    Configuring oVirt for CAS login

    Preparation

    oVirt test machine, CAS server, AD server

    cas.crt: the CAS server's CA certificate

    allwinner.cer: root certificate of the certificate authority that issued the CAS server's certificate

    Requirements on the oVirt test machine: Apache 2.2, mod_auth_cas, oVirt 3.6, openssl

    CAS server address: https://sso.allwinnertech.com:3443/

    oVirt test machine address: https://kvmtest.allwinnertech.com/

    Install the oVirt authentication extensions and configure the properties files

    yum install -y ovirt-engine-extension-aaa-misc ovirt-engine-extension-aaa-ldap ovirt-engine-extension-aaa-ldap-setup

    # Copy the configuration templates into the ovirt-engine installation directory (/etc/ovirt-engine)

    cp -rf /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad-sso/* /etc/ovirt-engine

    # Fix the permissions and ownership of the configuration files

    chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
    chown ovirt:ovirt /etc/ovirt-engine/aaa/*
    chmod 600 /etc/ovirt-engine/extensions.d/*
    chmod 600 /etc/ovirt-engine/aaa/*

    # Rename the configuration files (any name you like) and edit their contents

    mv /etc/ovirt-engine/extensions.d/profile1-http-mapping.properties /etc/ovirt-engine/extensions.d/apachesso-http-mapping.properties
    mv /etc/ovirt-engine/extensions.d/profile1-http-authn.properties /etc/ovirt-engine/extensions.d/apachesso-http-authn.properties
    mv /etc/ovirt-engine/extensions.d/profile1-authz.properties /etc/ovirt-engine/extensions.d/allwinnertech-authz.properties
    mv /etc/ovirt-engine/aaa/profile1.properties /etc/ovirt-engine/aaa/allwinnertech.properties

    Note: the authz file is best named after the domain, e.g. allwinnertech.

    # Add an authentication profile for username/password login

    touch /etc/ovirt-engine/extensions.d/login-authn.properties
    # /etc/ovirt-engine/extensions.d/login-authn.properties
    ovirt.engine.extension.name = login-authn
    ovirt.engine.extension.bindings.method = jbossmodule
    ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
    ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
    ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
    ovirt.engine.aaa.authn.profile.name = login
    ovirt.engine.aaa.authn.authz.plugin = allwinnertech-authz
    config.profile.file.1 = ../aaa/allwinnertech.properties

    # The contents of the files above are as follows:

    # /etc/ovirt-engine/extensions.d/apachesso-http-mapping.properties
    ovirt.engine.extension.name = apachesso-http-mapping
    ovirt.engine.extension.bindings.method = jbossmodule
    ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
    ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
    ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
    config.mapAuthRecord.type = regex
    config.mapAuthRecord.regex.mustMatch = false
    config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
    config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm}
    # /etc/ovirt-engine/extensions.d/apachesso-http-authn.properties
    ovirt.engine.extension.name = apachesso-http-authn
    ovirt.engine.extension.bindings.method = jbossmodule
    ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
    ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
    ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
    ovirt.engine.aaa.authn.profile.name = apachesso-http
    ovirt.engine.aaa.authn.authz.plugin = allwinnertech-authz
    ovirt.engine.aaa.authn.mapping.plugin = apachesso-http-mapping
    config.artifact.name = HEADER
    config.artifact.arg = X-Remote-User

    # /etc/ovirt-engine/extensions.d/allwinnertech-authz.properties
    ovirt.engine.extension.name = allwinnertech-authz
    ovirt.engine.extension.bindings.method = jbossmodule
    ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
    ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
    ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
    config.profile.file.1 = ../aaa/allwinnertech.properties

    # /etc/ovirt-engine/aaa/allwinnertech.properties
    include = <ad.properties>
    vars.forest = allwinnertech.com
    vars.user = cas@${global:vars.forest}
    vars.password = ****
    pool.default.serverset.type = srvrecord
    pool.default.serverset.srvrecord.domain = ${global:vars.forest}
    pool.default.auth.simple.bindDN = ${global:vars.user}
    pool.default.auth.simple.password = ${global:vars.password}
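As an added example (not from the original post or the oVirt project), the following Python script walks the path an identity takes in this setup: a serviceValidate reply (a constructed sample) is parsed the way mod_auth_cas does, the cas:user value is what ends up in the X-Remote-User header, and the mapping regex from apachesso-http-mapping is applied before the authz profile looks the user up in AD. The pattern is written here in Python's named-group syntax; a Java properties loader consumes one level of backslash escaping before the regex engine sees the pattern.

```python
import re
import xml.etree.ElementTree as ET

CAS_NS = {'cas': 'http://www.yale.edu/tp/cas'}

# Constructed sample replies in the shape /serviceValidate returns (CAS 2.0).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice@ALLWINNERTECH.COM</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def cas_user_from_validate(xml_text):
    """Return the cas:user value, or None when the ticket was rejected.
    This is the decision mod_auth_cas makes before it sets REMOTE_USER."""
    root = ET.fromstring(xml_text)
    user = root.find('cas:authenticationSuccess/cas:user', CAS_NS)
    return user.text if user is not None else None


# Mapping regex of the *-http-mapping profile, in Python syntax
# (Python names groups (?P<name>...), Java (?<name>...)).
MAP_RE = re.compile(r'^(?P<user>.*?)((\\(?P<at>@)(?P<suffix>.*?)@.*)|(?P<realm>@.*))$')


def map_auth_record(principal):
    """Apply config.mapAuthRecord: user\\@suffix@REALM -> user@suffix,
    user@REALM -> user@REALM; mustMatch = false passes other values through."""
    m = MAP_RE.match(principal)
    if m is None:
        return principal
    # Groups that did not take part in the match are None, like an empty ${group}.
    return ''.join(m.group(g) or '' for g in ('user', 'at', 'suffix', 'realm'))


def engine_principal(xml_text):
    """Value the engine reads from X-Remote-User after mapping, or None
    when CAS rejected the ticket and no header is set."""
    user = cas_user_from_validate(xml_text)
    return None if user is None else map_auth_record(user)
```

Because the vhost uses RequestHeader set, a value a client sends in X-Remote-User itself is overwritten by Apache's own; the HTTP authn profile therefore only stays safe while the engine is reachable exclusively through this proxy.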

    Apache configuration

    Configure the oVirt single sign-on port (443)

    # Add the following to ssl.conf

    LoadModule auth_cas_module modules/mod_auth_cas.so
    CASLoginURL https://sso.allwinnertech.com:3443/login
    CASValidateURL https://sso.allwinnertech.com:3443/serviceValidate
    CASCookiePath /tmp/cas-cookies/
    CASTimeout 50400
    CASDebug On
    ......
    <VirtualHost *:443>
    ......
    ServerName kvmtest.allwinnertech.com
    <LocationMatch ^(/ovirt-engine/(webadmin|userportal|api))>
    AuthType CAS
    AuthName "CAS Login"
    Require valid-user
    CASAuthNHeader Remote-User
    
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s
    </LocationMatch>
    </VirtualHost>

    Note: a valid CAS server must be specified here, and the following two things must also be taken care of:

    # Create the directory where mod_auth_cas stores its cookies (/tmp/cas-cookies)

    mkdir /tmp/cas-cookies
    chmod 700 /tmp/cas-cookies
    chown apache:apache /tmp/cas-cookies
    # Label the directory so that SELinux does not block writes to it (httpd_sys_content_t is the read-only type; if writes are still denied in enforcing mode, httpd_sys_rw_content_t is the type for content httpd must write)
    chcon -R -h -t httpd_sys_content_t /tmp/cas-cookies

    # CAS is reached over SSL and the CAS certificate authority is not trusted, so it must be added to the trust store (otherwise the curl call inside mod_auth_cas fails)

    yum install -y ca-certificates
    update-ca-trust force-enable
    cp allwinner.cer /etc/pki/ca-trust/source/anchors/
    update-ca-trust extract

    Place the prepared allwinner.cer in the directory above, then put cas.crt into /etc/ssl/certs.

    oVirt username/password login port (3443)

    # Add the file ovirt-sso.conf under /etc/httpd/conf.d/

    LoadModule ssl_module modules/mod_ssl.so
    Listen 3443
    <VirtualHost *:3443>
    ErrorLog logs/ovirt_error_log
    TransferLog logs/ovirt_access_log
    LogLevel debug
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/kvm.crt
    SSLCertificateKeyFile /etc/httpd/ssl/kvm.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog logs/ssl1_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ServerName kvmtest.allwinnertech.com
    </VirtualHost>

    Note: this configuration is mainly for devices that cannot log in through single sign-on; the two files kvm.crt and kvm.key need to be prepared. No Location is configured here because oVirt ships a mandatory configuration file (z-ovirt-engine-proxy.conf) under /etc/httpd/conf.d, and since oVirt does not support login over plain HTTP (https://bugzilla.redhat.com/show_bug.cgi?id=1077447), the SSL approach was chosen.

    Restart the ovirt-engine and apache services

    service ovirt-engine restart
    service httpd restart

    Testing the configuration

    Access test

    https://kvmtest.allwinnertech.com/ovirt-engine/userportal # redirects to the CAS login page

    https://kvmtest.allwinnertech.com:3443/ovirt-engine/userportal # returns oVirt's own login page

    Visit the two links above and check that each behaves as its comment describes.

    Login test

    If you are told the user is not authorized, log in with an administrator account and grant that user login permission.

    Enabling LDAP debug logging

    To log LDAP login activity, edit /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in and add the following above root-logger:

    <logger category="org.ovirt.engineextensions.aaa.ldap">
      <level name="DEBUG"/>
    </logger>

    Then save and restart ovirt-engine.

    The log is at /var/log/ovirt-engine/engine.log

    Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1019243

    Original post: https://www.cnblogs.com/zhangyanpei/p/6041693.html