[ovirt-devel] How to create FreeIPA user for ovirt engine (engine-manage-domains)?

Alon Bar-Lev alonbl at redhat.com
Thu Jul 2 10:11:45 UTC 2015



----- Original Message -----
> From: "David Jaša" <djasa at redhat.com>
> To: devel at ovirt.org
> Sent: Wednesday, July 1, 2015 4:49:26 PM
> Subject: [ovirt-devel] How to create FreeIPA user for ovirt engine	(engine-manage-domains)?
> 
> Hi,
> 
> Pretty much any documentation around oVirt use of domains uses an
> undefined user (engine-manage-domains ... --user=[USER]) and maybe
> because of that, virtually all the ovirt tutorials that feature
> FreeIPA/IdM use "admin" user of FreeIPA (engine-manage-domains ...
> --provider=freeipa --user=admin). This leads to a pretty scary situation:
> the administrator password for your identity management system is
> stored for use by another system (ovirt-engine).

Please do not use the legacy provider; use the new one.
http://wiki.ovirt.org/Features/AAA
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD

> So, the right way to do things should be use of a "service user" for
> engine that would have just enough privileges in FreeIPA to work
> correctly. So my questions are:
> 
> 1. what are the necessary permissions for such a service user?

Perform queries to locate the user details of those who are trying to log in. No special permission is required.

> 2. how to create such a user? Can it be done through the IPA web UI or
> does one need to go through the ldif/ldapmodify route?

I have no idea; you should ask the IPA people how to create a user.

Regards,
Alon Bar-Lev.
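The point of the reply above is that the engine's bind account only needs to search the directory, so it should be a dedicated unprivileged account rather than the FreeIPA "admin". The fragment below is an added illustration of what such a profile looks like for the new ovirt-engine-extension-aaa-ldap provider (the one linked above); it is not taken from the thread or from the project's README. The server name, the bind DN (uid=svc-ovirt), the truststore path and the password are placeholders to be replaced.

```properties
# /etc/ovirt-engine/aaa/example-ipa.properties  (hypothetical profile name)
# Pull in the FreeIPA defaults shipped with the extension (search bases,
# attribute mapping, etc.), then override only what is site-specific.
include = <ipa.properties>

# Placeholder values: replace with your IPA server and a dedicated,
# unprivileged service account. This account is only used for simple
# bind + LDAP search, so it needs no IPA roles or privileges at all.
vars.server = ipa.example.com
vars.user = uid=svc-ovirt,cn=users,cn=accounts,dc=example,dc=com
vars.password = REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Protect the bind password in transit: STARTTLS with a truststore that
# contains the IPA CA certificate (path and password are placeholders).
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/aaa/ipa-ca.jks
pool.default.ssl.truststore.password = REPLACE_WITH_TRUSTSTORE_PASSWORD
```

Two things a practitioner would check after dropping this in: that the file is readable only by the engine's own user, since it still carries a credential, and that the service account's password is distinct from any administrative one, so that disclosure of the engine host exposes nothing beyond read access to the user tree.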
