--_000_DC6968B979404A68B4986B61460DEDD9sluse_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
On 26 Mar 2016, at 13:49, Karli Sj=F6berg <Karli.Sjoberg@slu.se<mailto:Karl=
i.Sjoberg(a)slu.se>> wrote:
On 26 Mar 2016, at 11:35, Ondra Machacek <omachace@redhat.com<mailto:omacha=
ce(a)redhat.com>> wrote:
For me it's working completelly fine:
...
config.mapUser.type =3D regex
config.mapUser.regex.pattern =3D ^(?<user>[^@]*)$
config.mapUser.regex.replacement =3D ${user}@DOMAINX.com<http://domainx.com=
/
config.mapUser.regex.mustMatch =3D false
...
$ ovirt-engine-extensions-tool aaa login-user --password=3Dpass:password --=
user-name=3Duser@DOMAINY --profile=3Dad
INFO API: -->Mapping.InvokeCommands.MAP_USER profile=3D'ad'
user=3D'user=
@DOMAINY'
INFO API: <--Mapping.InvokeCommands.MAP_USER profile=3D'ad'
user=3D'user=
@DOMAINY'
$ ovirt-engine-extensions-tool aaa login-user --password=3Dpass:password --=
user-name=3Duser --profile=3Dad
INFO API: -->Mapping.InvokeCommands.MAP_USER profile=3D'ad'
user=3D'user=
'
INFO API: <--Mapping.InvokeCommands.MAP_USER profile=3D'ad'
user=3D'user=
@DOMAINX.com<mailto:user=3D'user@DOMAINX.com>'
As you can see it's correctly mapped.
Please check once again the regex is correct, if it still won't work, pleas=
e send log output again.
/etc/ovirt-engine/extensions.d/mapping-suffix.properties:
ovirt.engine.extension.name =3D mapping-suffix
ovirt.engine.extension.bindings.method =3D jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =3D org.ovirt.engine-exte=
nsions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class =3D org.ovirt.engineextens=
ions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides =3D org.ovirt.engine.api.extensions.aaa.Map=
ping
config.mapUser.type =3D regex
config.mapUser.regex.pattern =3D ^(?<user>[^@]*)$
config.mapUser.regex.replacement =3D ${user}(a)foo.bar
config.mapUser.regex.mustMatch =3D false
# ovirt-engine-extensions-tool --log-level=3DFINEST aaa login-user --profil=
e=3Dbaz.foo.bar-new --user-name=3Duser@baz.foo.bar<mailto:user-name=3Duser@=
baz.foo.bar
# grep
Mapping.InvokeCommands.MAP_USER login.log
2016-03-26 13:27:40 INFO API: -->Mapping.InvokeCommands.MAP_USER user=3D=
'user@baz.foo.bar<mailto:user=3D'user@baz.foo.bar>'
2016-03-26 13:27:40 INFO API: <--Mapping.InvokeCommands.MAP_USER user=3D=
'user@baz.foo.bar<mailto:user=3D'user@baz.foo.bar>'
And here is the log:
https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download
/K
Eureka! I changed =91vars.user=92 in =91baz.foo.bar-new.properties=92 from =
one with suffix =91(a)baz.foo.bar=92 to mine that has a =91(a)foo.bar=92 ending=
and now it works, for some reason. Very strange, but anyway... How do I go=
about changing from UPN to samAccountName, if I=B4d want that instead?
/K
On 03/26/2016 10:07 AM, Karli Sj=F6berg wrote:
What the heck, my message disappeares! Trying again.
Ok, so it's mapping now but the only thing working is:
config.mapUser.regex.pattern =3D user@baz.foo.bar<mailto:user@baz.foo.bar
config.mapUser.regex.replacement =3D
user@foo.bar<mailto:user@foo.bar
And that isn't very useful. Please advice!
/K
On 03/25/2016 12:26 AM, Karli Sj=F6berg wrote:
Den 25 mars 2016 12:10 fm skrev Karli Sj=F6berg <karli.sjoberg(a)slu.se<mailt=
o:karli.sjoberg@slu.se>>:
Den 24 mars 2016 11:26 em skrev Ondra Machacek <omachace(a)redhat.com<mail=
to:omachace@redhat.com>>:
> On 03/24/2016 11:14 PM, Karli
Sj=F6berg wrote:
>
> > Den 24 mars 2016 7:26 em skrev Ondra Machacek
<omachace(a)redhat.com<m=
ailto:omachace@redhat.com>>:
> >
> > > On 03/24/2016 06:16
PM, Karli Sj=F6berg wrote:
> > > > Hi!
> > >
> > >
> > > > Starting new thread instead of jacking
someone else=B4s.
> > >
> > >
> > > > Managed to migrate from old
'engine-manage-domains' auth to
> > aaa-ldap using:
> > >
> > > > #|
ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar
--cacert
> > > > /tmp/ca.crt --apply
> > > > |
> > >
> > >
> > > > All OK, no errors, but cannot log in:
> > >
> > > > #
ovirt-engine-extensions-tool aaa login-user
--profile=3Dbaz.foo.bar-new
> > > > --user-name=3Duser:
> >
> > > If you want to
login with user with different upn suffix, then
just
> > > append that suffix
> >
> > > $
ovirt-engine-extensions-tool aaa login-user
--profile=3Dbaz.foo.bar-new
> > >
--user-name=3Duser@foo.bar<mailto:user-name=3Duser@foo.bar
>
> > OK, some progress, that works!
>
> >
>
> > If you have more suffixes and want to have some as default you
can use
> > > following approach:
> >
> > > 1) install
ovirt-engine-extension-aaa-misc
> >
> > > 2) create new
mapping extension like this:
> > > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
> >
> > >
ovirt.engine.extension.name =3D mapping-suffix
> > > ovirt.engine.extension.bindings.method =3D jbossmodule
> > > ovirt.engine.extension.binding.jbossmodule.module =3D
> > > org.ovirt.engine-extensions.aaa.misc
> > > ovirt.engine.extension.binding.jbossmodule.class =3D
> > > org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> > > ovirt.engine.extension.provides =3D
> > > org.ovirt.engine.api.extensions.aaa.Mapping
> > > config.mapUser.type =3D regex
> > > config.mapUser.pattern =3D ^(?<user>[^@]*)$
>
> > Is that supposed to really say
'<user>' or should it be changed to a
> > real user name? Either way, it doesn't work, I tried it all.
> '?<user>' is just a named group in that
regex so you can later use
it in
> 'config.mapUser.replacement' option. It should take
everything until
> first '@'.
>
> > >
config.mapUser.replacement =3D ${user}(a)foo.bar
> > > config.mapUser.mustMatch =3D false
> >
> > > 3) select a mapping
plugin in authn configuration:
> >
> > >
ovirt.engine.aaa.authn.mapping.plugin =3D mapping-suffix
> >
> > > With above
configuration in use, your user 'user' witll be
mapped to
> > > user
'user@foo.bar<mailto:user@foo.bar>'
> > > and users 'user@anotherdomain.foo.bar<mailto:user@anotherdomain.f=
oo.bar>' will remain
> > >
'user@anotherdomain.foo.bar<mailto:user@anotherdomain.foo.bar>'.
>
> > This however does not, it doesn't replace the
suffix as it's suppose=
d
> > to. I tried with many different types of the
'mapUser.pattern' but i=
t
> > simply won't change it, even if I type in '=3D
^user(a)baz.foo.bar<mai=
lto:user@baz.foo.bar>$', the
> > error is the same:(
> Hmm, hard to say what's wrong, try to run:
> $ ovirt-engine-extensions-tool --log-level=3DFINEST aaa login-user
> --profile=3Dbaz.foo.bar-new --user-name=3Duser
> and search for a mapping part in log.
Wow what a mouthfull:) Can you make anything out of it?
https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
/K
Just noticed after logging in to webadmin as "user@foo.bar<mailto:user@foo.=
bar>" (which
worked btw, so good there) that the "User Name" in Users main tab looks
really odd:
user@foo.bar<mailto:user@foo.bar>@baz.foo.bar-new-authz
Sorry you are right, it don't work. I've sent you incorrect
cofiguration, the correct one is:
/etc/ovirt-engine/extensions.d/mapping-suffix.properties
...
config.mapUser.regex.pattern =3D ^(?<user>[^@]*)$
config.mapUser.regex.replacement =3D ${user}(a)foo.bar
config.mapUser.regex.mustMatch =3D false
...
Notice there was missing 'regex', after 'mapUser'.
/K
>
> > /K
>
> >
>
> >
> > > > API:
<--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
result=3DSUCCESS
> > >
>
> >
> > > > but:
> > >
> > > > API:
-->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD
> > > >
principal=3D'user@baz.foo.bar<mailto:principal=3D'user@baz.foo.=
bar>'
> > > > SEVERE Cannot resolve principal
'user@baz.foo.bar<mailto:user@=
baz.foo.bar>'
> > >
>
> >
> > > > So it fails.
> > >
> > >
> > > > # ldapsearch -x -H ldap://baz.foo.bar -D
user@foo.bar<mailto:us=
er(a)foo.bar> -W -b
> > > > DC=3Dbaz,DC=3Dfoo,DC=3Dbar -s sub
"(samAccountName=3Duser)"
userPrincipalName |
> > > > grep 'userPrincipalName:'
> > >
> > > >
userPrincipalName: user@foo.bar<mailto:user@foo.bar
>
> >
> > >
> > > > |How do you configure AAA with base
'DC=3Dbaz,DC=3Dfoo,DC=3Dbar=
' when
> > > > userPrincipalName ends only on
'(a)foo.bar'?
> > >
> > > > /K
> > > > |
> > >
> > >
> > >
>
> >
> > > >
_______________________________________________
> > > > Users mailing list
> > > > Users@ovirt.org<mailto:Users@ovirt.org
> > > >
http://lists.ovirt.org/mailman/listinfo/users
> > >
> >
--_000_DC6968B979404A68B4986B61460DEDD9sluse_
Content-Type: text/html; charset="Windows-1252"
Content-ID: <7C99868A39F0CD4E83EED89EDD689798(a)ad.slu.se
Content-Transfer-Encoding: quoted-printable
<html
<head
<meta http-equiv=3D"Content-Type"
content=3D"text/html; charset=3DWindows-1=
252"
</head
<body style=3D"word-wrap: break-word;
-webkit-nbsp-mode: space; -webkit-lin=
e-break: after-white-space;" class=3D""
<br
class=3D""
<div
<blockquote type=3D"cite" class=3D""
<div class=3D"">On 26 Mar 2016, at 13:49, Karli
Sj=F6berg <<a href=3D"ma=
ilto:Karli.Sjoberg@slu.se"
class=3D"">Karli.Sjoberg(a)slu.se</a>&gt; wrote:</=
div
<br class=3D"Apple-interchange-newline"
<div class=3D""
<div
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line=
-break: after-white-space;" class=3D""
<br
class=3D""
<div class=3D""
<blockquote type=3D"cite" class=3D""
<div class=3D"">On 26 Mar 2016, at 11:35, Ondra
Machacek <<a href=3D"mai=
lto:omachace@redhat.com"
class=3D"">omachace(a)redhat.com</a>&gt; wrote:</div=
<br class=3D"Apple-interchange-newline"
<div class=3D"">For me it's working
completelly fine:<br class=3D""
<br
class=3D""
...<br class=3D""
config.mapUser.type =3D regex<br class=3D""
config.mapUser.regex.pattern =3D
^(?<user>[^@]*)$<br class=3D""
config.mapUser.regex.replacement =3D ${user}@<a
href=3D"http://domainx.com/=
" class=3D"">DOMAINX.com</a><br class=3D""
config.mapUser.regex.mustMatch =3D false<br
class=3D""
...<br class=3D""
<br class=3D""
$
ovirt-engine-extensions-tool aaa login-user --password=3Dpass:password --=
user-name=3Duser@DOMAINY --profile=3Dad<br class=3D""
<br class=3D""
INFO
API: -->Mapping.InvokeCommands.MAP_USER profile=
=3D'ad' user=3D'user@DOMAINY'<br class=3D""
INFO API:
<--Mapping.InvokeCommands.MAP_USER profile=
=3D'ad' user=3D'user@DOMAINY'<br class=3D""
<br class=3D""
$
ovirt-engine-extensions-tool aaa login-user --password=3Dpass:password --=
user-name=3Duser --profile=3Dad<br class=3D""
<br
class=3D""
INFO
API: -->Mapping.InvokeCommands.MAP_USER profile=
=3D'ad' user=3D'user'<br class=3D""
INFO API:
<--Mapping.InvokeCommands.MAP_USER profile=
=3D'ad' <a href=3D"mailto:user=3D'user@DOMAINX.com"
class=3D""
user=3D'user(a)DOMAINX.com</a>'<br class=3D""
<br class=3D""
As you
can see it's correctly mapped.<br class=3D""
<br
class=3D""
Please check once again the regex is
correct, if it still won't work, pleas=
e send log output again.<br class=3D""
</div
</blockquote
<div class=3D""><br class=3D""
</div
<span
class=3D""
<div
class=3D"">/etc/ovirt-engine/extensions.d/mapping-suffix.properties:</=
div
</span><span
class=3D"">ovirt.engine.extension.name =3D mapping-suffix<br c=
lass=3D""
ovirt.engine.extension.bindings.method =3D jbossmodule<br
class=3D""
ovirt.engine.extension.binding.jbossmodule.module =3D org.ovirt.engine-exte=
nsions.aaa.misc<br class=3D""
ovirt.engine.extension.binding.jbossmodule.class =3D org.ovirt.enginee=
xtensions.aaa.misc.mapping.MappingExtension<br class=3D""
ovirt.engine.extension.provides =3D
org.ovirt.engine.api.extensions.aaa.Map=
ping<br class=3D""
config.mapUser.type =3D regex<br
class=3D""
config.mapUser.regex.pattern =3D
^(?<user>[^@]*)$<br class=3D""
config.mapUser.regex.replacement =3D ${user}(a)foo.bar<br class=3D""
config.mapUser.regex.mustMatch =3D
false</span></div
<div
class=3D""><span class=3D""><br class=3D""
</span></div
<span
class=3D""># ovirt-engine-extensions-tool --log-level=3DFINEST aaa lo=
gin-user --profile=3Dbaz.foo.bar-new --<a href=3D"mailto:user-name=3Duser@b=
az.foo.bar" class=3D"">user-name=3Duser(a)baz.foo.bar</a><br
class=3D""
# grep
Mapping.InvokeCommands.MAP_USER login.log <br class=3D""
2016-03-26 13:27:40 INFO API:
-->Mapping.InvokeCommand=
s.MAP_USER <a href=3D"mailto:user=3D'user@baz.foo.bar"
class=3D"">user=
=3D'user(a)baz.foo.bar</a>'<br class=3D""
2016-03-26 13:27:40 INFO API:
<--Mapping.InvokeCommands.MAP=
_USER <a href=3D"mailto:user=3D'user@baz.foo.bar"
class=3D"">user=3D'u=
ser(a)baz.foo.bar</a>'<br class=3D""
</span><span class=3D""><br class=3D""
</span
<div
class=3D""><span class=3D"">And here is the
log:</span></div
<div
class=3D""><span class=3D""><a
href=3D"https://dropoff.slu.se/index.ph=
p/s/SK9T8vOUO7yB3PM/download"
class=3D"">https://dropoff.slu.se/index.php/s=
/SK9T8vOUO7yB3PM/download</a></span></div
<div
class=3D""><span class=3D""><br class=3D""
</span></div
<div
class=3D""><span class=3D"">/K</span></div
</div
</div
</blockquote
<div><br class=3D""
</div
Eureka! I
changed =91vars.user=92 in =91baz.foo.bar-new.properties=92 from =
one with suffix =91(a)baz.foo.bar=92 to mine that has a =91(a)foo.bar=92 ending=
and now it works, for some reason. Very strange, but anyway... How do I go=
about changing from UPN to samAccountName, if I=B4d
want that instead?</div
<div><br
class=3D""
</div
<div>/K</div
<div><br class=3D""
<blockquote type=3D"cite" class=3D""
<div class=3D""
<div
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line=
-break: after-white-space;" class=3D""
<div
class=3D""><span class=3D""><br class=3D""
</span
<blockquote type=3D"cite" class=3D""
<div class=3D""><br class=3D""
On 03/26/2016 10:07 AM, Karli Sj=F6berg wrote:<br
class=3D""
<blockquote
type=3D"cite" class=3D"">What the heck, my message disappeares!=
Trying again.<br class=3D""
<br
class=3D""
Ok, so it's mapping now but the
only thing working is:<br class=3D""
config.mapUser.regex.pattern =3D <a href=3D"mailto:user@baz.foo.bar"
class=
=3D"">user(a)baz.foo.bar</a><br class=3D""
config.mapUser.regex.replacement =3D <a
href=3D"mailto:user@foo.bar" class=
=3D"">user(a)foo.bar</a><br class=3D""
<br class=3D""
And that
isn't very useful. Please advice!<br class=3D""
<br class=3D""
/K<br
class=3D""
<br class=3D""
On 03/25/2016 12:26 AM, Karli Sj=F6berg wrote:<br
class=3D""
<blockquote
type=3D"cite" class=3D""><br class=3D""
Den 25 mars 2016 12:10 fm skrev Karli Sj=F6berg <<a
href=3D"mailto:karli=
.sjoberg(a)slu.se"
class=3D"">karli.sjoberg@slu.se</a>>:<br
class=3D""
><br
class=3D""
><br
class=3D""
> Den 24 mars 2016
11:26 em skrev Ondra Machacek <<a href=3D"ma=
ilto:omachace@redhat.com"
class=3D"">omachace@redhat.com</a>>:<br class=
=3D""
> ><br
class=3D""
> > On
03/24/2016 11:14 PM, Karli Sj=F6berg wrote:<br class=3D"=
"
> > ><br
class=3D""
> > >
Den 24 mars 2016 7:26 em skrev Ondra Machacek <<a h=
ref=3D"mailto:omachace@redhat.com"
class=3D"">omachace@redhat.com</a>>:<=
br class=3D""
> > >
><br class=3D""
> > > > On 03/24/2016 06:16 PM,
Karli Sj=F6berg wro=
te:<br class=3D""
> > >
> > Hi!<br class=3D""
> > > > ><br
class=3D""
> > >
> ><br class=3D""
> > > > > Starting new thread
instead of jacking=
someone else=B4s.<br class=3D""
> > > > ><br
class=3D""
> > >
> ><br class=3D""
> > > > > Managed to migrate
from old 'engine-ma=
nage-domains' auth to<br class=3D""
> > > aaa-ldap using:<br class=3D""
> > > >
><br class=3D""
> > > > > #|
ovirt-engine-kerbldap-migration-too=
l --domain baz.foo.bar<br class=3D""
--cacert<br class=3D""
> > > > > /tmp/ca.crt
--apply<br class=3D""
> > >
> > |<br class=3D""
> > > > ><br
class=3D""
> > >
> ><br class=3D""
> > > > > All OK, no errors,
but cannot log in:<=
br class=3D""
> > >
> ><br class=3D""
> > > > > #
ovirt-engine-extensions-tool aaa log=
in-user<br class=3D""
--profile=3Dbaz.foo.bar-new<br
class=3D""
> > >
> > --user-name=3Duser:<br class=3D""
> > > ><br
class=3D""
> > >
> If you want to login with user with differe=
nt upn suffix, then<br class=3D""
just<br class=3D""
> > > > append that suffix<br
class=3D""
> > >
><br class=3D""
> > > > $
ovirt-engine-extensions-tool aaa login-us=
er<br class=3D""
--profile=3Dbaz.foo.bar-new<br
class=3D""
> > >
> --<a href=3D"mailto:user-name=3Duser@foo.ba=
r" class=3D"">user-name=3Duser(a)foo.bar</a><br
class=3D""
> >
><br class=3D""
> > > OK, some progress, that works!<br
class=3D""
> >
><br class=3D""
> > > ><br
class=3D""
> > >
> If you have more suffixes and want to have =
some as default you<br class=3D""
can
use<br class=3D""
> > >
> following approach:<br class=3D""
> > > ><br
class=3D""
> > >
> 1) install ovirt-engine-extension-aaa-misc<=
br class=3D""
> > >
><br class=3D""
> > > > 2) create new mapping
extension like this:<=
br class=3D""
> > >
> /etc/ovirt-engine/extensions.d/mapping-suff=
ix.properties<br class=3D""
> > > ><br
class=3D""
> > >
> ovirt.engine.extension.name =3D mapping-suf=
