Bug 1368452
| Summary: | 14.4. Configuring LDAP and Kerberos for Single Sign-on issues | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Jiri Belka <jbelka> |
| Component: | Documentation | Assignee: | Tahlia Richardson <trichard> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Julie <juwu> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.0.0 | CC: | gklein, lbopf, lleistne, lsurette, mperina, omachace, rbalakri, srevivo, thildred, ykaul |
| Target Milestone: | ovirt-4.0.5 | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-10-27 06:21:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Docs | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jiri Belka
2016-08-19 12:52:45 UTC
*** Bug 1371522 has been marked as a duplicate of this bug. ***

Assigning to Tahlia for review.

* Changed "profile1-authn.properties" in step 6 to "profile1-http-authn.properties"

Martin, can you answer the mapping file question? Any docs change needed for it?
(Doc: https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/paged/administration-guide/154-configuring-ldap-and-kerberos-for-single-sign-on)

Hi Tahlia,
due to the move from EL6 to EL7 and various changes in the engine around the new engine SSO feature, we would like to refresh the Kerberos SSO configuration documentation completely. So here are the changes that need to be done in the doc and which we tested along with QA:
Procedure 15.5. Configuring Single Sign-on to the User Portal or Administration Portal
Step 2.
- we need to install mod_auth_gssapi instead of mod_auth_kerb and also install mod_session
```shell
yum install ovirt-engine-extension-aaa-misc ovirt-engine-extension-aaa-ldap mod_auth_gssapi mod_session
```
Step 4.
- we should move ovirt-sso.conf into Apache configuration directory instead of creating a link
```shell
mv /etc/ovirt-engine/aaa/ovirt-sso.conf /etc/httpd/conf.d
```
Step 5.
- users don't need to change anything in this config file, because the realm is automatically fetched from the keytab (unlike in mod_auth_kerb), but I'd leave this step in for users upgrading from the previous version, to be able to see the difference from the 3.x setup
```shell
vi /etc/httpd/conf.d/ovirt-sso.conf
```
Example 15.5
- it should contain the updated configuration
```apache
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

    AuthType GSSAPI
    AuthName "Kerberos Login"

    # Modify to match installation
    GssapiCredStore keytab:/etc/httpd/http.keytab
    GssapiUseSessions On
    Session On
    SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;

    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>
```
Step 6.
- when configuring Kerberos SSO, the files in extensions.d are a bit different from a normal aaa-ldap setup, so here are the correct file renaming steps:
```shell
# mv /etc/ovirt-engine/aaa/profile1.properties /etc/ovirt-engine/aaa/example.properties
# mv /etc/ovirt-engine/extensions.d/profile1-http-authn.properties /etc/ovirt-engine/extensions.d/example-http-authn.properties
# mv /etc/ovirt-engine/extensions.d/profile1-http-mapping.properties /etc/ovirt-engine/extensions.d/example-http-mapping.properties
# mv /etc/ovirt-engine/extensions.d/profile1-authz.properties /etc/ovirt-engine/extensions.d/example-authz.properties
```
Step 9.5
- we need to add this step between steps 9 and 10
Review the authentication mapping configuration file. The configuration profile extension name must match the value in the authentication configuration file (step 8)
```shell
# vi /etc/ovirt-engine/extensions.d/example-http-mapping.properties
```
Example 15.?. Example authentication mapping configuration file
```properties
ovirt.engine.extension.name = example-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = true
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}
```
Step 10
- we should check the permissions of all configuration files
```shell
# chown ovirt:ovirt /etc/ovirt-engine/aaa/example.properties
# chown ovirt:ovirt /etc/ovirt-engine/extensions.d/example-http-authn.properties
# chown ovirt:ovirt /etc/ovirt-engine/extensions.d/example-http-mapping.properties
# chown ovirt:ovirt /etc/ovirt-engine/extensions.d/example-authz.properties
# chmod 600 /etc/ovirt-engine/aaa/example.properties
# chmod 640 /etc/ovirt-engine/extensions.d/example-http-authn.properties
# chmod 640 /etc/ovirt-engine/extensions.d/example-http-mapping.properties
# chmod 640 /etc/ovirt-engine/extensions.d/example-authz.properties
```
Ondro, could you please check if I haven't missed anything?
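To show what the mapping file in step 9.5 actually does to the Kerberos principal that Apache hands over in REMOTE_USER, here is an added example (not from the bug report or from oVirt's own MappingExtension) that re-implements the configured regex mapping in Python. It assumes Python 3.5+, transcribes Java's `(?<name>)` groups to Python's `(?P<name>)`, and treats the `\\\\` in the .properties value as one literal backslash after properties unescaping; the sample principals are constructed.

```python
import re

# Python transcription of config.mapAuthRecord.regex.pattern from
# example-http-mapping.properties (assumption: Java (?<name>) -> Python
# (?P<name>); the properties value "\\\\" is one literal backslash once the
# .properties escaping is removed). The first alternative matches a principal
# whose user component itself contains an escaped "@" (user\@suffix@REALM),
# the second a plain user@REALM.
MAP_PATTERN = re.compile(
    r"^(?P<user>.*?)((\\(?P<at>@)(?P<suffix>.*?)@.*)|(?P<realm>@.*))$"
)
# config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}
# Named groups that did not take part in the match expand to "" (Python 3.5+),
# so user@REALM collapses to "user" and user\@suffix@REALM to "user@suffix".
MAP_REPLACEMENT = r"\g<user>\g<at>\g<suffix>"


def map_auth_record(principal: str, must_match: bool = True) -> str:
    """Map the REMOTE_USER value from mod_auth_gssapi to the name that is
    looked up by the authz (LDAP) extension.

    must_match mirrors config.mapAuthRecord.regex.mustMatch: when True, a
    record that does not match the pattern is rejected (here: ValueError)
    rather than passed through unchanged. That is an assumption about the
    extension's semantics, chosen so that an unexpected principal format never
    silently becomes an LDAP lookup key.
    """
    match = MAP_PATTERN.match(principal)
    if match is None:
        if must_match:
            raise ValueError(f"auth record does not match mapping pattern: {principal!r}")
        return principal
    return match.expand(MAP_REPLACEMENT)


if __name__ == "__main__":
    # Constructed sample principals, not taken from any real environment.
    for sample in ("jdoe@EXAMPLE.COM", r"jdoe\@corp.example.com@EXAMPLE.COM", "jdoe"):
        try:
            print(f"{sample!r:45} -> {map_auth_record(sample)!r}")
        except ValueError as err:
            print(f"{sample!r:45} -> rejected ({err})")
```

Realm-qualified principals are reduced to the bare user name, a user whose name component carries an escaped "@" keeps its suffix, and a bare name without a realm is rejected because mustMatch is true.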
Looks OK to me, just one note that it's not important that ovirt owns the files in /etc/ovirt-engine/extensions.d/* , they can be world readable, as there is no sensitive information, but really not important.

Restoring need info for Martin.