<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Hi Lloyd,<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">there is no reason to have different authz providers for both authn providers, because authz part is the same for both kerberos and LDAP. Just edit for example kerberos authn configuration file in /etc/ovirt-engine/extension.d/ and change 'ovirt.engine.aaa.authn.authz.plugin' option to the name of your LDAP authz provider.<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">When done please restart ovirt-engine to apply changes.<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Regards<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Martin Perina<br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Apr 29, 2017 at 12:47 PM, Lloyd Kamara <span dir="ltr"><<a href="mailto:l.kamara@imperial.ac.uk" target="_blank">l.kamara@imperial.ac.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
I have installed ovirt-engine version 4.1.1.8 on CentOS Linux release<br>
7.3.1611 and have configured authentication against Active Directory<br>
with the ovirt-engine-extension-aaa-<wbr>ldap-setup version 1.3.1.<br>
<br>
I have also configured single-sign-on (SSO) via<br>
ovirt-engine-extension-aaa-<wbr>misc version 1.0.1. We use MIT Kerberos<br>
in our organisation for Linux authentication. After configuring<br>
appropriate System Permissions in the oVirt Engine web interface,<br>
end-users can successfully authenticate:<br>
<br>
- without additional input if they have a valid Kerberos<br>
ticket-granting-ticket (TGT).<br>
<br>
- by entering their Active Directory login and password in the<br>
oVirt log-in page if they do not have a valid TGT.<br>
<br>
<br>
The problem is that oVirt sees the Active Directory and SSO log-ins<br>
as two distinct Authentication Domains. In more detail:<br>
<br>
- <a href="http://ovirt.engine.extension.name" rel="noreferrer" target="_blank">ovirt.engine.extension.name</a> = Kerberos in the authz.properties file<br>
for our SSO configuration.<br>
<br>
If a user authenticates via a Kerberos TGT, their user-name appears<br>
as username@our.ad.domain@<wbr>Kerberos within oVirt engine.<br>
<br>
<br>
- <a href="http://ovirt.engine.extension.name" rel="noreferrer" target="_blank">ovirt.engine.extension.name</a> = LDAP in the authz.properties file for<br>
our Active Directory configuration.<br>
<br>
If a user authenticates by entering the relevant Active Directory login<br>
and password in the oVirt web-form log-in, their user-name appears as<br>
user@our.ad.domain@LDAP within oVirt engine.<br>
<br>
<br>
Is there a way to configure both authentication methods to map to the<br>
same user irrespective of the Authentication domain? That is, is<br>
there a way in oVirt to say that user1@domain1 and user1@domain2 are<br>
to be treated as being equivalent?<br>
<br>
Best wishes,<br>
Lloyd Kamara<br>
______________________________<wbr>_________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/<wbr>mailman/listinfo/users</a><br>
</blockquote></div><br></div>