Hello,
I have installed ovirt-engine version 4.1.1.8 on CentOS Linux release
7.3.1611 and have configured authentication against Active Directory
with the ovirt-engine-extension-aaa-ldap-setup version 1.3.1.
I have also configured single-sign-on (SSO) via
ovirt-engine-extension-aaa-misc version 1.0.1. We use MIT Kerberos
in our organisation for Linux authentication. After configuring
appropriate System Permissions in the oVirt Engine web interface,
end-users can successfully authenticate:
- without additional input if they have a valid Kerberos
  ticket-granting-ticket (TGT).
- by entering their Active Directory login and password in the
  oVirt log-in page if they do not have a valid TGT.
The problem is that oVirt sees the Active Directory and SSO log-ins
as two distinct Authentication Domains. In more detail:
- ovirt.engine.extension.name = Kerberos in the authz.properties file
  for our SSO configuration.
  If a user authenticates via a Kerberos TGT, their user-name appears
  as username@our.ad.domain@Kerberos within oVirt engine.
- ovirt.engine.extension.name = LDAP in the authz.properties file for
  our Active Directory configuration.
  If a user authenticates by entering the relevant Active Directory login
  and password in the oVirt web-form log-in, their user-name appears as
  user@our.ad.domain@LDAP within oVirt engine.
Is there a way to configure both authentication methods to map to the
same user irrespective of the Authentication domain? That is, is
there a way in oVirt to say that user1@domain1 and user1@domain2 are
to be treated as being equivalent?
Best wishes,
Lloyd Kamara