[ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

Martin Perina mperina at redhat.com
Mon Oct 3 08:00:59 EDT 2016


Hi,

please take a look at inline comments:

On Mon, Oct 3, 2016 at 9:15 AM, <aleksey.maksimov at it-kb.ru> wrote:

> Yes. Of course. Here are my configs.
>
> ============================================================
> =========================
> # cat /etc/ovirt-engine/aaa/ovirt-sso.conf
>
> ​​
> <LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
>         RewriteEngine on
>         RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
>         RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
>         RequestHeader set X-Remote-User %{REMOTE_USER}s
>         AuthType Kerberos
>         AuthName "Kerberos Login"
>         Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
>         KrbAuthRealms AD.HOLDING.COM
>         #KrbMethodNegotiate on
>         #KrbMethodK5Passwd on
>         KrbMethodK5Passwd off
>         Require valid-user
> </LocationMatch>
>

​Ahh, this is the issue. Above configuration is valid for oVirt 3.x, but in
4.0 we have quite new OAuth base SSO, so you need to use following
configuration:

<LocationMatch
^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s
    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
    KrbAuthRealms AD.HOLDING.COM
    KrbMethodK5Passwd off
    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;
url=/ovirt-engine/sso/login-unauthorized\"/><body><a
href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>
​

​Also as 4.0 is working on EL7 you may use mod_auth_gssapi/mod_session
instead of quite old mod_auth_krb. For mod_auth_gssapi/mod_sessions you
need to do following:

  1. yum install mod_session mod_auth_gssapi
  2. Use following Apache configuration ​


​<LocationMatch
^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

    AuthType GSSAPI
    AuthName "Kerberos Login"

    # Modify to match installation
    GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
    GssapiUseSessions On
    Session On
    SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;

    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;
url=/ovirt-engine/sso/login-unauthorized\"/><body><a
href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>​

​


>
> # ls -la /etc/httpd/conf.d/ovirt-*
>
> -rw-r--r--. 1 root root 33 Jul 26 16:42 /etc/httpd/conf.d/ovirt-
> engine-root-redirect.conf
> lrwxrwxrwx. 1 root root 36 Sep 30 00:06 /etc/httpd/conf.d/ovirt-sso.conf
> -> /etc/ovirt-engine/aaa/ovirt-sso.conf
>
>
> ============================================================
> =========================
> # cat /etc/ovirt-engine/aaa/ad.holding.com.properties
>
> include = <ad.properties>
> vars.domain = ad.holding.com
> pool.default.auth.simple.bindDN = s-oVirt-LS@${global:vars.domain}
> pool.default.auth.simple.password = Passw0rd
> pool.default.dc-resolve.enable = false
> search.default.dc-resolve.enable = false
> search.ad-resolve-upn.search-request.baseDN = DC=ad,DC=holding,DC=com
> pool.default.serverset.type = failover
> pool.default.serverset.failover.00.server = kom-dc01.${global:vars.domain}
> pool.default.serverset.failover.01.server = kom-dc02.${global:vars.domain}
> pool.default.serverset.failover.port = 636
> pool.default.serverset.failover.domain = ${global:vars.domain}
> pool.default.ssl.enable = true
> pool.default.ssl.protocol = TLSv1.2
> pool.default.ssl.truststore.file = ${local:_basedir}/${global:
> vars.domain}.jks
> pool.default.ssl.truststore.password = changeit
>

============================================================
> =========================
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-authz.properties
>
> ovirt.engine.extension.name = ad.holding.com-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.
> extensions.aaa.Authz
> config.profile.file.1 = ../aaa/ad.holding.com.properties
>
> ============================================================
> =========================
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-authn.properties
>
> ovirt.engine.extension.name = ad.holding.com-http-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.
> extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = ad.holding.com-http
> ovirt.engine.aaa.authn.authz.plugin = ad.holding.com-authz
> ovirt.engine.aaa.authn.mapping.plugin = ad.holding.com-http-mapping
> config.artifact.name = HEADER
> config.artifact.arg = X-Remote-User
>
> ============================================================
> =========================
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-mapping.
> properties
>
> ovirt.engine.extension.name = ad.holding.com-http-mapping
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.
> extensions.aaa.Mapping
> config.mapAuthRecord.type = regex
> config.mapAuthRecord.regex.mustMatch = true
> config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<
> suffix>.*?)@.*)|(?<realm>@.*))$
> config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm}
>
>
> 03.10.2016, 09:56, "Martin Perina" <mperina at redhat.com>:
>
> > ​Ahh, so kerberos SSO works fine for API, but not for portals. Could you
> please share your Apache configuration with oVirt kerberos configuration?
> Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20161003/cf4d60a0/attachment.html>


More information about the Users mailing list