On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
> Hi!
> Starting new thread instead of jacking someone else's.
> Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:
> # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
> All OK, no errors, but cannot log in:
> # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:
If you want to log in with a user with a different UPN suffix, then just
append that suffix:
$ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user@foo.bar

If you have more suffixes and want to have some as default you can use
the following approach:
1) install ovirt-engine-extension-aaa-misc
2) create a new mapping extension like this:

/etc/ovirt-engine/extensions.d/mapping-suffix.properties
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false

3) select the mapping plugin in the authn configuration:
ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix

With the above configuration in use, your user 'user' will be mapped to
user 'user@foo.bar', and users 'user@anotherdomain.foo.bar' will remain
'user@anotherdomain.foo.bar'.
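As an added illustration (not part of this reply and not the aaa-misc extension's own code), the Python below emulates the regex mapUser rule from the mapping-suffix.properties above: it reads the properties text, rewrites the Java named-group and ${user} syntax into Python's regex dialect, and applies the rule to the two user names discussed. The mustMatch handling is an assumption on my part: with mustMatch = false an unmatched name is passed through unchanged, with mustMatch = true it is rejected.

```python
import re

# Constructed copy of the mapping-suffix.properties from the reply above
# (the archive's "(a)" is written as "@" here).
MAPPING_PROPERTIES = """\
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false
"""


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments, blanks."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def java_pattern_to_python(pattern):
    """Rewrite Java named groups (?<name>...) as Python's (?P<name>...).
    Lookbehind assertions (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])(\w+)>", r"(?P<\1>", pattern)


def java_replacement_to_python(replacement):
    """Rewrite Java ${name} group references as Python's \\g<name>."""
    return re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)


class RegexUserMapper:
    """Emulation (an assumption, not the extension's own code) of
    config.mapUser.type = regex from ovirt-engine-extension-aaa-misc."""

    def __init__(self, props):
        if props.get("config.mapUser.type") != "regex":
            raise ValueError("only config.mapUser.type = regex is emulated here")
        self.pattern = re.compile(java_pattern_to_python(props["config.mapUser.pattern"]))
        self.replacement = java_replacement_to_python(props["config.mapUser.replacement"])
        self.must_match = props.get("config.mapUser.mustMatch", "false").lower() == "true"

    def map_user(self, name):
        # The page's pattern is anchored with ^...$, so search() and a full match agree.
        m = self.pattern.search(name)
        if m is None:
            if self.must_match:
                raise ValueError("user name %r does not match mapUser.pattern" % name)
            return name  # assumption: mustMatch = false passes the name through unchanged
        return m.expand(self.replacement)


if __name__ == "__main__":
    mapper = RegexUserMapper(parse_properties(MAPPING_PROPERTIES))
    for name in ("user", "user@anotherdomain.foo.bar"):
        print("%-30s -> %s" % (name, mapper.map_user(name)))
```

Running it prints 'user' mapped to 'user@foo.bar' and 'user@anotherdomain.foo.bar' left as it is, matching the behaviour described above; the real extension's treatment of mustMatch should be checked against the aaa-misc documentation before relying on it.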
> API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
> but:
> API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user@baz.foo.bar'
> SEVERE Cannot resolve principal 'user@baz.foo.bar'
> So it fails.
> # ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
> userPrincipalName: user@foo.bar
> How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when
> userPrincipalName ends only on '@foo.bar'?
> /K
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users