Yes. Of course. Here are my configs.
=====================================================================================
# cat /etc/ovirt-engine/aaa/ovirt-sso.conf
# NOTE(review): Kerberos is enforced only for request paths that match this
# pattern (webadmin, userportal, api). Any engine path outside it is not covered
# by this block; if portal login is served from a different path in the engine
# version in use, that path gets no Negotiate challenge here - TODO confirm.
<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
    RewriteEngine on
    # Look-ahead read of REMOTE_USER, captured whole and exported as the
    # REMOTE_USER environment variable (E=REMOTE_USER:%1).
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    # NOTE(review): "set" replaces any client-supplied X-Remote-User with the
    # authenticated principal, but only inside this block. The http-authn
    # extension below takes the user identity from this header, so no request
    # should be able to reach the engine carrying X-Remote-User without passing
    # through this block (other paths, or a listener that bypasses Apache) -
    # verify against the deployment.
    RequestHeader set X-Remote-User %{REMOTE_USER}s
    AuthType Kerberos
    AuthName "Kerberos Login"
    # NOTE(review): the keytab holds the service principal's long-term key;
    # its permissions are not shown here - confirm only httpd can read it.
    Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
    KrbAuthRealms AD.HOLDING.COM
    #KrbMethodNegotiate on
    #KrbMethodK5Passwd on
    # Password fallback is switched off, so only ticket-based (Negotiate)
    # authentication is accepted for the matched paths.
    KrbMethodK5Passwd off
    Require valid-user
</LocationMatch>
# ls -la /etc/httpd/conf.d/ovirt-*
-rw-r--r--. 1 root root 33 Jul 26 16:42 /etc/httpd/conf.d/ovirt-engine-root-redirect.conf
lrwxrwxrwx. 1 root root 36 Sep 30 00:06 /etc/httpd/conf.d/ovirt-sso.conf -> /etc/ovirt-engine/aaa/ovirt-sso.conf
=====================================================================================
# cat /etc/ovirt-engine/aaa/ad.holding.com.properties
include = <ad.properties>
vars.domain = ad.holding.com
pool.default.auth.simple.bindDN = s-oVirt-LS@${global:vars.domain}
# NOTE(review): cleartext bind password for the s-oVirt-LS service account.
# The value has been posted to a mailing list, so treat it as exposed and
# rotate it; confirm this file is readable only by the engine's service user.
pool.default.auth.simple.password = Passw0rd
# DC auto-resolution is disabled for both pool and search; the explicit
# failover server list below is used instead.
pool.default.dc-resolve.enable = false
search.default.dc-resolve.enable = false
search.ad-resolve-upn.search-request.baseDN = DC=ad,DC=holding,DC=com
pool.default.serverset.type = failover
pool.default.serverset.failover.00.server = kom-dc01.${global:vars.domain}
pool.default.serverset.failover.01.server = kom-dc02.${global:vars.domain}
# Port 636 with ssl.enable = true: LDAP over TLS, protocol pinned to TLSv1.2.
pool.default.serverset.failover.port = 636
pool.default.serverset.failover.domain = ${global:vars.domain}
pool.default.ssl.enable = true
pool.default.ssl.protocol = TLSv1.2
# Truststore path resolves to ad.holding.com.jks next to this file.
pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
# NOTE(review): "changeit" is the stock Java keystore password. A truststore
# presumably holds only CA certificates, so what matters is who can modify the
# .jks file (it decides which LDAP servers are trusted) - confirm its ownership.
pool.default.ssl.truststore.password = changeit
=====================================================================================
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-authz.properties
# Authz extension: loads the LDAP profile shown above via config.profile.file.1.
ovirt.engine.extension.name = ad.holding.com-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/ad.holding.com.properties
=====================================================================================
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-authn.properties
# Authn extension: profile "ad.holding.com-http", wired to the authz and
# mapping extensions named below.
ovirt.engine.extension.name = ad.holding.com-http-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = ad.holding.com-http
ovirt.engine.aaa.authn.authz.plugin = ad.holding.com-authz
ovirt.engine.aaa.authn.mapping.plugin = ad.holding.com-http-mapping
# NOTE(review): the identity artifact is the X-Remote-User request header, the
# same header Apache sets in ovirt-sso.conf. No credential is checked at this
# layer, so the header value is trusted as-is - it is only as trustworthy as
# the front end that sets it.
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User
=====================================================================================
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-mapping.properties
# Mapping extension: rewrites the principal name with the regex below.
ovirt.engine.extension.name = ad.holding.com-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
# mustMatch = true: presumably a principal that does not match the pattern is
# rejected rather than passed through unchanged - confirm in the extension docs.
config.mapAuthRecord.regex.mustMatch = true
# Two alternatives: "user\@suffix@REALM" (escaped @) is reduced to
# "user@suffix", dropping the trailing realm; plain "user@REALM" is kept whole.
# Either way the name must contain an "@" to match.
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm}
03.10.2016, 09:56, "Martin Perina" <mper...@redhat.com>: > Ahh, so kerberos SSO works fine for API, but not for portals. 
Could you > please share your Apache configuration with oVirt kerberos configuration? > Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf