ovirt-freeipa authentication howto

Hi all,

I found that for some reason it is hard to find a working example for integrating ovirt 3.5 with freeipa using the generic aaa ldap extension. Here's what I did to get it to work.

The ovirt OS is CentOS 6 x86_64 with all the latest patches applied. The ovirt machine can be a member of the freeipa domain, but this is not required for the ovirt-freeipa authentication to work. Personally I think it is nice to have the ovirt machine under freeipa supervision as well.

The freeipa OS is CentOS 7 x86_64 with all the latest patches applied.

The ovirt environment is configured, up and running.

There are two ways of single sign-on for ovirt, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualizat...
This howto is for the first option.

You require a search account in the freeipa domain. Add a user account to the freeipa domain, log in with that account so it asks you to set a new password for it, then reset the expiration date of the password to somewhere in the far future with the procedure below.

#
# Add the search account for ovirt to the freeipa domain.
#
# Execute these commands on the freeipa server as root.
#
# first set the variables
export SUFFIX='dc=example,dc=com'
export OVIRT_SERVER=ovirt.example.com
export FREEIPA_DOMAIN=EXAMPLE.COM
export USERNAME=ovirt
export YOUR_PASSWORD='top_secret_random_very_long_password'

# create an ldif file
cat > resetexpiration.ldif << EOF
dn: uid=$USERNAME,cn=users,cn=accounts,$SUFFIX
changetype: modify
replace: krbpasswordexpiration
krbpasswordexpiration: 20380119031407Z
EOF

# apply the ldif file
# the password requested is the directory manager password, this is NOT the same account as the freeipa admin
ldapmodify -x -D "cn=directory manager" -W -vv -f resetexpiration.ldif

# for the second option also:
# add the service for http to freeipa
kinit admin
ipa service-add HTTP/$OVIRT_SERVER@$FREEIPA_DOMAIN

#
# The following commands are executed as root on the ovirt-engine machine.
#
# first install the required package:
yum install -y ovirt-engine-extension-aaa-ldap

#
# ovirt configuration files
# examples can be found here:
# /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
#
mkdir -p /etc/ovirt-engine/aaa
mkdir -p /etc/ovirt-engine/extensions.d

#
# set the vars again (exports do not carry over between vm's)
#
export SUFFIX='dc=example,dc=com'
export YOUR_PASSWORD='top_secret_random_very_long_password'
export FREEIPA_SERVER=freeipa.example.com
export PROFILE_NAME=profile1

#
# create the config files
#
cat > /etc/ovirt-engine/aaa/$PROFILE_NAME.properties << EOF
include = <ipa.properties>
vars.server = $FREEIPA_SERVER
vars.user = uid=ovirt,cn=users,cn=accounts,$SUFFIX
vars.password = $YOUR_PASSWORD
pool.default.serverset.single.server = \${global:vars.server}
pool.default.auth.simple.bindDN = \${global:vars.user}
pool.default.auth.simple.password = \${global:vars.password}
EOF

cat > /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authz.properties << EOF
ovirt.engine.extension.name = $PROFILE_NAME-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/$PROFILE_NAME.properties
EOF

cat > /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties << EOF
ovirt.engine.extension.name = $PROFILE_NAME-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = $PROFILE_NAME
ovirt.engine.aaa.authn.authz.plugin = $PROFILE_NAME-authz
config.profile.file.1 = ../aaa/$PROFILE_NAME.properties
EOF

#
# change owner and permissions of the profile files
# (the aaa profile file is the one that holds the bind password, so restrict it as well)
#
chown ovirt:ovirt /etc/ovirt-engine/aaa/$PROFILE_NAME.properties
chmod 400 /etc/ovirt-engine/aaa/$PROFILE_NAME.properties
chown ovirt:ovirt /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties
chmod 400 /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties

#
# restart the ovirt engine
#
service ovirt-engine restart

#
# Done. You can now add freeipa users in the Users menu of the portal.
# After the users have been added you can assign permissions for them on the vm's.
#

Cheers
Rob Verduijn
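As an added sanity check (my own example, not part of Rob's howto or of the oVirt project), the script below follows the relative `config.profile.file.1` reference from an extensions.d file to the aaa profile, resolves the one-level `${global:vars.x}` references used in that profile, and reports whether the file holding the bind password is readable by group or others. The file names match the howto; the values and the temporary directory layout in `demo()` are constructed.

```python
import os
import re
import stat
import tempfile

REF = re.compile(r"\$\{global:([\w.]+)\}")  # ${global:vars.x} references used in the aaa profile

def parse_properties(text):
    """Parse the key = value lines of an aaa-ldap properties file (comments ignored)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def resolve(props):
    """Expand ${global:...} references against keys of the same file; unknown refs stay literal."""
    return {k: REF.sub(lambda m: props.get(m.group(1), m.group(0)), v) for k, v in props.items()}

def check_profile(extension_file):
    """Follow config.profile.file.1 to the aaa profile; report bind DN and whether the password file is group/world readable."""
    with open(extension_file) as f:
        ext = parse_properties(f.read())
    profile = os.path.normpath(os.path.join(os.path.dirname(extension_file), ext["config.profile.file.1"]))
    with open(profile) as f:
        props = resolve(parse_properties(f.read()))
    mode = stat.S_IMODE(os.stat(profile).st_mode)
    return {"bind_dn": props.get("pool.default.auth.simple.bindDN"),
            "has_password": bool(props.get("pool.default.auth.simple.password")),
            "too_permissive": bool(mode & 0o077)}  # anything beyond owner bits exposes the bind password

def demo(profile_mode=0o644):
    """Recreate the howto's layout with constructed values in a temp dir, then check it."""
    root = tempfile.mkdtemp()
    for d in ("aaa", "extensions.d"):
        os.makedirs(os.path.join(root, d))
    profile = os.path.join(root, "aaa", "profile1.properties")
    with open(profile, "w") as f:  # constructed profile, placeholder password
        f.write("vars.user = uid=ovirt,cn=users,cn=accounts,dc=example,dc=com\n"
                "vars.password = constructed_placeholder_password\n"
                "pool.default.auth.simple.bindDN = ${global:vars.user}\n"
                "pool.default.auth.simple.password = ${global:vars.password}\n")
    os.chmod(profile, profile_mode)
    authn = os.path.join(root, "extensions.d", "profile1-authn.properties")
    with open(authn, "w") as f:
        f.write("ovirt.engine.extension.name = profile1-authn\n"
                "config.profile.file.1 = ../aaa/profile1.properties\n")
    return check_profile(authn)
```

Run `check_profile("/etc/ovirt-engine/extensions.d/profile1-authn.properties")` on the engine as root to check the real files; `demo()` shows the default 0644 case flagged and `demo(0o400)` the restricted one.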