On 11.09.2015 17:00, Alon Bar-Lev wrote:
----- Original Message -----
> From: "Daniel Helgenberger" <daniel.helgenberger@m-box.de>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: Users@ovirt.org
> Sent: Friday, September 11, 2015 5:33:21 PM
> Subject: Re: [ovirt-users] Extension aaa: No search for principal
>
> sorry, forgot one:
>
> On 11.09.2015 12:48, Alon Bar-Lev wrote:
>> Hi!
>>
>> Thank you for the information, for some reason the administrator user
>> cannot be resolved to userPrincipalName during login, is it specific for
>> Administrator or any user?
> This is the default domain administrator account which exists in any
> forest. But just in case I created a new domain user just for the
> purpose; same outcome.
Sorry for the delay, Alon.
I am unsure what actually happens...
I might have an idea, at least from the commands you supplied.
Something in global catalog is out of sync.
Usually - you do not add domain administrator to external application... there is no need to expose it.
By default Administrator does not have "login from network" and "user
principal suffix".
Also in my environment I do not get result for administrator, but I do get one for
regular user that has upn suffix in user record, you can see these fields in user and
domain manager.
So please use regular unprivileged users who belong to "Domain Users" from
now on.
To test if user has userPrincipalName use the following command (assuming we search for
user@int.corp.de):
$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'bind@int.corp.de' -w PASSWORD -b '' '(userPrincipalName=user@int.corp.de)' cn userPrincipalName
It seems with Active Directory (at least) the search base cannot be
empty (-b '') but needs to be provided.
In my case, the above command fails with:
# search result
search: 2
result: 32 No such object
text: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
While adding the most basic search path it succeeds:
$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://int.corp.de:389/ -x -D 'bind@int.corp.de' -w PASSWORD -b 'dc=int,dc=corp,dc=de' '(userPrincipalName=administrator@int.corp.de)' cn userPrincipalName
# search reference
ref: ldap://ForestDnsZones.int.corp.de/DC=ForestDnsZones,DC=int,DC=corp,DC=de
# search reference
ref: ldap://DomainDnsZones.int.corp.de/DC=DomainDnsZones,DC=int,DC=corp,DC=de
# search reference
ref: ldap://int.corp.de/CN=Configuration,DC=int,DC=corp,DC=de
# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.319 false DDDDDDDSSSDDMM=
pagedresults: cookie=
# numResponses: 4
# numReferences: 3
It succeeds with every user I tried.
I would set the search base, but I am not sure where to do so.
This should find the user (return one result); if not, please check out the user in Users and
Domains manager for the domain suffix, maybe it is empty.
To find user without userPrincipalName such as Administrator use the following command:
$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'bind@int.corp.de' -w PASSWORD -b '' '(sAMAccountName=user)' cn userPrincipalName
For example, the above will work for Administrator, but for kerberos to work properly
user principal name must be defined, so these users will not work.
You can dump entire GC and send me a user record if no result so I can determine what is
different from expectations:
$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'bind@int.corp.de' -w PASSWORD -b '' > /tmp/dump.out
If you still require a dump (it's even a small one) please drop a mail.
Regards,
Alon
--
Daniel Helgenberger
m box bewegtbild GmbH
P: +49/30/2408781-22
F: +49/30/2408781-10
ACKERSTR. 19
D-10115 BERLIN
www.m-box.de www.monkeymen.tv
Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767
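The trap in the second ldapsearch run in this thread (result 0 Success, numResponses 4, numReferences 3, and yet no user entry) is easy to miss when reading the output by eye. As an added example, not from the thread or from the oVirt project, here is a small Python parser run over constructed samples of that output; it separates search references from entries and flags an account that was found but carries no userPrincipalName:

```python
# Added example (not from the thread): classify ldapsearch LDIF output so that a
# "result: 0 Success" carrying only search references is not mistaken for a hit.
# Constructed sample mirroring the dc=int,dc=corp,dc=de run in the thread:
# three referrals and Success, but no entry (numResponses 4 = 3 refs + 1 result).
REFERRALS_ONLY = """\
# search reference
ref: ldap://ForestDnsZones.int.corp.de/DC=ForestDnsZones,DC=int,DC=corp,DC=de
# search reference
ref: ldap://DomainDnsZones.int.corp.de/DC=DomainDnsZones,DC=int,DC=corp,DC=de
# search reference
ref: ldap://int.corp.de/CN=Configuration,DC=int,DC=corp,DC=de
# search result
result: 0 Success
# numResponses: 4
# numReferences: 3
"""
# Constructed sample of a real hit with userPrincipalName populated.
ONE_ENTRY = ("dn: CN=user,CN=Users,DC=int,DC=corp,DC=de\ncn: user\n"
             "userPrincipalName: user@int.corp.de\n\n# search result\nresult: 0 Success\n")
# Constructed sample of the empty-base failure seen in the thread (AD result 32).
NO_SUCH_OBJECT = "# search result\nresult: 32 No such object\n"

def parse_ldapsearch(output):
    """Split ldapsearch output into (result code, entries as attr->values, referrals)."""
    entries, refs, code, cur = [], [], None, None
    for line in output.splitlines():
        if line.startswith("dn: "):
            cur = {"dn": [line[4:]]}
            entries.append(cur)
        elif line.startswith("ref: "):
            refs.append(line[5:])
        elif line.startswith("result: "):
            code = int(line.split()[1])
        elif not line.strip() or line.startswith("#"):
            cur = None  # a blank line or comment ends the current entry
        elif cur is not None and ": " in line:
            k, v = line.split(": ", 1)
            cur.setdefault(k, []).append(v)
    return code, entries, refs

def diagnose(output):
    """'found', 'found_without_upn', 'referrals_only', 'empty' or 'error:<code>'."""
    code, entries, refs = parse_ldapsearch(output)
    if code != 0:
        return "error:%s" % code
    if not entries:
        return "referrals_only" if refs else "empty"
    # Kerberos login needs userPrincipalName; built-in Administrator usually has none.
    return "found" if all("userPrincipalName" in e for e in entries) else "found_without_upn"
```

Feed it the saved output of a real ldapsearch run (for example the /tmp/dump.out file from the thread) to get the same classification.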