Authenticating RHEV / oVirt users with Active Directory

This guide explains how to integrate oVirt or RHEV with Active Directory for web console authentication. Red Hat Virtualization / oVirt has two types of user authentication domains: local domains and external domains. During Manager installation, a default local domain named internal is created together with the default user admin.

Local user accounts can be created in the local domain after installation. You can also create directory users by attaching external directory servers (for example Red Hat Directory Server, Active Directory and OpenLDAP) and using them as external domains.

The ovirt-engine-extension-aaa-ldap extension lets you configure an external LDAP directory for user authentication. It supports many different LDAP server types and ships an interactive setup script that helps set up most of them. Keep in mind that both local users and directory users must be assigned appropriate roles and permissions through the Administration Portal before they can work in the environment.

Setup prerequisites:

  • SSH access to the RHEV / oVirt Manager machine
  • Satellite or Foreman registration, or Internet access, to download packages
  • DNS or LDAP server domain name.
  • A PEM-encoded CA certificate ready for establishing a secure connection between the LDAP server and the Manager.
  • At least one account name and password ready for performing search and login queries against the LDAP server.

Step 1: Install the LDAP extension package

You need to install the ovirt-engine-extension-aaa-ldap package on the Red Hat Virtualization Manager.

sudo yum install ovirt-engine-extension-aaa-ldap-setup

Review the dependencies and confirm the installation.

Dependencies resolved.
=====================================================================================================================================================================================================
 Package                                                         Architecture                     Version                                   Repository                                          Size
=====================================================================================================================================================================================================
Installing:
 ovirt-engine-extension-aaa-ldap-setup                           noarch                           1.4.0-1.el8                               ovirt-4.4                                           25 k
Installing dependencies:
 ovirt-engine-extension-aaa-ldap                                 noarch                           1.4.0-1.el8                               ovirt-4.4                                          126 k
 python3-ldap                                                    x86_64                           3.1.0-5.el8                               AppStream                                          226 k
 python3-pyasn1-modules                                          noarch                           0.3.7-6.el8                               AppStream                                          110 k
 unboundid-ldapsdk                                               noarch                           4.0.14-2.el8                              ovirt-4.4-centos-ovirt44                           4.0 M

Transaction Summary
=====================================================================================================================================================================================================
Install  5 Packages

Total download size: 4.5 M
Installed size: 5.9 M
Is this ok [y/N]: y

After installation, you can get the package details with the rpm command.

$ rpm -qi ovirt-engine-extension-aaa-ldap-setup

Step 2: Set up the external LDAP provider

Configure the external LDAP provider on the RHEV Manager instance using the interactive procedure. Run the following command to start the interactive setup.

sudo ovirt-engine-extension-aaa-ldap-setup

For Active Directory integration, select 3:

[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
          Configuration files: /etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf
          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20200911182615-fnpp55.log
          Version: otopi-1.9.2 (otopi-1.9.2-1.el8)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Available LDAP implementations:
           1 - 389ds
           2 - 389ds RFC-2307 Schema
           3 - Active Directory
           4 - IBM Security Directory Server
           5 - IBM Security Directory Server RFC-2307 Schema
           6 - IPA
           7 - Novell eDirectory RFC-2307 Schema
           8 - OpenLDAP RFC-2307 Schema
           9 - OpenLDAP Standard Schema
          10 - Oracle Unified Directory RFC-2307 Schema
          11 - RFC-2307 Schema (Generic)
          12 - RHDS
          13 - RHDS RFC-2307 Schema
          14 - iPlanet
          Please select: 3

Enter the Active Directory forest name. The example uses example.net; replace it with your forest name.

Please enter Active Directory Forest name: example.net
[ INFO  ] Resolving Global Catalog SRV record for example.net
           
          NOTE:
          It is highly recommended to use secure protocol to access the LDAP server.
          Protocol startTLS is the standard recommended method to do so.
          Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
          Use plain for test environments only.

Select the LDAP protocol to use. The script recommends startTLS and describes plain as suitable for test environments only; this walkthrough proceeds with plain:

Please select protocol to use (startTLS, ldaps, plain) [startTLS]: plain

Set the bind DN and password of the search user.

[ INFO  ] Resolving SRV record 'example.net'
[ INFO  ] Connecting to LDAP using 'ldap://server1.example.net:389'
[ INFO  ] Connection succeeded
          Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirtAdmin,DC=example,DC=net
          Enter search user password: 
[ INFO  ] Attempting to bind using 'CN=oVirtAdmin,DC=example,DC=net'

Agree to Single Sign-On for Virtual Machines if you need this feature.

Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: Yes

Set the profile name.

NOTE:
          Profile name has to match domain name, otherwise Single Sign-On for Virtual Machines will not work.
           
          Please specify profile name that will be visible to users [example.net]: example.net
[ INFO  ] Stage: Setup validation
           
          NOTE:
          It is highly recommended to test drive the configuration before applying it into engine.
          Login sequence is executed automatically, but it is recommended to also execute Search sequence manually after successful Login sequence.

Test the connection and authentication with a directory user.

Please provide credentials to test login flow:
          Enter user name: [email protected]
          Enter user password: 
[ INFO  ] Executing login sequence...
          Login output:

Verify that the login sequence succeeds. If it fails, check the extension log for errors.

[ INFO  ] Login sequence executed successfully
          Please make sure that user details are correct and group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
          Abort if output is incorrect.
          Select test sequence to execute (Done, Abort, Login, Search) [Done]: 
[ INFO  ] Stage: Transaction setup
[ INFO  ] Stage: Misc configuration (early)
[ INFO  ] Stage: Package installation
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Transaction commit
[ INFO  ] Stage: Closing up
          CONFIGURATION SUMMARY
          Profile name is: example.net
          The following files were created:
[ INFO  ] Stage: Clean up
          Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20200911185444-e7rwcx.log:
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination

Your profile is saved under the /etc/ovirt-engine/aaa/ directory, and the extension properties under the /etc/ovirt-engine/extensions.d directory.

$ ls -1 /etc/ovirt-engine/aaa/
internal.properties
example.net.properties

$ ls /etc/ovirt-engine/extensions.d
example.net-authn.properties
example.net-authz.properties
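Because the walkthrough above chose plain and the profile file stores the search user's bind password in vars.password, a practitioner would want to check what the setup actually wrote before relying on it. The shell audit below is an added example, not part of the original guide or of the oVirt project: it writes a constructed sample profile in the documented ovirt-engine-extension-aaa-ldap properties format (key names such as pool.default.ssl.startTLS and vars.password come from that format; the values, file name and temporary location are assumed) and reports whether startTLS is enforced and whether the file is readable by other accounts. It assumes GNU stat, as found on RHEL / CentOS.

```shell
# Added audit helper for an aaa-ldap profile; assumed real path /etc/ovirt-engine/aaa/<profile>.properties

# Write a constructed sample profile in the documented properties format.
# $1 = output path, $2 = value for pool.default.ssl.startTLS (true/false)
make_sample_profile() {
    cat > "$1" <<EOF
include = <ad.properties>
vars.domain = example.net
vars.user = CN=oVirtAdmin,DC=example,DC=net
vars.password = ConstructedSamplePassw0rd
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = \${global:vars.domain}
pool.default.auth.simple.bindDN = \${global:vars.user}
pool.default.auth.simple.password = \${global:vars.password}
pool.default.ssl.startTLS = $2
EOF
}

# Print the first value of a property; $1 = file, $2 = key written as a sed regex
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Succeeds only when startTLS is explicitly true (a missing key counts as off)
profile_uses_starttls() {
    [ "$(get_prop "$1" 'pool\.default\.ssl\.startTLS')" = "true" ]
}

# Succeeds when group and others have no access bits (e.g. 0600), since the
# file holds the search user's bind password in clear. Assumes GNU stat.
profile_is_private() {
    case "$(stat -c '%a' "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

audit_profile() {
    if profile_uses_starttls "$1"; then echo "startTLS: enabled"
    else echo "startTLS: off - bind credentials cross the network in clear (plain)"; fi
    if profile_is_private "$1"; then echo "permissions: ok"
    else echo "permissions: too open for a file holding vars.password"; fi
}

# Stand-alone demo on a constructed profile in a temporary directory
demo_dir=$(mktemp -d)
make_sample_profile "$demo_dir/example.net.properties" false
chmod 644 "$demo_dir/example.net.properties"
audit_profile "$demo_dir/example.net.properties"
rm -rf "$demo_dir"
```

To audit the real profile created by the setup script, call audit_profile with the path of the file listed under /etc/ovirt-engine/aaa/ instead of the constructed sample.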

Restart the oVirt Engine manager service.

sudo systemctl restart ovirt-engine.service

Check the service status. It should be running.

$ systemctl status ovirt-engine.service 
● ovirt-engine.service - oVirt Engine
   Loaded: loaded (/usr/lib/systemd/system/ovirt-engine.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-09-11 19:08:38 EAT; 30s ago
 Main PID: 999555 (ovirt-engine.py)
    Tasks: 345 (limit: 199735)
   Memory: 1.3G
   CGroup: /system.slice/ovirt-engine.service
           ├─999555 /usr/libexec/platform-python /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.py --redirect-output --systemd=notify start
.....

Step 3: Assign roles to users in the oVirt / RHEV Manager web interface

The directory user account does not yet have privileges to manage all oVirt functions. Assign the SuperUser role to make it an administrator account, or otherwise assign specific permissions.

Log in to the dashboard as the admin user, then go to Administration > Configure > System Permissions > Add.

In the next window, select the search profile and namespace, then enter the user name you want to grant permissions to and run the search.

Select the user you want to grant access to, choose the role to assign, and click the button to confirm.

Step 4: Test LDAP login

On the oVirt login screen, select the profile you created for Active Directory.

Enter your AD user name and password and click the "Log In" button. You should get access to the administration dashboard, where you can perform different operations according to your permissions.

The following articles describe more oVirt / RHEV administration tasks. Also check out other related guides on our website.

How to install a standalone oVirt Engine on CentOS 8

How to kill / abort a task in oVirt / RHEV

How to add NFS Data, ISO and Export storage domains to oVirt / RHEV

Install oVirt Guest Agent on CentOS 8 | RHEL 8
