Description of problem:
In 14.4. Configuring LDAP and Kerberos for Single Sign-on there is under 14.5-3

~~~
# cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple-sso/. /etc/ovirt-engine
~~~

Which is:

~~~
# find /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple-sso
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple-sso
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple-sso/aaa
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple-sso/aaa/ovirt-sso.conf
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple-sso/aaa/profile1.properties
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple-sso/extensions.d
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple-sso/extensions.d/profile1-authz.properties
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple-sso/extensions.d/profile1-http-authn.properties
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple-sso/extensions.d/profile1-http-mapping.properties
~~~

And in 14.5-6 there is:

~~~
# mv /etc/ovirt-engine/aaa/profile1.properties /etc/ovirt-engine/aaa/example.properties
# mv /etc/ovirt-engine/extensions.d/profile1-authn.properties /etc/ovirt-engine/extensions.d/example-authn.properties
^^ but this will fail as there is no 'profile1-authn.properties'
# mv /etc/ovirt-engine/extensions.d/profile1-authz.properties /etc/ovirt-engine/extensions.d/example-authz.properties
~~~

This is confusing, I suppose one would need to work with 'profile1-http-authn.properties'.

Another thing is related to the mapping file:
Example 14.8. has:

~~~
...
ovirt.engine.aaa.authn.mapping.plugin = example-http-mapping
...
^^^^^^^ italic, thus to be modified
~~~

But there is no info about renaming the mapping file, i.e. there would be no example-http-mapping.properties file.
I suppose 14.5-6 should have added:

~~~
mv /etc/ovirt-engine/extensions.d/profile1-http-mapping.properties /etc/ovirt-engine/extensions.d/example-http-mapping.properties
~~~

Version-Release number of selected component (if applicable):
rhevm-doc-4.0.0-3.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. follow the steps
2.
3.

Actual results:
fails on a non-existent file and maybe the mapping would not be correctly used

Expected results:
should not produce any visible error to the user (not sure about mapping)

Additional info:
*** Bug 1371522 has been marked as a duplicate of this bug. ***
Assigning to Tahlia for review.
* Changed "profile1-authn.properties" in step 6 to "profile1-http-authn.properties"

Martin, can you answer the mapping file question? Any docs change needed for it?

(Doc: https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/paged/administration-guide/154-configuring-ldap-and-kerberos-for-single-sign-on)
Hi Tahlia,
due to the move from EL6 to EL7 and various changes in the engine around the new engine SSO feature, we would like to refresh the Kerberos SSO configuration documentation completely. So here are the changes that need to be done in the doc and which we tested along with QA:

Procedure 15.5. Configuring Single Sign-on to the User Portal or Administration Portal

Step 2. - we need to install mod_auth_gssapi instead of mod_auth_kerb and also install mod_session

~~~
yum install ovirt-engine-extension-aaa-misc ovirt-engine-extension-aaa-ldap mod_auth_gssapi mod_session
~~~

Step 4. - we should move ovirt-sso.conf into the Apache configuration directory instead of creating a link

~~~
mv /etc/ovirt-engine/aaa/ovirt-sso.conf /etc/httpd/conf.d
~~~

Step 5. - users don't need to change anything in this config file, because the realm is automatically fetched from the keytab (unlike in mod_auth_kerb), but I'd leave this step for users upgrading from a previous version to be able to see the difference from the 3.x setup

~~~
vi /etc/httpd/conf.d/ovirt-sso.conf
~~~

Example 15.5 - it should contain the updated configuration

~~~
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

    AuthType GSSAPI
    AuthName "Kerberos Login"

    # Modify to match installation
    GssapiCredStore keytab:/etc/httpd/http.keytab
    GssapiUseSessions On
    Session On
    SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;

    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>
~~~

Step 6. - when configuring Kerberos SSO, the files in extensions.d are a bit different than in a normal aaa-ldap setup, so here are the correct file renaming steps:

~~~
# mv /etc/ovirt-engine/aaa/profile1.properties /etc/ovirt-engine/aaa/example.properties
# mv /etc/ovirt-engine/extensions.d/profile1-http-authn.properties /etc/ovirt-engine/extensions.d/example-http-authn.properties
# mv /etc/ovirt-engine/extensions.d/profile1-http-mapping.properties /etc/ovirt-engine/extensions.d/example-http-mapping.properties
# mv /etc/ovirt-engine/extensions.d/profile1-authz.properties /etc/ovirt-engine/extensions.d/example-authz.properties
~~~

Step 9.5 - we need to add this step between steps 9 and 10

Review the authentication mapping configuration file. The configuration profile extension name must match the value in the authentication configuration file (step 8).

~~~
# vi /etc/ovirt-engine/extensions.d/example-http-mapping.properties
~~~

Example 15.?. Example authentication mapping configuration file

~~~
ovirt.engine.extension.name = example-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = true
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}
~~~

Step 10 - we should check the permissions for all configuration files

~~~
# chown ovirt:ovirt /etc/ovirt-engine/aaa/example.properties
# chown ovirt:ovirt /etc/ovirt-engine/extensions.d/example-http-authn.properties
# chown ovirt:ovirt /etc/ovirt-engine/extensions.d/example-http-mapping.properties
# chown ovirt:ovirt /etc/ovirt-engine/extensions.d/example-authz.properties
# chmod 600 /etc/ovirt-engine/aaa/example.properties
# chmod 640 /etc/ovirt-engine/extensions.d/example-http-authn.properties
# chmod 640 /etc/ovirt-engine/extensions.d/example-http-mapping.properties
# chmod 640 /etc/ovirt-engine/extensions.d/example-authz.properties
~~~

Ondro, could you please check if I haven't missed anything?
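To make the effect of the mapping file in step 9.5 concrete, here is an added Python illustration (not part of the bug report and not code from ovirt-engine-extension-aaa-misc) of what the regex mapping does to the principal Apache passes in X-Remote-User: it strips the Kerberos realm, keeps a UPN-style suffix that was escaped with a backslash, and, because mustMatch is true, rejects a record that matches neither form. The sample principals are constructed, and the pattern is the one from the properties file transcribed into Python group syntax.

```python
import re

# config.mapAuthRecord.regex.pattern from the properties file is written as
#   ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
# Java properties unescaping turns \\\\ into \\, which the regex engine reads
# as one literal backslash. Python names groups (?P<name>...), so this is the
# same pattern transcribed, not a different one.
MAPPING_PATTERN = re.compile(
    r"^(?P<user>.*?)((\\(?P<at>@)(?P<suffix>.*?)@.*)|(?P<realm>@.*))$"
)

# config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}
# Python's template syntax for a named group is \g<name>. Groups that did not
# take part in the match expand to "" (Python >= 3.5), which is also what Java's
# Matcher does for ${name} on an unmatched group, so the realm is dropped.
MAPPING_REPLACEMENT = r"\g<user>\g<at>\g<suffix>"

# config.mapAuthRecord.regex.mustMatch = true
MUST_MATCH = True


def map_auth_record(remote_user, must_match=MUST_MATCH):
    """Map the principal Apache hands over in X-Remote-User (REMOTE_USER)
    to the name the authn/authz profile looks up.

    Returns None when mustMatch is set and the principal does not fit the
    pattern; the mapping then rejects the record instead of passing it on.
    """
    match = MAPPING_PATTERN.match(remote_user)
    if match is None:
        return None if must_match else remote_user
    return match.expand(MAPPING_REPLACEMENT)


# Constructed sample principals, not values from a real keytab or realm.
SAMPLES = [
    "jdoe@EXAMPLE.COM",                      # plain Kerberos principal
    "jdoe\\@corp.example.com@EXAMPLE.COM",   # UPN with an escaped '@'
    "jdoe",                                  # no realm at all
]

if __name__ == "__main__":
    for principal in SAMPLES:
        print(f"{principal!r:45} -> {map_auth_record(principal)!r}")
```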
Looks OK to me, just one note that it's not important that ovirt owns the files in /etc/ovirt-engine/extensions.d/*, they can be world readable, as there is no sensitive information, but really not important.
Restoring need info for Martin.
Documentation Link: https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/single/administration-guide/#Configuring_LDAP_and_Kerberos_for_Single_Sign-on