Hi, please take a look at inline comments: On Mon, Oct 3, 2016 at 9:15 AM, <aleksey.maksimov@it-kb.ru> wrote:
Yes. Of course. Here are my configs.
============================================================ ========================= # cat /etc/ovirt-engine/aaa/ovirt-sso.conf
<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)> RewriteEngine on RewriteCond %{LA-U:REMOTE_USER} ^(.*)$ RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1] RequestHeader set X-Remote-User %{REMOTE_USER}s AuthType Kerberos AuthName "Kerberos Login" Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab KrbAuthRealms AD.HOLDING.COM #KrbMethodNegotiate on #KrbMethodK5Passwd on KrbMethodK5Passwd off Require valid-user </LocationMatch>
Ahh, this is the issue. Above configuration is valid for oVirt 3.x, but in 4.0 we have quite new OAuth base SSO, so you need to use following configuration: <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api> <If "req('Authorization') !~ /^(Bearer|Basic)/i"> RewriteEngine on RewriteCond %{LA-U:REMOTE_USER} ^(.*)$ RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1] RequestHeader set X-Remote-User %{REMOTE_USER}s AuthType Kerberos AuthName "Kerberos Login" Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab KrbAuthRealms AD.HOLDING.COM KrbMethodK5Passwd off Require valid-user ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>" </If> </LocationMatch> Also as 4.0 is working on EL7 you may use mod_auth_gssapi/mod_session instead of quite old mod_auth_krb. For mod_auth_gssapi/mod_sessions you need to do following: 1. yum install mod_session mod_auth_gssapi 2. Use following Apache configuration <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api> <If "req('Authorization') !~ /^(Bearer|Basic)/i"> RewriteEngine on RewriteCond %{LA-U:REMOTE_USER} ^(.*)$ RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1] RequestHeader set X-Remote-User %{REMOTE_USER}s AuthType GSSAPI AuthName "Kerberos Login" # Modify to match installation GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab GssapiUseSessions On Session On SessionCookieName ovirt_gssapi_session path=/private;httponly;secure; Require valid-user ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>" </If> </LocationMatch>
# ls -la /etc/httpd/conf.d/ovirt-*
-rw-r--r--. 1 root root 33 Jul 26 16:42 /etc/httpd/conf.d/ovirt- engine-root-redirect.conf lrwxrwxrwx. 1 root root 36 Sep 30 00:06 /etc/httpd/conf.d/ovirt-sso.conf -> /etc/ovirt-engine/aaa/ovirt-sso.conf
============================================================ ========================= # cat /etc/ovirt-engine/aaa/ad.holding.com.properties
include = <ad.properties> vars.domain = ad.holding.com pool.default.auth.simple.bindDN = s-oVirt-LS@${global:vars.domain} pool.default.auth.simple.password = Passw0rd pool.default.dc-resolve.enable = false search.default.dc-resolve.enable = false search.ad-resolve-upn.search-request.baseDN = DC=ad,DC=holding,DC=com pool.default.serverset.type = failover pool.default.serverset.failover.00.server = kom-dc01.${global:vars.domain} pool.default.serverset.failover.01.server = kom-dc02.${global:vars.domain} pool.default.serverset.failover.port = 636 pool.default.serverset.failover.domain = ${global:vars.domain} pool.default.ssl.enable = true pool.default.ssl.protocol = TLSv1.2 pool.default.ssl.truststore.file = ${local:_basedir}/${global: vars.domain}.jks pool.default.ssl.truststore.password = changeit
============================================================
========================= # cat /etc/ovirt-engine/extensions.d/ad.holding.com-authz.properties
ovirt.engine.extension.name = ad.holding.com-authz ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides = org.ovirt.engine.api. extensions.aaa.Authz config.profile.file.1 = ../aaa/ad.holding.com.properties
============================================================ ========================= # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-authn.properties
ovirt.engine.extension.name = ad.holding.com-http-authn ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api. extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name = ad.holding.com-http ovirt.engine.aaa.authn.authz.plugin = ad.holding.com-authz ovirt.engine.aaa.authn.mapping.plugin = ad.holding.com-http-mapping config.artifact.name = HEADER config.artifact.arg = X-Remote-User
============================================================ ========================= # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-mapping. properties
ovirt.engine.extension.name = ad.holding.com-http-mapping ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension ovirt.engine.extension.provides = org.ovirt.engine.api. extensions.aaa.Mapping config.mapAuthRecord.type = regex config.mapAuthRecord.regex.mustMatch = true config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?< suffix>.*?)@.*)|(?<realm>@.*))$ config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm}
03.10.2016, 09:56, "Martin Perina" <mperina@redhat.com>:
Ahh, so kerberos SSO works fine for API, but not for portals. Could you please share your Apache configuration with oVirt kerberos configuration? Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf