
On 26 Mar 2016, at 13:49, Karli Sjöberg <Karli.Sjoberg@slu.se> wrote:

> On 26 Mar 2016, at 11:35, Ondra Machacek <omachace@redhat.com> wrote:
>
> > For me it's working completely fine:
> >
> > ...
> > config.mapUser.type = regex
> > config.mapUser.regex.pattern = ^(?<user>[^@]*)$
> > config.mapUser.regex.replacement = ${user}@DOMAINX.com
> > config.mapUser.regex.mustMatch = false
> > ...
> >
> > $ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user@DOMAINY --profile=ad
> >
> > INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
> > INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
> >
> > $ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user --profile=ad
> >
> > INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
> > INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINX.com'
> >
> > As you can see it's correctly mapped.
> >
> > Please check once again that the regex is correct; if it still won't work, please send the log output again.
>
> /etc/ovirt-engine/extensions.d/mapping-suffix.properties:
> ovirt.engine.extension.name = mapping-suffix
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
> config.mapUser.type = regex
> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
> config.mapUser.regex.replacement = ${user}@foo.bar
> config.mapUser.regex.mustMatch = false
>
> # ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user@baz.foo.bar
> # grep Mapping.InvokeCommands.MAP_USER login.log
> 2016-03-26 13:27:40 INFO API: -->Mapping.InvokeCommands.MAP_USER user='user@baz.foo.bar'
> 2016-03-26 13:27:40 INFO API: <--Mapping.InvokeCommands.MAP_USER user='user@baz.foo.bar'
>
> And here is the log:
> https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download
>
> /K

Eureka! I changed 'vars.user' in 'baz.foo.bar-new.properties' from one with suffix '@baz.foo.bar' to mine that has a '@foo.bar' ending and now it works, for some reason. Very strange, but anyway... How do I go about changing from UPN to samAccountName, if I'd want that instead?

/K

> > On 03/26/2016 10:07 AM, Karli Sjöberg wrote:
> > > What the heck, my message disappears! Trying again.
> > >
> > > Ok, so it's mapping now but the only thing working is:
> > > config.mapUser.regex.pattern = user@baz.foo.bar
> > > config.mapUser.regex.replacement = user@foo.bar
> > >
> > > And that isn't very useful. Please advise!
> > >
> > > /K
> > >
> > > On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
> > > > On 25 Mar 2016 12:10 AM, Karli Sjöberg <karli.sjoberg@slu.se> wrote:
> > > > > On 24 Mar 2016 11:26 PM, Ondra Machacek <omachace@redhat.com> wrote:
> > > > > > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
> > > > > > > On 24 Mar 2016 7:26 PM, Ondra Machacek <omachace@redhat.com> wrote:
> > > > > > > > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
> > > > > > > > > Hi!
> > > > > > > > >
> > > > > > > > > Starting new thread instead of jacking someone else's.
> > > > > > > > >
> > > > > > > > > Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:
> > > > > > > > >
> > > > > > > > > # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
> > > > > > > > >
> > > > > > > > > All OK, no errors, but cannot log in:
> > > > > > > > >
> > > > > > > > > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:
> > > > > > > >
> > > > > > > > If you want to log in with a user with a different UPN suffix, then just append that suffix:
> > > > > > > >
> > > > > > > > $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user@foo.bar
> > > > > > >
> > > > > > > OK, some progress, that works!
> > > > > > >
> > > > > > > > If you have more suffixes and want to have one as the default, you can use the following approach:
> > > > > > > >
> > > > > > > > 1) install ovirt-engine-extension-aaa-misc
> > > > > > > >
> > > > > > > > 2) create a new mapping extension like this:
> > > > > > > > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
> > > > > > > >
> > > > > > > > ovirt.engine.extension.name = mapping-suffix
> > > > > > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > > > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> > > > > > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> > > > > > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
> > > > > > > > config.mapUser.type = regex
> > > > > > > > config.mapUser.pattern = ^(?<user>[^@]*)$
> > > > > > >
> > > > > > > Is that supposed to really say '<user>' or should it be changed to a real user name? Either way, it doesn't work, I tried it all.
> > > > > >
> > > > > > '?<user>' is just a named group in that regex so you can later use it in the 'config.mapUser.replacement' option. It should take everything until the first '@'.
> > > > > >
> > > > > > > > config.mapUser.replacement = ${user}@foo.bar
> > > > > > > > config.mapUser.mustMatch = false
> > > > > > > >
> > > > > > > > 3) select the mapping plugin in the authn configuration:
> > > > > > > >
> > > > > > > > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
> > > > > > > >
> > > > > > > > With the above configuration in use, your user 'user' will be mapped to user 'user@foo.bar' and users 'user@anotherdomain.foo.bar' will remain 'user@anotherdomain.foo.bar'.
> > > > > > >
> > > > > > > This, however, does not; it doesn't replace the suffix as it's supposed to. I tried with many different types of the 'mapUser.pattern' but it simply won't change it, even if I type in '= ^user@baz.foo.bar$', the error is the same :(
> > > > > >
> > > > > > Hmm, hard to say what's wrong, try to run:
> > > > > > $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user
> > > > > >
> > > > > > and search for the mapping part in the log.
> > > > >
> > > > > Wow, what a mouthful :) Can you make anything out of it?
> > > > >
> > > > > https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
> > > > >
> > > > > /K
> > > >
> > > > Just noticed after logging in to webadmin as "user@foo.bar" (which worked btw, so good there) that the "User Name" in the Users main tab looks really odd:
> > > > user@foo.bar@baz.foo.bar-new-authz
> > >
> > > Sorry, you are right, it doesn't work. I've sent you an incorrect configuration; the correct one is:
> > >
> > > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
> > >
> > > ...
> > > config.mapUser.regex.pattern = ^(?<user>[^@]*)$
> > > config.mapUser.regex.replacement = ${user}@foo.bar
> > > config.mapUser.regex.mustMatch = false
> > > ...
> > >
> > > Notice there was a missing 'regex' after 'mapUser'.
> > >
> > > > /K
> > > >
> > > > > > > /K
> > > > > > >
> > > > > > > > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
> > > > > > > > >
> > > > > > > > > but:
> > > > > > > > >
> > > > > > > > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user@baz.foo.bar'
> > > > > > > > > SEVERE Cannot resolve principal 'user@baz.foo.bar'
> > > > > > > > >
> > > > > > > > > So it fails.
> > > > > > > > >
> > > > > > > > > # ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
> > > > > > > > >
> > > > > > > > > userPrincipalName: user@foo.bar
> > > > > > > > >
> > > > > > > > > How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when userPrincipalName ends only on '@foo.bar'?
> > > > > > > > >
> > > > > > > > > /K
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
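The regex mapping the thread converges on (pattern ^(?<user>[^@]*)$, replacement ${user}@foo.bar, mustMatch = false) can be checked outside the engine before touching /etc/ovirt-engine/extensions.d. The Python script below is an added example, not code from the oVirt project or from anyone in the thread: it parses constructed properties fragments, translates the Java-style named group and ${user} reference into Python's (?P<user>...) and \g<user> forms, and applies the mapping to constructed login names. It also shows why the first configuration posted (keys without 'regex') maps nothing, and why a literal pattern such as user@baz.foo.bar only ever fixes one account. The reading of mustMatch (reject a non-matching name instead of passing it through) is my assumption from the option name; the engine's real behaviour is still best confirmed with the FINEST-level ovirt-engine-extensions-tool run and the MAP_USER log lines shown above.

```python
import re

# Constructed properties fragments for this example (not files from the thread's host).
# CORRECT_PROPERTIES mirrors the corrected mapping-suffix.properties; BROKEN_PROPERTIES
# is the first version posted, where 'regex' is missing from the key names.
CORRECT_PROPERTIES = """
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
"""

BROKEN_PROPERTIES = """
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false
"""

# The "only thing working" variant from the thread: a literal pattern, one account.
LITERAL_PROPERTIES = """
config.mapUser.type = regex
config.mapUser.regex.pattern = user@baz.foo.bar
config.mapUser.regex.replacement = user@foo.bar
config.mapUser.regex.mustMatch = false
"""


class MappingError(Exception):
    """Raised when mustMatch is true and the login name does not match the pattern."""


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#' comments, first '=' splits."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def java_to_python_regex(pattern):
    """Java names groups as (?<name>...); Python needs (?P<name>...).

    The negative lookahead leaves (?<= and (?<! lookbehinds untouched."""
    return re.sub(r"\(\?<(?![=!])(\w+)>", r"(?P<\1>", pattern)


def java_to_python_replacement(replacement):
    """The extension's replacement refers to groups as ${name}; Python uses \\g<name>."""
    return re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)


def map_user(props, user):
    """Apply config.mapUser.regex.* to a login name, as the thread describes it.

    A name that does not match is passed through unchanged unless mustMatch is
    true, in which case it is rejected (my reading of the option, an assumption).
    """
    if props.get("config.mapUser.type") != "regex":
        return user
    pattern = props.get("config.mapUser.regex.pattern")
    replacement = props.get("config.mapUser.regex.replacement")
    if pattern is None or replacement is None:
        # config.mapUser.pattern (without 'regex') is not a key this mapping reads,
        # so nothing is applied: the MAP_USER log lines in the thread showed the
        # name going in and coming out unchanged for exactly that configuration.
        return user
    must_match = props.get("config.mapUser.regex.mustMatch", "false").lower() == "true"
    match = re.compile(java_to_python_regex(pattern)).match(user)
    if match is None:
        if must_match:
            raise MappingError(f"{user!r} does not match {pattern!r}")
        return user
    return match.expand(java_to_python_replacement(replacement))


def try_map(props, user):
    """Return (True, mapped_name) or (False, error_message)."""
    try:
        return True, map_user(props, user)
    except MappingError as exc:
        return False, str(exc)


def demo():
    """Run the three configurations over constructed login names."""
    correct = parse_properties(CORRECT_PROPERTIES)
    strict = dict(correct, **{"config.mapUser.regex.mustMatch": "true"})
    literal = parse_properties(LITERAL_PROPERTIES)
    return {
        "correct/user": map_user(correct, "user"),
        "correct/user@anotherdomain.foo.bar": map_user(correct, "user@anotherdomain.foo.bar"),
        "broken/user": map_user(parse_properties(BROKEN_PROPERTIES), "user"),
        "literal/user@baz.foo.bar": map_user(literal, "user@baz.foo.bar"),
        "literal/alice@baz.foo.bar": map_user(literal, "alice@baz.foo.bar"),
        "strict/user@DOMAINY": try_map(strict, "user@DOMAINY"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:40} -> {value}")
```

Running the script prints one line per case: the corrected configuration appends @foo.bar to a bare 'user' and leaves 'user@anotherdomain.foo.bar' alone, the broken key names change nothing, the literal pattern rewrites only the one account it names, and with mustMatch turned on a name that already carries a suffix is rejected rather than silently passed through. Keep mustMatch = false unless you want that rejection behaviour for every login.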