<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: auto; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">I have a production were hard coded password are avoided. We prefer to use kerberos. We also provided a SSO for Web UI using <a href="http://jasig.github.io/cas/4.2.x/index.html" style="color: rgb(104, 0, 148); text-decoration: none; margin-top: auto;" class="">CAS</a>. We use ActiveDirectory for user backend.</p><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">So I wanted a oVirt installation that will use kerberos for API authentication. For the web ui, kerberos is not always the best solution, so I wanted to integrated it in our CAS.</p><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">The Apache part was easy to setup.</p><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">I will show only subpart of the whole Apache setup and only authentication related part</p><pre style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre-wrap; padding: 0.6em 0.8em; -webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: border-box; overflow: auto; position: relative;" class=""><code style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: transparent; -webkit-box-shadow: none; box-shadow: none; display: inline; padding: 0px; border: none; margin-top: auto;" class=""># The CAS modules
LoadModule authz_user_module /usr/lib64/httpd/modules/mod_authz_user.so
# Needed because auth_cas_module forget to link openssl
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
LoadModule auth_cas_module /usr/lib64/httpd/modules/mod_auth_cas.so
# For the kerberos authentication on the API
LoadModule auth_gssapi_module /usr/lib64/httpd/modules/mod_auth_gssapi.so
LoadModule session_module /usr/lib64/httpd/modules/mod_session.so
LoadModule session_cookie_module /usr/lib64/httpd/modules/mod_session_cookie.so
CASLoginURL <a href="https://sso/cas/login" class="">https://sso/cas/login</a>
CASValidateSAML On
CASValidateURL <a href="https://sso/cas/samlValidate" class="">https://sso/cas/samlValidate</a>
<VirtualHost *:443>
RequestHeader unset X-Remote-User early
<LocationMatch ^/api($|/)>
RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} ^(.*@DOMAIN)$
RewriteRule ^(.*)$ - [L,P,E=REMOTE_USER:%1]
RequestHeader set X-Remote-User %{REMOTE_USER}s
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:.../httpd.keytab
Require valid-user
GssapiUseSessions On
Session On
SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
</LocationMatch>
<LocationMatch ^/(ovirt-engine($|/)|RHEVManagerWeb/|OvirtEngineWeb/|ca.crt$|engine.ssh.key.txt$|rhevm.ssh.key.txt$)>
AuthType CAS
Require valid-user
CASAuthNHeader X-Remote-User
</LocationMatch>
</VirtualHost>
</code></pre><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">The authn file <code style="font-size: 12px; font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: break-word; white-space: pre-wrap; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; display: inline-block; padding: 1px 4px; margin-top: auto;" class="">/etc/ovirt-engine/extensions.d/apachesso-authn.properties</code> is :</p><pre style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre-wrap; padding: 0.6em 0.8em; -webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: border-box; overflow: auto; position: relative;" class=""><code style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: transparent; -webkit-box-shadow: none; box-shadow: none; display: inline; padding: 0px; border: none; margin-top: auto;" class="">ovirt.engine.extension.name = apachesso-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = apachesso
ovirt.engine.aaa.authn.authz.plugin = DOMAIN-authz
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User
</code></pre><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">And the authz file <code style="font-size: 12px; font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: break-word; white-space: pre-wrap; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; display: inline-block; padding: 1px 4px; margin-top: auto;" class="">/etc/ovirt-engine/extensions.d/DOMAIN-authz.properties</code> is:</p><pre style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre-wrap; padding: 0.6em 0.8em; -webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: border-box; overflow: auto; position: relative;" class=""><code style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: transparent; -webkit-box-shadow: none; box-shadow: none; display: inline; padding: 0px; border: none; margin-top: auto;" class="">ovirt.engine.extension.name = DOMAIN-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/DOMAIN.properties
</code></pre><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">I had some difficulties with AD backend. A straightforward solution would have been :</p><pre style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre-wrap; padding: 0.6em 0.8em; -webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: border-box; overflow: auto; position: relative;" class=""><code style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: transparent; -webkit-box-shadow: none; box-shadow: none; display: inline; padding: 0px; border: none; margin-top: auto;" class="">include = <ad.properties>
vars.domain = DOMAIN
vars.user = BINDDN
vars.password = BINDPWD
vars.forest = <a href="http://domain.com" class="">domain.com</a>
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = .../domain.jks
pool.default.ssl.truststore.password =
# Only TLSv1.2 is secure nowadays
pool.default.ssl.startTLSProtocol = TLSv1.2
# long time out should be avoided
pool.default.connection-options.connectTimeoutMillis = 500
</code></pre><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">But if fails. We have a special setup with about 100 domain controlers and only two of them can be reached from the ovirt engine. So my first try was so defined them directly in the configuration file:</p><pre style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre-wrap; padding: 0.6em 0.8em; -webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: border-box; overflow: auto; position: relative;" class=""><code style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: transparent; -webkit-box-shadow: none; box-shadow: none; display: inline; padding: 0px; border: none; margin-top: auto;" class="">pool.default.serverset.type = failover
pool.default.serverset.failover.1.server = <a href="http://dcX.domain.com" class="">dcX.domain.com</a>
pool.default.serverset.failover.2.server = <a href="http://dcY.domain.com" class="">dcY.domain.com</a>
