Hi,

please take a look at inline comments:

On Mon, Oct 3, 2016 at 9:15 AM, <aleksey.maksi...@it-kb.ru> wrote:

> Yes. Of course. Here are my configs.
>
> =====================================================================================
> # cat /etc/ovirt-engine/aaa/ovirt-sso.conf
>
>
> <LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
>         RewriteEngine on
>         RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
>         RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
>         RequestHeader set X-Remote-User %{REMOTE_USER}s
>         AuthType Kerberos
>         AuthName "Kerberos Login"
>         Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
>         KrbAuthRealms AD.HOLDING.COM
>         #KrbMethodNegotiate on
>         #KrbMethodK5Passwd on
>         KrbMethodK5Passwd off
>         Require valid-user
> </LocationMatch>
>

Ahh, this is the issue. The above configuration is valid for oVirt 3.x, but in
4.0 we have a quite new OAuth-based SSO, so you need to use the following
configuration:

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s
    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
    KrbAuthRealms AD.HOLDING.COM
    KrbMethodK5Passwd off
    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>

Also, as 4.0 runs on EL7, you may use mod_auth_gssapi/mod_session
instead of the quite old mod_auth_kerb. For mod_auth_gssapi/mod_session you
need to do the following:

  1. yum install mod_session mod_auth_gssapi
  2. Use the following Apache configuration


<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

    AuthType GSSAPI
    AuthName "Kerberos Login"

    # Modify to match installation
    GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
    GssapiUseSessions On
    Session On
    SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;

    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>



>
> # ls -la /etc/httpd/conf.d/ovirt-*
>
> -rw-r--r--. 1 root root 33 Jul 26 16:42 /etc/httpd/conf.d/ovirt-engine-root-redirect.conf
> lrwxrwxrwx. 1 root root 36 Sep 30 00:06 /etc/httpd/conf.d/ovirt-sso.conf -> /etc/ovirt-engine/aaa/ovirt-sso.conf
>
>
> =====================================================================================
> # cat /etc/ovirt-engine/aaa/ad.holding.com.properties
>
> include = <ad.properties>
> vars.domain = ad.holding.com
> pool.default.auth.simple.bindDN = s-oVirt-LS@${global:vars.domain}
> pool.default.auth.simple.password = Passw0rd
> pool.default.dc-resolve.enable = false
> search.default.dc-resolve.enable = false
> search.ad-resolve-upn.search-request.baseDN = DC=ad,DC=holding,DC=com
> pool.default.serverset.type = failover
> pool.default.serverset.failover.00.server = kom-dc01.${global:vars.domain}
> pool.default.serverset.failover.01.server = kom-dc02.${global:vars.domain}
> pool.default.serverset.failover.port = 636
> pool.default.serverset.failover.domain = ${global:vars.domain}
> pool.default.ssl.enable = true
> pool.default.ssl.protocol = TLSv1.2
> pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
> pool.default.ssl.truststore.password = changeit
>

> =====================================================================================
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-authz.properties
>
> ovirt.engine.extension.name = ad.holding.com-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = ../aaa/ad.holding.com.properties
>
> =====================================================================================
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-authn.properties
>
> ovirt.engine.extension.name = ad.holding.com-http-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = ad.holding.com-http
> ovirt.engine.aaa.authn.authz.plugin = ad.holding.com-authz
> ovirt.engine.aaa.authn.mapping.plugin = ad.holding.com-http-mapping
> config.artifact.name = HEADER
> config.artifact.arg = X-Remote-User
>
> =====================================================================================
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-mapping.properties
>
> ovirt.engine.extension.name = ad.holding.com-http-mapping
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
> config.mapAuthRecord.type = regex
> config.mapAuthRecord.regex.mustMatch = true
> config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm}
>
>
> 03.10.2016, 09:56, "Martin Perina" <mper...@redhat.com>:
>
> > Ahh, so kerberos SSO works fine for API, but not for portals. Could you
> > please share your Apache configuration with oVirt kerberos configuration?
> > Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf
>

--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you 
choose to click.
If you are uncertain, we always try to help.
Greetings helpd...@actnet.se
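Added example, not code from this thread, oVirt or Apache: a small Python model of the 4.0 <LocationMatch>/<If> rules quoted above, using the same two regular expressions, to show which requests get Kerberos negotiation, that X-Remote-User is set by Apache itself inside that block (overwriting anything a client sent), and that Bearer/Basic requests are passed through untouched for the engine to authenticate.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed model of the two conditions from the 4.0 Apache config above.
# LocationMatch is a search (both alternatives carry their own ^ anchor).
LOCATION = re.compile(
    r"^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)"
    r"|^/ovirt-engine/api"
)
# <If "req('Authorization') !~ /^(Bearer|Basic)/i">
SKIP_NEGOTIATE = re.compile(r"^(Bearer|Basic)", re.IGNORECASE)


def kerberos_applies(path: str, headers: Dict[str, str]) -> bool:
    """True when the request would enter the Kerberos/GSSAPI <If> block."""
    if not LOCATION.search(path):
        return False
    auth = headers.get("Authorization", "")
    return SKIP_NEGOTIATE.match(auth) is None


def apply_rules(path: str, headers: Dict[str, str],
                remote_user: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers forwarded to the engine).

    remote_user is the principal the Kerberos module authenticated
    (None = no valid ticket). Inside the block
    'RequestHeader set X-Remote-User %{REMOTE_USER}s' replaces any
    client-supplied value; 401 mirrors the ErrorDocument redirect to
    /ovirt-engine/sso/login-unauthorized.
    """
    forwarded = dict(headers)
    if not kerberos_applies(path, headers):
        # Bearer/Basic: Apache does not touch the request, the engine
        # validates the token or password itself.
        return 200, forwarded
    if remote_user is None:
        return 401, forwarded
    forwarded["X-Remote-User"] = remote_user
    return 200, forwarded
```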





_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QZALCIV6D3YYY5YQXJOOJMQYUGT2Q6D4/
