<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 26 Mar 2016, at 13:49, Karli Sjöberg <<a href="mailto:Karli.Sjoberg@slu.se" class="">Karli.Sjoberg@slu.se</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 26 Mar 2016, at 11:35, Ondra Machacek <<a href="mailto:omachace@redhat.com" class="">omachace@redhat.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">For me it's working completelly fine:<br class="">
<br class="">
...<br class="">
config.mapUser.type = regex<br class="">
config.mapUser.regex.pattern = ^(?<user>[^@]*)$<br class="">
config.mapUser.regex.replacement = ${user}@<a href="http://domainx.com/" class="">DOMAINX.com</a><br class="">
config.mapUser.regex.mustMatch = false<br class="">
...<br class="">
<br class="">
$ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user@DOMAINY --profile=ad<br class="">
<br class="">
INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'<br class="">
INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'<br class="">
<br class="">
$ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user --profile=ad<br class="">
<br class="">
INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'<br class="">
INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' <a href="mailto:user='user@DOMAINX.com" class="">
user='user@DOMAINX.com</a>'<br class="">
<br class="">
As you can see it's correctly mapped.<br class="">
<br class="">
Please check once again the regex is correct, if it still won't work, please send log output again.<br class="">
</div>
</blockquote>
<div class=""><br class="">
</div>
<span class="">
<div class="">/etc/ovirt-engine/extensions.d/mapping-suffix.properties:</div>
</span><span class="">ovirt.engine.extension.name = mapping-suffix<br class="">
ovirt.engine.extension.bindings.method = jbossmodule<br class="">
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc<br class="">
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension<br class="">
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping<br class="">
config.mapUser.type = regex<br class="">
config.mapUser.regex.pattern = ^(?<user>[^@]*)$<br class="">
config.mapUser.regex.replacement = ${user}@foo.bar<br class="">
config.mapUser.regex.mustMatch = false</span></div>
<div class=""><span class=""><br class="">
</span></div>
<span class=""># ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --<a href="mailto:user-name=user@baz.foo.bar" class="">user-name=user@baz.foo.bar</a><br class="">
# grep Mapping.InvokeCommands.MAP_USER login.log <br class="">
2016-03-26 13:27:40 INFO API: -->Mapping.InvokeCommands.MAP_USER <a href="mailto:user='user@baz.foo.bar" class="">user='user@baz.foo.bar</a>'<br class="">
2016-03-26 13:27:40 INFO API: <--Mapping.InvokeCommands.MAP_USER <a href="mailto:user='user@baz.foo.bar" class="">user='user@baz.foo.bar</a>'<br class="">
</span><span class=""><br class="">
</span>
<div class=""><span class="">And here is the log:</span></div>
<div class=""><span class=""><a href="https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download" class="">https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download</a></span></div>
<div class=""><span class=""><br class="">
</span></div>
<div class=""><span class="">/K</span></div>
</div>
</div>
</blockquote>
<div><br class="">
</div>
Eureka! I changed ‘vars.user’ in ‘baz.foo.bar-new.properties’ from one with suffix ‘@baz.foo.bar’ to mine that has a ‘@foo.bar’ ending and now it works, for some reason. Very strange, but anyway... How do I go about changing from UPN to samAccountName, if I´d
want that instead?</div>
<div><br class="">
</div>
<div>/K</div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class=""><span class=""><br class="">
</span>
<blockquote type="cite" class="">
<div class=""><br class="">
On 03/26/2016 10:07 AM, Karli Sjöberg wrote:<br class="">
<blockquote type="cite" class="">What the heck, my message disappeares! Trying again.<br class="">
<br class="">
Ok, so it's mapping now but the only thing working is:<br class="">
config.mapUser.regex.pattern = <a href="mailto:user@baz.foo.bar" class="">user@baz.foo.bar</a><br class="">
config.mapUser.regex.replacement = <a href="mailto:user@foo.bar" class="">user@foo.bar</a><br class="">
