a "service user" for the engine that would have just enough privileges in FreeIPA to work correctly. So my questions are:

1. What are the necessary permissions for such a service user?
2. How to create such a user? Can it be done through the IPA web UI, or does one need to go through the ldif/ldapmodify route?

Best regards,
David

----- Original Message -----
From: "David Jaša" <djasa@redhat.com>
To: devel@ovirt.org
Sent: Wednesday, July 1, 2015 4:49:26 PM
Subject: [ovirt-devel] How to create FreeIPA user for ovirt engine (engine-manage-domains)?

> Hi,
>
> Pretty much any documentation around oVirt's use of domains uses an undefined user (engine-manage-domains ... --user=[USER]) and, maybe because of that, virtually all the oVirt tutorials that feature FreeIPA/IdM use the "admin" user of FreeIPA (engine-manage-domains ... --provider=freeipa --user=admin). This leads to a pretty scary situation: the administrator password for your identity management system is stored for use by another system (ovirt-engine).

Please do not use the legacy provider, use the new one.
http://wiki.ovirt.org/Features/AAA
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob...

> So the right way to do things should be to use a "service user" for the engine that would have just enough privileges in FreeIPA to work correctly. So my questions are:
>
> 1. What are the necessary permissions for such a service user?

Perform queries to locate the user details of those who are trying to log in. No special permission is required.

> 2. How to create such a user? Can it be done through the IPA web UI, or does one need to go through the ldif/ldapmodify route?

I have no idea, you should ask the IPA people how to create a user.

Regards,
Alon Bar-Lev.
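The two answers above (a plain read-only account is enough, and the new ovirt-engine-extension-aaa-ldap provider should be used instead of engine-manage-domains) put together as a worked script. This is an added example, not code from the thread or from the oVirt or FreeIPA projects; the domain example.com, server ipa.example.com, account name svc-ovirt, profile name "ipa" and the /etc/ovirt-engine path are assumed placeholders. The IPA and LDAP steps only execute when the script is run with the argument "apply"; the DN and profile-file helpers work offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the oVirt/FreeIPA projects.
# Creates a least-privilege "service user" in FreeIPA for ovirt-engine and
# wires it into an ovirt-engine-extension-aaa-ldap profile (the new provider
# Alon points to) instead of handing the IPA "admin" password to
# engine-manage-domains. Assumed: domain example.com, server ipa.example.com,
# user svc-ovirt, profile name "ipa", engine config in /etc/ovirt-engine.
# The IPA/LDAP steps only run when invoked with "apply".
set -eu

IPA_DOMAIN=${IPA_DOMAIN:-example.com}
IPA_SERVER=${IPA_SERVER:-ipa.example.com}
SVC_USER=${SVC_USER:-svc-ovirt}
PROFILE=${PROFILE:-ipa}
ENGINE_ETC=${ENGINE_ETC:-/etc/ovirt-engine}

# example.com -> dc=example,dc=com
base_dn_from_domain() {
    printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# IPA keeps user entries under cn=users,cn=accounts,<base DN>.
service_user_dn() {
    printf 'uid=%s,cn=users,cn=accounts,%s' "$1" "$(base_dn_from_domain "$2")"
}

# Step 1: an ordinary IPA user with no group or role membership. Reading user
# entries needs no extra privilege, so nothing else is granted. IPA marks an
# admin-set password as expired, so kinit once as the new user to set the
# final password the engine will bind with.
create_service_user() {
    ipa user-add "$SVC_USER" --first=oVirt --last=Engine --password
    kinit "$SVC_USER"
    kdestroy
}

# Step 2: the aaa-ldap profile. <ipa.properties> is shipped by the extension;
# only the server and the bind credentials are site-specific.
write_profile() {   # $1 = engine config dir
    dn=$(service_user_dn "$SVC_USER" "$IPA_DOMAIN")
    mkdir -p "$1/aaa" "$1/extensions.d"
    cat > "$1/aaa/$PROFILE.properties" <<EOF
include = <ipa.properties>

vars.server = $IPA_SERVER
vars.user = $dn
vars.password = ${SVC_PASSWORD:-CHANGEME}

pool.default.serverset.single.server = \${global:vars.server}
pool.default.auth.simple.bindDN = \${global:vars.user}
pool.default.auth.simple.password = \${global:vars.password}
EOF
    # Holds the bind password: readable by root and the engine's group only.
    chmod 640 "$1/aaa/$PROFILE.properties"
    cat > "$1/extensions.d/$PROFILE-authn.properties" <<EOF
ovirt.engine.extension.name = $PROFILE-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.extension.config.profile.name = $PROFILE
ovirt.engine.extension.config.authz.plugin = $PROFILE-authz
ovirt.engine.extension.config.config.file = $1/aaa/$PROFILE.properties
EOF
    cat > "$1/extensions.d/$PROFILE-authz.properties" <<EOF
ovirt.engine.extension.name = $PROFILE-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
ovirt.engine.extension.config.config.file = $1/aaa/$PROFILE.properties
EOF
}

# Step 3: prove the service user can bind and read a user entry, which is all
# the engine needs. uid=admin exists in every IPA domain, so it is a safe probe.
verify_bind() {
    ldapsearch -x -H "ldaps://$IPA_SERVER" \
        -D "$(service_user_dn "$SVC_USER" "$IPA_DOMAIN")" -W \
        -b "$(base_dn_from_domain "$IPA_DOMAIN")" '(uid=admin)' dn
}

case "${1:-}" in
    apply) create_service_user; write_profile "$ENGINE_ETC"; verify_bind ;;
esac
```

Run it as `SVC_PASSWORD=... sh create-svc-ovirt.sh apply` on the engine host with an IPA admin ticket, then restart ovirt-engine so the new extension files are loaded. The service account ends up with exactly what the reply describes: it can bind and search user entries, it is a member of no IPA group or role, and its password, rather than admin's, is what sits in the profile file (which is why that file is made mode 640).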
participants (2)
- Alon Bar-Lev
- David Jaša