Martin, thanks for the help. It works.
03.10.2016, 15:01, "Martin Perina" <mperina(a)redhat.com>:
Ahh, this is the issue. The above configuration is valid for oVirt 3.x,
but in 4.0 we have a quite new OAuth-based SSO, so you need to use the following configuration:
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s
    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
    KrbAuthRealms AD.HOLDING.COM
    KrbMethodK5Passwd off
    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>
Also, as 4.0 is working on EL7, you may use mod_auth_gssapi/mod_session instead of the quite
old mod_auth_kerb. For mod_auth_gssapi/mod_session you need to do the following:
1. yum install mod_session mod_auth_gssapi
2. Use the following Apache configuration:
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s
    AuthType GSSAPI
    AuthName "Kerberos Login"
    # Modify to match installation
    GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
    GssapiUseSessions On
    Session On
    SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>
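
Added example, not part of the original thread or of oVirt: a small Python model of the <LocationMatch> and <If> conditions above, to check which requests fall inside the Kerberos/GSSAPI block before deploying the configuration. The function name, the sample paths and the sample header values are constructed for illustration, and the path is assumed to be the one Apache sees after its own normalization.

```python
import re

# Patterns copied from the <LocationMatch> and <If> lines in the configuration above.
LOCATION_MATCH = re.compile(
    r"^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)"
    r"|^/ovirt-engine/api"
)
TOKEN_OR_BASIC = re.compile(r"^(Bearer|Basic)", re.IGNORECASE)


def kerberos_block_applies(path, authorization=None):
    """Return True when a request falls inside the Kerberos/GSSAPI block.

    path          -- URL path (assumption: already normalized by Apache)
    authorization -- Authorization header value, or None when it is absent
    """
    # <LocationMatch> is an unanchored regex search; only the leading ^ pins it,
    # so anything that merely starts with a listed prefix matches.
    if not LOCATION_MATCH.search(path):
        return False
    # req('Authorization') is an empty string when the header is missing, so a
    # request without the header does not match /^(Bearer|Basic)/i and the
    # block applies.
    return TOKEN_OR_BASIC.search(authorization or "") is None


# Constructed sample requests: (path, Authorization header)
SAMPLES = [
    ("/ovirt-engine/api/vms", None),
    ("/ovirt-engine/api/vms", "Bearer constructed-token"),
    ("/ovirt-engine/api/vms", "basic Y29uc3RydWN0ZWQ="),
    ("/ovirt-engine/api/vms", "Negotiate constructed-token"),
    ("/ovirt-engine/sso/interactive-login-negotiate", None),
    ("/ovirt-engine/sso/oauth/token-http-auth", None),
    ("/ovirt-engine/sso/oauth/token", None),
    ("/ovirt-engine/webadmin", None),
    ("/ovirt-engine/api-example", None),  # prefix match: no trailing anchor
]


def classify(samples=SAMPLES):
    """Return (path, header, applies) for each sample request."""
    return [(p, a, kerberos_block_applies(p, a)) for p, a in samples]


if __name__ == "__main__":
    for path, header, applies in classify():
        print(f"{'negotiate' if applies else 'skip':9}  {path}  [{header}]")
```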