On Thu, Jun 29, 2017 at 5:16 PM, Fabrice Bacchella
<fabrice.bacche...@orange.fr> wrote:
>> Le 29 juin 2017 à 14:42, Fabrice Bacchella <fabrice.bacche...@orange.fr> a 
>> écrit :
>>> Le 29 juin 2017 à 13:41, Ondra Machacek <omach...@redhat.com> a écrit :
>>> How do you login? Do you use webadmin or API/SDK, if using SDK, don't
>>> you use kerberos=True?
>> Ok, got it.
>> It's tested with the sdk, using kerberos. But Kerberos authentication is 
>> done in Apache and I configure a profile for that, so I needed to add: 
>> config.artifact.arg = X-Remote-User in my 
>> /etc/ovirt-engine/extensions.d/MyProfile.authn.properties. But this is 
>> missing from internal-authn.properties. So rexecutor@internal  is checked 
>> with my profil, and not found. But as the internal profil don't know about 
>> X-Remote-User, it can't check the user and fails silently. That's why I'm 
>> getting only one line. Perhaps the log line should have said the extensions 
>> name that was failing, not the generic "External Authentication" that did'nt 
>> caught my eye.
>> I will check that as soon as I have a few minutes to spare and tell you.
> I'm starting to understand. I need two authn modules, both using 
> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension but with a different 
> authz.plugin. Is that possible ? If I do what, in what order the different 
> Authn will be tried ? Are they all tried until one succeed  both authn and 
> authz ?

Yes you can have multiple authn profiles and it tries to login until
one succeed:


The order isn't guaranteed, but I think it's not important, or is it for you?
Users mailing list

Reply via email to