Yes. Of course. Here are my configs.
=====================================================================================
# cat /etc/ovirt-engine/aaa/ovirt-sso.conf
# Kerberos SSO front end for the oVirt engine: requests whose path starts with
# /ovirt-engine/webadmin, /ovirt-engine/userportal, /ovirt-engine/api or /api
# must carry a valid Kerberos identity, which is forwarded in X-Remote-User.
<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
RewriteEngine on
# mod_rewrite runs before authentication, so LA-U: does a look-ahead
# subrequest to obtain the REMOTE_USER that authentication will produce.
# The whole value is captured as %1.
RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
# "-" leaves the URL untouched; E= copies the captured name into the
# REMOTE_USER environment variable. L = last rule, NS = skip internal
# subrequests, P = hand the request to the proxy.
RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
# "set" replaces any X-Remote-User value the client supplied, so inside this
# location the header can only carry the authenticated name.
# NOTE(review): the engine's http authn extension shown later in this message
# reads the user from this header (config.artifact.arg = X-Remote-User).
# Requests that reach the engine without matching this LocationMatch get no
# such overwrite - confirm the engine is only reachable through this Apache
# instance.
RequestHeader set X-Remote-User %{REMOTE_USER}s
AuthType Kerberos
AuthName "Kerberos Login"
# The keytab holds the service principal's long-term key.
# NOTE(review): its ownership and mode are not shown in this message - confirm
# that only the httpd user can read it.
Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
KrbAuthRealms AD.HOLDING.COM
# Negotiate is left at the mod_auth_kerb default (on, per the module
# documentation - TODO confirm for the installed version).
#KrbMethodNegotiate on
#KrbMethodK5Passwd on
# Password (Basic) fallback is disabled, so credentials are never sent to
# Apache as a username/password pair; only ticket-based login is accepted.
KrbMethodK5Passwd off
Require valid-user
</LocationMatch>
# ls -la /etc/httpd/conf.d/ovirt-*
-rw-r--r--. 1 root root 33 Jul 26 16:42
/etc/httpd/conf.d/ovirt-engine-root-redirect.conf
lrwxrwxrwx. 1 root root 36 Sep 30 00:06 /etc/httpd/conf.d/ovirt-sso.conf ->
/etc/ovirt-engine/aaa/ovirt-sso.conf
=====================================================================================
# cat /etc/ovirt-engine/aaa/ad.holding.com.properties
# LDAP profile for the ad.holding.com domain, built on the stock
# ad.properties template and used by the authz extension to query the
# directory.
include = <ad.properties>
vars.domain = ad.holding.com
# Service account used for the simple bind.
pool.default.auth.simple.bindDN = s-oVirt-LS@${global:vars.domain}
# NOTE(review): the bind password is stored in clear text and was published
# with this message; treat it as disclosed (rotate it). Keep this file
# readable only by the engine's service account, and keep the account's
# directory rights read-only/minimal.
pool.default.auth.simple.password = Passw0rd
# Domain-controller discovery is switched off; the servers are listed
# explicitly in the failover server set below.
pool.default.dc-resolve.enable = false
search.default.dc-resolve.enable = false
search.ad-resolve-upn.search-request.baseDN = DC=ad,DC=holding,DC=com
pool.default.serverset.type = failover
pool.default.serverset.failover.00.server = kom-dc01.${global:vars.domain}
pool.default.serverset.failover.01.server = kom-dc02.${global:vars.domain}
# 636 with ssl.enable = true means LDAP over TLS from connection start, so
# the simple bind above is not sent in clear text on the wire.
pool.default.serverset.failover.port = 636
pool.default.serverset.failover.domain = ${global:vars.domain}
pool.default.ssl.enable = true
pool.default.ssl.protocol = TLSv1.2
# Truststore used to validate the domain controllers' certificates; resolved
# next to this file as <domain>.jks.
pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
# "changeit" is the well-known Java default keystore password.
# NOTE(review): a truststore presumably holds only CA certificates, so what
# matters is who can write the .jks file - confirm its permissions.
pool.default.ssl.truststore.password = changeit
=====================================================================================
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-authz.properties
# Authorization (Authz) extension: loads the aaa.ldap module and points it at
# the LDAP profile in ../aaa/ad.holding.com.properties.
# NOTE(review): two values below appear on the line after their key,
# presumably wrapped by the mail client; in the file on disk key and value
# would need to be on one line - confirm.
ovirt.engine.extension.name = ad.holding.com-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
# Path is relative to this extensions.d directory; the referenced file
# contains the LDAP bind credentials.
config.profile.file.1 = ../aaa/ad.holding.com.properties
=====================================================================================
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-authn.properties
# Authentication (Authn) extension for the "ad.holding.com-http" profile: it
# does not verify credentials itself but takes the already-authenticated user
# name from an HTTP request header.
# NOTE(review): two values below appear on the line after their key,
# presumably wrapped by the mail client - confirm against the file on disk.
ovirt.engine.extension.name = ad.holding.com-http-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = ad.holding.com-http
# Names of the authz and mapping extensions this profile is chained to; they
# must match the extension.name values in the other two files.
ovirt.engine.aaa.authn.authz.plugin = ad.holding.com-authz
ovirt.engine.aaa.authn.mapping.plugin = ad.holding.com-http-mapping
# The identity is read from the X-Remote-User header, so this extension
# trusts whatever sets that header. In this setup that is the Apache
# "RequestHeader set X-Remote-User" line in ovirt-sso.conf.
# NOTE(review): confirm the engine cannot be reached on a path or port where
# Apache does not overwrite the header.
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User
=====================================================================================
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-mapping.properties
# Mapping extension: rewrites the principal name delivered by the http authn
# extension with a regular expression before it is used for lookup.
# NOTE(review): three values below appear on the line after their key,
# presumably wrapped by the mail client - confirm against the file on disk.
ovirt.engine.extension.name = ad.holding.com-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
# Presumably a name that does not match the pattern is rejected rather than
# passed through unchanged - TODO confirm in the extension documentation.
config.mapAuthRecord.regex.mustMatch = true
# Two accepted forms (the four backslashes become one literal backslash after
# properties and regex unescaping):
#   user\@suffix@REALM  -> groups user, at, suffix; the trailing @REALM is
#                          not captured
#   user@REALM          -> groups user, realm
config.mapAuthRecord.regex.pattern =
^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
# Concatenates the captured groups, so the first form yields user@suffix and
# the second keeps user@REALM (assuming unmatched groups expand to nothing).
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm}
03.10.2016, 09:56, "Martin Perina" <[email protected]>:
> Ahh, so kerberos SSO works fine for API, but not for portals. Could you
> please share your Apache configuration with oVirt kerberos configuration?
> Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf