[ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

aleksey.maksimov at it-kb.ru
Tue Oct 4 11:16:44 EDT 2016


Martin, thanks for the help. It works.

03.10.2016, 15:01, "Martin Perina" <mperina at redhat.com>:
> Ahh, this is the issue. The above configuration is valid for oVirt 3.x, but in 4.0 we have a quite new OAuth-based SSO, so you need to use the following configuration:
>
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
>   <If "req('Authorization') !~ /^(Bearer|Basic)/i">
>     RewriteEngine on
>     RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
>     RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
>     RequestHeader set X-Remote-User %{REMOTE_USER}s
>     AuthType Kerberos
>     AuthName "Kerberos Login"
>     Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
>     KrbAuthRealms AD.HOLDING.COM
>     KrbMethodK5Passwd off
>     Require valid-user
>     ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
>   </If>
> </LocationMatch>
>
> Also, as 4.0 is working on EL7 you may use mod_auth_gssapi/mod_session instead of the quite old mod_auth_kerb. For mod_auth_gssapi/mod_session you need to do the following:
>
>   1. yum install mod_session mod_auth_gssapi
>   2. Use the following Apache configuration
>
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
>   <If "req('Authorization') !~ /^(Bearer|Basic)/i">
>     RewriteEngine on
>     RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
>     RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
>     RequestHeader set X-Remote-User %{REMOTE_USER}s
>
>     AuthType GSSAPI
>     AuthName "Kerberos Login"
>
>     # Modify to match installation
>     GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
>     GssapiUseSessions On
>     Session On
>     SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
>
>     Require valid-user
>     ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
>   </If>
> </LocationMatch>
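The Apache snippets above encode one decision per request: for the SSO and API paths, a request carrying a Bearer or Basic Authorization header is passed straight to the engine, anything else must complete Kerberos/GSSAPI negotiation, and on success the front end sets X-Remote-User from the authenticated principal before proxying. The following Python is an added model of that decision for troubleshooting, written for this page; it is not oVirt code and not Martin's configuration. The path regex, the Authorization test and the login-unauthorized redirect are copied from the snippets; the realm allow-list mirrors KrbAuthRealms from the mod_auth_kerb variant; the model additionally unsets any client-supplied X-Remote-User on every request, which is the conservative choice for a front end and stricter than the snippet, where the header is only overwritten inside the <If> block. The request headers and principals are constructed sample input.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Paths guarded by the <LocationMatch> in the posted configuration.
SSO_PATH_RE = re.compile(
    r"^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)"
    r"|^/ovirt-engine/api"
)
# Schemes the engine validates itself, as in the <If "req('Authorization') !~ ...">.
ENGINE_AUTH_RE = re.compile(r"^(Bearer|Basic)", re.IGNORECASE)
# Target of the ErrorDocument 401 redirect in the posted configuration.
LOGIN_UNAUTHORIZED = "/ovirt-engine/sso/login-unauthorized"


@dataclass
class Decision:
    status: int                     # 200: proxied to the engine, 401: refused
    forwarded_headers: dict         # headers the engine would actually see
    redirect: Optional[str] = None  # set on 401, mirrors the ErrorDocument


def handle(path, headers, gss_principal=None, allowed_realms=("AD.HOLDING.COM",)):
    """Model of the Apache front end's routing for one request.

    gss_principal is the name the Kerberos/GSSAPI module would expose as
    REMOTE_USER, or None when negotiation did not happen or failed.
    allowed_realms stands in for KrbAuthRealms (assumed: AD.HOLDING.COM).
    """
    # Header names are case-insensitive; normalise before matching.
    hdrs = {k.lower(): v for k, v in headers.items()}
    forwarded = dict(hdrs)
    # The front end owns X-Remote-User: a value supplied by the client is
    # dropped on every request (conservative assumption, see lead-in).
    forwarded.pop("x-remote-user", None)

    if not SSO_PATH_RE.search(path):
        # Outside the LocationMatch nothing in the snippet applies.
        return Decision(200, forwarded)

    if ENGINE_AUTH_RE.match(hdrs.get("authorization", "")):
        # Bearer/Basic: the <If> block is skipped, the engine checks the credential.
        return Decision(200, forwarded)

    if gss_principal is None:
        # Negotiation absent or failed: Require valid-user fails -> 401 + redirect.
        return Decision(401, forwarded, redirect=LOGIN_UNAUTHORIZED)

    realm = gss_principal.rpartition("@")[2]
    if realm not in allowed_realms:
        # Ticket from a realm that KrbAuthRealms does not list is refused.
        return Decision(401, forwarded, redirect=LOGIN_UNAUTHORIZED)

    # Success path: RequestHeader set X-Remote-User %{REMOTE_USER}s, then proxy.
    forwarded["x-remote-user"] = gss_principal
    return Decision(200, forwarded)


if __name__ == "__main__":
    # Constructed sample requests for a quick self-check.
    spoof = handle("/ovirt-engine/api",
                   {"X-Remote-User": "attacker@AD.HOLDING.COM"},
                   gss_principal="alice@AD.HOLDING.COM")
    print(spoof)                      # x-remote-user is alice, not attacker
    print(handle("/ovirt-engine/api", {"Authorization": "Bearer abc"}))
    print(handle("/ovirt-engine/sso/oauth/token-http-auth", {}))
```

When a real deployment misbehaves, compare the engine's view of X-Remote-User and the 401/redirect behaviour against this model: a 401 on a path that should pass through usually means the Authorization header did not start with Bearer or Basic, and a missing X-Remote-User after a successful kinit usually means the request never hit the LocationMatch paths.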

