----- Original Message -----
> From: "David Jaša" <dj...@redhat.com>
> To: devel@ovirt.org
> Sent: Wednesday, July 1, 2015 4:49:26 PM
> Subject: [ovirt-devel] How to create FreeIPA user for ovirt engine
> (engine-manage-domains)?
>
> Hi,
>
> Pretty much any documentation around oVirt use of domains uses an
> undefined user (engine-manage-domains ... --user=[USER]) and maybe
> because of that, virtually all the ovirt tutorials that feature
> FreeIPA/IdM use "admin" user of FreeIPA (engine-manage-domains ...
> --provider=freeipa --user=admin). This leads to a pretty scary situation
> of the administrator password for your identity management system being
> stored for use by another system (ovirt-engine).
Please do not use the legacy provider, use the new one.
http://wiki.ovirt.org/Features/AAA
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD

> So, the right way to do things should be use of a "service user" for
> engine that would have just enough privileges in FreeIPA to work
> correctly. So my questions are:
>
> 1. what are the necessary permissions for such a service user?

Perform queries to locate the user details of those that are trying to
login. No special permission is required.

> 2. how to create such a user? Can it be done through IPA web UI or
> does one need to go through the ldif/ldapmodify route?

I have no idea, you should ask IPA people how to create a user.

Regards,
Alon Bar-Lev.

_______________________________________________
Devel mailing list
Devel@ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel
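To make the "service user with just enough privileges" idea from the thread concrete for the new provider that Alon points to, here is an added example of an ovirt-engine-extension-aaa-ldap profile that binds to FreeIPA with a dedicated search-only account rather than FreeIPA's "admin". This is not code from the thread or from the extension's own README; the hostname, the service account DN and the password are placeholders, and the key names follow the profile format of the README linked above as I recall it, so check them against that README before use.

```properties
# Added example (not from the thread or the extension's docs): an aaa-ldap
# profile for FreeIPA that uses a dedicated read-only service account.
# ipa.example.com, the svc-ovirt-engine DN and CHANGEME are placeholders.
include = <ipa.properties>

vars.server = ipa.example.com
# Service account that exists only so the engine can search user entries;
# it needs no FreeIPA admin role, matching the "no special permission" answer.
vars.user = uid=svc-ovirt-engine,cn=users,cn=accounts,dc=example,dc=com
vars.password = CHANGEME

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
```

The bind password still lives in this file, so treat the profile as a secret: keep it readable only by the engine's service account, and if the service user is ever compromised the exposure is limited to directory reads rather than full IdM administration, which is the whole point of not using "admin" here.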