Hello,

I have installed ovirt-engine version 4.1.1.8 on CentOS Linux release
7.3.1611 and have configured authentication against Active Directory
with the ovirt-engine-extension-aaa-ldap-setup version 1.3.1.

I have also configured single-sign-on (SSO) via
ovirt-engine-extension-aaa-misc version 1.0.1.  We use MIT Kerberos
in our organisation for Linux authentication.  After configuring
appropriate System Permissions in the oVirt Engine web interface,
end-users can successfully authenticate:

- without additional input if they have a valid Kerberos
ticket-granting-ticket (TGT).

- by entering their Active Directory login and password in the
oVirt log-in page if they do not have a valid TGT.


The problem is that oVirt sees the Active Directory and SSO log-ins
as two distinct Authentication Domains.  In more detail:

- ovirt.engine.extension.name = Kerberos in the authz.properties file
for our SSO configuration.

If a user authenticates via a Kerberos TGT, their user-name appears
as username@our.ad.domain@Kerberos within oVirt engine.


- ovirt.engine.extension.name = LDAP in the authz.properties file for
our Active Directory configuration.

If a user authenticates by entering the relevant Active Directory login
and password in the oVirt web-form log-in, their user-name appears as
user@our.ad.domain@LDAP within oVirt engine.


Is there a way to configure both authentication methods to map to the
same user irrespective  of the Authentication domain?  That is, is
there a way in oVirt to say that user1@domain1 and user1@domain2 are
to be treated as being equivalent?

Best wishes,
  Lloyd Kamara
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users