<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Hi,<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">please take a look at the inline comments:<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 3, 2016 at 9:15 AM,  <span dir="ltr">&lt;<a href="mailto:aleksey.maksimov@it-kb.ru" target="_blank">aleksey.maksimov@it-kb.ru</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Yes. Of course. Here are my configs.<br>
<br>
==============================<wbr>==============================<wbr>=========================<br>
# cat /etc/ovirt-engine/aaa/ovirt-<wbr>sso.conf<br>
<br>
&lt;LocationMatch ^(/ovirt-engine/(webadmin|<wbr>userportal|api)|/api)&gt;<br>
        RewriteEngine on<br>
        RewriteCond %{LA-U:REMOTE_USER} ^(.*)$<br>
        RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]<br>
        RequestHeader set X-Remote-User %{REMOTE_USER}s<br>
        AuthType Kerberos<br>
        AuthName &quot;Kerberos Login&quot;<br>
        Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab<br>
        KrbAuthRealms <a href="http://AD.HOLDING.COM" rel="noreferrer" target="_blank">AD.HOLDING.COM</a><br>
        #KrbMethodNegotiate on<br>
        #KrbMethodK5Passwd on<br>
        KrbMethodK5Passwd off<br>
        Require valid-user<br>
&lt;/LocationMatch&gt;<br></blockquote><div><br><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">Ahh, this is the issue. The above configuration is valid for oVirt 3.x, but in 4.0 we have a quite new OAuth-based SSO, so you need to use the following configuration:<br><br>&lt;LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api&gt;<br>  &lt;If &quot;req(&#39;Authorization&#39;) !~ /^(Bearer|Basic)/i&quot;&gt;<br>    RewriteEngine on<br>    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$<br>    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]<br>    RequestHeader set X-Remote-User %{REMOTE_USER}s<br>    AuthType Kerberos<br>    AuthName &quot;Kerberos Login&quot;<br>    Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab<br>    KrbAuthRealms <a href="http://AD.HOLDING.COM" rel="noreferrer" target="_blank">AD.HOLDING.COM</a><br>    KrbMethodK5Passwd off<br>
    Require valid-user<br>    ErrorDocument 401 &quot;&lt;html&gt;&lt;meta http-equiv=\&quot;refresh\&quot; content=\&quot;0; url=/ovirt-engine/sso/login-unauthorized\&quot;/&gt;&lt;body&gt;&lt;a href=\&quot;/ovirt-engine/sso/login-unauthorized\&quot;&gt;Here&lt;/a&gt;&lt;/body&gt;&lt;/html&gt;&quot;<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">  &lt;/If&gt;<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">
&lt;/LocationMatch&gt;<br></div> <br><div style="font-family:arial,helvetica,sans-serif" class="gmail_default">Also, as 4.0 is working on EL7, you may use mod_auth_gssapi/mod_session instead of the quite old mod_auth_kerb. For mod_auth_gssapi/mod_session you need to do the following:<br><br></div><div style="font-family:arial,helvetica,sans-serif" class="gmail_default">  1. yum install mod_session mod_auth_gssapi<br></div><div style="font-family:arial,helvetica,sans-serif" class="gmail_default">  2. Use the following Apache configuration<br><br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">&lt;LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api&gt;<br>  &lt;If &quot;req(&#39;Authorization&#39;) !~ /^(Bearer|Basic)/i&quot;&gt;<br>    RewriteEngine on<br>    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$<br>    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]<br>    RequestHeader set X-Remote-User %{REMOTE_USER}s<br><br>    AuthType GSSAPI<br>    AuthName &quot;Kerberos Login&quot;<br><br>    # Modify to match installation<br>    GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab<br>    GssapiUseSessions On<br>    Session On<br>    SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;<br>    <br>    Require valid-user<br>    ErrorDocument 401 &quot;&lt;html&gt;&lt;meta http-equiv=\&quot;refresh\&quot; content=\&quot;0; url=/ovirt-engine/sso/login-unauthorized\&quot;/&gt;&lt;body&gt;&lt;a href=\&quot;/ovirt-engine/sso/login-unauthorized\&quot;&gt;Here&lt;/a&gt;&lt;/body&gt;&lt;/html&gt;&quot;<br>  &lt;/If&gt;<br>&lt;/LocationMatch&gt;</div><br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
<br>
# ls -la /etc/httpd/conf.d/ovirt-*<br>
<br>
-rw-r--r--. 1 root root 33 Jul 26 16:42 /etc/httpd/conf.d/ovirt-<wbr>engine-root-redirect.conf<br>
lrwxrwxrwx. 1 root root 36 Sep 30 00:06 /etc/httpd/conf.d/ovirt-sso.<wbr>conf -&gt; /etc/ovirt-engine/aaa/ovirt-<wbr>sso.conf<br>
<br>
<br>
==============================<wbr>==============================<wbr>=========================<br>
# cat /etc/ovirt-engine/aaa/ad.<wbr>holding.com.properties<br>
<br>
include = &lt;ad.properties&gt;<br>
vars.domain = <a href="http://ad.holding.com" rel="noreferrer" target="_blank">ad.holding.com</a><br>
pool.default.auth.simple.<wbr>bindDN = s-oVirt-LS@${global:vars.<wbr>domain}<br>
pool.default.auth.simple.<wbr>password = Passw0rd<br>
pool.default.dc-resolve.enable = false<br>
search.default.dc-resolve.<wbr>enable = false<br>
search.ad-resolve-upn.search-<wbr>request.baseDN = DC=ad,DC=holding,DC=com<br>
pool.default.serverset.type = failover<br>
pool.default.serverset.<wbr>failover.00.server = kom-dc01.${global:vars.domain}<br>
pool.default.serverset.<wbr>failover.01.server = kom-dc02.${global:vars.domain}<br>
pool.default.serverset.<wbr>failover.port = 636<br>
pool.default.serverset.<wbr>failover.domain = ${global:vars.domain}<br>
pool.default.ssl.enable = true<br>
pool.default.ssl.protocol = TLSv1.2<br>
pool.default.ssl.truststore.<wbr>file = ${local:_basedir}/${global:<wbr>vars.domain}.jks<br>
pool.default.ssl.truststore.<wbr>password = changeit<br>
 </blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
==============================<wbr>==============================<wbr>=========================<br>
# cat /etc/ovirt-engine/extensions.<wbr>d/ad.holding.com-authz.<wbr>properties<br>
<br>
<a href="http://ovirt.engine.extension.name" rel="noreferrer" target="_blank">ovirt.engine.extension.name</a> = ad.holding.com-authz<br>
ovirt.engine.extension.<wbr>bindings.method = jbossmodule<br>
ovirt.engine.extension.<wbr>binding.jbossmodule.module = org.ovirt.engine-extensions.<wbr>aaa.ldap<br>
ovirt.engine.extension.<wbr>binding.jbossmodule.class = org.ovirt.engineextensions.<wbr>aaa.ldap.AuthzExtension<br>
ovirt.engine.extension.<wbr>provides = org.ovirt.engine.api.<wbr>extensions.aaa.Authz<br>
config.profile.file.1 = ../aaa/<a href="http://ad.holding.com">ad.holding.com</a>.<wbr>properties<br>
<br>
==============================<wbr>==============================<wbr>=========================<br>
# cat /etc/ovirt-engine/extensions.<wbr>d/ad.holding.com-http-authn.<wbr>properties<br>
<br>
<a href="http://ovirt.engine.extension.name" rel="noreferrer" target="_blank">ovirt.engine.extension.name</a> = ad.holding.com-http-authn<br>
ovirt.engine.extension.<wbr>bindings.method = jbossmodule<br>
ovirt.engine.extension.<wbr>binding.jbossmodule.module = org.ovirt.engine-extensions.<wbr>aaa.misc<br>
ovirt.engine.extension.<wbr>binding.jbossmodule.class = org.ovirt.engineextensions.<wbr>aaa.misc.http.AuthnExtension<br>
ovirt.engine.extension.<wbr>provides = org.ovirt.engine.api.<wbr>extensions.aaa.Authn<br>
<a href="http://ovirt.engine.aaa.authn.profile.name" rel="noreferrer" target="_blank">ovirt.engine.aaa.authn.<wbr>profile.name</a> = ad.holding.com-http<br>
ovirt.engine.aaa.authn.authz.<wbr>plugin = ad.holding.com-authz<br>
ovirt.engine.aaa.authn.<wbr>mapping.plugin = ad.holding.com-http-mapping<br>
<a href="http://config.artifact.name" rel="noreferrer" target="_blank">config.artifact.name</a> = HEADER<br>
config.artifact.arg = X-Remote-User<br>
<br>
==============================<wbr>==============================<wbr>=========================<br>
# cat /etc/ovirt-engine/extensions.<wbr>d/ad.holding.com-http-mapping.<wbr>properties<br>
<br>
<a href="http://ovirt.engine.extension.name" rel="noreferrer" target="_blank">ovirt.engine.extension.name</a> = ad.holding.com-http-mapping<br>
ovirt.engine.extension.<wbr>bindings.method = jbossmodule<br>
ovirt.engine.extension.<wbr>binding.jbossmodule.module = org.ovirt.engine-extensions.<wbr>aaa.misc<br>
ovirt.engine.extension.<wbr>binding.jbossmodule.class = org.ovirt.engineextensions.<wbr>aaa.misc.mapping.<wbr>MappingExtension<br>
ovirt.engine.extension.<wbr>provides = org.ovirt.engine.api.<wbr>extensions.aaa.Mapping<br>
config.mapAuthRecord.type = regex<br>
config.mapAuthRecord.regex.<wbr>mustMatch = true<br>
config.mapAuthRecord.regex.<wbr>pattern = ^(?&lt;user&gt;.*?)((\\\\(?&lt;at&gt;@)(?&lt;<wbr>suffix&gt;.*?)@.*)|(?&lt;realm&gt;@.*))<wbr>$<br>
config.mapAuthRecord.regex.<wbr>replacement = ${user}${at}${suffix}${realm}<br>
<br>
<br>
03.10.2016, 09:56, &quot;Martin Perina&quot; &lt;<a href="mailto:mperina@redhat.com">mperina@redhat.com</a>&gt;:<br>
<br>
&gt; Ahh, so Kerberos SSO works fine for the API, but not for the portals. Could you please share your Apache configuration with the oVirt Kerberos configuration? Usually it&#39;s in /etc/ovirt-engine/aaa/ovirt-<wbr>sso.conf<br>
</blockquote></div><br></div></div>
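<p>Added example (not from the thread or from the oVirt project): a Python model of two pieces of the 4.0 configuration above, the Apache <code>&lt;LocationMatch&gt;</code>/<code>&lt;If&gt;</code> gate that decides when Kerberos negotiation is enforced, and the regex from <code>ad.holding.com-http-mapping.properties</code> that rewrites the X-Remote-User value. Both regexes are transcribed from the page; the paths, headers and principals fed to them are constructed samples.</p>

```python
import re

# Added example, not code from the thread or from oVirt. It models two checks
# from the 4.0 configuration Martin posted; sample inputs are constructed.

# LocationMatch from the 4.0 Apache snippet. Apache applies it as an
# unanchored regex search against the request path.
SSO_PATHS = re.compile(
    r"^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)"
    r"|^/ovirt-engine/api")

def kerberos_negotiation_applies(path: str, authorization: str = "") -> bool:
    """Mirror <LocationMatch> plus <If "req('Authorization') !~ /^(Bearer|Basic)/i">.
    Kerberos/GSSAPI auth is enforced only on the SSO and API paths, and only
    when the client is not already presenting a Bearer or Basic credential
    (those are left to oVirt's own OAuth SSO)."""
    if not SSO_PATHS.search(path):
        return False
    # req('Authorization') is "" when the header is absent, so an absent
    # header fails the match and Kerberos negotiation is triggered.
    return re.match(r"^(Bearer|Basic)", authorization, re.IGNORECASE) is None

# Java regex from ad.holding.com-http-mapping.properties, rewritten for
# Python's re: (?<name>...) becomes (?P<name>...), and the properties-file
# escape "\\\\" is one literal backslash once the file has been parsed.
MAP_PATTERN = re.compile(
    r"^(?P<user>.*?)((\\(?P<at>@)(?P<suffix>.*?)@.*)|(?P<realm>@.*))$")
# Java replacement ${user}${at}${suffix}${realm}; groups that did not take
# part in the match contribute "" in both Java and Python.
MAP_REPLACEMENT = r"\g<user>\g<at>\g<suffix>\g<realm>"

def map_auth_record(remote_user: str):
    """Apply the mapping extension's regex to the X-Remote-User value.
    Returns None when the pattern does not match, which with
    config.mapAuthRecord.regex.mustMatch = true means the record is rejected."""
    if MAP_PATTERN.match(remote_user) is None:
        return None
    return MAP_PATTERN.sub(MAP_REPLACEMENT, remote_user)

if __name__ == "__main__":
    # Plain Kerberos principal: the realm part is kept unchanged.
    print(map_auth_record("aleksey@AD.HOLDING.COM"))
    # Enterprise-style principal (user\@domain@REALM): the escaped suffix
    # replaces the realm, giving a UPN-shaped name.
    print(map_auth_record("aleksey\\@holding.com@AD.HOLDING.COM"))
    print(kerberos_negotiation_applies("/ovirt-engine/api/vms"))
    print(kerberos_negotiation_applies("/ovirt-engine/api/vms", "Bearer abc"))
```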