Integrating RHEV or Ovirt with Red Hat IDM for User Authentication | 1 Easy guide

Introduction

This guide integrates RHEV or oVirt with Red Hat IDM (FreeIPA) for user authentication. During the RHEV-Manager installation, a default local user "admin" is created in the internal domain.

In a production environment, security standards call for avoiding the default accounts, so in the RHEV environment we will not use the built-in admin account for day-to-day work. Instead, we will authenticate with a separate account and assign it a role equivalent to admin. That account is not created locally in RHEV-Manager; it is created in Red Hat IDM or FreeIPA and managed from a central location. We then authenticate to the RHEV platform with that user and associate it with the required role.

Related Guides

We have an older guide that covers integrating with Active Directory.

My Setup Version

The version of the RHEV Manager used in my home lab is the latest one “Red Hat Virtualization Manager Version 4.4.6.8-0.1.el8ev”.

Let’s see how to integrate RHEV with Red Hat IDM for User authentications.

Default Installation

Before starting the integration, RHEV Manager has only the default internal local domain.

Before integrating with IDM

Getting Information

Before going any further, we need to gather some information for authenticating against our IDM/FreeIPA servers.

The IDM "admin" account is the most privileged account in IDM, and it is used here as the search (bind) user for the setup. Keep in mind that the setup tool only needs an account that can read users and groups, and that the bind password ends up in cleartext in the generated properties file, so outside a lab a dedicated read-only bind account is the better choice.

# ldapsearch -x uid=admin

Note the DN of that account; it is needed in the upcoming steps.

uid=admin,cn=users,cn=compat,dc=linuxsysadmins,dc=local

We have three IDM servers: one master and two replicas.

idm1.linuxsysadmins.local   # Master
idm2.linuxsysadmins.local   # Replica 1
idm3.linuxsysadmins.local   # Replica 2

Begin with the setup

Run the following oVirt command to start the setup.

# ovirt-engine-extension-aaa-ldap-setup

It will prompt for several entries:

  • Select "6" to authenticate against Red Hat IDM or a FreeIPA server.
  • Accept the default "Yes" for DNS resolution.
  • Since I have three IDM servers, I opted for "4", "Failover between multiple hosts".
  • Type the FQDNs of your IDM servers, separated by spaces.
  • Use startTLS as the protocol.
  • It is strongly advised to supply the CA certificate (File, URL, Inline or System); however, I am using "Insecure" in my home lab setup, which means the server certificate is not verified.
  • Enter the search user DN (Distinguished Name) fetched from LDAP, uid=admin,cn=users,cn=compat,dc=linuxsysadmins,dc=local, followed by its password.
  • Confirm the base DN, dc=linuxsysadmins,dc=local.
  • Choose "No" for Single Sign-On for virtual machines.
  • Set a profile name; I used "linuxsysadmins.local".
  • Provide the IDM "admin" account credentials when asked to test the login flow.
  • Finally, type "Done".

At the end of the run we should see the properties file created:

/etc/ovirt-engine/aaa/linuxsysadmins.local.properties

The full output is included for reference.

[root@rhevm ~]# ovirt-engine-extension-aaa-ldap-setup 
[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
          Configuration files: /etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf
          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20210708113233-4i7vu2.log
          Version: otopi-1.9.4 (otopi-1.9.4-1.el8ev)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Available LDAP implementations:
           1 - 389ds
           2 - 389ds RFC-2307 Schema
           3 - Active Directory
           4 - IBM Security Directory Server
           5 - IBM Security Directory Server RFC-2307 Schema
           6 - IPA
           7 - Novell eDirectory RFC-2307 Schema
           8 - OpenLDAP RFC-2307 Schema
           9 - OpenLDAP Standard Schema
          10 - Oracle Unified Directory RFC-2307 Schema
          11 - RFC-2307 Schema (Generic)
          12 - RHDS
          13 - RHDS RFC-2307 Schema
          14 - iPlanet
          Please select: 6
           
          NOTE:
          It is highly recommended to use DNS resolution for LDAP server.
          If for some reason you intend to use hosts or plain address disable DNS usage.
           
          Use DNS (Yes, No) [Yes]: 
          Available policy method:
           1 - Single server
           2 - DNS domain LDAP SRV record
           3 - Round-robin between multiple hosts
           4 - Failover between multiple hosts
          Please select: 4
          Please enter space separated list of hosts: idm1.linuxsysadmins.local idm2.linuxsysadmins.local  idm3.linuxsysadmins.local
[ INFO  ] Trying to resolve host 'idm1.linuxsysadmins.local'
[ INFO  ] Trying to resolve host 'idm2.linuxsysadmins.local'
[ INFO  ] Trying to resolve host 'idm3.linuxsysadmins.local'
           
          NOTE:
          It is highly recommended to use secure protocol to access the LDAP server.
          Protocol startTLS is the standard recommended method to do so.
          Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
          Use plain for test environments only.
           
          Please select protocol to use (startTLS, ldaps, plain) [startTLS]: 
          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): Insecure
[ INFO  ] Connecting to LDAP using 'ldap://idm1.linuxsysadmins.local:389'
[ INFO  ] Executing startTLS
[ INFO  ] Connection succeeded
          Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): uid=admin,cn=users,cn=compat,dc=linuxsysadmins,dc=local
          Enter search user password: 
[ ERROR ] Please specify value
          Enter search user password: 
[ INFO  ] Attempting to bind using 'uid=admin,cn=users,cn=compat,dc=linuxsysadmins,dc=local'
          Please enter base DN (dc=linuxsysadmins,dc=local) [dc=linuxsysadmins,dc=local]: 
          Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: No
          Please specify profile name that will be visible to users : linuxsysadmins.local

[ INFO  ] Stage: Setup validation
           
          NOTE:
          It is highly recommended to test drive the configuration before applying it into engine.
          Login sequence is executed automatically, but it is recommended to also execute Search sequence manually after successful Login sequence.
           
          Please provide credentials to test login flow:
          Enter user name: 
          Enter user password:
[ INFO  ] Login sequence executed successfully
          Please make sure that user details are correct and group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
          Abort if output is incorrect.
          Select test sequence to execute (Done, Abort, Login, Search) [Done]: Done
[ INFO  ] Stage: Transaction setup
[ INFO  ] Stage: Misc configuration (early)
[ INFO  ] Stage: Package installation
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Transaction commit
[ INFO  ] Stage: Closing up
          CONFIGURATION SUMMARY
          Profile name is: linuxsysadmins.local
          The following files were created:
              /etc/ovirt-engine/aaa/linuxsysadmins.local.properties
[ INFO  ] Stage: Clean up
          Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20210708113233-4i7vu2.log:
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination
[root@rhevm ~]#

The generated properties file contains the following:

[root@rhevm ~]# cat /etc/ovirt-engine/aaa/linuxsysadmins.local.properties
include = <ipa.properties>

vars.user = uid=admin,cn=users,cn=compat,dc=linuxsysadmins,dc=local
vars.password = Redhat@123

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = failover
pool.default.serverset.failover.00.server = idm1.linuxsysadmins.local
pool.default.serverset.failover.01.server = idm2.linuxsysadmins.local
pool.default.serverset.failover.02.server = idm3.linuxsysadmins.local
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true
[root@rhevm ~]#
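Two settings in the file above are easy to overlook once the tool reports "Connection succeeded": pool.default.ssl.insecure = true disables certificate verification for the startTLS session, and the bind DN is the directory admin, whose password now sits in cleartext in the file. The following script is an added example (not from the original post and not part of oVirt) that audits a profile for those points and for file permissions, and writes a hardened variant next to the lab one for comparison. The property keys are the ones in the generated file and the extension's documentation; the service account uid=svc-rhev-bind, the truststore path and both sample files are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: audit an ovirt-engine aaa-ldap profile for weak settings and
# show a hardened profile beside the lab one. Not from the original post or
# from oVirt. Service account name, truststore path and samples are assumed.

# prop FILE KEY : print the value of KEY (first match); values may contain '='
prop() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k) == 1 {
            rest = substr(line, length(k) + 1)
            if (rest ~ /^[ \t]*=/) { sub(/^[ \t]*=[ \t]*/, "", rest); print rest; exit }
        }' "$1"
}

# resolve FILE VALUE : follow one ${global:key} reference (as bindDN uses)
resolve() {
    case "$2" in
        '${global:'*'}') local key="${2#*:}"; prop "$1" "${key%?}" ;;
        *)               printf '%s\n' "$2" ;;
    esac
}

# audit_ldap_profile FILE : print one finding per line; return 1 if any found
audit_ldap_profile() {
    local f="$1" n=0 bind others
    if [ "$(prop "$f" pool.default.ssl.startTLS)" != true ] && \
       [ "$(prop "$f" pool.default.ssl.enable)" != true ]; then
        echo "plain LDAP: neither startTLS nor ldaps (ssl.enable) is enabled"; n=$((n + 1))
    fi
    if [ "$(prop "$f" pool.default.ssl.insecure)" = true ]; then
        echo "ssl.insecure=true: server certificate is not verified (MITM possible)"; n=$((n + 1))
    fi
    bind=$(resolve "$f" "$(prop "$f" pool.default.auth.simple.bindDN)")
    case "$bind" in
        uid=admin,*) echo "bind user is the directory admin ($bind); use a read-only account"; n=$((n + 1)) ;;
    esac
    if [ -n "$(resolve "$f" "$(prop "$f" pool.default.auth.simple.password)")" ]; then
        others=$(ls -l "$f" | cut -c8-10)   # permission bits for "others"
        case "$others" in
            *r*) echo "cleartext bind password in a world-readable file (others: $others)"; n=$((n + 1)) ;;
        esac
    fi
    [ "$n" -eq 0 ]
}

# write_weak_profile PATH : the profile produced by the lab run above, as-is
write_weak_profile() {
    cat > "$1" <<'EOF'
include = <ipa.properties>

vars.user = uid=admin,cn=users,cn=compat,dc=linuxsysadmins,dc=local
vars.password = Redhat@123

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = failover
pool.default.serverset.failover.00.server = idm1.linuxsysadmins.local
pool.default.serverset.failover.01.server = idm2.linuxsysadmins.local
pool.default.serverset.failover.02.server = idm3.linuxsysadmins.local
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true
EOF
    chmod 644 "$1"   # world-readable, to show the finding
}

# write_hardened_profile PATH : dedicated bind account, CA verified, tight mode
write_hardened_profile() {
    cat > "$1" <<'EOF'
include = <ipa.properties>

vars.user = uid=svc-rhev-bind,cn=users,cn=accounts,dc=linuxsysadmins,dc=local
vars.password = CHANGE-ME

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = failover
pool.default.serverset.failover.00.server = idm1.linuxsysadmins.local
pool.default.serverset.failover.01.server = idm2.linuxsysadmins.local
pool.default.serverset.failover.02.server = idm3.linuxsysadmins.local
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = false
pool.default.ssl.truststore.file = ${local:_basedir}/linuxsysadmins.local.jks
pool.default.ssl.truststore.password = changeit
EOF
    chmod 640 "$1"   # only root and the engine's group need to read it
}

# Demo: audit the lab profile, then the hardened one
tmp=$(mktemp)
write_weak_profile "$tmp"
echo "== lab profile =="
if audit_ldap_profile "$tmp"; then echo "-> no findings"; else echo "-> fix before production"; fi
write_hardened_profile "$tmp"
echo "== hardened profile =="
if audit_ldap_profile "$tmp"; then echo "-> no findings"; else echo "-> fix before production"; fi
rm -f "$tmp"
```

Point audit_ldap_profile at the real file (/etc/ovirt-engine/aaa/linuxsysadmins.local.properties here) after every run of the setup tool. The hardened sample shows the target state; the clean way to get there is to create a read-only bind user in IDM and rerun ovirt-engine-extension-aaa-ldap-setup choosing a CA option (File, URL or System) instead of Insecure, so the tool builds the truststore for you.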

Finally, restart the engine so the new profile is loaded.

# systemctl restart ovirt-engine

The command line part is done.

Configuring from the Web Interface

Log in to the web interface with the default admin credentials.

https://rhevm.linuxsysadmins.local/ovirt-engine/

Navigate to the "Administration" menu in the left pane and select "Configure".

Administration and Configure

A window similar to the one below should open, where we add the user.

Adding IDM User and Role

Click System Permissions in the left pane.

A default installation comes with three entries here. Before adding a new user from IDM we should see only these three.

Click Add in the top right corner to add the new user.

Before adding a new IDM user

Another pop-up window will appear, as shown below.

Set role to IDM user
  1. Select the User radio button.
  2. Select your domain profile name, in my case linuxsysadmins.local.
  3. Select the namespace.
  4. Type the username or part of it.
  5. Click "Go" to search for the user.
  6. Once found, the user is listed with First Name, Last Name and User Name. Select it by ticking the check box.
  7. Select the role you plan to assign to this user.
  8. Finally, click OK to save the changes.

Now we can see one additional user with administrator privileges.

After adding the role to the IDM user in RHEVM

Log out of the default admin user session.

Test the New User

The newly added profile is now available on the login page for IDM users.

Added new profile

Try to log in with a user created on the IDM server.

Authenticate with IDM user

The successful login events are visible in the RHEV-Manager Events section.

Successful login session events

Additionally, the active user session can be seen by navigating to

Administration --> User Sessions
RHEVM IDM user session

That's it, we have successfully integrated IDM users with the RHEV virtualization environment.

Conclusion:

Integrating IDM or FreeIPA with RHEV and oVirt for user authentication belongs in every environment: accounts are created, disabled and audited in one place, and activity in the RHEVM and oVirt virtualization platform is tracked against named users instead of the shared default admin. Subscribe to the newsletter and stay tuned for more RHEV and oVirt how-to guides.