On Tue, Oct 4, 2016 at 5:16 PM, <aleksey.maksimov(a)it-kb.ru> wrote:
Martin, thanks for the help. It works.
Glad to hear that, thanks.
Martin
03.10.2016, 15:01, "Martin Perina" <mperina(a)redhat.com>:
> Ahh, this is the issue. The above configuration is valid for oVirt 3.x, but
> in 4.0 we have a quite new OAuth-based SSO, so you need to use the following
> configuration:
>
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
> <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> RewriteEngine on
> RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
> RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
> RequestHeader set X-Remote-User %{REMOTE_USER}s
> AuthType Kerberos
> AuthName "Kerberos Login"
> Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
> KrbAuthRealms AD.HOLDING.COM
> KrbMethodK5Passwd off
> Require valid-user
> ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> </If>
> </LocationMatch>
>
>
> Also, as 4.0 is working on EL7, you may use mod_auth_gssapi/mod_session
> instead of the quite old mod_auth_kerb. For mod_auth_gssapi/mod_session you
> need to do the following:
>
> 1. yum install mod_session mod_auth_gssapi
> 2. Use the following Apache configuration
>
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
> <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> RewriteEngine on
> RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
> RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
> RequestHeader set X-Remote-User %{REMOTE_USER}s
>
> AuthType GSSAPI
> AuthName "Kerberos Login"
>
> # Modify to match installation
> GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
> GssapiUseSessions On
> Session On
> SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
>
> Require valid-user
> ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> </If>
> </LocationMatch>
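
A small model of when the Kerberos/GSSAPI block in the configuration quoted above takes effect, added here as an illustration (it is not part of the original thread or of oVirt). It reproduces only the `<LocationMatch>` regex and the `<If>` test on the `Authorization` header; the function names and the sample requests are constructed.

```python
import re

# Patterns copied from the quoted Apache configuration.
LOCATION_MATCH = re.compile(
    r"^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)"
    r"|^/ovirt-engine/api"
)
TOKEN_OR_BASIC = re.compile(r"^(Bearer|Basic)", re.IGNORECASE)


def negotiate_applies(path, authorization=None):
    """Return True when the AuthType Kerberos/GSSAPI directives would apply.

    Models two conditions only: the <LocationMatch> regex searched against
    the URL path, and the <If> expression, which is true when the
    Authorization header does NOT start with Bearer or Basic. A missing
    header is treated as an empty string, as req() does.
    """
    if not LOCATION_MATCH.search(path):
        return False
    return TOKEN_OR_BASIC.search(authorization or "") is None


# Constructed sample requests: (URL path, Authorization header or None).
SAMPLES = [
    ("/ovirt-engine/api/vms", None),
    ("/ovirt-engine/api/vms", "Basic Y29uc3RydWN0ZWQ="),
    ("/ovirt-engine/api", "bearer constructed-token"),
    ("/ovirt-engine/api", "Negotiate YIIconstructed"),
    ("/ovirt-engine/sso/interactive-login-negotiate", None),
    ("/ovirt-engine/sso/oauth/token-http-auth", None),
    ("/ovirt-engine/sso/oauth/token", None),
    ("/ovirt-engine/webadmin/", None),
    # The regex has no trailing anchor, so it is a prefix match.
    ("/ovirt-engine/api-constructed", None),
]


def evaluate(samples):
    """Return (path, authorization, negotiate_applies) for each sample."""
    return [(p, a, negotiate_applies(p, a)) for p, a in samples]


if __name__ == "__main__":
    for path, auth, applies in evaluate(SAMPLES):
        scheme = auth.split()[0] if auth else "-"
        print(f"{'NEGOTIATE' if applies else 'skip':9}  {scheme:9}  {path}")
```

Requests that already carry a Bearer or Basic `Authorization` header, and all paths outside the two matched prefixes, fall through to whatever other handling the server has for them.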