主页
产品
Red Hat Virtualization
4.0
管理指南
15.3.2. 附加 Active Directory

15.3.2. 附加 Active Directory

先决条件：

您需要知道 Active Directory 林名称。林名称也称为根域名。
您需要添加可将 Active Directory 林名称解析为 Manager 上的 /etc/resolv.conf 文件的 DNS 服务器，或者记下 Active Directory DNS 服务器，并在交互式设置脚本提示时输入它们。
要在 LDAP 服务器和管理器之间设置安全连接，请确保已准备好 PEM 编码的 CA 证书。如需更多信息，请参阅第 D.2 节 “在 Manager 和 LDAP 服务器之间设置 SSL 或 TLS 连接”。
除非支持匿名搜索，否则需要有权限浏览所有用户和组的用户，才能用作搜索用户。请注意搜索用户的可分辨名称(DN)。不要将管理用户用于 Active Directory。
至少一组帐户名称和密码可以向 Active Directory 执行搜索和登录查询。

过程 15.2. 配置外部 LDAP 提供程序

在 Red Hat Virtualization Manager 上安装 LDAP 扩展软件包：
```
yum install ovirt-engine-extension-aaa-ldap-setup
```
```
# yum install ovirt-engine-extension-aaa-ldap-setup
```
Copy to Clipboard Toggle word wrap
运行 ovirt-engine-extension-aaa-ldap-setup 以启动交互式设置：
```
ovirt-engine-extension-aaa-ldap-setup
```
```
# ovirt-engine-extension-aaa-ldap-setup
```
Copy to Clipboard Toggle word wrap
指定一个配置集名称。配置集名称对登录页面的用户可见。这个示例使用 redhat.com。
```
Please specify profile name that will be visible to users:redhat.com
```
```
Please specify profile name that will be visible to users:redhat.com
```
Copy to Clipboard Toggle word wrap
图 15.2. 管理门户登录页面

View larger image

注意
首次登录时，用户需要从下拉列表中选择所需的配置集。然后，信息会存储在浏览器 Cookie 中，并在下次用户登录时预先选择这些信息。

输入对应的数字来选择 LDAP 类型。此步骤后 LDAP 相关问题因不同的 LDAP 类型而异。

Available LDAP implementations:
1 - 389ds
2 - 389ds RFC-2307 Schema
3 - Active Directory
4 - IPA
5 - Novell eDirectory RFC-2307 Schema
6 - OpenLDAP RFC-2307 Schema
7 - OpenLDAP Standard Schema
8 - Oracle Unified Directory RFC-2307 Schema
9 - RFC-2307 Schema (Generic)
10 - RHDS
11 - RHDS RFC-2307 Schema
12 - iPlanet
Please select: 3

Available LDAP implementations:
1 - 389ds
2 - 389ds RFC-2307 Schema
3 - Active Directory
4 - IPA
5 - Novell eDirectory RFC-2307 Schema
6 - OpenLDAP RFC-2307 Schema
7 - OpenLDAP Standard Schema
8 - Oracle Unified Directory RFC-2307 Schema
9 - RFC-2307 Schema (Generic)
10 - RHDS
11 - RHDS RFC-2307 Schema
12 - iPlanet
Please select: 3

Copy to Clipboard

Toggle word wrap

输入 Active Directory 林名称。如果您的管理器的 DNS 无法解析林名称，脚本会提示您输入由空格分隔的活动目录 DNS 服务器名称列表。

Please enter Active Directory Forest name: ad-example.redhat.com
[ INFO  ] Resolving Global Catalog SRV record for ad-example.redhat.com
[ INFO  ] Resolving LDAP SRV record for ad-example.redhat.com

Please enter Active Directory Forest name: ad-example.redhat.com
[ INFO  ] Resolving Global Catalog SRV record for ad-example.redhat.com
[ INFO  ] Resolving LDAP SRV record for ad-example.redhat.com

Copy to Clipboard

Toggle word wrap

选择 LDAP 服务器支持的安全连接方法，并指定获取 PEM 编码的 CA 证书的方法。file 选项允许您提供证书的完整路径。URL 选项允许您指定证书的 URL。使用 inline 选项在终端中粘贴证书的内容。system 选项允许您指定所有 CA 文件的位置。insecure 选项允许您在不安全的模式中使用 startTLS。