fix<br class=3D""
> > >
> ovirt.engine.extension.bindings.method =3D =
jbossmodule<br class=3D""
> > > >
ovirt.engine.extension.binding.jbossmodule.=
module =3D<br class=3D""
> > > >
org.ovirt.engine-extensions.aaa.misc<br cla=
ss=3D""
> > >
> ovirt.engine.extension.binding.jbossmodule.=
class =3D<br class=3D""
> > > >
org.ovirt.engineextensions.aaa.misc.mapping=
.MappingExtension<br class=3D""
> > > >
ovirt.engine.extension.provides =3D<br clas=
s=3D""
> > >
> org.ovirt.engine.api.extensions.aaa.Mapping=
<br class=3D""
> > >
> config.mapUser.type =3D regex<br class=3D""=
> > > >
config.mapUser.pattern =3D ^(?<user>[=
^@]*)$<br class=3D""
> >
><br class=3D""
> > > Is that supposed to really say
'<user>' or shoul=
d it be changed to a<br class=3D""
> > > real user name? Either way, it doesn't
work, I tried i=
t all.<br class=3D""
> ><br
class=3D""
> >
'?<user>' is just a named group in that regex so you =
can later use<br class=3D""
it
in<br class=3D""
> >
'config.mapUser.replacement' option. It should take e=
verything until<br class=3D""
> > first '(a)'.<br class=3D""
> ><br class=3D""
> > ><br
class=3D""
> > >
> config.mapUser.replacement =3D ${user}(a)foo.=
bar<br class=3D""
> > >
> config.mapUser.mustMatch =3D false<br class=
=3D""
> > >
><br class=3D""
> > > > 3) select a mapping plugin
in authn configu=
ration:<br class=3D""
> > >
><br class=3D""
> > > >
ovirt.engine.aaa.authn.mapping.plugin =3D m=
apping-suffix<br class=3D""
> > > ><br
class=3D""
> > >
> With above configuration in use, your user =
'user' witll be<br class=3D""
mapped
to<br class=3D""
> > >
> user '<a href=3D"mailto:user@foo.bar" class=
=3D"">user(a)foo.bar</a>'<br class=3D""
> > > > and
users '<a href=3D"mailto:user@anotherdo=
main.foo.bar" class=3D"">user(a)anotherdomain.foo.bar</a>' will
remain<br cla=
ss=3D""
> > >
> '<a href=3D"mailto:user@anotherdomain.foo.b=
ar" class=3D"">user(a)anotherdomain.foo.bar</a>'.<br
class=3D""
> >
><br class=3D""
> > > This however does not, it doesn't replace
the suffix a=
s it's supposed<br class=3D""
> > > to. I tried with many different types of the
'mapUser.=
pattern' but it<br class=3D""
> > > simply won't change it, even if I type in
'=3D ^<a hre=
f=3D"mailto:user@baz.foo.bar"
class=3D"">user(a)baz.foo.bar</a>$', the<br cla=
ss=3D""
> > >
error is the same:(<br class=3D""
> ><br class=3D""
> > Hmm, hard to say what's wrong, try to run:<br
class=3D""
> > $
ovirt-engine-extensions-tool --log-level=3DFINEST aaa log=
in-user<br class=3D""
> >
--profile=3Dbaz.foo.bar-new --user-name=3Duser<br class=3D"=
"
> ><br class=3D""
> > and search for a mapping part in
log.<br class=3D""
><br
class=3D""
> Wow what a
mouthfull:) Can you make anything out of it?<br class=
=3D""
><br
class=3D""
> <a
href=3D"https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/do=
wnload" class=3D""
https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download</a><br
class=3D=
""
><br
class=3D""
> /K<br
class=3D""
<br class=3D""
Just noticed after logging in to webadmin as "<a
href=3D"mailto:user@f=
oo.bar" class=3D"">user(a)foo.bar</a>&quot; (which<br
class=3D""
