Tuesday, 30 December 2014

[PART 3] oVirt with SSO - oVirt & Apache

Installing oVirt

Create a VM (or whatever) on which to install oVirt. Here are all the steps provided. Just follow them.

Configure Kerberos for oVirt

SSH into your OpenLDAP machine. Here we need to create an SPN for oVirt in the Kerberos database, create a keytab, and copy it to the oVirt machine. Then change the permissions and owner of the keytab appropriately.
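The keytab steps above, sketched as an added example that is not from the original post. It assumes an MIT Kerberos KDC on the OpenLDAP machine, Apache running as the `apache` user, and the hypothetical host name and paths shown; the function names are also made up for illustration.

```shell
#!/usr/bin/env bash
# Added example. Assumed values, not from the original post:
OVIRT_FQDN="${OVIRT_FQDN:-ovirt.example.com}"   # hypothetical oVirt host name
KEYTAB="${KEYTAB:-/etc/httpd/http.keytab}"      # hypothetical keytab location

# Run on the KDC (the OpenLDAP machine) as root: create the HTTP service
# principal with a random key and export it to a keytab file ($1).
create_spn_keytab() {
    kadmin.local -q "addprinc -randkey HTTP/${OVIRT_FQDN}"
    kadmin.local -q "ktadd -k $1 HTTP/${OVIRT_FQDN}"
    # Copy $1 to the oVirt machine over SSH (scp), then delete the KDC copy.
}

# Run on the oVirt machine as root: install the copied keytab ($1) so that
# only the Apache user can read it, then list the principals it contains.
install_keytab() {
    install -o apache -g apache -m 0400 "$1" "$KEYTAB"
    klist -kt "$KEYTAB"
}

# Audit check: succeed only if the keytab ($1) is a regular file owned by the
# expected user ($2) with no group/other access. A keytab holds the service's
# long-term key, so anyone who can read it can impersonate the HTTP service.
# Returns 0 = ok, 1 = wrong owner or mode, 2 = file missing.
keytab_perms_ok() {
    [ -f "$1" ] || return 2
    [ "$(stat -c %U "$1")" = "$2" ] || return 1
    case "$(stat -c %a "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}
```

For example, `keytab_perms_ok /etc/httpd/http.keytab apache` can be run after installation and again after any package update that touches the Apache configuration directory.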

Configure the Apache Kerberos module

First we need to install the Kerberos module for Apache and then configure it with our Kerberos configuration. (I suggest using mod_auth_gssapi since CentOS 7.)

Configure oVirt

First we need to install the new extension API. We have to install two packages: one for the LDAP extensions and a second for the gateway extension. If you just want to try the new extension API, you don't have to install the misc package, but we will need it for SSO. There is also one for logging.
Now I highly recommend reading all the READMEs.
In the next steps we have to configure the mapping for SSO, authorization and authentication. The authorization configuration is quite simple for our example. We leave all values at their defaults and just set the URL for our OpenLDAP. We place all our configurations into /etc/ovirt-engine/extensions.d. Now restart oVirt and Apache, because the configurations are loaded on start.

Configure the Kerberos workstation

OK. We are done. The last step is to set up our workstation and test that it's working. Now go into the oVirt admin console and log in as admin@internal. Find user1 from ldap-authz-simple_openldap and assign him some permissions. The last step is to configure our browser. I tested Firefox. Here is the link. Now just obtain a ticket and browse webadmin without logging in. :)

$ kinit user1
