[ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

Martin Perina mperina at redhat.com
Tue Oct 4 14:40:34 EDT 2016 

On Tue, Oct 4, 2016 at 5:16 PM, <aleksey.maksimov at it-kb.ru> wrote:

> Martin, thanks for the help. It works.
>

​Glad to hear that, thanks.

Martin
​


>
> 03.10.2016, 15:01, "Martin Perina" <mperina at redhat.com>:
> > ​Ahh, this is the issue. Above configuration is valid for oVirt 3.x, but
> in 4.0 we have quite new OAuth base SSO, so you need to use following
> configuration:
> >
> > <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|
> oauth/token-http-auth)|^/ovirt-engine/api>
> >   <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> >     RewriteEngine on
> >     RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
> >     RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
> >     RequestHeader set X-Remote-User %{REMOTE_USER}s
> >     AuthType Kerberos
> >     AuthName "Kerberos Login"
> >     Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
> >     KrbAuthRealms AD.HOLDING.COM
> >     KrbMethodK5Passwd off
> >     Require valid-user
> >     ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;
> url=/ovirt-engine/sso/login-unauthorized\"/><body><a
> href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> >   </If>
> > </LocationMatch>
> > ​
> >
> > ​Also as 4.0 is working on EL7 you may use mod_auth_gssapi/mod_session
> instead of quite old mod_auth_krb. For mod_auth_gssapi/mod_sessions you
> need to do following:
> >
> >   1. yum install mod_session mod_auth_gssapi
> >   2. Use following Apache configuration ​
> >
> > ​<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|
> oauth/token-http-auth)|^/ovirt-engine/api>
> >   <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> >     RewriteEngine on
> >     RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
> >     RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
> >     RequestHeader set X-Remote-User %{REMOTE_USER}s
> >
> >     AuthType GSSAPI
> >     AuthName "Kerberos Login"
> >
> >     # Modify to match installation
> >     GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
> >     GssapiUseSessions On
> >     Session On
> >     SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
> >
> >     Require valid-user
> >     ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;
> url=/ovirt-engine/sso/login-unauthorized\"/><body><a
> href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> >   </If>
> > </LocationMatch>​
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20161004/a01dfc64/attachment.html>

More information about the Users mailing list