Hi,
I've managed to get it to work.
What I've done is to first run "engine-manage-domains delete" to remove
the domain and add it again using the new aaa extension tool
"ovirt-engine-extension-aaa-ldap-setup". It's not a good idea to mix
these two methods, I guess.
Restart the engine after each change.
To get rid of the double authentication for the webadmin portal I
changed in /etc/httpd/conf.d/ovirt-sso.conf
"<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>"
to
"<LocationMatch ^(/ovirt-engine/api|/api)>"
So Kerberos SSO will be used for the API only.
Furthermore I've given the user the role "superuser".
Best regards
Marcel
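
Added example, not part of the original message: a quick check of which request paths each of the two LocationMatch patterns quoted above puts under the Kerberos SSO block. The sample paths are constructed for illustration, and Python's re stands in for Apache's PCRE, which behaves the same for these patterns.

```python
import re

# The two patterns quoted in the message above, copied verbatim.
BEFORE = r"^(/ovirt-engine/(webadmin|userportal|api)|/api)"
AFTER = r"^(/ovirt-engine/api|/api)"

# Constructed sample request paths (assumptions, not taken from any log).
SAMPLE_PATHS = [
    "/ovirt-engine/webadmin/",
    "/ovirt-engine/userportal/",
    "/ovirt-engine/api/vms",
    "/api/vms",
    "/ovirt-engine/",
    "/apidocs",
]


def covered(pattern, path):
    """True if a <LocationMatch> block with this pattern applies to path."""
    # LocationMatch performs an unanchored regex search on the URL path;
    # only the leading ^ pins the match to the start of the path.
    return re.search(pattern, path) is not None


def coverage_diff(paths):
    """Map each path to (covered before the change, covered after it)."""
    return {p: (covered(BEFORE, p), covered(AFTER, p)) for p in paths}


def dropped(paths):
    """Paths that lose Kerberos negotiation when the pattern is narrowed."""
    return [p for p in paths if covered(BEFORE, p) and not covered(AFTER, p)]


if __name__ == "__main__":
    for path, (before, after) in coverage_diff(SAMPLE_PATHS).items():
        print(f"{path:30} before={before!s:5} after={after}")
    print("no longer under SSO block:", dropped(SAMPLE_PATHS))
```

Neither pattern has a trailing boundary, so any path that merely begins with /api (the constructed "/apidocs" here) also falls inside the block.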
On 14.04.2016 11:44, Marcel Galke wrote:
Hi,
I'm using curl and I followed steps in [1] and double checked the
permissions.
I've tested API access vs. webadmin access (see below).
$ curl -v --negotiate -X GET -H "Accept: application/xml" -k https://server8.funfurt.de/ovirt-engine/webadmin/?locale=de_DE
# Result: HTTP 401
$ kinit
$ curl -v --negotiate -X GET -H "Accept: application/xml" -k https://server8.funfurt.de/ovirt-engine/webadmin/?locale=de_DE
# Result: HTTP 200
$ curl --negotiate -v -u : -X GET -H "Accept: application/xml" -k https://server8.funfurt.de/api/vms
# Result: HTTP 401
Therefore I believe httpd config is fine.
For engine.log and properties file see attachment.
I've also attached console output from curl.
Thanks and regards
Marcel
On 14.04.2016 08:11, Ondra Machacek wrote:
> On 04/14/2016 08:06 AM, Ondra Machacek wrote:
>> On 04/13/2016 10:43 PM, Marcel Galke wrote:
>>> Hello,
>>>
>>> I need to automatically create a list of all the VMs and the storage
>>> path to their disks in the data center for offline storage for disaster
>>> recovery. We have oVirt 3.6 and IPA 4.2.0.
>>> To achieve this my idea was to query the API using Kerberos
>>> authentication and a keytab. This could then run as cronjob.
>>> Using username and password is not an option.
>>>
>>> To configure oVirt for use with IPA I've run engine-manage-domains but
>>> the result is not exactly what I'm looking for (despite the fact
>>> that I can add directory users etc.).
>>> Next I tried the generic LDAP provider as per documentation
>>>
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtuali...
>>>
>>>
>>
>> Just to be sure, did you follow these steps[1]?
>> If yes and it doesn't work, it would be nice if you could share the properties
>> files you have and engine.log (the part when the engine starts). Please also
>> double-check that you have correct permissions on the properties files, keytab
>> and Apache config.
>>
>> Also ensure your browser is correctly setup. Example for firefox[2].
>
> Sorry, I've just realized you use API.
> So do you use SDKs or curl? Make sure you use kerberos properly in both
> cases.
> For curl it's: curl --negotiate
> For SDKs[1], there is a parameter 'kerberos=true' in creation of api
> object.
>
> [1]
>
http://www.ovirt.org/develop/release-management/features/infra/kerberos-s...
>
>
>>
>> It doesn't work only for the API, or for UserPortal and Webadmin as well? Or
>> did you set it up only for the API?
>>
>> [1]
>>
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtuali...
>>
>>
>> [2]
>>
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/...
>>
>>
>>
>>>
>>> It was quite easy to get Apache to authenticate against IPA, but I did
>>> not manage to access the API. Each try ended with an "HTTP/1.1 401
>>> Unauthorized".
>>> At the moment Apache authentication appears first and then the RESTAPI
>>> auth dialog comes up.
>>> Some facts about my setup:
>>> oVirt Host:
>>> -OS: CentOS 6.7
>>> -Engine Version: 3.6
>>> IPA Host:
>>> -OS: CentOS 7.2
>>> -IPA Version: 4.2.0
>>>
>>>
>>> I might mix some things up. Please help me to find out how to achieve my
>>> goal. I can provide more information if required.
>>>
>>> Thanks a lot!
>>>
>>>
>>> Best regards
>>> Marcel
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)ovirt.org
>>>
http://lists.ovirt.org/mailman/listinfo/users
>>>