<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 11 March 2016 at 11:55, Martin Perina <span dir="ltr"><<a href="mailto:mperina@redhat.com" target="_blank">mperina@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I'm glad to hear that you were able to successfully configure aaa-misc<br>
and mod_auth_cas to allow CAS based login for oVirt.<br>
<br>
Unfortunately regarding CAS authorization for oVirt I have somewhat bad<br>
news for you. But let me explain the issue a bit:<br>
<br>
1. Using aaa-misc we are able to pass only the user name of the authenticated<br>
user from apache to ovirt.<br>
<br>
2. After that we have an authenticated user on oVirt and then we pass<br>
its username to the authz extension to fetch the full principal record including<br>
group memberships. At the moment we don't pass anything else to authz<br>
extension, just principal name (username).<br>
<br>
So here are the options for how to enable CAS authorization for oVirt:<br>
<br>
1. Implement new authz extension which will fetch principal record for CAS<br>
server (if this is possible, I don't know much about CAS)<br>
<br>
2. Or implement new authn/authz extensions specific to CAS which will use the<br>
CAS API to do both authn and authz.<br>
<br>
3. Use LDAP as a backend for your CAS server (if possible) and configure the<br>
authz part using ovirt-engine-extension-aaa-ldap<br>
<br>
4. You could also create an RFE bug on oVirt to add CAS support, but<br>
no promises from me :-) you are the first user asking about CAS support<br></blockquote><div><br></div><div>Err, no, I asked about it about 18 months ago on this very list and got no response. So in a way they are the first to ask and actually get a response.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
And of course feel free to ask!<br>
<br>
Regards<br>
<br>
Martin Perina<br>
<br>
[1] <a href="http://machacekondra.blogspot.cz/" rel="noreferrer" target="_blank">http://machacekondra.blogspot.cz/</a><br>
[2] <a href="https://www.youtube.com/watch?v=bSbdqmRNLi0" rel="noreferrer" target="_blank">https://www.youtube.com/watch?v=bSbdqmRNLi0</a><br>
[3] <a href="http://www.slideshare.net/MartinPeina/the-new-ovirt-extension-api-taking-aaa-authentication-authorization-accounting-to-the-next-level" rel="noreferrer" target="_blank">http://www.slideshare.net/MartinPeina/the-new-ovirt-extension-api-taking-aaa-authentication-authorization-accounting-to-the-next-level</a><br>
[4] <a href="https://www.youtube.com/watch?v=9b9WVFsy_yg" rel="noreferrer" target="_blank">https://www.youtube.com/watch?v=9b9WVFsy_yg</a><br>
[5] <a href="http://www.slideshare.net/MartinPeina/ovirt-extension-api-the-first-step-for-fully-modular-ovirt" rel="noreferrer" target="_blank">http://www.slideshare.net/MartinPeina/ovirt-extension-api-the-first-step-for-fully-modular-ovirt</a><br>
[6] <a href="https://github.com/oVirt/ovirt-engine-extension-aaa-ldap" rel="noreferrer" target="_blank">https://github.com/oVirt/ovirt-engine-extension-aaa-ldap</a><br>
[7] <a href="https://github.com/oVirt/ovirt-engine-extension-aaa-misc" rel="noreferrer" target="_blank">https://github.com/oVirt/ovirt-engine-extension-aaa-misc</a><br>
[8] <a href="https://github.com/oVirt/ovirt-engine-extension-aaa-jdbc" rel="noreferrer" target="_blank">https://github.com/oVirt/ovirt-engine-extension-aaa-jdbc</a><br>
<div><div><br>
----- Original Message -----<br>
> From: "Fabrice Bacchella" <<a href="mailto:fabrice.bacchella@orange.fr" target="_blank">fabrice.bacchella@orange.fr</a>><br>
> To: <a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
> Sent: Tuesday, March 8, 2016 11:54:13 AM<br>
> Subject: [ovirt-users] ovirt and CAS SSO<br>
><br>
> I'm trying to add CAS SSO to ovirt.<br>
><br>
> For authn (authentication),<br>
> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension is OK, I put jboss<br>
> behind an Apache with mod_auth_cas.<br>
><br>
> Now I'm fighting with authz (authorization). CAS provides everything needed<br>
> as headers. So I don't need ldap or jdbc extensions. Is there anything done<br>
> about that or do I need to write my own extension? Is there some<br>
> documentation about that?<br>
> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
> <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
><br>
</div></div></blockquote></div><br></div></div>