准备工作
Ovirt测试机、CAS服务器、AD服务器
cas.crt —— CAS服务器的CA证书
allwinner.cer —— CAS服务器的证书颁发机构根证书
Ovirt测试机要求:apache 2.2、mod_auth_cas、ovirt 3.6、openssl
CAS服务器地址:https://sso.allwinnertech.com:3443/
Ovirt测试机地址:https://kvmtest.allwinnertech.com/
安装ovirt的authenticate extension,并配置properties文件
yum install -y ovirt-engine-extension-aaa-misc ovirt-engine-extension-aaa-ldap ovirt-engine-extension-aaa-ldap-setup
# 将配置模板拷贝到 ovirt-engine 的安装目录(/etc/ovirt-engine)
cp -rf /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad-sso/* /etc/ovirt-engine
# 修改配置文件的权限和所有者
chown ovirt:ovirt /etc/ovirt-engine/extensions.d/* chown ovirt:ovirt /etc/ovirt-engine/aaa/* chmod 600 /etc/ovirt-engine/extensions.d/* chmod 600 /etc/ovirt-engine/aaa/*
# 修改配置文件的名字(自定义)以及内容
mv /etc/ovirt-engine/extensions.d/profile1-http-mapping.properties /etc/ovirt-engine/extensions.d/apachesso-http-mapping.properties mv /etc/ovirt-engine/extensions.d/profile1-http-authn.properties /etc/ovirt-engine/extensions.d/apachesso-http-authn.properties mv /etc/ovirt-engine/extensions.d/profile1-authz.properties /etc/ovirt-engine/extensions.d/allwinnertech-authz.properties mv /etc/ovirt-engine/aaa/profile1.properties /etc/ovirt-engine/aaa/allwinnertech.properties
注意:这里的授权文件的名字最好定义为域名,比如:allwinnertech。
# 新增一个认证文件,用于账号、密码登录
touch /etc/ovirt-engine/extensions.d/login-authn.properties # /etc/ovirt-engine/extensions.d/login-authn.properties ovirt.engine.extension.name = login-authn ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name = login ovirt.engine.aaa.authn.authz.plugin = allwinnertech-authz config.profile.file.1 = ../aaa/allwinnertech.properties
# 上面配置内容如下:
# /etc/ovirt-engine/extensions.d/apachesso-http-mapping.properties ovirt.engine.extension.name = apachesso-http-mapping ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping config.mapAuthRecord.type = regex config.mapAuthRecord.regex.mustMatch = false config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$ config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm}
# /etc/ovirt-engine/extensions.d/apachesso-http-authn.properties ovirt.engine.extension.name = apachesso-http-authn ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name = apachesso-http ovirt.engine.aaa.authn.authz.plugin = allwinnertech-authz ovirt.engine.aaa.authn.mapping.plugin = apachesso-http-mapping config.artifact.name = HEADER config.artifact.arg = X-Remote-User
# /etc/ovirt-engine/extensions.d/allwinnertech-authz.properties ovirt.engine.extension.name = allwinnertech-authz ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz config.profile.file.1 = ../aaa/allwinnertech.properties
# /etc/ovirt-engine/aaa/allwinnertech.properties include = <ad.properties> vars.forest = allwinnertech.com vars.user = cas@${global:vars.forest} vars.password = **** pool.default.serverset.type = srvrecord pool.default.serverset.srvrecord.domain = ${global:vars.forest} pool.default.auth.simple.bindDN = ${global:vars.user} pool.default.auth.simple.password = ${global:vars.password}
Apache配置
配置Ovirt单点登录端口(443)
# 在ssl.conf中增加如下内容
LoadModule auth_cas_module modules/mod_auth_cas.so CASLoginURL https://sso.allwinnertech.com:3443/login CASValidateURL https://sso.allwinnertech.com:3443/serviceValidate CASCookiePath /tmp/cas-cookies/ CASTimeout 50400 CASDebug On ...... <VirtualHost *:443> ...... Servername kvmtest.allwinnertech.com <LocationMatch ^(/ovirt-engine/(webadmin|userportal|api))> AuthType CAS AuthName "CAS Login" Require valid-user CASAuthNHeader Remote-User RewriteEngine on RewriteCond %{LA-U:REMOTE_USER} ^(.*)$ RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1] RequestHeader set X-Remote-User %{REMOTE_USER}s </LocationMatch> </VirtualHost>
注意:这里需指定一个有效的CAS服务器,同时需要处理以下两件事:
# 创建cas存放cookie的目录(/tmp/cas-cookies)
mkdir /tmp/cas-cookies chmod 700 /tmp/cas-cookies chown apache:apache /tmp/cas-cookies # 创建目录策略,避免写入操作被Selinux阻止 chcon -R -h -t httpd_sys_content_t /tmp/cas-cookies
# 因为CAS使用的是SSL传输,而CAS证书颁发机构不被信任,所以需要配置为可信(如果不配置,mod_auth_cas里面执行curl命令会失败)
yum install -y ca-certificates update-ca-trust force-enable cp allwinner.cer /etc/pki/ca-trust/source/anchors/ update-ca-trust extract
将准备好的allwinner.cer放入上面的目录中,然后将cas.crt放入 /etc/ssl/certs 目录中。
Ovirt账号、密码登录端口(3443)
# 在/etc/httpd/conf.d/下面增加文件 ovirt-sso.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 3443
<VirtualHost *:3443> ErrorLog logs/ovirt_error_log TransferLog logs/ovirt_access_log LogLevel debug SSLEngine on SSLCertificateFile /etc/httpd/ssl/kvm.crt SSLCertificateKeyFile /etc/httpd/ssl/kvm.key SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog logs/ssl1_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" Servername kvmtest.allwinnertech.com </VirtualHost>
注意:这个配置主要是用于不适合通过单点登录进入的设备,需要准备 kvm.crt 和 kvm.key 两个文件。这里没有配置Location的原因是因为在ovirt在/etc/httpd/conf.d下有一个被强制执行的配置文件(z-ovirt-engine-proxy.conf),因为Ovirt不支持http登录(https://bugzilla.redhat.com/show_bug.cgi?id=1077447),所以才选择配置为SSL的方式。
重启ovirt和apache服务
service ovirt-engine restart
service httpd restart
测试配置
访问测试
https://kvmtest.allwinnertech.com/ovirt-engine/userportal # 跳转到CAS的登录页面
https://kvmtest.allwinnertech.com:3443/ovirt-engine/userportal # 返回的是ovirt的登录页面
访问上面两个链接,看是否按照后面注释执行。
登录测试
当提示没有授权时,这时应该以管理员账号进入,为该用户授权登录权限。
ldap调试日志开启
如果要记录ldap的登录日志,可以编辑 /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in 文件,然后在root-logger上面增加
<logger category="org.ovirt.engineextensions.aaa.ldap">
<level name="DEBUG"/>
</logger>
然后保存,重启ovirt-engine。
日志访问位置为:/var/log/ovirt-engine/engine.log
参考:https://bugzilla.redhat.com/show_bug.cgi?id=1019243
