
On 09/21/2016 12:03 PM, Maxence Sartiaux wrote:
Hello,
I am trying to connect ovirt 4.0.3 to my Samba 4.5 Active Directory to permit the login of AD users to ovirt.
For now I installed ovirt-engine-extension-aaa-ldap-setup.noarch and ovirt-engine-extension-aaa-misc.noarch
# ovirt-engine-extension-aaa-ldap-setup - selected "Active Directory" - Anonymous search user
I can run a search, but when I try to login with the username alone "testuser" -> error "CREDENTIALS_INCORRECT"; if I login with the user+domain "testuser@abc.lan" my auth succeeds but -> "Cannot resolve principal 'testuser@abc.lan'"
# ovirt-engine-extensions-tool aaa login-user --profile=abc.lan --user-name=testuser
...
2016-09-21 09:53:29 INFO API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='abc.lan' result=CREDENTIALS_INCORRECT
2016-09-21 09:53:29 SEVERE Authn.Result code is: CREDENTIALS_INCORRECT
# ovirt-engine-extensions-tool aaa login-user --profile=abc.lan --user-name=testuser@abc.lan
...
2016-09-21 09:52:02 INFO API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='testuser@abc.lan'
2016-09-21 09:52:02 SEVERE Cannot resolve principal 'testuser@abc.lan'
After some searching I configured the mapping plugin to automatically add @abc.lan to the user, so that I don't need to add the @abc.lan to connect, but still the same error, cannot resolve principal ...
# cat /etc/ovirt-engine/extensions.d/mapping-suffix.properties
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@abc.lan
config.mapUser.regex.mustMatch = false
# cat /etc/ovirt-engine/extensions.d/mapping-suffix.properties
... ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
Any ideas ?
What's the user principal name of the user 'testuser'? You can check it out as follows:

$ ldapsearch -x -b 'DC=abc,DC=lan' -H 'ldap://abc.lan' 'sAMAccountName=testuser' userPrincipalName

Is it indeed 'testuser@abc.lan' or different? If different, then you need to use that UPN.

Anyway, a debug log of the test tool login command would be helpful:

$ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --profile=abc.lan --user-name=testuser
Thank you.
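To make it easier to see what the mapping-suffix.properties quoted above actually does to a login name before it reaches the authn/authz extensions, here is an added stand-alone emulation (not oVirt's own code). It assumes the mapping extension applies java.util.regex semantics and that a non-matching name is passed through unchanged when config.mapUser.regex.mustMatch is false; the properties text is a constructed copy of the one in the thread.

```python
import re

# Constructed copy of the mapping-suffix.properties quoted in the thread.
MAPPING_PROPERTIES = """
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@abc.lan
config.mapUser.regex.mustMatch = false
"""


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def java_regex_to_python(pattern, replacement):
    """Translate Java named groups (?<name>...) and ${name} back-references
    into Python's (?P<name>...) and \\g<name> (assumption: the extension
    uses java.util.regex semantics for pattern and replacement)."""
    py_pattern = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)
    py_repl = re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)
    return py_pattern, py_repl


def map_user(props, user):
    """Emulate config.mapUser.type = regex: rewrite the login name when the
    pattern matches; otherwise pass it through unchanged if mustMatch is
    false, or return None (mapping failure) if mustMatch is true."""
    pattern, repl = java_regex_to_python(
        props["config.mapUser.regex.pattern"],
        props["config.mapUser.regex.replacement"])
    must_match = props.get("config.mapUser.regex.mustMatch", "false").lower() == "true"
    if re.search(pattern, user):
        return re.sub(pattern, repl, user)
    return None if must_match else user
```

With the thread's settings, "testuser" becomes "testuser@abc.lan" and a name that already carries a suffix is left alone, which is why the mapping cannot help when the directory's real userPrincipalName is something other than testuser@abc.lan.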
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users