oVirt, LDAP & SSO: authentication domain/profile consolidation

Hello,

I have installed ovirt-engine version 4.1.1.8 on CentOS Linux release 7.3.1611 and have configured authentication against Active Directory with the ovirt-engine-extension-aaa-ldap-setup version 1.3.1. I have also configured single-sign-on (SSO) via ovirt-engine-extension-aaa-misc version 1.0.1. We use MIT Kerberos in our organisation for Linux authentication.

After configuring appropriate System Permissions in the oVirt Engine web interface, end-users can successfully authenticate:
- without additional input if they have a valid Kerberos ticket-granting-ticket (TGT).
- by entering their Active Directory login and password in the oVirt log-in page if they do not have a valid TGT.

The problem is that oVirt sees the Active Directory and SSO log-ins as two distinct Authentication Domains. In more detail:
- ovirt.engine.extension.name = Kerberos in the authz.properties file for our SSO configuration. If a user authenticates via a Kerberos TGT, their user-name appears as username@our.ad.domain@Kerberos within oVirt engine.
- ovirt.engine.extension.name = LDAP in the authz.properties file for our Active Directory configuration. If a user authenticates by entering the relevant Active Directory login and password in the oVirt web-form log-in, their user-name appears as user@our.ad.domain@LDAP within oVirt engine.

Is there a way to configure both authentication methods to map to the same user irrespective of the Authentication domain? That is, is there a way in oVirt to say that user1@domain1 and user1@domain2 are to be treated as being equivalent?

Best wishes,
Lloyd Kamara

Hi Lloyd,

There is no reason to have different authz providers for both authn providers, because the authz part is the same for both Kerberos and LDAP. Just edit, for example, the Kerberos authn configuration file in /etc/ovirt-engine/extension.d/ and change the 'ovirt.engine.aaa.authn.authz.plugin' option to the name of your LDAP authz provider. When done, please restart ovirt-engine to apply the changes.

Regards,
Martin Perina

On Sat, Apr 29, 2017 at 12:47 PM, Lloyd Kamara <l.kamara@imperial.ac.uk> wrote:
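A small audit of the extension.d files for the split Martin describes (an added example, not oVirt's own tooling). The property keys are the ones oVirt's AAA extensions use; the file names, extension names and the helpers props, audit and set_authz_plugin are assumed, and the sample files are constructed to mirror Lloyd's setup before the fix.

```python
import re

AUTHN = "org.ovirt.engine.api.extensions.aaa.Authn"
AUTHZ = "org.ovirt.engine.api.extensions.aaa.Authz"
PLUGIN_KEY = "ovirt.engine.aaa.authn.authz.plugin"

def props(name, provides, authz=None):
    """Render a minimal extension.d file (constructed sample, not Lloyd's real files)."""
    text = (f"ovirt.engine.extension.name = {name}\n"
            f"ovirt.engine.extension.provides = {provides}\n")
    return text + (f"{PLUGIN_KEY} = {authz}\n" if authz else "")

# Before Martin's fix: each authn extension points at its own authz provider.
SAMPLE = {
    "ad-authz.properties": props("LDAP", AUTHZ),
    "ad-authn.properties": props("LDAP-authn", AUTHN, authz="LDAP"),
    "kerberos-authz.properties": props("Kerberos", AUTHZ),
    "kerberos-authn.properties": props("Kerberos-authn", AUTHN, authz="Kerberos"),
}

def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            result[key.strip()] = value.strip()
    return result

def audit(configs):
    """Return ({authn name: authz plugin}, findings) for a set of extension files."""
    authn, authz_defined = {}, set()
    for text in configs.values():
        p = parse_properties(text)
        if p.get("ovirt.engine.extension.provides") == AUTHZ:
            authz_defined.add(p["ovirt.engine.extension.name"])
        elif p.get("ovirt.engine.extension.provides") == AUTHN:
            authn[p["ovirt.engine.extension.name"]] = p.get(PLUGIN_KEY, "")
    findings = [f"{n}: authz plugin '{z}' is not defined by any Authz extension"
                for n, z in authn.items() if z not in authz_defined]
    if len(set(authn.values())) > 1:
        findings.append("authn extensions bind to different authz providers; "
                        "the same directory user gets one identity per authz")
    return authn, findings

def set_authz_plugin(text, plugin):
    """Apply Martin's fix: rewrite the authz.plugin line, leave the rest untouched."""
    return re.sub(rf"^{re.escape(PLUGIN_KEY)}\s*=.*$", f"{PLUGIN_KEY} = {plugin}", text, flags=re.M)
```

Running audit over the real directory is a matter of reading each *.properties file into the dict; the dangling-plugin finding catches a mistyped authz name after the edit, which would otherwise only surface as a failed login after the engine restart.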

Hi, Martin, you wrote:
there is no reason to have different authz providers for both authn providers, because authz part is the same for both kerberos and LDAP. Just edit for example kerberos authn configuration file in /etc/ovirt-engine/extension.d/ and change 'ovirt.engine.aaa.authn.authz.plugin' option to the name of your LDAP authz provider. When done please restart ovirt-engine to apply changes.
Thank you for the above succinct and clear explanation. I changed the configuration accordingly and can confirm that it resolved the issue. When I log in via a Kerberos Ticket Granting Ticket and interactively via the LDAP-backed oVirt login web form, I am mapped to a single authentication domain.

Best wishes,
Lloyd

Great to hear it's working for you as expected!

Martin

On Mon, May 1, 2017 at 12:50 PM, Lloyd Kamara <l.kamara@imperial.ac.uk> wrote: