<html><head></head><body><div>Hello,</div>
<div><br></div>
<div>I am trying to connect ovirt 4.0.3 to my Samba 4.5 Active Directory to permit the login of AD users to ovirt.</div>
<div><br></div>
<div>For now I installed ovirt-engine-extension-aaa-ldap-setup.noarch and ovirt-engine-extension-aaa-misc.noarch</div>
<div><br></div>
<div># ovirt-engine-extension-aaa-ldap-setup</div>
<div>- selected "Active Directory"</div>
<div>- Anonymous search user</div>
<div><br></div>
<div>I can run a search, but when I try to log in with the username alone "testuser" -> error "CREDENTIALS_INCORRECT"; if I log in with the user+domain "<a href="mailto:testuser@abc.lan">testuser@abc.lan</a>" my auth succeeds but -> "Cannot resolve principal 'testuser@abc.lan'"</div>
<div><br></div>
<div><br></div>
<div># ovirt-engine-extensions-tool aaa login-user --profile=abc.lan --user-name=testuser</div>
<div><br></div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>...</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>2016-09-21 09:53:29 INFO API: &lt;--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='abc.lan' result=CREDENTIALS_INCORRECT</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>2016-09-21 09:53:29 SEVERE Authn.Result code is: CREDENTIALS_INCORRECT</div>
<div><br></div>
<div># ovirt-engine-extensions-tool aaa login-user --profile=abc.lan --user-name=testuser@abc.lan</div>
<div><br></div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>...</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>2016-09-21 09:52:02 INFO API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='testuser@abc.lan'</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>2016-09-21 09:52:02 SEVERE Cannot resolve principal 'testuser@abc.lan'</div>
<div><br></div>
<div><br></div>
<div>After some searching I configured the mapping plugin to automatically add @abc.lan to the user, so that I don't need to add the @abc.lan to connect, but still the same error: cannot resolve principal ...</div>
<div><br></div>
<div><i># cat /etc/ovirt-engine/extensions.d/mapping-suffix.properties</i></div>
<div><br></div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>ovirt.engine.extension.name = mapping-suffix</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>ovirt.engine.extension.bindings.method = jbossmodule</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>config.mapUser.type = regex</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>config.mapUser.regex.pattern = ^(?&lt;user&gt;[^@]*)$</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>config.mapUser.regex.replacement = ${user}@abc.lan</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>config.mapUser.regex.mustMatch = false</div>
<div><br></div>
<div><i># cat /etc/ovirt-engine/extensions.d/mapping-suffix.properties</i></div>
<div><br></div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>...</div>
<div><span class="Apple-tab-span" style="white-space:pre">        </span>ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix</div>
<div><br></div>
<div>Any ideas?</div>
<div><br></div>
<div>Thank you.</div></body></html>