worked btw, so good there) that the
"User Name" in Users main tab=
looks<br class=3D""
really odd:<br
class=3D""
<a
href=3D"mailto:user@foo.bar"
class=3D"">user@foo.bar</a>(a)baz.foo.bar-new=
-authz<br class=3D""
</blockquote
<br class=3D""
Sorry you
are right, it don't work. I've sent you incorrect<br class=3D""
cofiguration, the correct one is:<br
class=3D""
<br class=3D""
/etc/ovirt-engine/extensions.d/mapping-suffix.properties<br
class=3D""
<br class=3D""
...<br class=3D""
config.mapUser.regex.pattern =3D ^(?<user>[^@]*)$<br
class=3D""
config.mapUser.regex.replacement =3D
${user}(a)foo.bar<br class=3D""
config.mapUser.regex.mustMatch =3D false<br class=3D""
...<br class=3D""
<br
class=3D""
Notice there was missing
'regex', after 'mapUser'.<br class=3D""
<br class=3D""
<blockquote type=3D"cite" class=3D""><br
class=3D""
/K<br class=3D""
<br class=3D""
><br class=3D""
> ><br class=3D""
> > ><br class=3D""
> > > /K<br
class=3D""
> >
><br class=3D""
> > > ><br
class=3D""
> > >
> ><br class=3D""
> > > > > API:
<--Authn.InvokeCommands.AUTHEN=
TICATE_CREDENTIALS<br class=3D""
result=3DSUCCESS<br class=3D""
> > > > ><br
class=3D""
> > >
> ><br class=3D""
> > > > > but:<br
class=3D""
> > >
> ><br class=3D""
> > > > > API:
-->Authz.InvokeCommands.FETCH_=
PRINCIPAL_RECORD<br class=3D""
> > > > > <a
href=3D"mailto:principal=3D'user@ba=
z.foo.bar"
class=3D"">principal=3D'user(a)baz.foo.bar</a>'<br
class=3D""
> > >
> > SEVERE Cannot resolve principal =
'<a href=3D"mailto:user@baz.foo.bar"
class=3D"">user(a)baz.foo.bar</a>'<br cl=
ass=3D""
> > >
> ><br class=3D""
> > > > ><br
class=3D""
> > >
> > So it fails.<br class=3D""
> > > >
><br class=3D""
> > > > ><br
class=3D""
> > >
> > # ldapsearch -x -H <a href=3D"ldap://b=
az.foo.bar" class=3D"">ldap://baz.foo.bar</a> -D
<a href=3D"mailto:user@foo.bar"
class=3D"">user(a)foo.bar</a> -W -b<br class=
=3D""
> > >
> > DC=3Dbaz,DC=3Dfoo,DC=3Dbar -s sub &quo=
t;(samAccountName=3Duser)"<br class=3D""
userPrincipalName |<br class=3D""
> > > >
> grep 'userPrincipalName:'<br class=3D"=
"
> > > >
><br class=3D""
> > > > > userPrincipalName:
<a href=3D"mailto:u=
ser(a)foo.bar" class=3D"">user(a)foo.bar</a><br
class=3D""
> > >
> ><br class=3D""
> > > > ><br
class=3D""
> > >
> > |How do you configure AAA with base 'D=
C=3Dbaz,DC=3Dfoo,DC=3Dbar' when<br class=3D""
> > > >
> userPrincipalName ends only on '(a)foo.b=
ar'?<br class=3D""
> > > > ><br
class=3D""
> > >
> > /K<br class=3D""
> > > > > |<br
class=3D""
> > >
> ><br class=3D""
> > > > ><br
class=3D""
> > >
> ><br class=3D""
> > > > ><br
class=3D""
> > >
> > ______________________________________=
_________<br class=3D""
> > > > > Users mailing
list<br class=3D""
> > >
> > <a href=3D"mailto:Users@ovirt.org" cla=
ss=3D"">Users(a)ovirt.org</a><br class=3D""
> > > >
> <a
href=3D"http://lists.ovirt.org/mail=
man/listinfo/users"
class=3D"">http://lists.ovirt.org/mailman/listinfo/user=
s</a><br class=3D""
> > > > ><br
class=3D""
> >
><br class=3D""
<br
class=3D""
</blockquote
</blockquote
</div
</blockquote
</div
<br
class=3D""
</div
</div
</blockquote
</div
<br class=3D""
</body
</html
--_000_DC6968B979404A68B4986B61460DEDD9sluse_--