Hi,

I've managed to get it to work. What I've done is to first run "engine-manage-domains delete" to remove the domain and add it again using the new aaa extension tool "ovirt-engine-extension-aaa-ldap-setup". It's not a good idea to mix these two methods, I guess. Restart the engine after each change.

To get rid of the double authentication for the webadmin portal I changed in /etc/httpd/conf.d/ovirt-sso.conf

"<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>"

to

"<LocationMatch ^(/ovirt-engine/api|/api)>"

So Kerberos SSO will be used for the API only. Furthermore I've given the user the role "superuser".

Best regards
Marcel

On 14.04.2016 11:44, Marcel Galke wrote:
> Hi,
>
> I'm using curl and I followed steps in [1] and double checked the
> permissions.
> I've tested API access vs. webadmin access (see below).
>
> $ curl -v --negotiate -X GET -H "Accept: application/xml" -k https://server8.funfurt.de/ovirt-engine/webadmin/?locale=de_DE
> # Result: HTTP 401
> $ kinit
> $ curl -v --negotiate -X GET -H "Accept: application/xml" -k https://server8.funfurt.de/ovirt-engine/webadmin/?locale=de_DE
> # Result: HTTP 200
> $ curl --negotiate -v -u : -X GET -H "Accept: application/xml" -k https://server8.funfurt.de/api/vms
> # Result: HTTP 401
>
> Therefore I believe httpd config is fine.
> For engine.log and properties file see attachment.
> I've also attached console output from curl.
>
> Thanks and regards
> Marcel
>
> On 14.04.2016 08:11, Ondra Machacek wrote:
>> On 04/14/2016 08:06 AM, Ondra Machacek wrote:
>>> On 04/13/2016 10:43 PM, Marcel Galke wrote:
>>>> Hello,
>>>>
>>>> I need to automatically create a list of all the VMs and the storage
>>>> path to their disks in the data center for offline storage for disaster
>>>> recovery. We have oVirt 3.6 and IPA 4.2.0.
>>>> To achieve this my idea was to query the API using Kerberos
>>>> authentication and a keytab. This could then run as cronjob.
>>>> Using username and password is not an option.
>>>>
>>>> To configure oVirt for use with IPA I've run engine-manage-domains but
>>>> the result is not exactly what I'm looking for (apart from the fact
>>>> that I can add directory users etc.).
>>>> Next I tried the generic LDAP provider as per documentation
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html
>>>>
>>> Just to be sure, did you follow these steps[1]?
>>> If yes and it doesn't work, it would be nice if you can share a properties
>>> file you have and engine.log (the part when engine starts). Please also
>>> ensure twice you have correct permissions on properties files, keytab
>>> and apache config.
>>>
>>> Also ensure your browser is correctly set up. Example for firefox[2].
>>
>> Sorry, I've just realized you use API.
>> So do you use SDKs or curl? Make sure you use kerberos properly in both
>> cases.
>> For curl it's: curl --negotiate
>> For SDKs[1], there is a parameter 'kerberos=true' in creation of api
>> object.
>>
>> [1] http://www.ovirt.org/develop/release-management/features/infra/kerberos-support-in-sdks-and-cli/
>>
>>> Does it not work only for API, or for UserPortal and Webadmin as well? Or
>>> did you set it up only for API?
>>>
>>> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html#sect-Single_Sign-On_to_the_Administration_and_User_Portal
>>>
>>> [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html
>>>
>>>> It was quite easy to get Apache to authenticate against IPA, but I did
>>>> not manage to access the API. Each try ended with an "HTTP/1.1 401
>>>> Unauthorized".
>>>> At the moment Apache authentication appears first and then the RESTAPI
>>>> auth dialog comes up.
>>>> Some facts about my setup:
>>>> oVirt Host:
>>>> -OS: CentOS 6.7
>>>> -Engine Version: 3.6
>>>> IPA Host:
>>>> -OS: CentOS 7.2
>>>> -IPA Version: 4.2.0
>>>>
>>>> I might mix some things up. Please help me to find out how to achieve my
>>>> goal. I can provide more information if required.
>>>>
>>>> Thanks a lot!
>>>>
>>>> Best regards
>>>> Marcel
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users@ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
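The fix above narrows the `<LocationMatch>` in ovirt-sso.conf so that Apache's Kerberos module only guards the API paths and no longer sits in front of the webadmin and userportal logins. The script below is an added example, not from the thread or the oVirt project: it checks which request paths the old and the new regex cover (both regexes are copied from the message above), and it builds the keytab-based `kinit` + `curl --negotiate` call a cron job would use. The sample paths, the engine host name, the principal `ovirt-backup@EXAMPLE.COM`, the keytab path and the CA file path are all assumptions.

```shell
#!/bin/sh
# Added example (not from the oVirt users thread): scope check for the
# LocationMatch change in /etc/httpd/conf.d/ovirt-sso.conf, plus the
# command line a keytab-driven cron job would run against the API.

# Regexes as quoted in the thread: the original (covers webadmin, userportal
# and the API) and the replacement (API only).
OLD_MATCH='^(/ovirt-engine/(webadmin|userportal|api)|/api)'
NEW_MATCH='^(/ovirt-engine/api|/api)'

# sso_covers REGEX PATH: returns 0 when Apache's LocationMatch would apply
# Kerberos auth to PATH. grep -E is used because the patterns are plain
# extended-regex alternations that mod_auth's PCRE treats the same way.
sso_covers() {
    printf '%s\n' "$2" | grep -Eq "$1"
}

# show_coverage: prints, for a few request paths (constructed for this
# example), whether the old and the new regex put them behind Kerberos.
show_coverage() {
    for p in /ovirt-engine/webadmin/ /ovirt-engine/userportal/ \
             /ovirt-engine/api/vms /api/vms /ovirt-engine/; do
        old=no; new=no
        sso_covers "$OLD_MATCH" "$p" && old=yes
        sso_covers "$NEW_MATCH" "$p" && new=yes
        printf '%-28s old=%-3s new=%s\n' "$p" "$old" "$new"
    done
}

# api_curl_cmd HOST PATH [PRINCIPAL] [KEYTAB] [CAFILE]: prints the command a
# cron job would run. The ticket comes from a keytab (no password on disk),
# and "-u :" is required next to --negotiate or curl sends no SPNEGO token.
# Principal, keytab and CA file defaults are placeholders for this example;
# --cacert replaces the thread's "-k" so the engine certificate is verified.
api_curl_cmd() {
    host="$1"; path="$2"
    principal="${3:-ovirt-backup@EXAMPLE.COM}"
    keytab="${4:-/etc/ovirt-backup.keytab}"
    cafile="${5:-/path/to/engine-ca.pem}"
    printf 'kinit -kt %s %s && curl --negotiate -u : -s -H "Accept: application/xml" --cacert %s "https://%s%s"\n' \
        "$keytab" "$principal" "$cafile" "$host" "$path"
}

show_coverage
api_curl_cmd engine.example.com /api/vms
```

With the new regex, `/ovirt-engine/webadmin/` and `/ovirt-engine/userportal/` fall outside the Kerberos-protected region, which is exactly why the second login prompt disappears, while `/ovirt-engine/api` and `/api` stay behind it. The printed command is the piece that belongs in the crontab: `kinit -kt` needs no interactive password, and the access the job gets is bounded by the role granted to that principal in the engine (the thread used "superuser"; a read-only role suffices for listing VMs and disks).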