</code></pre><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">But that fails. Server-engine was still using a lot of unreachable domain controler. After some digging I found that other part of the ldap extension use a different serverset, I don’t know why it don’t reuse the default pool. It’s called <code style="font-size: 12px; font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: break-word; white-space: pre-wrap; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; display: inline-block; padding: 1px 4px; margin-top: auto;" class="">pool.default.dc-resolve</code> (it should be called <code style="font-size: 12px; font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: break-word; white-space: pre-wrap; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; display: inline-block; padding: 1px 4px;" class="">pool.dc-resolve</code>, as it’s not the default but a custom one), so I added in my configuration:</p><pre style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre-wrap; padding: 0.6em 0.8em; -webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: border-box; overflow: auto; position: relative;" class=""><code style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: transparent; -webkit-box-shadow: none; box-shadow: none; display: inline; padding: 0px; border: none; margin-top: auto;" class="">pool.default.dc-resolve.default.serverset.type = failover
pool.default.dc-resolve.serverset.failover.1.server = <a href="http://dcX.domain.com" class="">dcX.domain.com</a>
pool.default.dc-resolve.serverset.failover.2.server = <a href="http://dcY.domain.com" class="">dcY.domain.com</a>
</code></pre><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">But there is a better solution. Ondra Machacek point it to me. In Active Directory, there is something called a “site”, with a subset of all the domain controler in it. It can be found under <code style="font-size: 12px; font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: break-word; white-space: pre-wrap; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; display: inline-block; padding: 1px 4px; margin-top: auto;" class="">CN=Sites,CN=Configuration,DC=DOMAIN,...</code></p><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">To list them:</p><pre style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre-wrap; padding: 0.6em 0.8em; -webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: border-box; overflow: auto; position: relative;" class=""><code style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: transparent; -webkit-box-shadow: none; box-shadow: none; display: inline; padding: 0px; border: none; margin-top: auto;" class="">ldapsearch -H <a href="ldap://somedc" class="">ldap://somedc</a> -b CN=Sites,CN=Configuration,DC=DOMAIN -s one -o ldif-wrap=no cn
</code></pre><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">The information to write down is the cn returned</p><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">You get a list of all domain, just pick the right one, remove all the serverset configuration and add :</p><pre style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre-wrap; padding: 0.6em 0.8em; -webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: border-box; overflow: auto; position: relative;" class=""><code style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: transparent; -webkit-box-shadow: none; box-shadow: none; display: inline; padding: 0px; border: none; margin-top: auto;" class="">pool.default.serverset.srvrecord.domain-conversion.type = regex
pool.default.serverset.srvrecord.domain-conversion.regex.pattern = ^(?<domain>.*)$
pool.default.serverset.srvrecord.domain-conversion.regex.replacement = GOOD_SITE._sites.${domain}
</code></pre><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">The entry <code style="font-size: 12px; font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: break-word; white-space: pre-wrap; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; display: inline-block; padding: 1px 4px; margin-top: auto;" class="">_sites.${domain}</code> don’t exist in the DNS, so to check that your regex is good, try instead:</p><pre style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre-wrap; padding: 0.6em 0.8em; -webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: border-box; overflow: auto; position: relative;" class=""><code style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: transparent; -webkit-box-shadow: none; box-shadow: none; display: inline; padding: 0px; border: none; margin-top: auto;" class="">dig +short _ldap._tcp.GOOD_SITE._sites.${domain} srv
</code></pre><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">It should return only reachable domain controlers.</p><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">So the final /etc/ovirt-engine/aaa/DOMAIN.properties was :</p><pre style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre-wrap; padding: 0.6em 0.8em; -webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: border-box; overflow: auto; position: relative;" class=""><code style="font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: pre; border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; background-color: transparent; -webkit-box-shadow: none; box-shadow: none; display: inline; padding: 0px; border: none; margin-top: auto;" class="">include = <ad.properties>
vars.domain = DOMAIN
vars.user = BINDDN
vars.password = BINDPWD
vars.forest = <a href="http://domain.com" class="">domain.com</a>
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = .../domain.jks
pool.default.ssl.truststore.password =
pool.default.ssl.startTLSProtocol = TLSv1.2
pool.default.connection-options.connectTimeoutMillis = 500
pool.default.serverset.srvrecord.domain-conversion.type = regex
pool.default.serverset.srvrecord.domain-conversion.regex.pattern = ^(?<domain>.*)$
pool.default.serverset.srvrecord.domain-conversion.regex.replacement = GOOD_SITE._sites.${domain}
</code></pre><p style="-webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: collapse; margin-top: 15px; margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" class="">With this setup, my <a href="https://github.com/fbacchella/ovirtcmd" style="color: rgb(104, 0, 148); text-decoration: none; margin-top: auto;" class="">python client</a> can connect to ovirt-engine using kerberos ticket, web users are authenticated using CAS. And there is no need to duplicate user base.</p><div class=""><br class=""></div></body></html>