<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 4, 2016 at 5:16 PM, <span dir="ltr"><<a href="mailto:aleksey.maksimov@it-kb.ru" target="_blank">aleksey.maksimov@it-kb.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Martin, thanks for the help. It works.<br></blockquote><div><br><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">Glad to hear that, thanks.<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">Martin<br></div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
03.10.2016, 15:01, "Martin Perina" <<a href="mailto:mperina@redhat.com">mperina@redhat.com</a>>:<br>
> Ahh, this is the issue. The above configuration is valid for oVirt 3.x, but in 4.0 we have a quite new OAuth-based SSO, so you need to use the following configuration:<br>
><br>
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api><br>
> <If "req('Authorization') !~ /^(Bearer|Basic)/i"><br>
> RewriteEngine on<br>
> RewriteCond %{LA-U:REMOTE_USER} ^(.*)$<br>
> RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]<br>
> RequestHeader set X-Remote-User %{REMOTE_USER}s<br>
> AuthType Kerberos<br>
> AuthName "Kerberos Login"<br>
> Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab<br>
> KrbAuthRealms <a href="http://AD.HOLDING.COM" rel="noreferrer" target="_blank">AD.HOLDING.COM</a><br>
> KrbMethodK5Passwd off<br>
> Require valid-user<br>
> ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"<br>
> </If><br>
> </LocationMatch><br>
> <br>
><br>
> Also, as 4.0 is working on EL7, you may use mod_auth_gssapi/mod_session instead of the quite old mod_auth_kerb. For mod_auth_gssapi/mod_session you need to do the following:<br>
><br>
> 1. yum install mod_session mod_auth_gssapi<br>
> 2. Use the following Apache configuration<br>
><br>
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api><br>
> <If "req('Authorization') !~ /^(Bearer|Basic)/i"><br>
> RewriteEngine on<br>
> RewriteCond %{LA-U:REMOTE_USER} ^(.*)$<br>
> RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]<br>
> RequestHeader set X-Remote-User %{REMOTE_USER}s<br>
><br>
> AuthType GSSAPI<br>
> AuthName "Kerberos Login"<br>
><br>
> # Modify to match installation<br>
> GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab<br>
> GssapiUseSessions On<br>
> Session On<br>
> SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;<br>
><br>
> Require valid-user<br>
> ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"<br>
> </If><br>
> </LocationMatch><br>
</blockquote></div><br></div></div>
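A small model of the request matching in the configuration quoted above, as an added example that is not part of the original messages or of oVirt: it extracts the two regexes from a trimmed copy of the block and reports which requests Apache would challenge for Kerberos and which it passes through to the engine's own SSO. The function names, the trimmed config copy and the sample requests are constructed for illustration, and Python's `re` stands in for Apache's regex engine.

```python
import re

# Trimmed copy of the mod_auth_gssapi block quoted above; directives that do
# not affect request matching are left out (constructed for this example).
CONFIG = r'''
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    AuthType GSSAPI
    Require valid-user
  </If>
</LocationMatch>
'''

def load_matchers(config=CONFIG):
    """Pull the path regex and the Authorization-header regex out of the config."""
    path_rx = re.search(r'<LocationMatch\s+(\S+)>', config).group(1)
    hdr = re.search(r'''<If "req\('Authorization'\) !~ /(.+?)/(i?)">''', config)
    flags = re.IGNORECASE if hdr.group(2) else 0
    return re.compile(path_rx), re.compile(hdr.group(1), flags)

def handled_by(path, authorization=None, config=CONFIG):
    """'negotiate' if Apache would demand Kerberos auth, else 'passthrough'."""
    path_re, hdr_re = load_matchers(config)
    if not path_re.search(path):        # LocationMatch: unanchored search on the URL path
        return "passthrough"
    # Assumption of this model: a missing header evaluates to the empty string.
    if hdr_re.search(authorization or ""):
        return "passthrough"            # <If> is false: Bearer/Basic go to the engine's SSO
    return "negotiate"

if __name__ == "__main__":
    # Constructed sample requests: (URL path, Authorization header or None).
    samples = [
        ("/ovirt-engine/sso/interactive-login-negotiate", None),
        ("/ovirt-engine/sso/oauth/token-http-auth", "Negotiate YIIabc"),
        ("/ovirt-engine/api/vms", "Bearer abc123"),
        ("/ovirt-engine/api/vms", None),
        ("/ovirt-engine/webadmin/", None),
    ]
    for path, auth in samples:
        print(f"{handled_by(path, auth):12} {path}  Authorization={auth!r}")
```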