oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

Hello oVirt gurus!

I set up oVirt integration with Active Directory LDAP according to the manual: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualizat...
I created a profile integration with my domain. All is working well.

Now I'm trying to configure single sign-on for the portals based on Kerberos. All settings are performed according to the manual: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualizat...
The Kerberos client is tested and working. However, SSO is not working.

Please tell me how to find the cause of the problem. What troubleshooting steps should I take?

On 09/30/2016 02:44 PM, aleksey.maksimov@it-kb.ru wrote:
> Hello oVirt gurus!
> I set up oVirt integration with Active Directory LDAP according to the manual: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualizat...
> I created a profile integration with my domain. All is working well.
> Now I'm trying to configure single sign-on for the portals based on Kerberos.
> All settings are performed according to the manual: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualizat...
> The Kerberos client is tested and working. However, SSO is not working.

So if you run kinit and then:

  $ curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://fqdn/ovirt-engine/api

is it fine?

> Please tell me how to find the cause of the problem. What troubleshooting steps should I take?

On the oVirt engine check:
  /var/log/httpd/ssl_error_log
  /var/log/ovirt-engine/engine.log
On AD check the Kerberos log.

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

# kinit -V -k -t /etc/httpd/s-oVirt-Krb.keytab HTTP/kom-ad01-ovirt1.ad.holding.com
Using existing cache: persistent:0:0
Using principal: HTTP/kom-ad01-ovirt1.ad.holding.com@AD.HOLDING.COM
Using keytab: /etc/httpd/s-oVirt-Krb.keytab
Authenticated to Kerberos v5

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/kom-ad01-ovirt1.ad.holding.com@AD.HOLDING.COM

Valid starting       Expires              Service principal
09/30/2016 16:28:02  10/01/2016 02:28:02  krbtgt/AD.HOLDING.COM@AD.HOLDING.COM
        renew until 10/07/2016 16:28:02

# curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
<html><head><title>Error</title></head><body>Unauthorized</body></html>

However, if I open this URL (https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api) in a browser, it opens without errors and without authorization requests.

# tail -f /var/log/httpd/ssl_error_log
# tail -f /var/log/ovirt-engine/engine.log

There is nothing in the logs at the moment when I open the portal in the browser.

'/etc/httpd/s-oVirt-Krb.keytab' is the Apache keytab; you can't test login with it. You should try something like `kinit myuser` and then curl. And be sure that 'myuser' has appropriate permissions in oVirt.

Do you have your browser properly set up with negotiation enabled (for example for Firefox [1])?

[1] https://docs.fedoraproject.org/en-US/Fedora/11/html/Security_Guide/sect-Secu...

# kinit aleksey
Password for aleksey@AD.HOLDING.COM: ***

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
Default principal: aleksey@AD.HOLDING.COM

Valid starting       Expires              Service principal
09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM@AD.HOLDING.COM
        renew until 10/07/2016 16:50:29

# curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<api>
... output truncated ...
</api>

It works. The browsers are configured. Kerberos authentication for Windows web servers is working successfully from Internet Explorer & Firefox.

Hi Aleksey,

in your last email you wrote that everything works (at least that's my understanding, email pasted below). So what exactly doesn't work for you?

Regards
Martin Perina

> # kinit aleksey
> Password for aleksey@AD.HOLDING.COM: ***
> # klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> Default principal: aleksey@AD.HOLDING.COM
> Valid starting       Expires              Service principal
> 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM@AD.HOLDING.COM
>         renew until 10/07/2016 16:50:29
> # curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <api> ... output truncated ... </api>
> It works. The browsers are configured. Kerberos authentication for Windows web servers is working successfully from Internet Explorer & Firefox.

On Mon, Oct 3, 2016 at 7:37 AM, <aleksey.maksimov@it-kb.ru> wrote:
> Up

30.09.2016, 18:55, "aleksey.maksimov@it-kb.ru" <aleksey.maksimov@it-kb.ru>:
> Any other ideas?

On Mon, Oct 3, 2016 at 8:18 AM, <aleksey.maksimov@it-kb.ru> wrote:
> Hello, Martin
>
> Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS is working successfully from Internet Explorer & Firefox. Kerberos authentication is NOT working with the oVirt web portals.
>
> I expect that users opening the oVirt web portal in the browser do not enter a password, and instead use transparent sign-on with Kerberos. Is it impossible?

It's possible and it works fine when everything is properly set up. But please bear in mind that Kerberos SSO is one of the most complicated oVirt setups, and usually the error is on the Kerberos side (environment issues on the client).

So, you are saying that using curl you are able to access the API using a Kerberos ticket, but when you try to access the same API from the browser it does not work, right? I don't use IE, but you need to set the following options in the "about:config" URL for Firefox to work properly with Kerberos:

  network.negotiate-auth.delegation-uris = .ad.holding.com
  network.negotiate-auth.trusted-uris = .ad.holding.com

If you have those options set, what exactly happens when you try to access https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in Firefox?

Martin Perina
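The replies above all circle the same three questions: is Apache actually offering Negotiate on the URL being tested, does the client send anything at all (Firefox sends nothing unless network.negotiate-auth.trusted-uris covers the host), and if it does, is the token Kerberos or an NTLM fallback, which mod_auth_kerb cannot accept. The following Python script is an added example, not code from the thread or from oVirt: it classifies one request/response pair of a Negotiate exchange from its HTTP headers, the way you would read them off `curl -v --negotiate -u :` or the browser's network panel. The header sets and the SPNEGO tokens are constructed by the script itself; the DER/OID helpers are mine, the OIDs are the standard GSS-API, Kerberos V5, Microsoft Kerberos and NTLMSSP identifiers.

```python
import base64

# GSS-API / SPNEGO mechanism OIDs (RFC 2743, RFC 4178, MS-SPNG).
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"

def der(tag, content):
    """DER TLV encoder, short-form length only (enough for a NegTokenInit sample)."""
    return bytes([tag, len(content)]) + content

def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                      # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body.extend(chunk)
    return der(0x06, bytes(body))

def oid_decode(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def der_iter(buf):
    """Yield (tag, content) per TLV; long-form lengths matter for real AP-REQ tokens."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def collect_oids(buf):
    """Every OID in a DER blob, descending into constructed tags (bit 0x20) only."""
    oids = []
    for tag, content in der_iter(buf):
        if tag == 0x06:
            oids.append(oid_decode(content))
        elif tag & 0x20:                      # SEQUENCE, [n] context tags, APPLICATION 0
            oids.extend(collect_oids(content))
    return oids

def build_spnego_init(mech_oids, mech_token=b""):
    """SPNEGO NegTokenInit (mechTypes + optional mechToken) in a GSS InitialContextToken."""
    fields = der(0xA0, der(0x30, b"".join(oid_encode(o) for o in mech_oids)))
    if mech_token:
        fields += der(0xA2, der(0x04, mech_token))
    return der(0x60, oid_encode(OID_SPNEGO) + der(0xA0, der(0x30, fields)))

def hdr(headers, name):
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def diagnose(status, response_headers, request_headers):
    """Classify one request/response pair of a Negotiate exchange."""
    if status == 200:
        return "ok"
    if "negotiate" not in hdr(response_headers, "WWW-Authenticate").lower():
        return "server-not-offering-negotiate"   # URL is outside the Apache auth block
    authz = hdr(request_headers, "Authorization")
    if not authz:
        return "client-sent-nothing"             # no ticket, or host not in trusted-uris
    scheme, _, blob = authz.partition(" ")
    if scheme.lower() != "negotiate":
        return "client-used-" + scheme.lower()   # e.g. Basic, or raw NTLM
    raw = base64.b64decode(blob)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm-fallback"                   # bare NTLM type 1 under the Negotiate scheme
    oids = collect_oids(raw) if raw[:1] == b"\x60" else []
    if OID_KRB5 in oids or OID_MS_KRB5 in oids:
        return "spnego-kerberos"                 # token fine; check keytab, SPN, clock on the server
    if OID_NTLMSSP in oids:
        return "spnego-ntlm-only"                # client had no service ticket for HTTP/fqdn
    return "spnego-unknown-mech"

def b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed exchanges, not captures from the thread; tokens come from build_spnego_init above.
OFFER = {"WWW-Authenticate": "Negotiate"}
SAMPLES = {
    "no-negotiate-offered": (401, {"Content-Type": "text/html"}, {}),
    "browser-sent-nothing": (401, OFFER, {}),
    "ntlm-fallback": (401, OFFER, {"Authorization": "Negotiate " + b64(b"NTLMSSP\x00\x01\x00\x00\x00")}),
    "spnego-ntlm-only": (401, OFFER, {"Authorization": "Negotiate " + b64(build_spnego_init([OID_NTLMSSP]))}),
    "spnego-kerberos-rejected": (401, OFFER, {"Authorization": "Negotiate " + b64(
        build_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"constructed AP-REQ placeholder"))}),
}

def run_samples(samples=SAMPLES):
    return {name: diagnose(*exchange) for name, exchange in samples.items()}
```

Each verdict points at a different layer: "server-not-offering-negotiate" means the Apache block does not cover that path and no client-side setting will help; "client-sent-nothing" is the Firefox trusted-uris / missing ticket case; "ntlm-fallback" and "spnego-ntlm-only" mean the client could not get a service ticket for HTTP/fqdn (SPN not registered on the keytab account, or the host reached by a name the SPN does not cover); only "spnego-kerberos" with a 401 sends you to the keytab, realm and clock on the engine.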

On Mon, Oct 3, 2016 at 8:52 AM, <aleksey.maksimov@it-kb.ru> wrote:
>> network.negotiate-auth.delegation-uris = .ad.holding.com
>> network.negotiate-auth.trusted-uris = .ad.holding.com
>
> Yes. Configured.
>
> The URL https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in IE and Firefox opens without problems and without password prompts.
>
> But when opening links from the start page...
>   https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/userportal/?locale=en_US
>   https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/webadmin/?locale=en_US
> ...an oVirt form opens prompting for credentials, with a single profile, "internal".

Ahh, so Kerberos SSO works fine for the API, but not for the portals. Could you please share your Apache configuration with the oVirt Kerberos configuration? Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf

Thanks
Martin Perina

Yes. Of course. Here are my configs.

=====================================================================================
# cat /etc/ovirt-engine/aaa/ovirt-sso.conf

<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
  RewriteEngine on
  RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
  RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
  RequestHeader set X-Remote-User %{REMOTE_USER}s

  AuthType Kerberos
  AuthName "Kerberos Login"
  Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
  KrbAuthRealms AD.HOLDING.COM
  #KrbMethodNegotiate on
  #KrbMethodK5Passwd on
  KrbMethodK5Passwd off
  Require valid-user
</LocationMatch>

# ls -la /etc/httpd/conf.d/ovirt-*
-rw-r--r--. 1 root root 33 Jul 26 16:42 /etc/httpd/conf.d/ovirt-engine-root-redirect.conf
lrwxrwxrwx. 1 root root 36 Sep 30 00:06 /etc/httpd/conf.d/ovirt-sso.conf -> /etc/ovirt-engine/aaa/ovirt-sso.conf

=====================================================================================
# cat /etc/ovirt-engine/aaa/ad.holding.com.properties

include = <ad.properties>
vars.domain = ad.holding.com
pool.default.auth.simple.bindDN = s-oVirt-LS@${global:vars.domain}
pool.default.auth.simple.password = Passw0rd
pool.default.dc-resolve.enable = false
search.default.dc-resolve.enable = false
search.ad-resolve-upn.search-request.baseDN = DC=ad,DC=holding,DC=com
pool.default.serverset.type = failover
pool.default.serverset.failover.00.server = kom-dc01.${global:vars.domain}
pool.default.serverset.failover.01.server = kom-dc02.${global:vars.domain}
pool.default.serverset.failover.port = 636
pool.default.serverset.failover.domain = ${global:vars.domain}
pool.default.ssl.enable = true
pool.default.ssl.protocol = TLSv1.2
pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
pool.default.ssl.truststore.password = changeit

=====================================================================================
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-authz.properties

ovirt.engine.extension.name = ad.holding.com-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/ad.holding.com.properties

=====================================================================================
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-authn.properties

ovirt.engine.extension.name = ad.holding.com-http-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = ad.holding.com-http
ovirt.engine.aaa.authn.authz.plugin = ad.holding.com-authz
ovirt.engine.aaa.authn.mapping.plugin = ad.holding.com-http-mapping
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User

=====================================================================================
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-mapping.properties

ovirt.engine.extension.name = ad.holding.com-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = true
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm}

Hi,

please take a look at the inline comments:

On Mon, Oct 3, 2016 at 9:15 AM, <aleksey.maksimov@it-kb.ru> wrote:
> Yes. Of course. Here are my configs.
>
> # cat /etc/ovirt-engine/aaa/ovirt-sso.conf
>
> <LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
>   RewriteEngine on
>   RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
>   RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
>   RequestHeader set X-Remote-User %{REMOTE_USER}s
>   AuthType Kerberos
>   AuthName "Kerberos Login"
>   Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
>   KrbAuthRealms AD.HOLDING.COM
>   #KrbMethodNegotiate on
>   #KrbMethodK5Passwd on
>   KrbMethodK5Passwd off
>   Require valid-user
> </LocationMatch>

Ahh, this is the issue. The above configuration is valid for oVirt 3.x, but in 4.0 we have a quite new OAuth-based SSO, so you need to use the following configuration:

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
    KrbAuthRealms AD.HOLDING.COM
    KrbMethodK5Passwd off
    Require valid-user

    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>

Also, as 4.0 runs on EL7, you may use mod_auth_gssapi/mod_session instead of the quite old mod_auth_kerb. For mod_auth_gssapi/mod_session you need to do the following:

1. yum install mod_session mod_auth_gssapi
2. Use the following Apache configuration:

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

    AuthType GSSAPI
    AuthName "Kerberos Login"

    # Modify to match installation
    GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
    GssapiUseSessions On
    Session On
    SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;

    Require valid-user

    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>
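The fix above comes down to which URLs Apache gates with Negotiate. The following Python script is an added example, not code from the thread or from oVirt: it parses the two LocationMatch blocks as posted (trimmed to the directives that decide gating) and simulates, for the requests from this thread, whether Apache would run the Kerberos handshake. The parsing helpers and the request list are mine; the Bearer and Basic values are constructed placeholders. It shows why the 3.x pattern left the portals on the internal login form: the 4.0 SSO performs Negotiate login on its own endpoint, /ovirt-engine/sso/interactive-login-negotiate (the path Martin's pattern names), which the old pattern never matches, so Apache never sets X-Remote-User where the SSO servlet looks for it. It also shows what the <If> guard buys: an API client presenting an OAuth Bearer token or Basic credentials skips Negotiate instead of being rejected by KrbMethodK5Passwd off.

```python
import re

# The two Apache blocks from the thread, trimmed to the directives that decide
# whether a request is gated by Kerberos at all: the 3.x-style block that was
# installed, and the 4.0 block from the reply.
OLD_CONF = r'''
<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
  AuthType Kerberos
  KrbMethodK5Passwd off
  Require valid-user
</LocationMatch>
'''

NEW_CONF = r'''
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    AuthType Kerberos
    KrbMethodK5Passwd off
    Require valid-user
  </If>
</LocationMatch>
'''

LOCATION_RE = re.compile(r"<LocationMatch\s+(\S+)>")
IF_AUTHZ_RE = re.compile(r"""<If\s+"req\('Authorization'\)\s+!~\s+/(.+?)/(i?)">""")


def parse_sso_conf(text):
    """Pull out the LocationMatch regex and the optional Authorization guard."""
    loc = LOCATION_RE.search(text)
    if not loc:
        raise ValueError("no <LocationMatch> block found")
    guard = IF_AUTHZ_RE.search(text)
    return {
        "location": re.compile(loc.group(1)),
        "skip_if_authz": re.compile(guard.group(1), re.I if guard.group(2) else 0) if guard else None,
        "negotiate": bool(re.search(r"AuthType\s+(Kerberos|GSSAPI)", text)),
    }


def kerberos_gated(conf, path, authorization=None):
    """Would Apache run the Negotiate handshake for this request?

    LocationMatch is an unanchored regex search over the URL path (no query
    string), which is why the 4.0 pattern anchors each alternative with '^'.
    The <If> guard mirrors Apache's '!~': the block applies only when the
    Authorization header does NOT match, and an absent header never matches.
    """
    if not conf["location"].search(path):
        return False
    skip = conf["skip_if_authz"]
    if skip is not None and authorization and skip.match(authorization):
        return False
    return conf["negotiate"]


# Requests from the thread plus API calls carrying each credential type a client
# may present (the Negotiate/Bearer/Basic values are constructed placeholders).
REQUESTS = [
    ("/ovirt-engine/webadmin/", None),
    ("/ovirt-engine/userportal/", None),
    ("/ovirt-engine/sso/interactive-login-negotiate/", None),
    ("/ovirt-engine/sso/oauth/token-http-auth", None),
    ("/ovirt-engine/api", None),
    ("/ovirt-engine/api/vms", "Negotiate YIIC"),
    ("/ovirt-engine/api/vms", "Bearer 0123456789abcdef"),
    ("/ovirt-engine/api/vms", "Basic YWRtaW46cGFzc3dvcmQ="),
]


def compare(old_text=OLD_CONF, new_text=NEW_CONF, requests=REQUESTS):
    """Map (path, Authorization) -> (gated by 3.x block, gated by 4.0 block)."""
    old, new = parse_sso_conf(old_text), parse_sso_conf(new_text)
    return {(p, a): (kerberos_gated(old, p, a), kerberos_gated(new, p, a)) for p, a in requests}


if __name__ == "__main__":
    for (path, authz), (old, new) in compare().items():
        print(f"{path:48} {str(authz):28} 3.x={old!s:5} 4.0={new!s:5}")
```

Two things fall out of the table. The portal paths are gated only by the 3.x block and the SSO endpoints only by the 4.0 block, which is exactly the symptom in the thread (API fine, portals on the internal form). And the 3.x block, having no <If> guard, also forces Negotiate on API calls that already carry Bearer or Basic credentials; with KrbMethodK5Passwd off those would be refused at Apache before the engine ever saw them.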

Martin, thanks for the help. It works.

On Tue, Oct 4, 2016 at 5:16 PM, <aleksey.maksimov@it-kb.ru> wrote:
> Martin, thanks for the help. It works.

Glad to hear that, thanks.

Martin

participants (3)
- aleksey.maksimov@it-kb.ru
- Martin Perina
- Ondra Machacek