Hi, please take a look at inline comments:
On Mon, Oct 3, 2016 at 9:15 AM, <aleksey.maksi...@it-kb.ru> wrote:
> Yes. Of course. Here are my configs.
>
> =====================================================================
> # cat /etc/ovirt-engine/aaa/ovirt-sso.conf
>
> <LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
>   RewriteEngine on
>   RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
>   RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
>   RequestHeader set X-Remote-User %{REMOTE_USER}s
>   AuthType Kerberos
>   AuthName "Kerberos Login"
>   Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
>   KrbAuthRealms AD.HOLDING.COM
>   #KrbMethodNegotiate on
>   #KrbMethodK5Passwd on
>   KrbMethodK5Passwd off
>   Require valid-user
> </LocationMatch>

Ahh, this is the issue. The above configuration is valid for oVirt 3.x, but in 4.0 we have a quite new OAuth-based SSO, so you need to use the following configuration:

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s
    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
    KrbAuthRealms AD.HOLDING.COM
    KrbMethodK5Passwd off
    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>

Also, as 4.0 is working on EL7, you may use mod_auth_gssapi/mod_session instead of the quite old mod_auth_krb. For mod_auth_gssapi/mod_session you need to do the following:

1. yum install mod_session mod_auth_gssapi

2. Use the following Apache configuration:

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s
    AuthType GSSAPI
    AuthName "Kerberos Login"
    # Modify to match installation
    GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
    GssapiUseSessions On
    Session On
    SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>

> # ls -la /etc/httpd/conf.d/ovirt-*
> -rw-r--r--. 1 root root 33 Jul 26 16:42 /etc/httpd/conf.d/ovirt-engine-root-redirect.conf
> lrwxrwxrwx. 1 root root 36 Sep 30 00:06 /etc/httpd/conf.d/ovirt-sso.conf -> /etc/ovirt-engine/aaa/ovirt-sso.conf
>
> =====================================================================
> # cat /etc/ovirt-engine/aaa/ad.holding.com.properties
>
> include = <ad.properties>
> vars.domain = ad.holding.com
> pool.default.auth.simple.bindDN = s-oVirt-LS@${global:vars.domain}
> pool.default.auth.simple.password = Passw0rd
> pool.default.dc-resolve.enable = false
> search.default.dc-resolve.enable = false
> search.ad-resolve-upn.search-request.baseDN = DC=ad,DC=holding,DC=com
> pool.default.serverset.type = failover
> pool.default.serverset.failover.00.server = kom-dc01.${global:vars.domain}
> pool.default.serverset.failover.01.server = kom-dc02.${global:vars.domain}
> pool.default.serverset.failover.port = 636
> pool.default.serverset.failover.domain = ${global:vars.domain}
> pool.default.ssl.enable = true
> pool.default.ssl.protocol = TLSv1.2
> pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
> pool.default.ssl.truststore.password = changeit
>
> =====================================================================
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-authz.properties
>
> ovirt.engine.extension.name = ad.holding.com-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = ../aaa/ad.holding.com.properties
>
> =====================================================================
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-authn.properties
>
> ovirt.engine.extension.name = ad.holding.com-http-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = ad.holding.com-http
> ovirt.engine.aaa.authn.authz.plugin = ad.holding.com-authz
> ovirt.engine.aaa.authn.mapping.plugin = ad.holding.com-http-mapping
> config.artifact.name = HEADER
> config.artifact.arg = X-Remote-User
>
> =====================================================================
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-mapping.properties
>
> ovirt.engine.extension.name = ad.holding.com-http-mapping
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
> config.mapAuthRecord.type = regex
> config.mapAuthRecord.regex.mustMatch = true
> config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm}
>
> 03.10.2016, 09:56, "Martin Perina" <mper...@redhat.com>:
> > Ahh, so kerberos SSO works fine for API, but not for portals. Could you
> > please share your Apache configuration with oVirt kerberos configuration?
> > Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf

--
IMPORTANT! This message has been scanned for viruses and phishing links. However, it is your responsibility to evaluate the links and attachments you choose to click. If you are uncertain, we always try to help. Greetings helpd...@actnet.se
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/QZALCIV6D3YYY5YQXJOOJMQYUGT2Q6D4/
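The two pieces of logic in the configuration above that are easiest to get wrong are the `<If "req('Authorization') !~ /^(Bearer|Basic)/i">` gate (Kerberos is only attempted when the client did not already present a Bearer or Basic credential) and the `mapAuthRecord` regex that turns the `X-Remote-User` value into the principal the LDAP authz plugin looks up. The following is an added example, not code from the thread or from oVirt: it re-implements both in Python so they can be checked offline against constructed records. The Java named-group syntax `(?<name>...)` is rewritten as Python's `(?P<name>...)`, the properties-file escaping `\\\\` is resolved to a single literal backslash, and unmatched groups are assumed to expand to the empty string, as Java's `Matcher` replacement does (an assumption about the oVirt mapping extension, not something the thread states).

```python
import re

# Mapping pattern from ad.holding.com-http-mapping.properties, translated
# to Python syntax. After properties-file unescaping the Java pattern
# contains "\\", i.e. one literal backslash, which this raw string keeps.
MAP_PATTERN = re.compile(
    r"^(?P<user>.*?)((\\(?P<at>@)(?P<suffix>.*?)@.*)|(?P<realm>@.*))$"
)

# Order of groups in the replacement string ${user}${at}${suffix}${realm}.
REPLACEMENT_GROUPS = ("user", "at", "suffix", "realm")

# Authorization schemes that make Apache skip Kerberos negotiation in the
# <If> block above (matched case-insensitively, as the /i flag does).
BYPASS_SCHEMES = re.compile(r"^(Bearer|Basic)", re.IGNORECASE)


def map_auth_record(record: str) -> str:
    """Apply the regex mapping to a REMOTE_USER / X-Remote-User value.

    Mirrors config.mapAuthRecord.regex.mustMatch = true: a record the
    pattern does not match is rejected with ValueError. Groups that did
    not participate contribute "" (assumed Java-compatible behaviour).
    """
    match = MAP_PATTERN.match(record)
    if match is None:
        raise ValueError(f"auth record does not match mapping pattern: {record!r}")
    return "".join(match.group(name) or "" for name in REPLACEMENT_GROUPS)


def mapping_rejects(record: str) -> bool:
    """True when mustMatch would cause the record to be refused."""
    return MAP_PATTERN.match(record) is None


def bypasses_kerberos(headers: dict) -> bool:
    """Evaluate the <If "req('Authorization') !~ /^(Bearer|Basic)/i"> gate.

    Returns True when the request already carries a Bearer or Basic
    credential, i.e. the Kerberos/GSSAPI directives are NOT applied and the
    request is left for the engine's own OAuth / Basic handling.
    """
    value = headers.get("Authorization")
    return value is not None and BYPASS_SCHEMES.match(value) is not None


if __name__ == "__main__":
    # Constructed sample records, not taken from the thread.
    samples = [
        "john@AD.HOLDING.COM",                  # plain Kerberos principal
        "john\\@corp.example@AD.HOLDING.COM",   # UPN with escaped '@' in it
        "john",                                 # no realm at all
    ]
    for sample in samples:
        if mapping_rejects(sample):
            print(f"{sample!r:45} -> rejected (mustMatch)")
        else:
            print(f"{sample!r:45} -> {map_auth_record(sample)!r}")
    for hdrs in ({}, {"Authorization": "Bearer abc"}, {"Authorization": "Negotiate YII..."}):
        print(f"{hdrs!s:45} -> Kerberos applied: {not bypasses_kerberos(hdrs)}")
```

The second sample is the case the `\\(?<at>@)(?<suffix>.*?)@.*` alternative exists for: an `X-Remote-User` such as `john\@corp.example@AD.HOLDING.COM` is collapsed to `john@corp.example` before the authz lookup, while an ordinary `user@REALM` record passes through unchanged, and a value with no `@` is refused rather than silently forwarded.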