Abstract
| Goal | Configure user accounts using a central directory service. Assign access to resources based on job responsibilities using roles. |
Managing User Accounts and Roles |
After completing this section, you should be able to configure Red Hat Virtualization to authenticate users based on information from an external LDAP server.
To interact with the Red Hat Virtualization management system, user accounts must be configured and granted access rights.
These accounts come from various sources called user domains.
Users are identified by their User Principal Name (UPN), which has the form username@domain.
By default, the initial installation of Red Hat Virtualization creates a local domain called internal, which can contain local user accounts.
An initial local user is created in this domain, with the UPN admin@internal, that has full administrative control of the Red Hat Virtualization environment.
While the ovirt-aaa-jdbc-tool command can create additional local users, it is recommended to configure an external domain that gets information about users from an external directory service such as Red Hat Enterprise Linux (RHEL) Identity Manager (IdM), Microsoft Active Directory, OpenLDAP, or one of the many other supported options. These users are referred to as directory users. This approach allows simplified user and group management from an operational standpoint by using the same single source of truth for Red Hat Virtualization user information that the IT organization uses for other account management.
In a real-world situation, a centralized directory server handles the directory users. A dedicated security team is responsible for managing the user accounts in the directory server. When new users are required, contact the authorized security team with a request to create the new user accounts in the centralized directory server. Because authorization to perform administrative operations on the directory server is restricted, administrative access to the underlying database of user accounts is not available to virtualization administrators.
Administratively, users and groups are created in the directory service. After the directory service is attached to Red Hat Virtualization as an external domain, the users from that service must be configured in Red Hat Virtualization with roles that grant them appropriate levels of access to the Red Hat Virtualization environment.
Directory users can be granted administrative rights. The admin@internal account is generally better used as an emergency administration account if there is a problem with the connection to the directory service.
Attachment of more than one directory server to the Red Hat Virtualization environment is also possible and supported. If there is more than one directory server attached, then administrators can choose which one they want to authenticate against by selecting the correct domain from the login menu.
The ovirt-engine-extension-aaa-ldap software package provides support for the integration of generic Lightweight Directory Access Protocol (LDAP) directory services with Red Hat Virtualization Manager.
This includes Red Hat Enterprise Linux Identity Manager, Microsoft Active Directory, OpenLDAP, and a number of other LDAP servers.
Configuring Red Hat Virtualization Manager to use an LDAP-based directory service as an external domain is straightforward. A helper package named ovirt-engine-extension-aaa-ldap-setup provides a configuration script, and must be installed on your Red Hat Virtualization Manager server. This helper package also installs ovirt-engine-extension-aaa-ldap as a dependency. Finally, the ovirt-engine-extension-aaa-ldap-setup script is used to configure LDAP integration with Red Hat Virtualization Manager.
The following discussion explores how this configuration is accomplished for two use cases. The first example discusses how to configure Red Hat Enterprise Linux Identity Manager as a directory source. The second example does the same with Microsoft Active Directory.
Attaching Red Hat Enterprise Linux Identity Manager
Red Hat Enterprise Linux Identity Manager is an open source centralized identity, policy, and authorization service included with Red Hat Enterprise Linux that provides an LDAP integration interface. This service is based on the upstream FreeIPA project. You can use Red Hat Enterprise Linux Identity Manager as an authentication source for your Red Hat Virtualization environment.
Gather the following prerequisite information before starting the configuration process:
The fully qualified DNS domain name of the LDAP server or servers.
The public TLS/SSL CA certificate that validates the LDAP server's TLS certificate, in PEM format, for a secure connection.
An existing LDAP account configured so that Red Hat Virtualization Manager can perform search and login queries on the LDAP server. Obtain the base distinguished name (DN) and password from your directory administrator.
After all the prerequisites are met, ensure that the ovirt-engine-extension-aaa-ldap-setup package is installed on the Red Hat Virtualization Manager server. The ovirt-engine-extension-aaa-ldap-setup package provides the ovirt-engine-extension-aaa-ldap-setup script, which allows you to interactively configure the Red Hat Virtualization Manager server to use the Red Hat Enterprise Linux Identity Manager as an external domain that serves information about the users.
Running the ovirt-engine-extension-aaa-ldap-setup command results in an interactive prompt that is used to provide answers to the questions presented.
The first required input is the LDAP implementation to use.
Every LDAP implementation has a number to identify it.
For example, the Active Directory option is identified by the number 3, and the IPA option is identified by the number 6.
To select Red Hat Enterprise Linux Identity Manager, type 6 (IPA).
[root@rhvm-demo ~]# ovirt-engine-extension-aaa-ldap-setup
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20190715235438-zjoext.log
Version: otopi-1.8.2 (otopi-1.8.2-1.el7ev)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment customization
Welcome to LDAP extension configuration program
Available LDAP implementations:
 1 - 389ds
 2 - 389ds RFC-2307 Schema
 3 - Active Directory
 4 - IBM Security Directory Server
 5 - IBM Security Directory Server RFC-2307 Schema
 6 - IPA
 7 - Novell eDirectory RFC-2307 Schema
 8 - OpenLDAP RFC-2307 Schema
 9 - OpenLDAP Standard Schema
10 - Oracle Unified Directory RFC-2307 Schema
11 - RFC-2307 Schema (Generic)
12 - RHDS
13 - RHDS RFC-2307 Schema
14 - iPlanet
Please select: 6
In the same interactive prompt, displayed by the ovirt-engine-extension-aaa-ldap-setup command, specify whether to use DNS to resolve the name of your Red Hat Enterprise Linux Identity Manager server.
Normally, the correct answer is Yes.
NOTE:
It is highly recommended to use DNS resolution for LDAP server.
If for some reason you intend to use hosts or plain address disable DNS usage.
Use DNS (Yes, No) [Yes]: Enter
The default answer is enclosed within square brackets in the prompt. If you press Enter, this default answer is selected.
Specify how the Red Hat Virtualization Manager server should find the Red Hat Enterprise Linux Identity Manager server. Select from the following four options:
The Single server option, which uses the fully qualified domain name of the server.
The DNS domain LDAP SRV record option, which uses a DNS SRV record to locate the server.
The Round-robin between multiple hosts option requires a space-separated list of Red Hat Enterprise Linux Identity Manager servers; the Red Hat Virtualization Manager load balances LDAP requests among these servers.
The Failover between multiple hosts option requires a space-separated list of Red Hat Enterprise Linux Identity Manager servers; the Red Hat Virtualization Manager sends all requests to the first server in the list, and failover to subsequent servers occurs only if preceding servers do not respond.
To select the Single server option, type 1.
If you select the Single server option, specify the fully qualified domain name of the Red Hat Enterprise Linux Identity Manager server.
Available policy method:
 1 - Single server
 2 - DNS domain LDAP SRV record
 3 - Round-robin between multiple hosts
 4 - Failover between multiple hosts
Please select: 1
Please enter host address: identity-server.example.net
At the interactive prompt displayed by the ovirt-engine-extension-aaa-ldap-setup command, specify the protocol to use when communicating with the directory server.
To protect the LDAP connection with the directory server, it is recommended to use the StartTLS protocol.
...output omitted...
Please select protocol to use (startTLS, ldaps, plain) [startTLS]: Enter
The StartTLS protocol requires the PEM-encoded CA certificate that validates the Red Hat Enterprise Linux Identity Manager server's TLS server certificate.
You can provide this in a number of different ways: as a URL, a local file, inline through the tool, or from the system-wide CA configuration.
Red Hat does not recommend selecting Insecure, because that selection disables validation of the server's TLS certificate, so the Manager could be connected to an impersonated or compromised Red Hat Enterprise Linux Identity Manager server without detecting it.
To download the certificate from a remote location, type URL, and then specify the URL of the certificate at the subsequent prompt.
...output omitted...
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL
URL: http://identity-server.example.net/ipa/config/ca.crt
...output omitted...
When using Red Hat Enterprise Linux Identity Manager, you must specify the distinguished name (DN) of the LDAP search user to the ovirt-engine-extension-aaa-ldap-setup script. The Red Hat Virtualization Manager uses this LDAP user to authenticate itself to the directory server and to search the directory for information. After specifying the DN of the LDAP user, enter the password of the LDAP user (or, if anonymous search is allowed, leave the password blank).
Enter search user DN (for example, uid=username,dc=example,dc=com or leave empty for anonymous): uid=rhvadmin,cn=users,cn=accounts,dc=example,dc=net
Enter search user password: redhat
...output omitted...
When using Red Hat Enterprise Linux Identity Manager, you must also specify to the ovirt-engine-extension-aaa-ldap-setup script the base DN that Red Hat Virtualization Manager uses when searching the LDAP directory.
Please enter base DN (dc=example,dc=net) [dc=example,dc=net]: Enter
The ovirt-engine-extension-aaa-ldap-setup script also prompts you to configure single sign-on on virtual machines using the users provided by the directory servers configured for this external domain.
If prompted, enter Yes and see the Additional Configuration instructions in the Red Hat Virtualization Virtual Machine Management Guide at https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html-single/virtual_machine_management_guide/.
Specify a meaningful profile name to ovirt-engine-extension-aaa-ldap-setup for the new external domain.
A meaningful profile name helps you to easily identify and categorize the external domain when you have multiple external domains configured.
The profile name displays in the menu on the login page for the Administration Portal.
This profile name is the domain part of username@domain.
Please specify profile name that will be visible to users [identity-server.example.net]: example.net
The ovirt-engine-extension-aaa-ldap-setup script prompts you for the username and password of a valid user that the Red Hat Enterprise Linux Identity Manager provides.
This username and password are used to attempt authentication as that user in order to test whether the connection to the server is working.
When you are finished testing, type Done and the script exits.
[ INFO ] Stage: Setup validation
NOTE:
It is highly recommended to test drive the configuration before applying it into engine.
Login sequence is executed automatically, but it is recommended to also execute Search sequence manually after successful Login sequence.
Please provide credentials to test login flow:
Enter user name: idmuser1
Enter user password: redhat
[ INFO ] Executing login sequence...
...output omitted...
[ INFO ] Login sequence executed successfully
Please make sure that user details are correct and group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
Abort if output is incorrect.
Select test sequence to execute (Done, Abort, Login, Search) [Done]: Done
[ INFO ] Stage: Transaction setup
[ INFO ] Stage: Misc configuration (early)
[ INFO ] Stage: Package installation
[ INFO ] Stage: Misc configuration
[ INFO ] Stage: Transaction commit
[ INFO ] Stage: Closing up
CONFIGURATION SUMMARY
Profile name is: lab.example.com
The following files were created:
/etc/ovirt-engine/aaa/lab.example.com.jks
/etc/ovirt-engine/aaa/lab.example.com.properties
/etc/ovirt-engine/extensions.d/lab.example.com-authz.properties
/etc/ovirt-engine/extensions.d/lab.example.com-authn.properties
[ INFO ] Stage: Clean up
Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20190702121518-kusgin.log:
[ INFO ] Stage: Pre-termination
[ INFO ] Stage: Termination
After making the configuration changes, restart the ovirt-engine service on the Red Hat Virtualization Manager server.
[root@rhvm-demo ~]# systemctl restart ovirt-engine
Attaching Microsoft Active Directory
RHV also supports using Microsoft Active Directory as an authentication source. Gather the following prerequisite information before starting the configuration process:
The Active Directory root domain name (the forest name).
The DNS servers that can resolve the Active Directory forest name.
The public TLS/SSL CA certificate that validates the LDAP server's TLS certificate, in PEM format, for a secure connection.
An existing Active Directory account configured so that Red Hat Virtualization Manager can perform search and login queries on the LDAP server. Obtain the account information from your Active Directory administrator. Alternatively, the directory can enable anonymous search.
When all the prerequisites are met, start the integration process.
On your Red Hat Virtualization Manager server, use the same ovirt-engine-extension-aaa-ldap-setup script to integrate the Microsoft Active Directory service in the Red Hat Virtualization environment.
For Microsoft Active Directory, type 3 when the ovirt-engine-extension-aaa-ldap-setup script prompts you to select an LDAP implementation from those available.
You must specify your Microsoft Active Directory forest name to the ovirt-engine-extension-aaa-ldap-setup script.
You must also select the secure protocol for accessing your Microsoft Active Directory server, and specify the method used to obtain a CA certificate.
Again, Red Hat recommends that you use the StartTLS protocol and provide a PEM-encoded CA certificate that can validate the Active Directory server certificate.
Red Hat recommends that you do not select the Insecure option.
When using Microsoft Active Directory, you must specify the distinguished name (DN) of the Microsoft Active Directory search user to the ovirt-engine-extension-aaa-ldap-setup script. This user should have permission to browse all users and groups on the Microsoft Active Directory server. The Red Hat Virtualization Manager uses this Microsoft Active Directory user to authenticate itself to the directory server and to search the directory for information. Enter the user's password (or, if anonymous search is allowed, leave the password blank).
Specify a meaningful profile name to ovirt-engine-extension-aaa-ldap-setup for the new external domain. This profile name displays in the menu on the login page for the Administration Portal.
The ovirt-engine-extension-aaa-ldap-setup script prompts you for the username and password of a valid user that the Microsoft Active Directory server provides, in order to test whether the connection to the server is working.
After testing completes, enter Done and the script exits.
After making the configuration changes, restart the ovirt-engine service on the Red Hat Virtualization Manager server.
[root@rhvm-demo ~]# systemctl restart ovirt-engine
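The script below is an added example, not part of the course text or the oVirt tooling; it checks the prerequisites that both the Identity Manager and the Active Directory procedures above depend on before you run ovirt-engine-extension-aaa-ldap-setup: that the CA file is a valid certificate whose fingerprint you can compare with what the directory administrator supplies, and that the search user can bind over StartTLS with that CA enforced. The host name and search user DN are the ones the section uses; the CA file path and the run argument are assumptions.

```shell
#!/bin/bash
# Pre-flight checks for a directory server before running
# ovirt-engine-extension-aaa-ldap-setup. Added example, not from the course
# or the oVirt project. Assumes openssl and ldapsearch (openldap-clients)
# are installed on the Manager host; the CA file path is a placeholder.
set -u

# Build the base DN that the setup script proposes for a DNS domain
# (example.net -> dc=example,dc=net; an AD forest name works the same way).
domain_to_base_dn() {
    local dn
    dn=$(printf ',dc=%s' $(printf '%s' "$1" | tr '.' ' '))
    printf '%s\n' "${dn#,}"
}

# Confirm the file is an unexpired PEM certificate and print its SHA-256
# fingerprint, to compare out of band with the directory administrator's
# value: the section fetches ca.crt over plain http://, so the download
# itself is not authenticated.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || return 1
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Bind as the search user with StartTLS made mandatory (-ZZ) and the CA
# pinned, then read the base entry as the Manager's searches will. A server
# certificate the CA does not validate fails the bind here, which is the
# failure the Insecure option would silently hide.
ldap_preflight() {
    local host=$1 ca=$2 bind_dn=$3 pw_file=$4 base_dn=$5
    getent hosts "$host" >/dev/null || { echo "DNS: cannot resolve $host" >&2; return 1; }
    LDAPTLS_CACERT=$ca LDAPTLS_REQCERT=demand \
    ldapsearch -ZZ -H "ldap://$host" -D "$bind_dn" -y "$pw_file" \
        -b "$base_dn" -s base -LLL '(objectClass=*)' dn
}

# Run the checks with the section's values: ./preflight.sh run
if [ "${1:-}" = run ]; then
    host=identity-server.example.net
    ca=/tmp/ipa-ca.crt                       # placeholder: the downloaded ca.crt
    ca_fingerprint "$ca" || { echo "CA file missing, invalid or expired" >&2; exit 1; }
    pw_file=$(mktemp)                        # created mode 0600, removed below
    printf 'Search user password: ' >&2; stty -echo; read -r pw; stty echo; echo >&2
    printf '%s' "$pw" > "$pw_file"           # -y uses the whole file, so no newline
    ldap_preflight "$host" "$ca" uid=rhvadmin,cn=users,cn=accounts,dc=example,dc=net \
        "$pw_file" "$(domain_to_base_dn example.net)"
    rc=$?; rm -f "$pw_file"; exit "$rc"
fi
```

If the bind fails only when LDAPTLS_REQCERT=demand is set, the CA file does not validate the server certificate, and that should be resolved with the directory administrator rather than by choosing Insecure in the setup script.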
The preceding examples configure Red Hat Virtualization Manager to authenticate users based on information in an external directory service. However, those users must still be assigned roles to authorize them to use Red Hat Virtualization Manager and work with resources in the Red Hat Virtualization environment.
The next section of this chapter covers how users are assigned roles.
Further information is available in the Users and Roles chapter of the Administration Guide for Red Hat Virtualization at https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html-single/administration_guide/chap-users_and_roles#chap-Users_and_Roles