Description of problem:
Currently setup tools can generate files to make engine authenticate users against remote directory services. I don't see a reason why setup could not enhance itself and generate all configuration for SSO. Maybe a question for keytab file on the server where setup is executed..., also get additional rpms? No idea about TLS, this is currently too far in my testing...

Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-setup-1.2.1-1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. /usr/bin/ovirt-engine-extension-aaa-ldap-setup to configure a DS to have SSO
2. check if it can be used without manual intervention to have working SSO
3.

Actual results:
not yet, setup doesn't know SSO

Expected results:
it should generate fully working SSO configuration, mapping, apache conf, check permission on keytab etc...

Additional info:
I was told ovirt-engine-extensions-tool aaa login-user doesn't work if SSO is configured, the user should have a way that its domain is configured correctly even if he intends to use it for SSO via apache httpd.

Manual configuration seems a little bit error-prone.

Don't see a great demand for local SSO, closing for the time being. (I'd argue that easier setup of Kerberos integration would be nice though!)

I've created this[1] Ansible role, which does the job. Feel free to try it.

[1] https://galaxy.ansible.com/machacekondra/ovirt-aaa-ldap/