> On 30 June 2017 at 23:25, Ondra Machacek <omach...@redhat.com> wrote:
>
> On Thu, Jun 29, 2017 at 5:16 PM, Fabrice Bacchella
> <fabrice.bacche...@orange.fr> wrote:
>>
>>> On 29 June 2017 at 14:42, Fabrice Bacchella <fabrice.bacche...@orange.fr>
>>> wrote:
>>>
>>>> On 29 June 2017 at 13:41, Ondra Machacek <omach...@redhat.com> wrote:
>>>>
>>>> How do you log in? Do you use webadmin or API/SDK, if using SDK, don't
>>>> you use kerberos=True?
>>>
>>> Ok, got it.
>>> It's tested with the sdk, using kerberos. But Kerberos authentication is
>>> done in Apache and I configure a profile for that, so I needed to add:
>>> config.artifact.arg = X-Remote-User in my
>>> /etc/ovirt-engine/extensions.d/MyProfile.authn.properties. But this is
>>> missing from internal-authn.properties. So rexecutor@internal is checked
>>> with my profile, and not found. But as the internal profile doesn't know about
>>> X-Remote-User, it can't check the user and fails silently. That's why I'm
>>> getting only one line. Perhaps the log line should have said the extension's
>>> name that was failing, not the generic "External Authentication" that
>>> didn't catch my eye.
>>>
>>> I will check that as soon as I have a few minutes to spare and tell you.
>>
>> I'm starting to understand. I need two authn modules, both using
>> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension but with a different
>> authz.plugin. Is that possible? If I do that, in what order will the different
>> Authn be tried? Are they all tried until one succeeds at both authn and
>> authz?
>>
>
> Yes you can have multiple authn profiles and it tries to login until
> one succeeds:
>
> https://github.com/oVirt/ovirt-engine/blob/de46aa78f3117cbe436ab10926ac0c23fcdd7cfc/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java#L125
>
> The order isn't guaranteed, but I think it's not important, or is it for you?

I'm not sure. As I need two org.ovirt.engineextensions.aaa.misc.http.AuthnExtension, the authentication will always succeed. It's the authz that fails, as the user is either in one backend or the other. So if ExtMap output = profile.getAuthn().invoke(..) calls the authz part I will be fine.