[ovirt-users] oVirt, LDAP & SSO: authentication domain/profile consolidation

Lloyd Kamara l.kamara at imperial.ac.uk
Sat Apr 29 16:47:01 UTC 2017


Hello,

I have installed ovirt-engine version 4.1.1.8 on CentOS Linux release
7.3.1611 and have configured authentication against Active Directory
with the ovirt-engine-extension-aaa-ldap-setup version 1.3.1.

I have also configured single-sign-on (SSO) via
ovirt-engine-extension-aaa-misc version 1.0.1.  We use MIT Kerberos
in our organisation for Linux authentication.  After configuring
appropriate System Permissions in the oVirt Engine web interface,
end-users can successfully authenticate:

- without additional input if they have a valid Kerberos
ticket-granting-ticket (TGT).

- by entering their Active Directory login and password in the
oVirt log-in page if they do not have a valid TGT.


The problem is that oVirt sees the Active Directory and SSO log-ins
as two distinct Authentication Domains.  In more detail:

- ovirt.engine.extension.name = Kerberos in the authz.properties file
for our SSO configuration.

If a user authenticates via a Kerberos TGT, their user-name appears
as username@our.ad.domain@Kerberos within oVirt engine.


- ovirt.engine.extension.name = LDAP in the authz.properties file for
our Active Directory configuration.

If a user authenticates by entering the relevant Active Directory login
and password in the oVirt web-form log-in, their user-name appears as
user@our.ad.domain@LDAP within oVirt engine.


Is there a way to configure both authentication methods to map to the
same user irrespective of the Authentication domain?  That is, is
there a way in oVirt to say that user1@domain1 and user1@domain2 are
to be treated as being equivalent?

Best wishes,
  Lloyd Kamara


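Added example, not part of the message above and not oVirt's shipped configuration: the usual way to make the two logins collapse onto one identity is to have the Kerberos (HTTP header) authn profile hand its principal to the same authz extension that the password login uses, and to run the principal through the aaa-misc mapping extension so the "@REALM" suffix is stripped before the directory lookup. The two property files below assume the AD authz extension created by ovirt-engine-extension-aaa-ldap-setup is named "LDAP" (as in the post), that the Kerberos realm is OUR.AD.DOMAIN (assumed name), that Apache does the GSSAPI handshake and passes the principal in the X-Remote-User header, and that the key names match the ovirt-engine-extension-aaa-misc documentation as I know it; file names and the extension names "kerberos-authn" and "kerberos-mapping" are arbitrary choices.

```properties
# --- /etc/ovirt-engine/extensions.d/kerberos-authn.properties (constructed example) ---
ovirt.engine.extension.name = kerberos-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = kerberos
# Point the SSO profile at the SAME authz extension the password login uses
# ("LDAP" is assumed to be the name chosen in the aaa-ldap setup), so a
# TGT login resolves to user@LDAP rather than to a separate user@Kerberos.
ovirt.engine.aaa.authn.authz.plugin = LDAP
# Run the Kerberos principal through a mapping extension before the authz lookup.
ovirt.engine.aaa.authn.mapping.plugin = kerberos-mapping
# The principal arrives in a header that Apache sets after the GSSAPI handshake.
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User

# --- /etc/ovirt-engine/extensions.d/kerberos-mapping.properties (constructed example) ---
ovirt.engine.extension.name = kerberos-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
# Strip only the expected realm (OUR.AD.DOMAIN is an assumed value). Anchoring the
# realm and requiring a match means a principal from any other realm is rejected
# instead of being silently mapped onto the AD account with the same short name.
# Backslashes are doubled because the file is parsed as Java properties.
config.mapAuthRecord.regex.pattern = ^(?<user>[^@]+)@OUR\\.AD\\.DOMAIN$
config.mapAuthRecord.regex.replacement = ${user}
config.mapAuthRecord.regex.mustMatch = true
```

Two things to check after restarting the engine. First, permissions granted earlier to the "@Kerberos" identities do not carry over; they have to be re-granted to the "@LDAP" identity, which is the only one left once the authz plugin is shared. Second, the HTTP authn extension trusts whatever is in X-Remote-User, so the Apache configuration in front of the engine must set that header itself from REMOTE_USER inside the Kerberos-protected location and must not forward a client-supplied copy; otherwise anyone who can reach the engine directly could log in as any AD user by sending the header.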