
On 11.09.2015 17:00, Alon Bar-Lev wrote:
----- Original Message -----
From: "Daniel Helgenberger" <daniel.helgenberger@m-box.de> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: Users@ovirt.org Sent: Friday, September 11, 2015 5:33:21 PM Subject: Re: [ovirt-users] Extension aaa: No search for principal
sorry, forgot one:
Hi!
Thank you for the information, for some reason the administrator user cannot be resolved to userPrincipalName during login, is it specific for Administrator or any user? This is the default domain administrator account witch exits in any forest. But just in case I created a new domain user just for the
On 11.09.2015 12:48, Alon Bar-Lev wrote: purpose; same outcome
Sorry for the delay, Alon.
I am unsure what actually happens... I might have an idea, at least from the commands you supplied.
Something in global catalog is out of sync. Usually - you do not add domain administrator to external application... there is no need to expose it. By default Administrator does not have "login from network" and "user principal suffix".
Also in my environment I do not get result for administrator, but I do get one for regular user that has upn suffix in user record, you can see these fields in user and domain manager.
So please use regular unprivileged users which belongs to "Domain Users" from now on.
To test if user has userPrincipalName use the following command (assuming we search for user@int.corp.de):
$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'bind@int.corp.de' -w PASSWORD -b '' '(userPrincipalName=user@int.corp.de)' cn userPrincipalName It seams with Active Directory (at least) the search base cannot be empty (-b '') but needs to be provided.
In my case, the above command fails with:
# search result search: 2 result: 32 No such object text: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
While adding the most basic search path it succeeds: $ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://int.corp.de:389/ -x -D 'bind@int.corp.de' -w PASSWORD -b 'dc=int,dc=corp,dc=de' '(userPrincipalName=administrator@int.corp.de)' cn userPrincipalName
# search reference ref: ldap://ForestDnsZones.int.corp.de/DC=ForestDnsZones,DC=int,DC=corp,DC=de
# search reference ref: ldap://DomainDnsZones.int.corp.de/DC=DomainDnsZones,DC=int,DC=corp,DC=de
# search reference ref: ldap://int.corp.de/CN=Configuration,DC=int,DC=corp,DC=de
# search result search: 2 result: 0 Success control: 1.2.840.113556.1.4.319 false DDDDDDDSSSDDMM= pagedresults: cookie=
# numResponses: 4 # numReferences: 3
It succeeds with every user I tried. I would set the search base; but i am not sure where to do so.
This should find the user (return one result), if not, please checkout user in Users and Domains manager for the domain suffix, maybe it is empty.
To find user without userPrincipalName such as Administrator use the following command:
$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'bind@int.corp.de' -w PASSWORD -b '' '(sAMAccountName=user)' cn userPrincipalName
For example, the above will work for Administrator, but for kerberos to work properly user principal name must be defined, so these users will not work.
You can dump entire GC and send me a user record if no result so I can determine what is different from expectations:
$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'bind@int.corp.de' -w PASSWORD -b '' > /tmp/dump.out
If you still require a dump (its even a small one..) please drop a mail.
Regards, Alon
-- Daniel Helgenberger m box bewegtbild GmbH P: +49/30/2408781-22 F: +49/30/2408781-10 ACKERSTR. 19 D-10115 BERLIN www.m-box.de www.monkeymen.tv Geschäftsführer: Martin Retschitzegger / Michaela Göllner Handeslregister: Amtsgericht Charlottenburg / HRB 112767