Martin, thanks for the help. It works.

03.10.2016, 15:01, "Martin Perina" <[email protected]>:
> Ahh, this is the issue. The above configuration is valid for oVirt 3.x, but in
> 4.0 we have a quite new OAuth-based SSO, so you need to use the following
> configuration:
>
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
>   <If "req('Authorization') !~ /^(Bearer|Basic)/i">
>     RewriteEngine on
>     RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
>     RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
>     RequestHeader set X-Remote-User %{REMOTE_USER}s
>     AuthType Kerberos
>     AuthName "Kerberos Login"
>     Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
>     KrbAuthRealms AD.HOLDING.COM
>     KrbMethodK5Passwd off
>     Require valid-user
>     ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
>   </If>
> </LocationMatch>
>
>
> Also, as 4.0 is working on EL7, you may use mod_auth_gssapi/mod_session
> instead of the quite old mod_auth_krb. For mod_auth_gssapi/mod_sessions you need
> to do the following:
>
> 1. yum install mod_session mod_auth_gssapi
> 2. Use the following Apache configuration
>
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
>   <If "req('Authorization') !~ /^(Bearer|Basic)/i">
>     RewriteEngine on
>     RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
>     RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
>     RequestHeader set X-Remote-User %{REMOTE_USER}s
>
>     AuthType GSSAPI
>     AuthName "Kerberos Login"
>
>     # Modify to match installation
>     GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
>     GssapiUseSessions On
>     Session On
>     SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
>
>     Require valid-user
>     ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
>   </If>
> </LocationMatch>

_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users
--
IMPORTANT!
This message has been scanned for viruses and phishing links. However, it is your responsibility to evaluate the links and attachments you choose to click. If you are uncertain, we always try to help.
Greetings [email protected]
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/WGBMFGNJSJFFPAUFCK3AVEXLJUKHDFAY/
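Added example, not part of the original thread and not oVirt's own code: a small Python model of the request matching in the configuration quoted above. It shows which requests fall under Kerberos negotiation, which keep their Bearer/Basic header and skip it, and that the ErrorDocument target /ovirt-engine/sso/login-unauthorized lies outside the protected location. The function name `classify`, the outcome labels and the sample requests are assumptions made for illustration.

```python
import re

# Both patterns are copied from the configuration quoted in the message above.
LOCATION_MATCH = re.compile(
    r"^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)"
    r"|^/ovirt-engine/api"
)
NON_KERBEROS_AUTH = re.compile(r"^(Bearer|Basic)", re.IGNORECASE)


def classify(path, authorization=None):
    """Return which branch of the posted config a request would take.

    'outside'     - path is not matched by <LocationMatch>
    'passthrough' - <If> is false: a Bearer/Basic header is left for the engine
    'kerberos'    - <If> is true: Require valid-user with Negotiate applies
    """
    # LocationMatch is a regex search on the URL path; the ^ anchors come
    # from the posted pattern itself.
    if not LOCATION_MATCH.search(path):
        return "outside"
    # Assumption of this model: req('Authorization') is treated as an empty
    # string when the header is absent, so the !~ test is true.
    if NON_KERBEROS_AUTH.search(authorization or ""):
        return "passthrough"
    return "kerberos"


# Constructed sample requests (not taken from any real log).
SAMPLES = [
    ("/ovirt-engine/sso/interactive-login-negotiate", None),
    ("/ovirt-engine/sso/oauth/token-http-auth", "Negotiate YII="),
    ("/ovirt-engine/api/vms", "Bearer abc123"),
    ("/ovirt-engine/api", "basic dXNlcjpwYXNz"),
    ("/ovirt-engine/api/vms", None),
    ("/ovirt-engine/sso/login-unauthorized", None),
    ("/ovirt-engine/webadmin/", None),
]

if __name__ == "__main__":
    for path, auth in SAMPLES:
        print(f"{classify(path, auth):<12} {path}  Authorization={auth!r}")
```
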

