ovirt配置爲cas登陸

準備工做

Ovirt測試機、CAS服務器、AD服務器

cas.crt —— CAS服務器的CA證書

allwinner.cer —— CAS服務器的證書頒發機構根證書

Ovirt測試機要求：apache 2.二、mod_auth_cas、ovirt 3.六、openssl

CAS服務器地址：https://sso.allwinnertech.com:3443/

Ovirt測試機地址：https://kvmtest.allwinnertech.com/

安裝ovirt的authenticate extension，並配置properties文件

yum install -y ovirt-engine-extension-aaa-misc ovirt-engine-extension-aaa-ldap ovirt-engine-extension-aaa-ldap-setup

# 將配置模板拷貝到 ovirt-engine 的安裝目錄（/etc/ovirt-engine）

cp -rf /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad-sso/* /etc/ovirt-engine

# 修改配置文件的權限和全部者

chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
chown ovirt:ovirt /etc/ovirt-engine/aaa/*
chmod 600 /etc/ovirt-engine/extensions.d/*
chmod 600 /etc/ovirt-engine/aaa/*

# 修改配置文件的名字（自定義）以及內容

mv /etc/ovirt-engine/extensions.d/profile1-http-mapping.properties /etc/ovirt-engine/extensions.d/apachesso-http-mapping.properties
mv /etc/ovirt-engine/extensions.d/profile1-http-authn.properties /etc/ovirt-engine/extensions.d/apachesso-http-authn.properties
mv /etc/ovirt-engine/extensions.d/profile1-authz.properties /etc/ovirt-engine/extensions.d/allwinnertech-authz.properties
mv /etc/ovirt-engine/aaa/profile1.properties /etc/ovirt-engine/aaa/allwinnertech.properties

注意：這裏的受權文件的名字最好定義爲域名，好比：allwinnertech。

# 新增一個認證文件，用於帳號、密碼登陸

touch /etc/ovirt-engine/extensions.d/login-authn.properties
# /etc/ovirt-engine/extensions.d/login-authn.properties
ovirt.engine.extension.name = login-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = login
ovirt.engine.aaa.authn.authz.plugin = allwinnertech-authz
config.profile.file.1 = ../aaa/allwinnertech.properties

# 上面配置內容以下：

# /etc/ovirt-engine/extensions.d/apachesso-http-mapping.properties
ovirt.engine.extension.name = apachesso-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = false
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm}

# /etc/ovirt-engine/extensions.d/apachesso-http-authn.properties
ovirt.engine.extension.name = apachesso-http-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = apachesso-http
ovirt.engine.aaa.authn.authz.plugin = allwinnertech-authz
ovirt.engine.aaa.authn.mapping.plugin = apachesso-http-mapping
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User

# /etc/ovirt-engine/extensions.d/allwinnertech-authz.properties
ovirt.engine.extension.name = allwinnertech-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/allwinnertech.properties

# /etc/ovirt-engine/aaa/allwinnertech.properties
include = <ad.properties>
vars.forest = allwinnertech.com
vars.user = cas@${global:vars.forest}
vars.password = ****
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.forest}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

Apache配置

配置Ovirt單點登陸端口（443）

# 在ssl.conf中增長以下內容

LoadModule auth_cas_module modules/mod_auth_cas.so
CASLoginURL https://sso.allwinnertech.com:3443/login
CASValidateURL https://sso.allwinnertech.com:3443/serviceValidate
CASCookiePath /tmp/cas-cookies/
CASTimeout 50400
CASDebug On
......
<VirtualHost *:443>
......
Servername kvmtest.allwinnertech.com
<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api))>
AuthType CAS
AuthName "CAS Login"
Require valid-user
CASAuthNHeader Remote-User

RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
RequestHeader set X-Remote-User %{REMOTE_USER}s
</LocationMatch>
</VirtualHost>

注意：這裏需指定一個有效的CAS服務器，同時須要處理如下兩件事：

# 建立cas存放cookie的目錄（/tmp/cas-cookies）

mkdir /tmp/cas-cookies
chmod 700 /tmp/cas-cookies
chown apache:apache /tmp/cas-cookies
# 建立目錄策略，避免寫入操做被Selinux阻止
chcon -R -h -t httpd_sys_content_t /tmp/cas-cookies

# 由於CAS使用的是SSL傳輸，而CAS證書頒發機構不被信任，因此須要配置爲可信（若是不配置，mod_auth_cas裏面執行curl命令會失敗）

yum install -y ca-certificates
update-ca-trust force-enable
cp allwinner.cer /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

將準備好的allwinner.cer放入上面的目錄中，而後將cas.crt放入 /etc/ssl/certs 目錄中。

Ovirt帳號、密碼登陸端口（3443）

# 在/etc/httpd/conf.d/下面增長文件 ovirt-sso.conf

LoadModule ssl_module modules/mod_ssl.so

Listen 3443

<VirtualHost *:3443>
ErrorLog logs/ovirt_error_log
TransferLog logs/ovirt_access_log
LogLevel debug

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/kvm.crt
SSLCertificateKeyFile /etc/httpd/ssl/kvm.key

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl1_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Servername kvmtest.allwinnertech.com
</VirtualHost>

注意：這個配置主要是用於不適合經過單點登陸進入的設備，須要準備 kvm.crt 和 kvm.key 兩個文件。這裏沒有配置Location的緣由是由於在ovirt在/etc/httpd/conf.d下有一個被強制執行的配置文件（z-ovirt-engine-proxy.conf），由於Ovirt不支持http登陸（https://bugzilla.redhat.com/show_bug.cgi?id=1077447），因此才選擇配置爲SSL的方式。

重啓ovirt和apache服務

service ovirt-engine restart
service httpd restart

測試配置

訪問測試

https://kvmtest.allwinnertech.com/ovirt-engine/userportal # 跳轉到CAS的登陸頁面

https://kvmtest.allwinnertech.com:3443/ovirt-engine/userportal # 返回的是ovirt的登陸頁面

訪問上面兩個連接，看是否按照後面註釋執行。

登陸測試

當提示沒有受權時，這時應該以管理員帳號進入，爲該用戶受權登陸權限。

ldap調試日誌開啓

若是要記錄ldap的登陸日誌，能夠編輯 /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in 文件，而後在root-logger上面增長

<logger category="org.ovirt.engineextensions.aaa.ldap">

　　<level name="DEBUG"/>

</logger>
而後保存，重啓ovirt-engine。

日誌訪問位置爲：/var/log/ovirt-engine/engine.log

參考：https://bugzilla.redhat.com/show_bug.cgi?id=1019243