Hello,

I try to connect ovirt 4.0.3 to my Samba 4.5 Active Directory to permit the login of AD users to ovirt.

For now i installed ovirt-engine-extension-aaa-ldap-setup.noarch and ovirt-engine-extension-aaa-misc.noarch

# ovirt-engine-extension-aaa-ldap-setup

- selected "Active Directory"

- Anonymous search user

I can run a search but when i try to login with the username alone "testuser" -> error "CREDENTIALS_INCORRECT", if i login with the user+domain "testuser@abc.lan" my auth succeed but -> "Cannot resolve principal 'testuser@abc.lan'"

# ovirt-engine-extensions-tool aaa login-user --profile=abc.lan --user-name=testuser

...

2016-09-21 09:53:29 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='abc.lan' result=CREDENTIALS_INCORRECT

2016-09-21 09:53:29 SEVERE  Authn.Result code is: CREDENTIALS_INCORRECT

# ovirt-engine-extensions-tool aaa login-user --profile=abc.lan --user-name=testuser@abc.lan

...

2016-09-21 09:52:02 INFO    API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='testuser@abc.lan'

2016-09-21 09:52:02 SEVERE  Cannot resolve principal 'testuser@abc.lan'

After some search i configured the mapping plugin to automaticaly add @abc.lan to the user like that i don't need to add the @abc.lan to connect but still the same error, cannot resolve principal ...

ovirt.engine.extension.name = mapping-suffix

ovirt.engine.extension.bindings.method = jbossmodule

ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc

ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension

ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping

config.mapUser.type = regex

config.mapUser.regex.pattern = ^(?<user>[^@]*)$

config.mapUser.regex.replacement = ${user}@abc.lan

config.mapUser.regex.mustMatch = false

...

ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix

Any ideas ?

Thank you.