NOTE:
It is highly recommended to use secure protocol to access the LDAP server.
Protocol startTLS is the standard recommended method to do so.
Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
Use plain for test environments only.
Please select protocol to use (startTLS, ldaps, plain) [startTLS]: startTLS
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
Please enter the password:

NOTE:
It is highly recommended to use secure protocol to access the LDAP server.
Protocol startTLS is the standard recommended method to do so.
Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
Use plain for test environments only.
Please select protocol to use (startTLS, ldaps, plain) [startTLS]: startTLS
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
Please enter the password:

Copy to Clipboard

Toggle word wrap

注意

LDAPS 代表轻量级目录访问协议覆盖安全套接字链接。对于 SSL 连接，请选择 ldaps 选项。

有关创建 PEM 编码的 CA 证书的更多信息，请参阅第 D.2 节 “在 Manager 和 LDAP 服务器之间设置 SSL 或 TLS 连接”。

输入搜索用户可分辨名称(DN)。用户必须具有相应的权限，才能浏览目录服务器上的所有用户和组。搜索用户必须是 LDAP 注解。如果允许匿名搜索，请在没有任何输入的情况下按 Enter 键。
```
Enter search user DN (empty for anonymous): uid=user1,ou=Users,dc=test,dc=redhat,dc=com
Enter search user password:
```
```
Enter search user DN (empty for anonymous): uid=user1,ou=Users,dc=test,dc=redhat,dc=com
Enter search user password:
```
Copy to Clipboard Toggle word wrap

测试搜索和登录功能，以确保 LDAP 服务器正确连接到您的 Red Hat Virtualization 环境。对于登录查询，请输入帐户名称和密码。对于搜索查询，请为用户帐户选择 Principal，然后选择 Group for group accounts。如果您希望返回用户帐户的组帐户信息，对于 Resolve Groups 选择 Yes。选择 Done 以完成设置。在屏幕输出中创建并显示三个配置文件。

NOTE:
It is highly recommended to test drive the configuration before applying it into engine.
Perform at least one Login sequence and one Search sequence.
Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Login
Enter search user name: testuser1
Enter search user password:
[ INFO  ] Executing login sequence...
...
Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Search
Select entity to search (Principal, Group) [Principal]:
Term to search, trailing '*' is allowed: testuser1
Resolve Groups (Yes, No) [No]: 
[ INFO  ] Executing login sequence...
...
Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Done
[ INFO  ] Stage: Transaction setup
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Package installation
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Transaction commit
[ INFO  ] Stage: Closing up
          CONFIGURATION SUMMARY
          Profile name is: redhat.com
          The following files were created:
              /etc/ovirt-engine/aaa/redhat.com.properties
              /etc/ovirt-engine/extensions.d/redhat.com-authz.properties
              /etc/ovirt-engine/extensions.d/redhat.com-authn.properties
[ INFO  ] Stage: Clean up
          Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20160114064955-1yar9i.log:
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination

NOTE:
It is highly recommended to test drive the configuration before applying it into engine.
Perform at least one Login sequence and one Search sequence.
Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Login
Enter search user name: testuser1
Enter search user password:
[ INFO  ] Executing login sequence...
...
Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Search
Select entity to search (Principal, Group) [Principal]:
Term to search, trailing '*' is allowed: testuser1
Resolve Groups (Yes, No) [No]: 
[ INFO  ] Executing login sequence...
...
Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Done
[ INFO  ] Stage: Transaction setup
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Package installation
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Transaction commit
[ INFO  ] Stage: Closing up
          CONFIGURATION SUMMARY
          Profile name is: redhat.com
          The following files were created:
              /etc/ovirt-engine/aaa/redhat.com.properties
              /etc/ovirt-engine/extensions.d/redhat.com-authz.properties
              /etc/ovirt-engine/extensions.d/redhat.com-authn.properties
[ INFO  ] Stage: Clean up
          Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20160114064955-1yar9i.log:
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination

Copy to Clipboard

Toggle word wrap

您创建的配置集现在包括在管理门户和开发人员门户登录页面中。要在 LDAP 服务器上分配适当的角色和权限，例如登录到客户门户网站，请参阅第 15.6 节 “从管理门户管理用户任务”。

注意

如需更多信息，请参阅位于 /usr/share/doc/ovirt-engine-extension-aaa-ldap-version 的 LDAP 身份验证和授权扩展 README 文件。

返回顶部

15.3.2. 附加 Active Directory

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links