This is quick note on how to configure an oVirt Manager or RHV Manager to use the FreeIPA to provide user external authentication.

Here’s my servers’ information:

  1. IPA server: (CentOS 8.3.2011)
  2. oVirt Hosted-Engine: (CentOS 8.3.2011)
  3. IPA user: ovirtadmin

First, open SSH connection to ovirtm as root and ensure that ovirt-engine-extension-aaa-ldap-setup package is installed. Here is a tip to figure out the name of this package - I’d search for ovirt*ldap.

[root@ovirtm ~]# dnf search ovirt*ldap
ovirt-engine-extension-aaa-ldap.noarch : oVirt Engine LDAP Users Management Extension
[root@ovirtm ~]# dnf list ovirt-engine-extension-aaa-ldap
Last metadata expiration check: 0:40:44 ago on Fri 25 Dec 2020 11:36:59 PM AEDT.
Installed Packages

Then run ovirt-engine-extension-aaa-ldap-setup command.

[root@ovirtm ~]# ovirt-engine-extension-aaa-ldap-setup 
[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
          Configuration files: /etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf
          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20201226001930-al5bfl.log
          Version: otopi-1.9.2 (otopi-1.9.2-1.el8)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Available LDAP implementations:
           1 - 389ds
           2 - 389ds RFC-2307 Schema
           3 - Active Directory
           4 - IBM Security Directory Server
           5 - IBM Security Directory Server RFC-2307 Schema
           6 - IPA
           7 - Novell eDirectory RFC-2307 Schema
           8 - OpenLDAP RFC-2307 Schema
           9 - OpenLDAP Standard Schema
          10 - Oracle Unified Directory RFC-2307 Schema
          11 - RFC-2307 Schema (Generic)
          12 - RHDS
          13 - RHDS RFC-2307 Schema
          14 - iPlanet
          Please select: 

Select number 6, obviously.

          Please select: 6
          It is highly recommended to use DNS resolution for LDAP server.
          If for some reason you intend to use hosts or plain address disable DNS usage.
          Use DNS (Yes, No) [Yes]: 

I don’t want to use DNS, so I select No.

          Use DNS (Yes, No) [Yes]: No
          Available policy method:
           1 - Single server
           2 - DNS domain LDAP SRV record
           3 - Round-robin between multiple hosts
           4 - Failover between multiple hosts
          Please select: 1
          Please enter host address:
[ INFO  ] Trying to resolve host ''
          It is highly recommended to use secure protocol to access the LDAP server.
          Protocol startTLS is the standard recommended method to do so.
          Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
          Use plain for test environments only.
          Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): URL

Hint: We can find the link to the ca.crt by visiting the FreeIPA website.

[ INFO  ] Connecting to LDAP using 'ldap://'
[ INFO  ] Executing startTLS
[ INFO  ] Connection succeeded
          Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous):

Here we need to provide the dn of the FreeIPA user. Tip: The easiest way to find the dn of the user is to run ipa user-find ovirtadmin --all | grep dn command (on the FreeIPA server).

          Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): uid=ovirtadmin,cn=users,cn=accounts,dc=angkorian,dc=io
          Enter search user password:
[ INFO  ] Attempting to bind using 'uid=ovirtadmin,cn=users,cn=accounts,dc=angkorian,dc=io'
          Please enter base DN (dc=angkorian,dc=io) [dc=angkorian,dc=io]: 
          Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: No
          Please specify profile name that will be visible to users []: 
[ INFO  ] Stage: Setup validation
          It is highly recommended to test drive the configuration before applying it into engine.
          Login sequence is executed automatically, but it is recommended to also execute Search sequence manually after successful Login sequence.
          Please provide credentials to test login flow:
          Enter user name: ovirtadmin
          Enter user password:      
[ INFO  ] Executing login sequence...
          Login output:
[ INFO  ] Login sequence executed successfully
          Please make sure that user details are correct and group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
          Abort if output is incorrect.
          Select test sequence to execute (Done, Abort, Login, Search) [Done]: [Hit ENTER]

Make sure to restart the ovirt-engine on the ovirtm node.

[root@ovirtm ~]# systemctl restart ovirt-engine

Go back to the oVirt Manager’s web portal, refresh the page, and try to login with the FreeIPA user. Make sure to select the FreeIPA profile from the list instead of the default internal.

If you see the following message, congratulation you’ve successfully completed configuring the oVirt Manager to use FreeIPA server as an external authentication.

Warning alert:The user is not authorized to perform login 

Maybe in the future, I’ll write another blog post on how to setup the user access/privileges for the FreeIPA user. As for now, ovirtadmin user cannot do anything, hence the above warning message.