Bug 1368510

Summary: [RFE] setup tool could also generate configuration for SSO via apache httpd
Product: [oVirt] ovirt-engine-extension-aaa-ldap Reporter: Jiri Belka <jbelka>
Component: SetupAssignee: Martin Perina <mperina>
Status: CLOSED DEFERRED QA Contact: Ondra Machacek <omachace>
Severity: low Docs Contact:
Priority: unspecified    
Version: 1.2.1CC: bugs, oourfali
Target Milestone: ---Keywords: FutureFeature
Target Release: ---Flags: oourfali: ovirt-future?
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-13 07:57:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jiri Belka 2016-08-19 15:36:42 UTC
Description of problem:

Currently setup tools can generate files to make engine authenticate users against remote directory services. I don't see reason why setup could not enhance itself and generate all configuration for SSO. Maybe a question for keytab file on the server where setup is executed..., also get additional rpms?

No idea about TLS, this is currently too far in my testing...

Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-setup-1.2.1-1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. /usr/bin/ovirt-engine-extension-aaa-ldap-setup to configure a DS to have SSO
2. check if it can be used without manual intervention to have working SSO
3.

Actual results:
not yet, setup doesn't know SSO

Expected results:
it should generate fully working SSO configuration, mapping, apache conf, check permission on keytab etc...

Additional info:
I was told ovirt-engine-extensions-tool aaa login-user doesn't work if SSO is configured, the user should have a way that its domain is configured correctly even he intends to use it for SSO via apache httpd

Manual configuration seems little bit error-prone.

Comment 1 Yaniv Kaul 2017-03-13 07:57:51 UTC
Don't see a great demand for local SSO, closing for the time being.
(I'd argue that easier setup of Kerberos integration would be nice though!)

Comment 2 Ondra Machacek 2017-03-13 08:07:55 UTC
I've created this[1] Ansible role, which does the job. Feel free to try it.

[1] https://galaxy.ansible.com/machacekondra/ovirt-aaa-ldap/