On 03/26/2016 02:09 PM, Karli Sjöberg wrote:
> On 26 Mar 2016, at 13:49, Karli Sjöberg <Karli.Sjoberg@slu.se> wrote:
>
>
>> On 26 Mar 2016, at 11:35, Ondra Machacek <omachace@redhat.com> wrote:
>>
>> For me it's working completely fine:
>>
>> ...
>> config.mapUser.type = regex
>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
>> config.mapUser.regex.replacement = ${user}@DOMAINX.com
>> config.mapUser.regex.mustMatch = false
>> ...
>>
>> $ ovirt-engine-extensions-tool aaa login-user
>> --password=pass:password --user-name=user@DOMAINY --profile=ad
>>
>> INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad'
>> user='user@DOMAINY'
>> INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad'
>> user='user@DOMAINY'
>>
>> $ ovirt-engine-extensions-tool aaa login-user
>> --password=pass:password --user-name=user --profile=ad
>>
>> INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad'
>> user='user'
>> INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad'
>> user='user@DOMAINX.com'
>>
>> As you can see it's correctly mapped.
>>
>> Please check once again the regex is correct, if it still won't work,
>> please send log output again.
>
> /etc/ovirt-engine/extensions.d/mapping-suffix.properties:
> ovirt.engine.extension.name = mapping-suffix
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class
> = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Mapping
> config.mapUser.type = regex
> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
> config.mapUser.regex.replacement = ${user}@foo.bar
> config.mapUser.regex.mustMatch = false
>
> # ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
> --profile=baz.foo.bar-new --user-name=user@baz.foo.bar
> # grep Mapping.InvokeCommands.MAP_USER login.log
> 2016-03-26 13:27:40 INFO API: -->Mapping.InvokeCommands.MAP_USER
> user='user@baz.foo.bar'
> 2016-03-26 13:27:40 INFO API: <--Mapping.InvokeCommands.MAP_USER
> user='user@baz.foo.bar'
>
> And here is the log:
>
> https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download
>
> /K
> Eureka! I changed ‘vars.user’ in ‘baz.foo.bar-new.properties’ from one
> with suffix ‘@baz.foo.bar’ to mine that has a ‘@foo.bar’ ending and now
> it works, for some reason. Very strange, but anyway... How do I go about
> changing from UPN to samAccountName, if I'd want that instead?

Well, we support only UPN, because sam supports only 15 characters in
username.

> /K
>
>>
>> On 03/26/2016 10:07 AM, Karli Sjöberg wrote:
>>> What the heck, my message disappeared! Trying again.
>>>
>>> Ok, so it's mapping now but the only thing working is:
>>> config.mapUser.regex.pattern = user@baz.foo.bar
>>> config.mapUser.regex.replacement = user@foo.bar
>>>
>>> And that isn't very useful. Please advise!
>>>
>>> /K
>>>
>>> On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
>>>>
>>>> On 25 March 2016 12:10 AM, Karli Sjöberg <karli.sjoberg@slu.se> wrote:
>>>> >
>>>> >
>>>> > On 24 March 2016 11:26 PM, Ondra Machacek <omachace@redhat.com> wrote:
>>>> > >
>>>> > > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
>>>> > > >
>>>> > > > On 24 March 2016 7:26 PM, Ondra Machacek <omachace@redhat.com> wrote:
>>>> > > > >
>>>> > > > > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
>>>> > > > > > Hi!
>>>> > > > > >
>>>> > > > > >
>>>> > > > > > Starting new thread instead of jacking someone else's.
>>>> > > > > >
>>>> > > > > >
>>>> > > > > > Managed to migrate from old 'engine-manage-domains' auth to
>>>> > > > > > aaa-ldap using:
>>>> > > > > >
>>>> > > > > > # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
>>>> > > > > >
>>>> > > > > >
>>>> > > > > > All OK, no errors, but cannot log in:
>>>> > > > > >
>>>> > > > > > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new
>>>> > > > > > --user-name=user:
>>>> > > > >
>>>> > > > > If you want to log in with a user with a different UPN suffix,
>>>> > > > > then just append that suffix
>>>> > > > >
>>>> > > > > $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new
>>>> > > > > --user-name=user@foo.bar
>>>> > > >
>>>> > > > OK, some progress, that works!
>>>> > > >
>>>> > > > >
>>>> > > > > If you have more suffixes and want to have some as default you
>>>> > > > > can use the following approach:
>>>> > > > >
>>>> > > > > 1) install ovirt-engine-extension-aaa-misc
>>>> > > > >
>>>> > > > > 2) create new mapping extension like this:
>>>> > > > >
>>>> > > > > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
>>>> > > > >
>>>> > > > > ovirt.engine.extension.name = mapping-suffix
>>>> > > > > ovirt.engine.extension.bindings.method = jbossmodule
>>>> > > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
>>>> > > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
>>>> > > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
>>>> > > > > config.mapUser.type = regex
>>>> > > > > config.mapUser.pattern = ^(?<user>[^@]*)$
>>>> > > >
>>>> > > > Is that supposed to really say '<user>' or should it be changed to a
>>>> > > > real user name? Either way, it doesn't work, I tried it all.
>>>> > >
>>>> > > '?<user>' is just a named group in that regex so you can later use it in
>>>> > > 'config.mapUser.replacement' option. It should take everything until the
>>>> > > first '@'.
>>>> > >
>>>> > > >
>>>> > > > > config.mapUser.replacement = ${user}@foo.bar
>>>> > > > > config.mapUser.mustMatch = false
>>>> > > > >
>>>> > > > > 3) select a mapping plugin in authn configuration:
>>>> > > > >
>>>> > > > > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
>>>> > > > >
>>>> > > > > With the above configuration in use, your user 'user' will be mapped to
>>>> > > > > user 'user@foo.bar' and users 'user@anotherdomain.foo.bar' will remain
>>>> > > > > 'user@anotherdomain.foo.bar'.
>>>> > > >
>>>> > > > This however does not, it doesn't replace the suffix as it's supposed
>>>> > > > to. I tried with many different types of the 'mapUser.pattern' but it
>>>> > > > simply won't change it, even if I type in '= ^user@baz.foo.bar$', the
>>>> > > > error is the same :(
>>>> > >
>>>> > > Hmm, hard to say what's wrong, try to run:
>>>> > > $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
>>>> > > --profile=baz.foo.bar-new --user-name=user
>>>> > >
>>>> > > and search for a mapping part in log.
>>>> >
>>>> > Wow what a mouthful :) Can you make anything out of it?
>>>> >
>>>> >
>>>> > https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
>>>> >
>>>> > /K
>>>>
>>>> Just noticed after logging in to webadmin as "user@foo.bar" (which
>>>> worked btw, so good there) that the "User Name" in the Users main tab looks
>>>> really odd:
>>>> user@foo.bar@baz.foo.bar-new-authz
>>>
>>> Sorry you are right, it doesn't work. I've sent you an incorrect
>>> configuration, the correct one is:
>>>
>>> /etc/ovirt-engine/extensions.d/mapping-suffix.properties
>>>
>>> ...
>>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
>>> config.mapUser.regex.replacement = ${user}@foo.bar
>>> config.mapUser.regex.mustMatch = false
>>> ...
>>>
>>> Notice there was missing 'regex', after 'mapUser'.
>>>
>>>>
>>>> /K
>>>>
>>>> >
>>>> > >
>>>> > > >
>>>> > > > /K
>>>> > > >
>>>> > > > >
>>>> > > > > >
>>>> > > > > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
>>>> > > > > >
>>>> > > > > >
>>>> > > > > > but:
>>>> > > > > >
>>>> > > > > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user@baz.foo.bar'
>>>> > > > > > SEVERE Cannot resolve principal 'user@baz.foo.bar'
>>>> > > > > >
>>>> > > > > >
>>>> > > > > > So it fails.
>>>> > > > > >
>>>> > > > > >
>>>> > > > > > # ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b
>>>> > > > > > DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName |
>>>> > > > > > grep 'userPrincipalName:'
>>>> > > > > >
>>>> > > > > > userPrincipalName: user@foo.bar
>>>> > > > > >
>>>> > > > > >
>>>> > > > > > How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when
>>>> > > > > > userPrincipalName ends only on '@foo.bar'?
>>>> > > > > >
>>>> > > > > > /K
>>>> > > > > >
>>>> > > > > >
>>>> > > > > >
>>>> > > > > >
>>>> > > > > >
>>>> > > > > > _______________________________________________
>>>> > > > > > Users mailing list
>>>> > > > > > Users@ovirt.org
>>>> > > > > > http://lists.ovirt.org/mailman/listinfo/users
>>>> > > > > >
>>>> > > >
>>>>
>
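As an added illustration (not code from this thread or from ovirt-engine-extension-aaa-misc), the following Python script emulates what the regex mapUser settings discussed above do to a login name, and why the first configuration that lacked the "regex." key segment changed nothing. The parser, the Java-to-Python regex translation and the mustMatch handling are assumptions made here; the thread only shows mustMatch = false.

```python
import re
from typing import Dict, Optional

# Constructed sample, not part of oVirt: the corrected mapUser section of
# /etc/ovirt-engine/extensions.d/mapping-suffix.properties from the thread.
MAPPING_PROPERTIES = """
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal 'key = value' parser for the .properties lines shown above."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def _java_to_python(pattern: str, replacement: str):
    # The extension is Java, so the thread's config uses Java regex syntax:
    # (?<name>...) groups and ${name} in the replacement. Python's re spells
    # these (?P<name>...) and \g<name>; lookbehinds (?<= / (?<! are left alone.
    pattern = re.sub(r"\(\?<(?![=!])(\w+)>", r"(?P<\1>", pattern)
    replacement = re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)
    return re.compile(pattern), replacement

def map_user(login_name: str, props: Dict[str, str]) -> Optional[str]:
    """Emulate mapUser: return the rewritten name, the name unchanged when the
    pattern does not match and mustMatch is false, or None (mapping refused)
    when mustMatch is true and the pattern does not match (assumed behaviour)."""
    if props.get("config.mapUser.type") != "regex":
        return login_name
    prefix = "config.mapUser.regex."
    if prefix + "pattern" not in props:
        # The first config in the thread used config.mapUser.pattern (no
        # "regex." segment), so no pattern is read and the name passes through.
        return login_name
    regex, replacement = _java_to_python(props[prefix + "pattern"],
                                         props[prefix + "replacement"])
    must_match = props.get(prefix + "mustMatch", "false").lower() == "true"
    if regex.search(login_name) is None:
        return None if must_match else login_name
    return regex.sub(replacement, login_name)
```

Running map_user("user", ...) with the corrected properties yields "user@foo.bar", while a name that already carries a suffix is left as it is, matching the behaviour Ondra describes.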