[ovirt-users] oVirt, LDAP & SSO: authentication domain/profile consolidation

Martin Perina mperina at redhat.com
Mon May 1 15:53:17 UTC 2017


Hi Lloyd,

there is no reason to have different authz providers for both authn
providers, because authz part is the same for both kerberos and LDAP. Just
edit for example kerberos authn configuration file in
/etc/ovirt-engine/extension.d/ and change
'ovirt.engine.aaa.authn.authz.plugin' option to the name of your LDAP authz
provider.
When done please restart ovirt-engine to apply changes.

Regards

Martin Perina


On Sat, Apr 29, 2017 at 12:47 PM, Lloyd Kamara <l.kamara at imperial.ac.uk>
wrote:

> Hello,
>
> I have installed ovirt-engine version 4.1.1.8 on CentOS Linux release
> 7.3.1611 and have configured authentication against Active Directory
> with the ovirt-engine-extension-aaa-ldap-setup version 1.3.1.
>
> I have also configured single-sign-on (SSO) via
> ovirt-engine-extension-aaa-misc version 1.0.1.  We use MIT Kerberos
> in our organisation for Linux authentication.  After configuring
> appropriate System Permissions in the oVirt Engine web interface,
> end-users can successfully authenticate:
>
> - without additional input if they have a valid Kerberos
> ticket-granting-ticket (TGT).
>
> - by entering their Active Directory login and password in the
> oVirt log-in page if they do not have a valid TGT.
>
>
> The problem is that oVirt sees the Active Directory and SSO log-ins
> as two distinct Authentication Domains.  In more detail:
>
> - ovirt.engine.extension.name = Kerberos in the authz.properties file
> for our SSO configuration.
>
> If a user authenticates via a Kerberos TGT, their user-name appears
> as username at our.ad.domain@Kerberos within oVirt engine.
>
>
> - ovirt.engine.extension.name = LDAP in the authz.properties file for
> our Active Directory configuration.
>
> If a user authenticates by entering the relevant Active Directory login
> and password in the oVirt web-form log-in, their user-name appears as
> user at our.ad.domain@LDAP within oVirt engine.
>
>
> Is there a way to configure both authentication methods to map to the
> same user irrespective  of the Authentication domain?  That is, is
> there a way in oVirt to say that user1 at domain1 and user1 at domain2 are
> to be treated as being equivalent?
>
> Best wishes,
>   Lloyd Kamara
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170501/cda1c25b/attachment.html>


More information about the Users mailing list