Martin, thanks for the help. It works.
03.10.2016, 15:01, "Martin Perina" <mperina@redhat.com>:
> Ahh, this is the issue. Above configuration is valid for oVirt 3.x, but in 4.0 we have quite new OAuth base SSO, so you need to use following configuration:
>
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate| oauth/token-http-auth)|^/ ovirt-engine/api>
> <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> RewriteEngine on
> RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
> RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
> RequestHeader set X-Remote-User %{REMOTE_USER}s
> AuthType Kerberos
> AuthName "Kerberos Login"
> Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
> KrbAuthRealms AD.HOLDING.COM
> KrbMethodK5Passwd off
> Require valid-user
> ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/ login-unauthorized\">Here</a>< /body></html>"
> </If>
> </LocationMatch>
>
>
> Also as 4.0 is working on EL7 you may use mod_auth_gssapi/mod_session instead of quite old mod_auth_krb. For mod_auth_gssapi/mod_sessions you need to do following:
>
> 1. yum install mod_session mod_auth_gssapi
> 2. Use following Apache configuration
>
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate| oauth/token-http-auth)|^/ ovirt-engine/api>
> <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> RewriteEngine on
> RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
> RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
> RequestHeader set X-Remote-User %{REMOTE_USER}s
>
> AuthType GSSAPI
> AuthName "Kerberos Login"
>
> # Modify to match installation
> GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
> GssapiUseSessions On
> Session On
> SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
>
> Require valid-user
> ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/ login-unauthorized\">Here</a>< /body></html>"
> </If>
> </LocationMatch>