
On Tue, Oct 4, 2016 at 5:16 PM, <aleksey.maksimov@it-kb.ru> wrote:
Martin, thanks for the help. It works.
Glad to hear that, thanks.

Martin

03.10.2016, 15:01, "Martin Perina" <mperina@redhat.com>:

Ahh, this is the issue. The above configuration is valid for oVirt 3.x, but in 4.0 we have a quite new OAuth-based SSO, so you need to use the following configuration:

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
    KrbAuthRealms AD.HOLDING.COM
    KrbMethodK5Passwd off

    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>

Also, as 4.0 is working on EL7, you may use mod_auth_gssapi/mod_session instead of the quite old mod_auth_kerb. For mod_auth_gssapi/mod_session you need to do the following:

1. yum install mod_session mod_auth_gssapi
2. Use the following Apache configuration:

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

    AuthType GSSAPI
    AuthName "Kerberos Login"

    # Modify to match installation
    GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
    GssapiUseSessions On
    Session On
    SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;

    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>
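
The request routing that the <LocationMatch>/<If> pair in the configurations above sets up, modelled in Python as an added example (not part of the original messages or of oVirt). The function names and sample requests are constructed for illustration, and Python's re module stands in for Apache's regex engine.

```python
import re

# Patterns copied from the configuration in the thread.
LOCATION = re.compile(
    r"^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)"
    r"|^/ovirt-engine/api"
)
TOKEN_AUTH = re.compile(r"^(Bearer|Basic)", re.I)


def kerberos_applies(path, authorization=""):
    """Model of the <LocationMatch>/<If> pair: True when the request would
    reach the Kerberos/GSSAPI directives (AuthType, Require valid-user)."""
    if not LOCATION.search(path):
        return False  # path is outside the <LocationMatch> block
    # Apache's req('Authorization') yields "" when the header is absent.
    return TOKEN_AUTH.search(authorization or "") is None


def lint_location_match(line):
    """Flag a <LocationMatch> line whose pattern contains whitespace, which
    happens when a mail client wraps the long regex after the '|'."""
    m = re.match(r"\s*<LocationMatch\s+(.*)>\s*$", line)
    if not m:
        return "not a LocationMatch line"
    return "pattern contains whitespace" if re.search(r"\s", m.group(1)) else "ok"


# Constructed sample requests: (path, Authorization header value).
SAMPLES = [
    ("/ovirt-engine/sso/interactive-login-negotiate", ""),
    ("/ovirt-engine/api/vms", ""),
    ("/ovirt-engine/api/vms", "Bearer abc123"),
    ("/ovirt-engine/api", "basic dXNlcjpwYXNz"),
    ("/ovirt-engine/api", "Negotiate YII="),
    ("/ovirt-engine/webadmin/", ""),
]

if __name__ == "__main__":
    for path, auth in SAMPLES:
        scheme = auth.split(" ")[0] or "(none)"
        print(f"{path:48} {scheme:10} kerberos={kerberos_applies(path, auth)}")
```

Requests that already carry a Bearer or Basic Authorization header skip the Kerberos block, so those credentials are left for the engine's SSO to validate; everything else under the matched paths must pass Require valid-user.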