Using Active Directory for RHEV/oVirt user authentication

Date: 2020-02-23 14:40:13  Source: igfitidea

This tutorial covers integrating oVirt or RHEV with Active Directory for web console (Administration Portal) authentication.
In Red Hat Virtualization/oVirt there are two types of user authentication domains: local domains and external domains.
During Manager installation a default local domain, named the internal domain, is created together with the default user admin.

Local user accounts can be created on the local domain after installation.
You can also create directory users by adding an external directory server (such as Red Hat Directory Server, Active Directory or OpenLDAP) and using it as an external domain.

The ovirt-engine-extension-aaa-ldap extension lets you configure an external LDAP directory for user authentication.
It supports many different LDAP server types and ships an interactive setup script that handles the configuration for most of them.
Note that both local and directory users must be assigned appropriate roles and permissions through the Administration Portal before they can do anything in the environment.

Prerequisites:

- SSH root access to the RHEV/oVirt Manager machine
- Internet access, or registration with Satellite/Foreman, so the packages can be downloaded
- The DNS domain name of the Active Directory forest (the setup tool locates domain controllers through its SRV records), or the LDAP server name
- For a secure connection between the LDAP server and the Manager, a PEM-encoded CA certificate that validates the domain controllers' certificates
- At least one account name and password for performing search and login queries against the LDAP server (a dedicated read-only service account is preferable to an administrator account)

Step 1: Install the LDAP extension package

Install the ovirt-engine-extension-aaa-ldap-setup package on the Red Hat Virtualization Manager; it pulls in the ovirt-engine-extension-aaa-ldap extension itself as a dependency:

sudo yum install ovirt-engine-extension-aaa-ldap-setup

Confirm the dependencies and start the installation:

Dependencies resolved.
=====================================================================================================================================================================================================
 Package                                                         Architecture                     Version                                   Repository                                          Size
=====================================================================================================================================================================================================
Installing:
 ovirt-engine-extension-aaa-ldap-setup                           noarch                           1.4.0-1.el8                               ovirt-4.4                                           25 k
Installing dependencies:
 ovirt-engine-extension-aaa-ldap                                 noarch                           1.4.0-1.el8                               ovirt-4.4                                          126 k
 python3-ldap                                                    x86_64                           3.1.0-5.el8                               AppStream                                          226 k
 python3-pyasn1-modules                                          noarch                           0.3.7-6.el8                               AppStream                                          110 k
 unboundid-ldapsdk                                               noarch                           4.0.14-2.el8                              ovirt-4.4-centos-ovirt44                           4.0 M
Transaction Summary
=====================================================================================================================================================================================================
Install  5 Packages
Total download size: 4.5 M
Installed size: 5.9 M
Is this ok [y/N]: y

After installation you can get more package details with rpm:

$ rpm -qi ovirt-engine-extension-aaa-ldap-setup

Step 2: Configure the external LDAP provider

We will use the interactive setup to configure the external LDAP provider on the RHEV Manager instance.
Run the following command to start the interactive setup:

sudo ovirt-engine-extension-aaa-ldap-setup

For Active Directory integration select 3:

[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
          Configuration files: /etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf
          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20170911182615-fnpp55.log
          Version: otopi-1.9.2 (otopi-1.9.2-1.el8)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Available LDAP implementations:
           1 - 389ds
           2 - 389ds RFC-2307 Schema
           3 - Active Directory
           4 - IBM Security Directory Server
           5 - IBM Security Directory Server RFC-2307 Schema
           6 - IPA
           7 - Novell eDirectory RFC-2307 Schema
           8 - OpenLDAP RFC-2307 Schema
           9 - OpenLDAP Standard Schema
          10 - Oracle Unified Directory RFC-2307 Schema
          11 - RFC-2307 Schema (Generic)
          12 - RHDS
          13 - RHDS RFC-2307 Schema
          14 - iPlanet
          Please select: 3

Enter the Active Directory forest name.
In this example it is example.net; replace it with your own forest name.

Please enter Active Directory Forest name: example.net
[ INFO  ] Resolving Global Catalog SRV record for example.net
           
          NOTE:
          It is highly recommended to use secure protocol to access the LDAP server.
          Protocol startTLS is the standard recommended method to do so.
          Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
          Use plain for test environments only.

Select the LDAP protocol to use. The transcript below picks plain, which is acceptable only in a throwaway lab: with plain LDAP the search user's bind password and every user's login password cross the network unencrypted. For anything else choose startTLS (or ldaps if the domain controllers do not offer StartTLS); the setup then asks how to obtain the PEM-encoded CA certificate (File, URL, Inline, System or Insecure) it should use to verify the server, and Insecure should be avoided because it skips certificate verification:

Please select protocol to use (startTLS, ldaps, plain) [startTLS]: plain

Set the search user's bind DN and password. Active Directory normally rejects anonymous searches, so supply a real account; a dedicated read-only service account is preferable to a domain administrator, because the password is stored in clear text in the generated profile:

[ INFO  ] Resolving SRV record 'example.net'
[ INFO  ] Connecting to LDAP using 'ldap://server1.example.net:389'
[ INFO  ] Connection succeeded
          Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=oVirtAdmin,DC=example,DC=net
          Enter search user password: 
[ INFO  ] Attempting to bind using 'CN=oVirtAdmin,DC=example,DC=net'

Answer Yes to Single Sign-On for Virtual Machines if you want this feature:

Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: Yes

Set the profile name:

NOTE:
          Profile name has to match domain name, otherwise Single Sign-On for Virtual Machines will not work.
           
          Please specify profile name that will be visible to users [example.net]: example.net
[ INFO  ] Stage: Setup validation
           
          NOTE:
          It is highly recommended to test drive the configuration before applying it into engine.
          Login sequence is executed automatically, but it is recommended to also execute Search sequence manually after successful Login sequence.

Test the connection and authentication with a directory user:

Please provide credentials to test login flow:
          Enter user name: Hyman@theitroad
          Enter user password: 
[ INFO  ] Executing login sequence...
          Login output:

Confirm that the login succeeded and that the PrincipalRecord and GroupRecord entries in the output show the expected user details and group membership; abort if they do not.
For any error, check the extension log referenced in the output.

[ INFO  ] Login sequence executed successfully
          Please make sure that user details are correct and group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
          Abort if output is incorrect.
          Select test sequence to execute (Done, Abort, Login, Search) [Done]: 
[ INFO  ] Stage: Transaction setup
[ INFO  ] Stage: Misc configuration (early)
[ INFO  ] Stage: Package installation
[ INFO  ] Stage: Misc configuration
[ INFO  ] Stage: Transaction commit
[ INFO  ] Stage: Closing up
          CONFIGURATION SUMMARY
          Profile name is: example.net
          The following files were created:
[ INFO  ] Stage: Clean up
          Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20170911185444-e7rwcx.log:
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination

The profile is saved under the /etc/ovirt-engine/aaa/ directory.
The extension properties are in the /etc/ovirt-engine/extensions.d directory:

$ ls -1 /etc/ovirt-engine/aaa/
internal.properties
example.net.properties
$ ls /etc/ovirt-engine/extensions.d
example.net-authn.properties
example.net-authz.properties
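The prerequisites, the protocol choice and the generated profile above are the places where this integration goes wrong quietly: a CA bundle that does not actually sign the domain controllers' certificates, a profile that silently stays on plain LDAP, or a properties file holding the search password that is readable by every local user. The script below is an added example, not part of this page or of ovirt-engine-extension-aaa-ldap. It assumes that dig, openssl and ldapsearch (bind-utils and openldap-clients) are installed on the Manager, that the forest name, bind DN and CA file are passed as arguments, and that the property names it greps for (pool.default.ssl.startTLS, pool.default.ssl.enable, pool.default.ssl.insecure, vars.password) are the ones the extension's ad.properties template uses; compare them with your generated file.

```shell
#!/bin/sh
# Pre-flight and post-setup checks for an oVirt/RHV aaa-ldap profile that binds
# to Active Directory. Added example; not part of the page or of
# ovirt-engine-extension-aaa-ldap. Assumptions (not from the page): dig,
# openssl and ldapsearch are installed on the Manager, and the property names
# below are the ones the extension's ad.properties template uses.

# SRV records Active Directory publishes: _gc._tcp.<forest> for Global Catalog
# servers (what the setup tool resolves) and _ldap._tcp.<domain> for DCs.
gc_srv_name() { printf '_gc._tcp.%s\n' "$1"; }
dc_srv_name() { printf '_ldap._tcp.%s\n' "$1"; }

# The setup tool warns that the profile name must equal the domain name or VM
# single sign-on breaks; DNS names are case-insensitive, so compare lowercase.
profile_name_ok() { # profile-name domain
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Classify the transport a generated aaa profile configures:
# startTLS -> pool.default.ssl.startTLS = true, ldaps -> pool.default.ssl.enable = true,
# neither -> plain LDAP on port 389 with passwords in the clear.
profile_transport() { # profile.properties
    if grep -Eq '^[[:space:]]*pool\.default\.ssl\.startTLS[[:space:]]*=[[:space:]]*true' "$1"; then
        echo starttls
    elif grep -Eq '^[[:space:]]*pool\.default\.ssl\.enable[[:space:]]*=[[:space:]]*true' "$1"; then
        echo ldaps
    else
        echo plain
    fi
}

# Choosing "Insecure" in the setup tool writes ssl.insecure = true, which
# disables certificate verification: TLS without authenticating the DC.
profile_verifies_cert() { # profile.properties
    ! grep -Eq '^[[:space:]]*pool\.default\.ssl\.insecure[[:space:]]*=[[:space:]]*true' "$1"
}

# The profile stores the search user's password (vars.password) in clear text,
# so it must not be readable by other local users.
profile_mode_ok() { # profile.properties
    case "$(stat -c '%a' "$1")" in
        600|640|400) return 0 ;;
        *) return 1 ;;
    esac
}

# --- live checks: need DNS, a reachable DC and the CA bundle ------------------

# Print the host from the lowest-priority target of an SRV record.
check_srv() { # srv-name
    target=$(dig +short SRV "$1" | sort -n | awk 'NR == 1 { sub(/\.$/, "", $4); print $4 }')
    [ -n "$target" ] && echo "$target"
}

check_ca_pem() { openssl x509 -noout -subject -in "$1"; }

# StartTLS bind with verification forced: -ZZ aborts if TLS does not come up,
# LDAPTLS_REQCERT=demand rejects a DC certificate the CA bundle does not sign.
# Reads only the rootDSE, so any bindable account can run it.
check_starttls_bind() { # host bind-dn ca.pem
    LDAPTLS_CACERT=$3 LDAPTLS_REQCERT=demand \
        ldapsearch -ZZ -H "ldap://$1" -D "$2" -W -b '' -s base defaultNamingContext >/dev/null
}

main() { # forest bind-dn ca.pem [profile]
    forest=$1; binddn=$2; capem=$3; profile=${4:-$1}
    pfile=/etc/ovirt-engine/aaa/$profile.properties
    profile_name_ok "$profile" "$forest" ||
        echo "WARN: profile '$profile' differs from domain '$forest'; VM SSO will not work"
    host=$(check_srv "$(gc_srv_name "$forest")") || { echo "FAIL: no $(gc_srv_name "$forest") record"; return 1; }
    check_ca_pem "$capem" >/dev/null || { echo "FAIL: $capem is not a PEM certificate"; return 1; }
    check_starttls_bind "$host" "$binddn" "$capem" || { echo "FAIL: StartTLS bind to $host as $binddn"; return 1; }
    echo "OK: $host reachable over StartTLS as $binddn"
    if [ -f "$pfile" ]; then
        [ "$(profile_transport "$pfile")" != plain ] ||
            echo "WARN: $pfile uses plain LDAP; bind and login passwords cross the wire unencrypted"
        profile_verifies_cert "$pfile" || echo "WARN: $pfile sets ssl.insecure; DC certificate is not verified"
        profile_mode_ok "$pfile" || echo "WARN: $pfile is readable by others but contains vars.password"
    fi
}

# Usage: sh aaa-ldap-check.sh example.net 'CN=oVirtAdmin,DC=example,DC=net' /etc/pki/ad-ca.pem
if [ $# -ge 3 ]; then main "$@"; fi
```

Run it once before the setup tool (with the CA file you intend to give it) to prove that StartTLS with certificate verification works against the Global Catalog server the SRV record points at, and again afterwards so the profile audit catches a plain or insecure transport and loose file permissions on the properties file.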

Restart the oVirt Engine service so it loads the new extensions:

sudo systemctl restart ovirt-engine.service

Check the service status; it should be running:

$systemctl status ovirt-engine.service 
● ovirt-engine.service - oVirt Engine
   Loaded: loaded (/usr/lib/systemd/system/ovirt-engine.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-09-11 19:08:38 EAT; 30s ago
 Main PID: 999555 (ovirt-engine.py)
    Tasks: 345 (limit: 199735)
   Memory: 1.3G
   CGroup: /system.slice/ovirt-engine.service
           ├─999555 /usr/libexec/platform-python /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.py --redirect-output --systemd=notify start
.....

Step 3: Assign roles to users in the oVirt/RHEV Manager web interface

A directory user has no permissions in oVirt until a role is assigned.
Assign the SuperUser role only to accounts that must administer everything; otherwise assign a more specific role.

Log in to the Administration Portal as the admin user and navigate to Administration > Configure > System Permissions > Add.

In the next window select the search profile and namespace, then enter the name of the user to grant permissions to and click the Go button.

Select the user, select the role to assign, and click the OK button.
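The Administration Portal steps above can also be scripted, which matters once more than a handful of people need access: granting the role to an AD group keeps membership management in the directory, and scripting makes it easy to default to a narrow role instead of SuperUser. The following is an added example, not from this page or from oVirt, that adds an AD user or group to the engine and grants it a system-level role through the REST API v4 with curl. It assumes: the engine URL, an admin account and the engine CA bundle come from the environment variables ENGINE_URL, ENGINE_USER, ENGINE_PASS and ENGINE_CA (names chosen here); the authorization extension created by the setup tool keeps its default name <profile>-authz; and the /users, /groups and /permissions resources accept the XML shapes shown, which follow the REST API documentation (check /ovirt-engine/api/model on your engine if a request is rejected).

```shell
#!/bin/sh
# Grant an oVirt role to an Active Directory user or group via the REST API.
# Added example; not part of the page or of oVirt. Assumptions (not from the
# page): ENGINE_URL, ENGINE_USER, ENGINE_PASS, ENGINE_CA are set in the
# environment, the authz extension is named <profile>-authz, and curl and sed
# are available.

# XML for POST /ovirt-engine/api/users: a directory user resolved through the
# named authz extension.
user_payload() { # principal authz-name
    printf '<user><user_name>%s@%s</user_name><domain><name>%s</name></domain></user>' "$1" "$2" "$2"
}

# XML for POST /ovirt-engine/api/groups. Prefer groups: membership is then
# managed in AD and the oVirt side needs no per-user change.
group_payload() { # group-name authz-name
    printf '<group><name>%s</name><domain><name>%s</name></domain></group>' "$1" "$2"
}

# XML for POST /ovirt-engine/api/permissions; kind is "user" or "group".
permission_payload() { # kind id role-name
    printf '<permission><role><name>%s</name></role><%s id="%s"/></permission>' "$3" "$1" "$2"
}

# Pull the id attribute of the first <user ...> or <group ...> element from an
# engine response read on stdin.
extract_id() { # element-name
    sed -n "s/.*<$1 [^>]*id=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# SuperUser on the system object grants every permission in the installation;
# require an explicit opt-in so a script default cannot hand it out.
role_allowed() { # role-name
    [ "$1" != SuperUser ] || [ "${ALLOW_SUPERUSER:-no}" = yes ]
}

# --- live part: talks to the engine --------------------------------------------

api() { # path (xml on stdin)
    curl -sS --fail --cacert "$ENGINE_CA" -u "$ENGINE_USER:$ENGINE_PASS" \
        -H 'Content-Type: application/xml' -H 'Accept: application/xml' \
        -X POST --data-binary @- "$ENGINE_URL/ovirt-engine/api$1"
}

main() { # user|group name role [profile]
    kind=$1; name=$2; role=$3; authz="${4:-example.net}-authz"
    role_allowed "$role" || { echo "refusing $role; set ALLOW_SUPERUSER=yes to override" >&2; return 1; }
    if [ "$kind" = group ]; then payload=$(group_payload "$name" "$authz")
    else payload=$(user_payload "$name" "$authz"); fi
    id=$(printf '%s' "$payload" | api "/${kind}s" | extract_id "$kind")
    [ -n "$id" ] || { echo "engine returned no id for $kind $name" >&2; return 1; }
    permission_payload "$kind" "$id" "$role" | api /permissions >/dev/null
    echo "granted $role to $kind $name ($id)"
}

# Usage: ENGINE_URL=https://engine.example.net ENGINE_USER=admin@internal \
#        ENGINE_PASS=... ENGINE_CA=/etc/pki/ovirt-engine/ca.pem \
#        sh grant-role.sh group 'oVirt Operators' PowerUserRole example.net
if [ $# -ge 3 ]; then main "$@"; fi
```

The payload builders and the id extractor are pure so they can be checked offline; only api() reaches the engine. The role names PowerUserRole, UserRole and ReadOnlyAdmin are the built-in roles a typical first assignment uses; SuperUser is deliberately refused unless ALLOW_SUPERUSER=yes is set.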

Step 4: Test LDAP login

On the oVirt login screen, select the profile created for Active Directory.

Enter the AD username and password and click the Log In button.
You should land on the administration dashboard and be able to perform operations according to the permissions assigned.