OSVDC Series: IdM Integration of oVirt 3.6 and FreeIPA 4.3 - rharmonson/richtech GitHub Wiki

OSVDC: IdM Integration of oVirt 3.6 and FreeIPA 4.3

Published: DRAFT

Article 16 of the Open Source Virtual Data Center Series


Published September 28, 2016


Prerequisites

The primary components needed prior to proceeding through this article are:

  1. oVirt 3.6 Hosted-engine Appliance
  2. Dogtag Root Certificate Authority
  3. FreeIPA 4.3 Installation on Fedora 24 Minimal
  4. FreeIPA 4.3 client on Fedora 24 Workstation

Note that a FreeIPA Master used as the Root CA would work as well.

Process

  1. Obtain Kerberos token
  2. Validate LDAP service records
  3. Create group "svcaccounts"
  4. Create password policy
  5. Create user "svcldapbind"
  6. Add user into group
  7. Set user password
  8. Obtain Root CA certificate
  9. Install and setup ovirt-engine-extension-aaa-ldap
  10. Restart the Hosted-engine

Kerberos Token

Begin by using a terminal or SSH to FreeIPA client, then obtain a Kerberos token for "admin."

[john@wsai ~]$ kinit admin
Password for admin@MYDOMAIN.NET: 
[john@wsai ~]$

Results

[john@wsai ~]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin@MYDOMAIN.NET

Valid starting       Expires              Service principal
09/26/2016 12:25:09  09/27/2016 12:25:03  krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
[john@wsai ~]$ 

LDAP Service Records

Verify DNS and service records are resolving.

[john@wsai ~]$ dig _ldap._tcp.mydomain.net SRV

Results

; <<>> DiG 9.10.4-P2-RedHat-9.10.4-1.P2.fc24 <<>> _ldap._tcp.mydomain.net SRV
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16270
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.mydomain.net. IN  SRV

;; ANSWER SECTION:
_ldap._tcp.mydomain.net. 86400 IN SRV 0 100 389 ds2.mydomain.net.
_ldap._tcp.mydomain.net. 86400 IN SRV 0 100 389 ds1.mydomain.net.

;; AUTHORITY SECTION:
mydomain.net. 86400   IN      NS      ds2.mydomain.net.
mydomain.net. 86400   IN      NS      ds1.mydomain.net.

;; ADDITIONAL SECTION:
ds1.mydomain.net. 1200 IN     A       192.168.10.11
ds2.mydomain.net. 1200 IN     A       192.168.10.12

;; Query time: 0 msec
;; SERVER: 192.168.10.11#53(192.168.10.11)
;; WHEN: Mon Sep 26 13:09:08 PDT 2016
;; MSG SIZE  rcvd: 214

[john@wsai ~]$ 
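The setup program later picks its LDAP server from exactly these SRV records (the "DNS domain LDAP SRV record" policy). The following Python is an added example, not code from the article or the oVirt project: it parses dig output like the above and orders the targets the way an RFC 2782 client does, lowest priority first with ties broken by weight, and turns the result into the ldap:// URIs the setup program reports connecting to. DIG_ANSWER is a constructed copy of the answer above; the seed parameter exists only to make the weighted choice reproducible.

```python
"""Parse an _ldap._tcp SRV answer and order the targets as an RFC 2782 client would.

Added example, not part of the wiki article.  DIG_ANSWER is a constructed
copy of the dig output shown in the article; real input comes from
`dig _ldap._tcp.<domain> SRV` or a resolver library.
"""
import random
import re
from dataclasses import dataclass

# Constructed sample: the article's dig answer, comment lines included,
# so the parser has to skip everything that is not an SRV record.
DIG_ANSWER = """\
;; QUESTION SECTION:
;_ldap._tcp.mydomain.net. IN  SRV

;; ANSWER SECTION:
_ldap._tcp.mydomain.net. 86400 IN SRV 0 100 389 ds2.mydomain.net.
_ldap._tcp.mydomain.net. 86400 IN SRV 0 100 389 ds1.mydomain.net.

;; ADDITIONAL SECTION:
ds1.mydomain.net. 1200 IN     A       192.168.10.11
"""

SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(text):
    """Return the SRV records found in dig-style output; other lines are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if m:
            records.append(SrvRecord(int(m["priority"]), int(m["weight"]),
                                     int(m["port"]), m["target"].rstrip(".")))
    return records


def order_targets(records, seed=None):
    """RFC 2782 selection: ascending priority, weighted random within a priority.

    `seed` is only for reproducible tests; production callers leave it None.
    """
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            if total == 0:
                pick = rng.choice(bucket)
            else:
                x = rng.randrange(total)      # 0 .. total-1
                acc = 0
                for r in bucket:
                    acc += r.weight
                    if x < acc:               # weight-0 records are never hit here
                        pick = r
                        break
            ordered.append(pick)
            bucket.remove(pick)
    return ordered


def ldap_uris(records, scheme="ldap"):
    """Connection URIs in try order, e.g. ldap://ds1.mydomain.net:389 (startTLS is negotiated later)."""
    return [f"{scheme}://{r.target}:{r.port}" for r in records]


if __name__ == "__main__":
    for uri in ldap_uris(order_targets(parse_srv(DIG_ANSWER))):
        print(uri)
```

With the two equal-priority, equal-weight records from the article, either ds1 or ds2 may come first on any run; a record with a lower priority number always precedes a higher one regardless of weight.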

Group svcaccounts

Create a new group "svcaccounts" for use by service accounts.

[john@wsai ~]$ ipa group-add svcaccounts --desc="Service Account Group"
-------------------------
Added group "svcaccounts"
-------------------------
  Group name: svcaccounts
  Description: Service Account Group
  GID: 261200001
[john@wsai ~]$ 

Password Policy

Create a new password policy for group "svcaccounts" with a maximum password life of 365 days, a minimum life of four hours, a history of five passwords, a minimum length of 16 characters, and at most 10 failures within one hour before the account is locked for fifteen minutes. The 365 days is really too long, so set it to meet your organization's password requirements.

[john@wsai ~]$ ipa pwpolicy-add svcaccounts --maxlife=365 --minlife=4 --history=5 --minlength=16 --maxfail=10 --failinterval=3600 --lockouttime=900 --priority=1
  Group: svcaccounts
  Max lifetime (days): 365
  Min lifetime (hours): 4
  History size: 5
  Min length: 16
  Priority: 1
  Max failures: 10
  Failure reset interval: 3600
  Lockout duration: 900
[john@wsai ~]$ 

You can update the password policy settings using pwpolicy-mod.

Create user account

Create the user account, that is, the service account "svcldapbind."

[john@wsai ~]$ ipa user-add svcldapbind --first=svcldapbind --last=SVCAccount --password
Password: 
Enter Password again to verify: 
------------------------
Added user "svcldapbind"
------------------------
  User login: svcldapbind
  First name: svcldapbind
  Last name: SVCAccount
  Full name: svcldapbind SVCAccount
  Display name: svcldapbind SVCAccount
  Initials: sS
  Home directory: /home/svcldapbind
  GECOS: svcldapbind SVCAccount
  Login shell: /bin/sh
  Kerberos principal: svcldapbind@MYDOMAIN.NET
  Email address: svcldapbind@mydomain.net
  UID: 261200003
  GID: 261200003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[john@wsai ~]$ 

Obtain the user's distinguished name (DN) with user-show and note the value of "dn:"; it is needed later as the search user DN when the LDAP extension is configured.

[john@ds1 ~]$ ipa user-show svcldapbind --all
  dn: uid=svcldapbind,cn=users,cn=accounts,dc=mydomain,dc=net
  User login: svcldapbind
  First name: svcldapbind
  Last name: SVCAccount
  Full name: svcldapbind SVCAccount
  Display name: svcldapbind SVCAccount
  Initials: sS
  Home directory: /home/svcldapbind
  GECOS: svcldapbind SVCAccount
  Login shell: /bin/sh
  Kerberos principal: svcldapbind@MYDOMAIN.NET
  Email address: svcldapbind@mydomain.net
  UID: 261200003
  GID: 261200003
  Account disabled: False
  Preserved user: False
  Password: True
  Member of groups: ipausers, svcaccounts
  Kerberos keys available: True
  ipauniqueid: 8d680e3d-843c-11e6-a4da-001a4a160321
  krbextradata: AALDjOlXa3GlbWluZEBJTlRSQU5FVC5IQVJNT05TT15xTkVUAA==
  krblastpwdchange: 20160926210155Z
  krblastsuccessfulauth: 20160926210155Z
  krbloginfailedcount: 0
  krbpasswordexpiration: 20170926210155Z
  krbpwdpolicyreference: cn=svcaccounts,cn=MYDOMAIN.NET,cn=kerberos,dc=mydomain,dc=net
  krbticketflags: 128
  mepmanagedentry: cn=svcldapbind,cn=groups,cn=accounts,dc=mydomain,dc=net
  objectclass: ipaSshGroupOfPubKeys, ipaobject, mepOriginEntry, person, top, ipasshuser,
               inetorgperson, organizationalperson, krbticketpolicyaux, krbprincipalaux, inetuser,
               posixaccount

Add to Group

To apply the password policy, add user svcldapbind to group svcaccounts.

[john@wsai ~]$ ipa group-add-member svcaccounts --user=svcldapbind
  Group name: svcaccounts
  Description: Service Account Group
  GID: 261200001
  Member users: svcldapbind
-------------------------
Number of members added 1

Set Password

[john@wsai ~]$ kinit svcldapbind
Password for svcldapbind@MYDOMAIN.NET: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

Nifty password generator found at the URL below, but note it does not support SSL.

http://passwordsgenerator.net/
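The policy created above sets limits a candidate password can be checked against, and the "Set Password" step needs a secret that meets them. The following Python is an added example, not code from the article or from FreeIPA: it generates a policy-compliant password offline with the standard library's CSPRNG (an alternative to the HTTP-only web generator linked above), checks a candidate against the length and history limits, and models the lockout that --maxfail, --failinterval and --lockouttime describe. The numbers are the article's; LockoutState is a simplified reading of those three options rather than FreeIPA's implementation, and keeping the history as SHA-256 digests is this example's own convention.

```python
"""Generate and vet a service-account password against the svcaccounts policy,
and model the lockout that --maxfail/--failinterval/--lockouttime describe.

Added example, not part of the wiki article or FreeIPA.  The policy numbers
are the ones from the article's ipa pwpolicy-add command; LockoutState is a
simplified model of those options, not FreeIPA's own implementation.
"""
import hashlib
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    minlength: int = 16        # --minlength
    history: int = 5           # --history
    maxfail: int = 10          # --maxfail
    failinterval: int = 3600   # --failinterval, seconds
    lockouttime: int = 900     # --lockouttime, seconds


SVCACCOUNTS = PasswordPolicy()

# Symbols limited to ones that paste cleanly into a terminal prompt.
ALPHABET = string.ascii_letters + string.digits + "!#%+,-./:=@_"


def password_digest(password: str) -> str:
    """Digest used to keep a history without storing the passwords themselves."""
    return hashlib.sha256(password.encode()).hexdigest()


def generate_service_password(length: int = 32, policy: PasswordPolicy = SVCACCOUNTS) -> str:
    """Offline replacement for a web generator: CSPRNG from the secrets module."""
    if length < policy.minlength:
        raise ValueError(f"length {length} below policy minimum {policy.minlength}")
    while True:   # resample until every character class is present
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


def check_password(candidate: str, previous_digests: List[str],
                   policy: PasswordPolicy = SVCACCOUNTS) -> List[str]:
    """Policy violations for a candidate; `previous_digests` is newest first."""
    problems = []
    if len(candidate) < policy.minlength:
        problems.append(f"shorter than minlength {policy.minlength}")
    if password_digest(candidate) in previous_digests[:policy.history]:
        problems.append(f"reused within the last {policy.history} passwords")
    return problems


@dataclass
class LockoutState:
    """Failed-bind bookkeeping for one account (times are epoch seconds)."""
    policy: PasswordPolicy = SVCACCOUNTS
    failed_count: int = 0
    last_failed: Optional[float] = None

    def is_locked(self, now: float) -> bool:
        return (self.failed_count >= self.policy.maxfail
                and self.last_failed is not None
                and now - self.last_failed < self.policy.lockouttime)

    def record_failure(self, now: float) -> bool:
        """Count a failed bind; returns True if the account is now locked."""
        # Failures older than failinterval no longer count toward maxfail.
        if self.last_failed is not None and now - self.last_failed > self.policy.failinterval:
            self.failed_count = 0
        self.failed_count += 1
        self.last_failed = now
        return self.is_locked(now)

    def record_success(self) -> None:
        self.failed_count = 0
        self.last_failed = None


if __name__ == "__main__":
    candidate = generate_service_password()
    print(candidate, check_password(candidate, []) or "meets policy")
```

For a bind account that is only ever used by the engine, a long random value such as the 32-character default is appropriate; the lockout model also shows why --failinterval matters, since ten slow failures spread over more than an hour never reach --maxfail.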


Root CA Certificate

Obtain the public certificate file for your Root CA. You may find the ovirt-engine-extension-aaa-ldap README to be very helpful.

https://github.com/oVirt/ovirt-engine-extension-aaa-ldap

I am using an external Root CA using Dogtag. As such I use the following syntax to export the certificate.

[root@ca ~]# pki ca-cert-show 1 --output rootca.pem

Results

-----------------
Certificate "0x1"
-----------------
  Serial Number: 0x1
  Issuer: CN=CA Signing Certificate,O=mydomain.net Security Domain
  Subject: CN=CA Signing Certificate,O=mydomain.net Security Domain
  Status: VALID
  Not Before: Wed Sep 07 05:56:18 PDT 2016
  Not After: Sun Sep 07 05:56:18 PDT 2036

Alternatively, you may use

[root@ca ~]# pki ca-cert-show "CA Signing Certificate" --output rootca.pem

After obtaining the Root CA certificate, connect to the oVirt engine and copy the PEM certificate file.

[john@ca ~]$ scp rootca.pem [email protected]:~/
[email protected]'s password: 
rootca.pem                                                             100% 1404     1.4KB/s   00:00    

In preparation for setup, move the file to /tmp. Note the contents of /tmp are lost on shutdown.


Note

Update the oVirt Hosted-engine to resolve against the FreeIPA DNS hosts; otherwise, service record lookups will fail. However, if your FreeIPA hosts are themselves managed by the oVirt Hosted-engine, you may need to update the Hosted-engine's /etc/hosts file so that cluster nodes and other dependencies resolve while DNS is unavailable.

TEST!


Install the LDAP extension package.

[root@eng ~]# yum install ovirt-engine-extension-aaa-ldap-setup

Results

=====================================================================================================
 Package                                    Arch        Version            Repository           Size
=====================================================================================================
Installing:
 ovirt-engine-extension-aaa-ldap-setup      noarch      1.1.4-1.el7        ovirt-3.6            35 k
Installing for dependencies:
 ovirt-engine-extension-aaa-ldap            noarch      1.1.4-1.el7        ovirt-3.6           105 k
 python-ldap                                x86_64      2.4.15-2.el7       base                159 k
 unboundid-ldapsdk                          noarch      3.0.0-1.el7        centos-ovirt36      1.7 M

Transaction Summary
=====================================================================================================
Install  1 Package (+3 Dependent packages)

Total download size: 1.9 M
Installed size: 2.7 M
Is this ok [y/d/N]: 

Execute the ovirt-engine-extension-aaa-ldap interactive setup.

[root@eng ~]# ovirt-engine-extension-aaa-ldap-setup

Results

[root@eng ~]# ovirt-engine-extension-aaa-ldap-setup
[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
          Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20160926230431-eskjpo.log
          Version: otopi-1.4.2 (otopi-1.4.2-1.el7.centos)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Please specify profile name that will be visible to users: mydomain.net
          Available LDAP implementations:
           1 - 389ds
           2 - 389ds RFC-2307 Schema
           3 - Active Directory
           4 - IPA
           5 - Novell eDirectory RFC-2307 Schema
           6 - OpenLDAP RFC-2307 Schema
           7 - OpenLDAP Standard Schema
           8 - Oracle Unified Directory RFC-2307 Schema
           9 - RFC-2307 Schema (Generic)
          10 - RHDS
          11 - RHDS RFC-2307 Schema
          12 - iPlanet
          Please select: 4
          NOTE:
          It is highly recommended to use DNS resolution for LDAP server.
          If for some reason you intend to use hosts or plain address disable DNS usage.
          Use DNS (Yes, No) [Yes]: 
          Available policy method:
           1 - Single server
           2 - DNS domain LDAP SRV record
           3 - Round-robin between multiple hosts
           4 - Failover between multiple hosts
          Please select: 2
          Please enter DNS domain: mydomain.net
[ INFO  ] Trying to resolve domain 'mydomain.net'
          NOTE:
          It is highly recommended to use secure protocol to access the LDAP server.
          Protocol startTLS is the standard recommended method to do so.
          Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
          Use plain for test environments only.
          Please select protocol to use (startTLS, ldaps, plain) [startTLS]: 
          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
          File path: /tmp/rootca.pem
[ INFO  ] Resolving SRV record 'mydomain.net'
[ INFO  ] Connecting to LDAP using 'ldap://ds1.mydomain.net:389'
[ INFO  ] Executing startTLS
[ INFO  ] Connection succeeded
          Enter search user DN (empty for anonymous): uid=svcldapbind,cn=users,cn=accounts,dc=mydomain,dc=net
          Enter search user password: 
[ INFO  ] Attempting to bind using 'uid=svcldapbind,cn=users,cn=accounts,dc=mydomain,dc=net'
[ INFO  ] Stage: Setup validation
          NOTE:
          It is highly recommended to test drive the configuration before applying it into engine.
          Perform at least one Login sequence and one Search sequence.
          Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Login
          Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Login
          Enter user name: admin
          Enter user password: 
[ INFO  ] Executing login sequence...
          Login output:
          2016-09-26 23:21:50 INFO    ========================================================================
          2016-09-26 23:21:50 INFO    ============================ Initialization ============================
          2016-09-26 23:21:50 INFO    ========================================================================
          2016-09-26 23:21:50 INFO    Loading extension 'mydomain.net-authn'
          2016-09-26 23:21:50 INFO    Extension 'mydomain.net-authn' loaded
          2016-09-26 23:21:50 INFO    Loading extension 'mydomain.net-authz'
          2016-09-26 23:21:50 INFO    Extension 'mydomain.net-authz' loaded
          2016-09-26 23:21:50 INFO    Extension 'mydomain.net-authz' loaded
          2016-09-26 23:21:50 INFO    Initializing extension 'mydomain.net-authn'
          2016-09-26 23:21:50 INFO    [ovirt-engine-extension-aaa-ldap.authn::mydomain.net-authn] Creating LDAP pool 'authz'
          2016-09-26 23:21:51 INFO    [ovirt-engine-extension-aaa-ldap.authn::mydomain.net-authn] LDAP pool 'authz' information: vendor='389 Project' version='389-Directory/1.3.5.13 B2016.221.207'
          2016-09-26 23:21:51 INFO    [ovirt-engine-extension-aaa-ldap.authn::mydomain.net-authn] Creating LDAP pool 'authn'
          2016-09-26 23:21:51 INFO    [ovirt-engine-extension-aaa-ldap.authn::mydomain.net-authn] LDAP pool 'authn' information: vendor='389 Project' version='389-Directory/1.3.5.13 B2016.221.207'
          2016-09-26 23:21:51 INFO    Extension 'mydomain.net-authn' initialized
          2016-09-26 23:21:51 INFO    Initializing extension 'mydomain.net-authz'
          2016-09-26 23:21:51 INFO    [ovirt-engine-extension-aaa-ldap.authz::mydomain.net-authz] Creating LDAP pool 'authz'
          2016-09-26 23:21:51 INFO    [ovirt-engine-extension-aaa-ldap.authz::mydomain.net-authz] LDAP pool 'authz' information: vendor='389 Project' version='389-Directory/1.3.5.13 B2016.221.207'
          2016-09-26 23:21:51 INFO    [ovirt-engine-extension-aaa-ldap.authz::mydomain.net-authz] Available Namespaces: [dc=mydomain,dc=net]
          2016-09-26 23:21:51 INFO    Extension 'mydomain.net-authz' initialized
          2016-09-26 23:21:51 INFO    Start of enabled extensions list
          2016-09-26 23:21:51 INFO    Instance name: 'mydomain.net-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.1.4', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.4-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmprzOG1q/extensions.d/mydomain.net-authn.properties', Initialized: 'true'
          2016-09-26 23:21:51 INFO    Instance name: 'mydomain.net-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.1.4', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.4-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmprzOG1q/extensions.d/mydomain.net-authz.properties', Initialized: 'true'
          2016-09-26 23:21:51 INFO    End of enabled extensions list
          2016-09-26 23:21:51 INFO    ========================================================================
          2016-09-26 23:21:51 INFO    ============================== Execution ===============================
          2016-09-26 23:21:51 INFO    ========================================================================
          2016-09-26 23:21:51 INFO    Profile='mydomain.net' authn='mydomain.net-authn' authz='mydomain.net-authz' mapping='null'
          2016-09-26 23:21:51 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='admin'
          2016-09-26 23:21:51 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
          2016-09-26 23:21:51 INFO    --- Begin AuthRecord ---
          2016-09-26 23:21:51 INFO    AAA_AUTHN_AUTH_RECORD_PRINCIPAL: admin
          2016-09-26 23:21:51 INFO    --- End   AuthRecord ---
          2016-09-26 23:21:51 INFO    API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='admin'
          2016-09-26 23:21:51 INFO    API: <--Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD status=SUCCESS
          2016-09-26 23:21:51 INFO    --- Begin PrincipalRecord ---
          2016-09-26 23:21:51 INFO    AAA_AUTHZ_PRINCIPAL_PRINCIPAL: admin
          2016-09-26 23:21:51 INFO    AAA_AUTHZ_PRINCIPAL_LAST_NAME: Administrator
          2016-09-26 23:21:51 INFO    AAA_LDAP_UNBOUNDID_DN: uid=admin,cn=users,cn=accounts,dc=mydomain,dc=net
          2016-09-26 23:21:51 INFO    AAA_AUTHZ_PRINCIPAL_NAMESPACE: dc=mydomain,dc=net
          2016-09-26 23:21:51 INFO    AAA_AUTHZ_PRINCIPAL_ID: c0753cca-7d5d-11e6-9893-001a4a160156
          2016-09-26 23:21:51 INFO    AAA_AUTHZ_PRINCIPAL_NAME: admin
          2016-09-26 23:21:51 INFO      --- Begin GroupRecord ---
          2016-09-26 23:21:51 INFO      AAA_AUTHZ_GROUP_DISPLAY_NAME: Account administrators group
          2016-09-26 23:21:51 INFO      AAA_AUTHZ_GROUP_ID: c0795102-7d5d-11e6-bf28-001a4a160156
          2016-09-26 23:21:51 INFO      AAA_AUTHZ_GROUP_NAMESPACE: dc=mydomain,dc=net
          2016-09-26 23:21:51 INFO      AAA_LDAP_UNBOUNDID_DN: cn=admins,cn=groups,cn=accounts,dc=mydomain,dc=net
          2016-09-26 23:21:51 INFO      AAA_AUTHZ_GROUP_NAME: admins
          2016-09-26 23:21:51 INFO      --- End   GroupRecord ---
          2016-09-26 23:21:51 INFO      --- Begin GroupRecord ---
          2016-09-26 23:21:51 INFO      AAA_AUTHZ_GROUP_DISPLAY_NAME: Trusts administrators group
          2016-09-26 23:21:51 INFO      AAA_AUTHZ_GROUP_ID: 8c319490-7d62-11e6-984d-001a4a160156
          2016-09-26 23:21:51 INFO      AAA_AUTHZ_GROUP_NAMESPACE: dc=mydomain,dc=net
          2016-09-26 23:21:51 INFO      AAA_LDAP_UNBOUNDID_DN: cn=trust admins,cn=groups,cn=accounts,dc=mydomain,dc=net
          2016-09-26 23:21:51 INFO      AAA_AUTHZ_GROUP_NAME: trust admins
          2016-09-26 23:21:51 INFO      --- End   GroupRecord ---
          2016-09-26 23:21:51 INFO    --- End   PrincipalRecord ---
[ INFO  ] Login sequence executed successfully
          Please make sure that user details are correct and group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
          Abort if output is incorrect.
          Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Search
          Select entity to search (Principal, Group) [Principal]: 
          Term to search, trailing '*' is allowed: svcldap*
          Resolve Groups (Yes, No) [No]: Yes
[ INFO  ] Executing search sequence...
          Login output:
          2016-09-26 23:22:28 INFO    ========================================================================
          2016-09-26 23:22:28 INFO    ============================ Initialization ============================
          2016-09-26 23:22:28 INFO    ========================================================================
          2016-09-26 23:22:28 INFO    Loading extension 'mydomain.net-authn'
          2016-09-26 23:22:28 INFO    Extension 'mydomain.net-authn' loaded
          2016-09-26 23:22:28 INFO    Loading extension 'mydomain.net-authz'
          2016-09-26 23:22:28 INFO    Extension 'mydomain.net-authz' loaded
          2016-09-26 23:22:28 INFO    Initializing extension 'mydomain.net-authn'
          2016-09-26 23:22:28 INFO    [ovirt-engine-extension-aaa-ldap.authn::mydomain.net-authn] Creating LDAP pool 'authz'
          2016-09-26 23:22:28 INFO    [ovirt-engine-extension-aaa-ldap.authn::mydomain.net-authn] LDAP pool 'authz' information: vendor='389 Project' version='389-Directory/1.3.5.13 B2016.221.207'
          2016-09-26 23:22:28 INFO    [ovirt-engine-extension-aaa-ldap.authn::mydomain.net-authn] Creating LDAP pool 'authn'
          2016-09-26 23:22:28 INFO    [ovirt-engine-extension-aaa-ldap.authn::mydomain.net-authn] LDAP pool 'authn' information: vendor='389 Project' version='389-Directory/1.3.5.13 B2016.221.207'
          2016-09-26 23:22:28 INFO    Extension 'mydomain.net-authn' initialized
          2016-09-26 23:22:28 INFO    Initializing extension 'mydomain.net-authz'
          2016-09-26 23:22:28 INFO    [ovirt-engine-extension-aaa-ldap.authz::mydomain.net-authz] Creating LDAP pool 'authz'
          2016-09-26 23:22:29 INFO    [ovirt-engine-extension-aaa-ldap.authz::mydomain.net-authz] LDAP pool 'authz' information: vendor='389 Project' version='389-Directory/1.3.5.13 B2016.221.207'
          2016-09-26 23:22:29 INFO    [ovirt-engine-extension-aaa-ldap.authz::mydomain.net-authz] Available Namespaces: [dc=mydomain,dc=net]
          2016-09-26 23:22:29 INFO    Extension 'mydomain.net-authz' initialized
          2016-09-26 23:22:29 INFO    Start of enabled extensions list
          2016-09-26 23:22:29 INFO    Instance name: 'mydomain.net-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.1.4', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.4-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmprzOG1q/extensions.d/mydomain.net-authn.properties', Initialized: 'true'
          2016-09-26 23:22:29 INFO    Instance name: 'mydomain.net-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.1.4', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.4-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmprzOG1q/extensions.d/mydomain.net-authz.properties', Initialized: 'true'
          2016-09-26 23:22:29 INFO    End of enabled extensions list
          2016-09-26 23:22:29 INFO    ========================================================================
          2016-09-26 23:22:29 INFO    ============================== Execution ===============================
          2016-09-26 23:22:29 INFO    ========================================================================
          2016-09-26 23:22:29 INFO    --- Begin QueryFilterRecord ---
          2016-09-26 23:22:29 INFO    AAA_AUTHZ_QUERY_FILTER_OPERATOR: 102
          2016-09-26 23:22:29 INFO    AAA_AUTHZ_QUERY_ENTITY: AAA_AUTHZ_QUERY_ENTITY_PRINCIPAL[1695cd36-4656-474f-b7bc-4466e12634e4]
          2016-09-26 23:22:29 INFO      --- Begin QueryFilterRecord ---
          2016-09-26 23:22:29 INFO      AAA_AUTHZ_QUERY_FILTER_OPERATOR: 0
          2016-09-26 23:22:29 INFO      AAA_AUTHZ_QUERY_FILTER_KEY: Extkey[name=AAA_AUTHZ_PRINCIPAL_NAME;type=class java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL_NAME[a0df5bcc-6ead-40a2-8565-2f5cc8773bdd];]
          2016-09-26 23:22:29 INFO      AAA_AUTHZ_PRINCIPAL_NAME: svcldap*
          2016-09-26 23:22:29 INFO      --- End QueryFilterRecord ---
          2016-09-26 23:22:29 INFO    --- End QueryFilterRecord ---
          2016-09-26 23:22:29 INFO    API: -->Authz.InvokeCommands.QUERY_OPEN namespace='dc=mydomain,dc=net'
          2016-09-26 23:22:29 INFO    API: <--Authz.InvokeCommands.QUERY_OPEN
          2016-09-26 23:22:29 INFO    API: -->Authz.InvokeCommands.QUERY_EXECUTE
          2016-09-26 23:22:29 INFO    API: <--Authz.InvokeCommands.QUERY_EXECUTE count=1
          2016-09-26 23:22:29 INFO    --- Begin PrincipalRecord ---
          2016-09-26 23:22:29 INFO    AAA_AUTHZ_PRINCIPAL_PRINCIPAL: svcldapbind
          2016-09-26 23:22:29 INFO    AAA_AUTHZ_PRINCIPAL_LAST_NAME: SVCAccount
          2016-09-26 23:22:29 INFO    AAA_AUTHZ_PRINCIPAL_EMAIL: svcldapbind@mydomain.net
          2016-09-26 23:22:29 INFO    AAA_LDAP_UNBOUNDID_DN: uid=svcldapbind,cn=users,cn=accounts,dc=mydomain,dc=net
          2016-09-26 23:22:29 INFO    AAA_AUTHZ_PRINCIPAL_NAMESPACE: dc=mydomain,dc=net
          2016-09-26 23:22:29 INFO    AAA_AUTHZ_PRINCIPAL_ID: 8d680f2c-842b-11e6-a4da-001a4a160156
          2016-09-26 23:22:29 INFO    AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: svcldapbind SVCAccount
          2016-09-26 23:22:29 INFO    AAA_AUTHZ_PRINCIPAL_NAME: svcldapbind
          2016-09-26 23:22:29 INFO    AAA_AUTHZ_PRINCIPAL_FIRST_NAME: svcldapbind
          2016-09-26 23:22:29 INFO      --- Begin GroupRecord ---
          2016-09-26 23:22:29 INFO      AAA_AUTHZ_GROUP_DISPLAY_NAME: Default group for all users
          2016-09-26 23:22:29 INFO      AAA_AUTHZ_GROUP_ID: c07b3134-7d5d-11e6-b74b-001a4a160156
          2016-09-26 23:22:29 INFO      AAA_AUTHZ_GROUP_NAMESPACE: dc=mydomain,dc=net
          2016-09-26 23:22:29 INFO      AAA_LDAP_UNBOUNDID_DN: cn=ipausers,cn=groups,cn=accounts,dc=mydomain,dc=net
          2016-09-26 23:22:29 INFO      AAA_AUTHZ_GROUP_NAME: ipausers
          2016-09-26 23:22:29 INFO      --- End   GroupRecord ---
          2016-09-26 23:22:29 INFO      --- Begin GroupRecord ---
          2016-09-26 23:22:29 INFO      AAA_AUTHZ_GROUP_DISPLAY_NAME: Service Account Group
          2016-09-26 23:22:29 INFO      AAA_AUTHZ_GROUP_ID: 1e208c34-8426-11e6-8ae4-001a4a160156
          2016-09-26 23:22:29 INFO      AAA_AUTHZ_GROUP_NAMESPACE: dc=mydomain,dc=net
          2016-09-26 23:22:29 INFO      AAA_LDAP_UNBOUNDID_DN: cn=svcaccounts,cn=groups,cn=accounts,dc=mydomain,dc=net
          2016-09-26 23:22:29 INFO      AAA_AUTHZ_GROUP_NAME: svcaccounts
          2016-09-26 23:22:29 INFO      --- End   GroupRecord ---
          2016-09-26 23:22:29 INFO    --- End   PrincipalRecord ---
          2016-09-26 23:22:29 INFO    API: -->Authz.InvokeCommands.QUERY_EXECUTE
          2016-09-26 23:22:29 INFO    API: <--Authz.InvokeCommands.QUERY_EXECUTE count=END
          2016-09-26 23:22:29 INFO    API: -->Authz.InvokeCommands.QUERY_CLOSE
          2016-09-26 23:22:29 INFO    API: <--Authz.InvokeCommands.QUERY_CLOSE
[ INFO  ] Search sequence executed successfully
          Please make sure that entity details are correct and that depending on the type of the query group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
          Abort if output is incorrect
          Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Done
[ INFO  ] Stage: Transaction setup
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Package installation
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Transaction commit
[ INFO  ] Stage: Closing up
          CONFIGURATION SUMMARY
          Profile name is: mydomain.net
          The following files were created:
              /etc/ovirt-engine/aaa/mydomain.net.jks
              /etc/ovirt-engine/aaa/mydomain.net.properties
              /etc/ovirt-engine/extensions.d/mydomain.net-authz.properties
              /etc/ovirt-engine/extensions.d/mydomain.net-authn.properties
[ INFO  ] Stage: Clean up
          Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20160926230431-eskjpo.log:
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination
[root@eng ~]# 
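The setup program asks you to inspect the PrincipalRecord and GroupRecord blocks by eye before committing. The following Python is an added example, not code from the article or the oVirt extension: it parses the Login/Search test output into nested records and checks that a principal carries the expected groups and namespace, so the test-drive output can be verified mechanically rather than by scrolling. LOGIN_OUTPUT is a constructed, trimmed copy of the Login sequence shown above.

```python
"""Parse the Login/Search test output of ovirt-engine-extension-aaa-ldap-setup.

Added example, not part of the wiki article or the oVirt extension.
LOGIN_OUTPUT is a constructed, trimmed copy of the Login sequence shown in
the article; real input is the same text captured from the terminal.
"""
import re

LOGIN_OUTPUT = """\
[ INFO  ] Executing login sequence...
          Login output:
          2016-09-26 23:21:51 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='admin'
          2016-09-26 23:21:51 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
          2016-09-26 23:21:51 INFO    --- Begin AuthRecord ---
          2016-09-26 23:21:51 INFO    AAA_AUTHN_AUTH_RECORD_PRINCIPAL: admin
          2016-09-26 23:21:51 INFO    --- End   AuthRecord ---
          2016-09-26 23:21:51 INFO    --- Begin PrincipalRecord ---
          2016-09-26 23:21:51 INFO    AAA_AUTHZ_PRINCIPAL_PRINCIPAL: admin
          2016-09-26 23:21:51 INFO    AAA_LDAP_UNBOUNDID_DN: uid=admin,cn=users,cn=accounts,dc=mydomain,dc=net
          2016-09-26 23:21:51 INFO    AAA_AUTHZ_PRINCIPAL_NAMESPACE: dc=mydomain,dc=net
          2016-09-26 23:21:51 INFO    AAA_AUTHZ_PRINCIPAL_NAME: admin
          2016-09-26 23:21:51 INFO      --- Begin GroupRecord ---
          2016-09-26 23:21:51 INFO      AAA_LDAP_UNBOUNDID_DN: cn=admins,cn=groups,cn=accounts,dc=mydomain,dc=net
          2016-09-26 23:21:51 INFO      AAA_AUTHZ_GROUP_NAME: admins
          2016-09-26 23:21:51 INFO      --- End   GroupRecord ---
          2016-09-26 23:21:51 INFO      --- Begin GroupRecord ---
          2016-09-26 23:21:51 INFO      AAA_AUTHZ_GROUP_NAME: trust admins
          2016-09-26 23:21:51 INFO      --- End   GroupRecord ---
          2016-09-26 23:21:51 INFO    --- End   PrincipalRecord ---
[ INFO  ] Login sequence executed successfully
"""

LOG_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \w+\s+(.*)$")
MARKER = re.compile(r"^--- (Begin|End)\s+(\w+) ---$")
AUTHN_RESULT = re.compile(r"AUTHENTICATE_CREDENTIALS result=(\w+)")


def parse_records(text):
    """Return top-level records as nested dicts: {'type', 'attrs', 'children'}."""
    root = {"type": "root", "attrs": {}, "children": []}
    stack = [root]
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue                      # prompts, stage lines, blank lines
        body = m.group(1).strip()
        mk = MARKER.match(body)
        if mk:
            kind, rtype = mk.groups()
            if kind == "Begin":
                rec = {"type": rtype, "attrs": {}, "children": []}
                stack[-1]["children"].append(rec)
                stack.append(rec)
            elif len(stack) < 2 or stack[-1]["type"] != rtype:
                raise ValueError(f"unbalanced End {rtype}")
            else:
                stack.pop()
        elif stack[-1] is not root and ":" in body:
            # DNs contain '=' and ',' but the first ':' always ends the key.
            key, _, value = body.partition(":")
            stack[-1]["attrs"][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError(f"unterminated {stack[-1]['type']}")
    return root["children"]


def authn_result(text):
    """'SUCCESS' or the failure word reported by the authn extension; None if absent."""
    m = AUTHN_RESULT.search(text)
    return m.group(1) if m else None


def principal_groups(records):
    """Map each PrincipalRecord's name to the set of group names it carries."""
    return {
        rec["attrs"].get("AAA_AUTHZ_PRINCIPAL_NAME"): {
            c["attrs"].get("AAA_AUTHZ_GROUP_NAME")
            for c in rec["children"] if c["type"] == "GroupRecord"
        }
        for rec in records if rec["type"] == "PrincipalRecord"
    }


def verify_membership(text, principal, required, namespace="dc=mydomain,dc=net"):
    """Problems found comparing the test-drive output with expectations (empty list = OK)."""
    problems = []
    result = authn_result(text)
    if result not in (None, "SUCCESS"):   # Search output carries no authn line
        problems.append(f"authentication result {result}")
    records = parse_records(text)
    groups = principal_groups(records)
    if principal not in groups:
        problems.append(f"no PrincipalRecord for {principal}")
        return problems
    missing = sorted(set(required) - groups[principal])
    if missing:
        problems.append(f"{principal} missing groups: {missing}")
    for rec in records:
        if rec["type"] == "PrincipalRecord":
            ns = rec["attrs"].get("AAA_AUTHZ_PRINCIPAL_NAMESPACE")
            if ns != namespace:
                problems.append(f"unexpected namespace {ns!r}")
    return problems


if __name__ == "__main__":
    print(verify_membership(LOGIN_OUTPUT, "admin", ["admins"]) or "login output matches expectations")
```

The same parser handles the Search sequence output, whose PrincipalRecord for svcldapbind should list ipausers and svcaccounts; an unexpected namespace or a missing group is exactly the condition under which the setup program tells you to abort.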

Restart ovirt-engine service:

[root@eng ~]# systemctl restart ovirt-engine

Refresh your browser and the "mydomain.net" profile is now available for use.

References

Create Groups

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/user-groups.html#Configuring_IPA_Groups-Creating_IPA_Groups

Password Policy

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html

Create User

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-users-lifecycle.html

SSL & TLS

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Setting_Up_SSL_or_TLS_Connections_between_the_Manager_and_an_LDAP_Server.html

External LDAP Provider

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/sect-Configuring_an_External_LDAP_Provider.html#Configuring_an_External_LDAP_Provider

Next

Next article in the series is Secure Remote Access with SoftEther VPN Server and Client 4.2.