<br class="">
And that isn't very useful. Please advice!<br class="">
<br class="">
/K<br class="">
<br class="">
On 03/25/2016 12:26 AM, Karli Sjöberg wrote:<br class="">
<blockquote type="cite" class=""><br class="">
Den 25 mars 2016 12:10 fm skrev Karli Sjöberg <<a href="mailto:karli.sjoberg@slu.se" class="">karli.sjoberg@slu.se</a>>:<br class="">
><br class="">
><br class="">
> Den 24 mars 2016 11:26 em skrev Ondra Machacek <<a href="mailto:omachace@redhat.com" class="">omachace@redhat.com</a>>:<br class="">
> ><br class="">
> > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:<br class="">
> > ><br class="">
> > > Den 24 mars 2016 7:26 em skrev Ondra Machacek <<a href="mailto:omachace@redhat.com" class="">omachace@redhat.com</a>>:<br class="">
> > > ><br class="">
> > > > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:<br class="">
> > > > > Hi!<br class="">
> > > > ><br class="">
> > > > ><br class="">
> > > > > Starting new thread instead of jacking someone else´s.<br class="">
> > > > ><br class="">
> > > > ><br class="">
> > > > > Managed to migrate from old 'engine-manage-domains' auth to<br class="">
> > > aaa-ldap using:<br class="">
> > > > ><br class="">
> > > > > #| ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar<br class="">
--cacert<br class="">
> > > > > /tmp/ca.crt --apply<br class="">
> > > > > |<br class="">
> > > > ><br class="">
> > > > ><br class="">
> > > > > All OK, no errors, but cannot log in:<br class="">
> > > > ><br class="">
> > > > > # ovirt-engine-extensions-tool aaa login-user<br class="">
--profile=baz.foo.bar-new<br class="">
> > > > > --user-name=user:<br class="">
> > > ><br class="">
> > > > If you want to login with user with different upn suffix, then<br class="">
just<br class="">
> > > > append that suffix<br class="">
> > > ><br class="">
> > > > $ ovirt-engine-extensions-tool aaa login-user<br class="">
--profile=baz.foo.bar-new<br class="">
> > > > --<a href="mailto:user-name=user@foo.bar" class="">user-name=user@foo.bar</a><br class="">
> > ><br class="">
> > > OK, some progress, that works!<br class="">
> > ><br class="">
> > > ><br class="">
> > > > If you have more suffixes and want to have some as default you<br class="">
can use<br class="">
> > > > following approach:<br class="">
> > > ><br class="">
> > > > 1) install ovirt-engine-extension-aaa-misc<br class="">
> > > ><br class="">
> > > > 2) create new mapping extension like this:<br class="">
> > > > /etc/ovirt-engine/extensions.d/mapping-suffix.properties<br class="">
> > > ><br class="">
> > > > ovirt.engine.extension.name = mapping-suffix<br class="">
> > > > ovirt.engine.extension.bindings.method = jbossmodule<br class="">
> > > > ovirt.engine.extension.binding.jbossmodule.module =<br class="">
> > > > org.ovirt.engine-extensions.aaa.misc<br class="">
> > > > ovirt.engine.extension.binding.jbossmodule.class =<br class="">
> > > > org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension<br class="">
> > > > ovirt.engine.extension.provides =<br class="">
> > > > org.ovirt.engine.api.extensions.aaa.Mapping<br class="">
> > > > config.mapUser.type = regex<br class="">
> > > > config.mapUser.pattern = ^(?<user>[^@]*)$<br class="">
> > ><br class="">
> > > Is that supposed to really say '<user>' or should it be changed to a<br class="">
> > > real user name? Either way, it doesn't work, I tried it all.<br class="">
> ><br class="">
> > '?<user>' is just a named group in that regex so you can later use<br class="">
it in<br class="">
> > 'config.mapUser.replacement' option. It should take everything until<br class="">
> > first '@'.<br class="">
> ><br class="">
> > ><br class="">
> > > > config.mapUser.replacement = ${user}@foo.bar<br class="">
> > > > config.mapUser.mustMatch = false<br class="">
> > > ><br class="">
> > > > 3) select a mapping plugin in authn configuration:<br class="">
> > > ><br class="">
> > > > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix<br class="">
> > > ><br class="">
> > > > With above configuration in use, your user 'user' witll be<br class="">
mapped to<br class="">
> > > > user '<a href="mailto:user@foo.bar" class="">user@foo.bar</a>'<br class="">
