[ovirt-devel] How to create FreeIPA user for ovirt engine (engine-manage-domains)?

David Jaša djasa at redhat.com
Wed Jul 1 13:49:26 UTC 2015


Hi,

Pretty much any documentation around oVirt use of domains uses an
undefined user (engine-manage-domains ... --user=[USER]) and maybe
because of that, virtually all the ovirt tutorials that feature
FreeIPA/IdM use the "admin" user of FreeIPA (engine-manage-domains ...
--provider=freeipa --user=admin). This leads to a pretty scary situation
of the administrator password for your identity management system being
stored for use by another system (ovirt-engine).

So, the right way to do things should be use of a "service user" for
engine that would have just enough privileges in FreeIPA to work
correctly. So my questions are:

1. what are the necessary permissions for such a service user?

2. how to create such a user? Can it be done through the IPA web UI or
does one need to go through the ldif/ldapmodify route?

Best regards,

David



