Yes. Of course. Here are my configs. ===================================================================================== # cat /etc/ovirt-engine/aaa/ovirt-sso.conf
<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)> RewriteEngine on RewriteCond %{LA-U:REMOTE_USER} ^(.*)$ RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1] RequestHeader set X-Remote-User %{REMOTE_USER}s AuthType Kerberos AuthName "Kerberos Login" Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab KrbAuthRealms AD.HOLDING.COM #KrbMethodNegotiate on #KrbMethodK5Passwd on KrbMethodK5Passwd off Require valid-user </LocationMatch> # ls -la /etc/httpd/conf.d/ovirt-* -rw-r--r--. 1 root root 33 Jul 26 16:42 /etc/httpd/conf.d/ovirt-engine-root-redirect.conf lrwxrwxrwx. 1 root root 36 Sep 30 00:06 /etc/httpd/conf.d/ovirt-sso.conf -> /etc/ovirt-engine/aaa/ovirt-sso.conf ===================================================================================== # cat /etc/ovirt-engine/aaa/ad.holding.com.properties include = <ad.properties> vars.domain = ad.holding.com pool.default.auth.simple.bindDN = s-oVirt-LS@${global:vars.domain} pool.default.auth.simple.password = Passw0rd pool.default.dc-resolve.enable = false search.default.dc-resolve.enable = false search.ad-resolve-upn.search-request.baseDN = DC=ad,DC=holding,DC=com pool.default.serverset.type = failover pool.default.serverset.failover.00.server = kom-dc01.${global:vars.domain} pool.default.serverset.failover.01.server = kom-dc02.${global:vars.domain} pool.default.serverset.failover.port = 636 pool.default.serverset.failover.domain = ${global:vars.domain} pool.default.ssl.enable = true pool.default.ssl.protocol = TLSv1.2 pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks pool.default.ssl.truststore.password = changeit ===================================================================================== # cat /etc/ovirt-engine/extensions.d/ad.holding.com-authz.properties ovirt.engine.extension.name = ad.holding.com-authz ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz config.profile.file.1 = ../aaa/ad.holding.com.properties ===================================================================================== # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-authn.properties ovirt.engine.extension.name = ad.holding.com-http-authn ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name = ad.holding.com-http ovirt.engine.aaa.authn.authz.plugin = ad.holding.com-authz ovirt.engine.aaa.authn.mapping.plugin = ad.holding.com-http-mapping config.artifact.name = HEADER config.artifact.arg = X-Remote-User ===================================================================================== # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-mapping.properties ovirt.engine.extension.name = ad.holding.com-http-mapping ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping config.mapAuthRecord.type = regex config.mapAuthRecord.regex.mustMatch = true config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$ config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm} 03.10.2016, 09:56, "Martin Perina" <mper...@redhat.com>: > Ahh, so kerberos SSO works fine for API, but not for portals. Could you > please share your Apache configuration with oVirt kerberos configuration? > Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users