2015-11-18 15:51 GMT+01:00 Martin Kosek <[email protected]>:
> On 11/18/2015 08:23 AM, Rob Verduijn wrote:
>> Hello all,
>>
>> I've read a lot regarding service accounts on this mailing list in the past.
>> But it's rather unclear to me what is the current preferred method to
>> create a service account for a service running on a different machine.
>>
>> In this case it would be a service account for oVirt so that FreeIPA
>> users can authenticate in the oVirt portal using their FreeIPA
>> credentials.
>
> It sounds like you do not want a system user account, but you are OK with
> a service account so that you can get a keytab for your oVirt instance. In that
> case, simple
>
> $ ipa service-add HTTP/frontend.ovirt.test
> and
> $ ipa-getkeytab ...
> should be enough, right?
>
> Maybe I just do not understand the use case.
>
>> I could of course create an account and then apply an LDIF to set its
>> password expiration to the next millennium to make sure the password
>> does not expire.
>>
>> Anybody who has a good suggestion on how to deal with this?
>>
>> Cheers
>> Rob Verduijn
>>
>
Hello,

I think some more context should clear this up a bit.

According to the RHEV administrator guide (oVirt refers to the RHEV manuals a lot):
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html

It talks about two options as a single sign-on solution.

One: have the single sign-on work for the portal, but then it won't work for the VMs (something about not being able to pass a password, since the portal won't have one to pass).

Or: have the single sign-on work for the VMs, but then you have to sign in to the portal so it can pass on your credentials to the VMs.

I guess there is some interesting technical challenge to deal with to merge those two cases.

The first option requires privileges to browse the FreeIPA directory to look for user accounts. I do not know if that can be solved with something as simple as a keytab and a principal.

My current working solution is an account with a very long password expiration time in the FreeIPA directory (a random 32 character/number password is being used for this).

However, something tells me that there is a more elegant solution, and I was wondering if anyone knows one.

Cheers
Rob Verduijn

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
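The long-lived bind account Rob describes, written out as an LDIF in the form FreeIPA documents for system accounts under cn=sysaccounts (an added example, not from the thread; the suffix dc=example,dc=com, the uid ovirt-bind and the password are placeholders):

```ldif
# Constructed example: a bind-only system account that oVirt can use to
# look up users in the FreeIPA directory. Assumed suffix dc=example,dc=com
# and uid; replace the password placeholder with the generated random value.
dn: uid=ovirt-bind,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectClass: account
objectClass: simpleSecurityObject
uid: ovirt-bind
userPassword: REPLACE_WITH_RANDOM_32_CHAR_PASSWORD
# 389-ds operational attribute (GeneralizedTime). Setting it far in the
# future is what keeps the global password policy from expiring this entry,
# so the "long expiration" lives on the account rather than on the policy.
passwordExpirationTime: 20380119031407Z
# No idle timeout: the portal keeps its LDAP bind open between lookups.
nsIdleTimeout: 0
```

Because the entry sits under cn=sysaccounts it carries no POSIX or Kerberos identity, so it cannot log in to hosts; it can only read what the directory ACIs grant to any authenticated bind. It is loaded with the directory manager credentials, e.g. `ldapadd -x -D "cn=Directory Manager" -W -f ovirt-bind.ldif`.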
