+ [email protected]

On Wed, 2020-04-22 at 09:57 +0000, Anton Louw wrote:
> Hi Artur,
>
> I would just like to make sure I am following correctly, comparing your
> entries against mine.
>
> Your setup:
> ...
> config.mapAuthRecord.regex.pattern =
> ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> ...
>
> My setup:
> …
> config.mapAuthRecord.regex.pattern =
> ^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> …
>
> Should I add the additional 2 “\\” in on my side?
Yes, please try adding it. In my case I learned about this issue by debugging
the code, because the real exception generated by the incorrect regexp syntax was
hidden behind a generic error message giving no clues about the true cause.
>
> Your setup:
> ...
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
> <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> Require valid-user
> AuthType openid-connect
> ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> </If>
> </LocationMatch>
> …
>
> My setup:
> …
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
> <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> Require valid-user
> AuthType openid-connect
> ErrorDocument 401 "<html><meta http-equiv='refresh' content='0; url=/ovirt-engine/sso/login-unauthorized'/><body><a href='/ovirt-engine/sso/login-unauthorized'>Here</a></body></html>"
> </If>
> </LocationMatch>
> …
>
> I remember I had syntax errors, but mine was changed.
>
> Does this look fine to you?
>
Yeah, your version looks good too. You have ' instead of " so that is ok.
> Thanks
>
> Anton Louw
> Cloud Engineer: Storage and Virtualization at Vox
> T: 087 805 0000 | D: 087 805 1572
> M: N/A
> E: [email protected]
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> www.vox.co.za
>
> From: Anton Louw
> Sent: 22 April 2020 10:07
> To: Artur Socha <[email protected]>
> Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
>
> Hi Artur,
>
> Great, I will try the below and let you know. I appreciate your efforts.
>
> Sure, you may report it, I was in such a rush that I only hit “reply” and not
> “Reply All”.
>
> I do recall that I had to make some changes to the below as it complained
> about syntax errors:
>
> ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> </If>
> </LocationMatch>
>
> I will let you know the outcome when I change the below as you suggested.
>
> Cheers
>
> From: Artur Socha <[email protected]>
> Sent: 22 April 2020 09:51
> To: Anton Louw <[email protected]>
> Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
>
> I checked your logs and I did not notice anything suspicious.
>
> However, now I recall I made some changes compared to the blog post
> example:
>
> 1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties
>
> I added escaping in the regexp for '\'
>
> ...
> config.mapAuthRecord.regex.pattern =
> ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> ...
>
> 2) /etc/httpd/ovirt-openidc.conf
>
> Escaping for '"' in the error document snippet
>
> ...
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
> <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> Require valid-user
> AuthType openid-connect
> ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> </If>
> </LocationMatch>
> ...
>
> These two issues were most probably caused by the blog site rendering.
>
> You might want to check engine.log (or server.log, not really sure which
> one it was) for aaa extension initialization logs. They should
> appear at the beginning just after restarting the engine.
>
> Unfortunately, at the moment I do not have a running keycloak setup (I
> used to have a local VM) but I will try to find some time to set it up
> again once I'm done with another work item that actually consumes
> almost the entire disk space of my 2 machines.
>
> Please let me know if anything changes after applying these config
> changes. If this works for you then I will request the blog post to be
> updated.
>
> Do you mind if I keep (re-post) this discussion back to users@ovirt in
> case others might have similar issues with keycloak integration?
>
> A.
>
> On Wed, 2020-04-22 at 06:35 +0000, Anton Louw wrote:
> > Hi Artur,
> >
> > Thank you for the reply. The post [1] is actually the main source of
> > information I worked from in order to get everything configured. In
> > the post [1] I ran through the whole testing section, and everything
> > works as expected. I can see the VMs etc. when using the python
> > script.
> >
> > In my case we are not using ldap as a provider, I tried using
> > keycloak directly as a provider, I am not sure if that is where I am
> > going wrong?
> >
> > I have attached the last part of the apache ssl_access_log when I
> > tried logging in this morning. I have also attached the engine log.
> >
> > Thanks
> >
> > Anton Louw
> >
> > From: Artur Socha <[email protected]>
> > Sent: 21 April 2020 15:20
> > To: Anton Louw <[email protected]>; [email protected]
> > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> >
> > On Tue, 2020-04-21 at 12:48 +0000, Anton Louw wrote:
> > > Hi Everybody,
> >
> > Hi Anton,
> >
> > > Has anybody gone the route of using KeyCloak to login to oVirt?
> > > KeyCloak has been configured and the necessary configs have also
> > > been done on the engine. It redirects perfectly from the oVirt Web Login
> > > page to KeyCloak, but after logging into KeyCloak, I get redirected
> > > back to the oVirt Web Login. When trying to login again, I get the
> > > below error:
> > >
> > > server_error: Missing parameter: 'params'
> >
> > Not so long ago I managed to set up ovirt engine with keycloak (using
> > ldap as the users provider). Hopefully, I would be able to help you with
> > it.
> >
> > There is an excellent blog post [1] available. You might also check the
> > keycloak+ldap post [2]; however, when I was working on the integration
> > I was not aware of it and did not test it.
> >
> > The error you mentioned does not really indicate what exactly is wrong,
> > but it might suggest that there is some sort of misconfiguration with
> > apache (you need to install and configure mod_auth_openidc as described
> > at [1]). At least that happened in my case.
> >
> > In case you have already gone through it you could probably check the
> > apache logs.
> >
> > Under [1] there is a python script that can be used to check api calls,
> > please update username/password and test it against your environment.
> >
> > Would it be possible to post the relevant piece of apache logs together with
> > engine.log?
> >
> > [1] https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
> > [2] https://blogs.ovirt.org/2018/08/ovirt-saml-with-keyloak-using-389ds-user-federation/
> >
> > Artur
> >
> > > I have checked all the logs, but nothing is telling me what exactly
> > > the issue is.
> > >
> > > If anybody has any idea, please let me know.
> > >
> > > Thanks
> > >
> > > Anton Louw
> > >
> > > _______________________________________________
> > > Users mailing list -- [email protected]
> > > To unsubscribe send an email to [email protected]
> > > Privacy Statement: https://www.ovirt.org/privacy-policy.html
> > > oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> > > List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/S4I2I3MID4A4AYXVOLWKU55563DFKEFQ/
>
signature.asc
Description: This is a digitally signed message part
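The escaping question the thread turns on (the blog's `\\` against Artur's `\\\\` in the properties file), as an added JavaScript example that is not code from the thread or from oVirt: it assumes a minimal model of Java Properties value unescaping, a hypothetical `mapAuthRecord` helper, and constructed sample principals, and shows the real regex error that the generic engine message hid.

```javascript
// Added example, not code from the thread or from oVirt: it models the
// escape layer a Java .properties loader applies before the engine's aaa
// extension compiles config.mapAuthRecord.regex.pattern as a regex, so the
// real regex error (hidden behind oVirt's generic message) can be seen.
const ESCAPES = new Map([["n", "\n"], ["t", "\t"], ["r", "\r"], ["f", "\f"]]);

// Minimal Properties.load() value unescaping: "\\" -> "\", "\n" -> newline,
// any other "\X" -> "X" (\uXXXX and line continuations are not modelled).
function unescapeProperties(raw) {
  return raw.replace(/\\(.)/g, (_, c) => (ESCAPES.has(c) ? ESCAPES.get(c) : c));
}

// Split "key = value" and unescape the value the way the properties reader would.
function readPropertyLine(line) {
  const idx = line.indexOf("=");
  return { key: line.slice(0, idx).trim(), value: unescapeProperties(line.slice(idx + 1).trim()) };
}

// Compile the unescaped pattern; return the parser's own error instead of
// a generic failure so a misconfiguration is diagnosable from the message.
function compileMappingRegex(line) {
  const { value } = readPropertyLine(line);
  try {
    return { ok: true, regex: new RegExp(value), source: value };
  } catch (e) {
    return { ok: false, error: e.message, source: value };
  }
}

// Hypothetical helper: apply the pattern to a principal and keep only the named groups that matched.
function mapAuthRecord(regex, principal) {
  const m = regex.exec(principal);
  if (!m) return null;
  return Object.fromEntries(Object.entries(m.groups).filter(([, v]) => v !== undefined));
}

// The two variants from the thread: "\\" as rendered by the blog (one regex
// backslash after unescaping, which turns "\(" into a literal paren and leaves
// a ")" unmatched) and "\\\\" as Artur used (a literal backslash in the regex).
const BLOG_LINE = String.raw`config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$`;
const FIXED_LINE = String.raw`config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$`;

const broken = compileMappingRegex(BLOG_LINE);  // ok: false, error is the regex parser's own message
const fixed = compileMappingRegex(FIXED_LINE);  // ok: true

// Constructed sample principals (not taken from the thread).
console.log(broken.ok ? "blog pattern compiled" : `blog pattern rejected: ${broken.error}`);
console.log(mapAuthRecord(fixed.regex, "jdoe@EXAMPLE.COM"));         // { user: 'jdoe', realm: '@EXAMPLE.COM' }
console.log(mapAuthRecord(fixed.regex, "jdoe\\@corp@EXAMPLE.COM"));  // { user: 'jdoe', at: '@', suffix: 'corp' }
```

Running the same unescape-then-compile step over a properties file before restarting the engine surfaces the syntax error directly, which is what Artur had to find by debugging the code.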
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/VQGSFDLQDF2ORLCZ63752W46AMP3GIDI/

