主页
产品
Red Hat Virtualization
4.0
管理指南
15.3.3. 配置外部 LDAP 提供程序(Manual 方法)

15.3.3. 配置外部 LDAP 提供程序(Manual 方法)

ovirt-engine-extension-aaa-ldap 扩展使用 LDAP 协议访问目录服务器并完全可自定义。除非您要对开发人员门户或管理门户功能启用单点登录，否则不需要 Kerberos 身份验证。

如果上一节中的交互式设置方法没有涵盖您的用例，您可以手动修改配置文件来附加 LDAP 服务器。以下流程使用通用详情。具体值取决于您的设置。

过程 15.3. 手动配置外部 LDAP 提供程序

在 Red Hat Virtualization Manager 上安装 LDAP 扩展软件包：
```
yum install ovirt-engine-extension-aaa-ldap
```
```
# yum install ovirt-engine-extension-aaa-ldap
```
Copy to Clipboard Toggle word wrap
将 LDAP 配置模板文件复制到 /etc/ovirt-engine 目录中。模板文件可用于活动目录(ad)和其他目录类型(简单)。这个示例使用 simple 配置模板。
```
cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/. /etc/ovirt-engine
```
```
# cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/. /etc/ovirt-engine
```
Copy to Clipboard Toggle word wrap

重命名配置文件，使其与管理门户和客户门户网站登录页面中用户可见的配置集名称匹配：

mv /etc/ovirt-engine/aaa/profile1.properties /etc/ovirt-engine/aaa/example.properties
mv /etc/ovirt-engine/extensions.d/profile1-authn.properties /etc/ovirt-engine/extensions.d/example-authn.properties
mv /etc/ovirt-engine/extensions.d/profile1-authz.properties /etc/ovirt-engine/extensions.d/example-authz.properties

# mv /etc/ovirt-engine/aaa/profile1.properties /etc/ovirt-engine/aaa/example.properties
# mv /etc/ovirt-engine/extensions.d/profile1-authn.properties /etc/ovirt-engine/extensions.d/example-authn.properties
# mv /etc/ovirt-engine/extensions.d/profile1-authz.properties /etc/ovirt-engine/extensions.d/example-authz.properties

Copy to Clipboard

Toggle word wrap

通过取消注释 LDAP 服务器类型并更新 domain 和 password 字段来编辑 LDAP 属性配置文件：

 vi /etc/ovirt-engine/aaa/example.properties

#  vi /etc/ovirt-engine/aaa/example.properties

Copy to Clipboard

Toggle word wrap

例 15.1. 配置文件示例：LDAP 服务器部分

Select one
Server
Search user and its password.

# Select one
#
include = <openldap.properties>
#include = <389ds.properties>
#include = <rhds.properties>
#include = <ipa.properties>
#include = <iplanet.properties>
#include = <rfc2307-389ds.properties>
#include = <rfc2307-rhds.properties>
#include = <rfc2307-openldap.properties>
#include = <rfc2307-edir.properties>
#include = <rfc2307-generic.properties>

# Server
#
vars.server = ldap1.company.com

# Search user and its password.
#
vars.user = uid=search,cn=users,cn=accounts,dc=company,dc=com
vars.password = 123456

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

Copy to Clipboard

Toggle word wrap

要使用 TLS 或 SSL 协议与 LDAP 服务器交互，请获取 LDAP 服务器的 root CA 证书，并使用它来创建公共密钥存储文件。取消注释以下行，并指定用于访问该文件的公共密钥存储文件的完整路径。

注意

有关创建公共密钥存储文件的更多信息，请参阅第 D.2 节 “在 Manager 和 LDAP 服务器之间设置 SSL 或 TLS 连接”。

例 15.2. profile: keystore 部分示例

Create keystore, import certificate chain and uncomment
if using tls.

# Create keystore, import certificate chain and uncomment
# if using tls.
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /full/path/to/myrootca.jks
pool.default.ssl.truststore.password = password

Copy to Clipboard

Toggle word wrap

查看身份验证配置文件。该配置集名称对管理门户中的用户可见，开发人员门户登录页面由 ovirt.engine.aaa.authn.profile.name 定义。配置配置文件位置必须与 LDAP 配置文件位置匹配。所有字段都可以保留为默认值。

vi /etc/ovirt-engine/extensions.d/example-authn.properties

# vi /etc/ovirt-engine/extensions.d/example-authn.properties

Copy to Clipboard

Toggle word wrap

例 15.3. 身份验证配置文件示例

ovirt.engine.extension.name = example-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = example
ovirt.engine.aaa.authn.authz.plugin = example-authz
config.profile.file.1 = ../aaa/example.properties

ovirt.engine.extension.name = example-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = example
ovirt.engine.aaa.authn.authz.plugin = example-authz
config.profile.file.1 = ../aaa/example.properties

Copy to Clipboard

Toggle word wrap

检查授权配置文件。配置配置文件位置必须与 LDAP 配置文件位置匹配。所有字段都可以保留为默认值。

vi /etc/ovirt-engine/extensions.d/example-authz.properties

# vi /etc/ovirt-engine/extensions.d/example-authz.properties

Copy to Clipboard

Toggle word wrap

例 15.4. 授权配置文件示例

ovirt.engine.extension.name = example-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/example.properties

ovirt.engine.extension.name = example-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/example.properties

Copy to Clipboard

Toggle word wrap

确保配置配置文件的所有权和权限适当：

chown ovirt:ovirt /etc/ovirt-engine/aaa/example.properties

# chown ovirt:ovirt /etc/ovirt-engine/aaa/example.properties

Copy to Clipboard

Toggle word wrap

chmod 600 /etc/ovirt-engine/aaa/example.properties

# chmod 600 /etc/ovirt-engine/aaa/example.properties

Copy to Clipboard

Toggle word wrap

重启引擎服务：

systemctl restart ovirt-engine.service

# systemctl restart ovirt-engine.service

Copy to Clipboard

Toggle word wrap

您创建的示例配置集现在在管理门户中和 User Portal 登录页面中可用。要在 LDAP 服务器上指定用户帐户，例如登录到客户门户网站，请参阅第 15.6 节 “从管理门户管理用户任务”。

注意

如需更多信息，请参阅位于 /usr/share/doc/ovirt-engine-extension-aaa-ldap-version 的 LDAP 身份验证和授权扩展 README 文件。

返回顶部

15.3.3. 配置外部 LDAP 提供程序(Manual 方法)

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links