> > > > and users '<a href="mailto:user@anotherdomain.foo.bar" class="">user@anotherdomain.foo.bar</a>' will remain<br class="">
> > > > '<a href="mailto:user@anotherdomain.foo.bar" class="">user@anotherdomain.foo.bar</a>'.<br class="">
> > ><br class="">
> > > This however does not, it doesn't replace the suffix as it's supposed<br class="">
> > > to. I tried with many different types of the 'mapUser.pattern' but it<br class="">
> > > simply won't change it, even if I type in '= ^<a href="mailto:user@baz.foo.bar" class="">user@baz.foo.bar</a>$', the<br class="">
> > > error is the same:(<br class="">
> ><br class="">
> > Hmm, hard to say what's wrong, try to run:<br class="">
> > $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user<br class="">
> > --profile=baz.foo.bar-new --user-name=user<br class="">
> ><br class="">
> > and search for a mapping part in log.<br class="">
><br class="">
> Wow what a mouthfull:) Can you make anything out of it?<br class="">
><br class="">
> <a href="https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download" class="">
https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download</a><br class="">
><br class="">
> /K<br class="">
<br class="">
Just noticed after logging in to webadmin as "<a href="mailto:user@foo.bar" class="">user@foo.bar</a>" (which<br class="">
worked btw, so good there) that the "User Name" in Users main tab looks<br class="">
really odd:<br class="">
<a href="mailto:user@foo.bar" class="">user@foo.bar</a>@baz.foo.bar-new-authz<br class="">
</blockquote>
<br class="">
Sorry you are right, it don't work. I've sent you incorrect<br class="">
cofiguration, the correct one is:<br class="">
<br class="">
/etc/ovirt-engine/extensions.d/mapping-suffix.properties<br class="">
<br class="">
...<br class="">
config.mapUser.regex.pattern = ^(?<user>[^@]*)$<br class="">
config.mapUser.regex.replacement = ${user}@foo.bar<br class="">
config.mapUser.regex.mustMatch = false<br class="">
...<br class="">
<br class="">
Notice there was missing 'regex', after 'mapUser'.<br class="">
<br class="">
<blockquote type="cite" class=""><br class="">
/K<br class="">
<br class="">
><br class="">
> ><br class="">
> > ><br class="">
> > > /K<br class="">
> > ><br class="">
> > > ><br class="">
> > > > ><br class="">
> > > > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS<br class="">
result=SUCCESS<br class="">
> > > > ><br class="">
> > > > ><br class="">
> > > > > but:<br class="">
> > > > ><br class="">
> > > > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD<br class="">
> > > > > <a href="mailto:principal='user@baz.foo.bar" class="">principal='user@baz.foo.bar</a>'<br class="">
> > > > > SEVERE Cannot resolve principal '<a href="mailto:user@baz.foo.bar" class="">user@baz.foo.bar</a>'<br class="">
> > > > ><br class="">
> > > > ><br class="">
> > > > > So it fails.<br class="">
> > > > ><br class="">
> > > > ><br class="">
> > > > > # ldapsearch -x -H <a href="ldap://baz.foo.bar" class="">ldap://baz.foo.bar</a> -D
<a href="mailto:user@foo.bar" class="">user@foo.bar</a> -W -b<br class="">
> > > > > DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)"<br class="">
userPrincipalName |<br class="">
> > > > > grep 'userPrincipalName:'<br class="">
> > > > ><br class="">
> > > > > userPrincipalName: <a href="mailto:user@foo.bar" class="">user@foo.bar</a><br class="">
> > > > ><br class="">
> > > > ><br class="">
> > > > > |How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when<br class="">
> > > > > userPrincipalName ends only on '@foo.bar'?<br class="">
> > > > ><br class="">
> > > > > /K<br class="">
> > > > > |<br class="">
> > > > ><br class="">
> > > > ><br class="">
> > > > ><br class="">
> > > > ><br class="">
> > > > > _______________________________________________<br class="">
> > > > > Users mailing list<br class="">
> > > > > <a href="mailto:Users@ovirt.org" class="">Users@ovirt.org</a><br class="">
> > > > > <a href="http://lists.ovirt.org/mailman/listinfo/users" class="">http://lists.ovirt.org/mailman/listinfo/users</a><br class="">
> > > > ><br class="">
> > ><br class="">
<br class="">
</blockquote>
</blockquote>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</body>
</html>