
On 25 March 2016 9:32 PM, Ondra Machacek <omachace@redhat.com> wrote:
On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
On 25 March 2016 12:10 AM, Karli Sjöberg <karli.sjoberg@slu.se> wrote:
On 24 March 2016 11:26 PM, Ondra Machacek <omachace@redhat.com> wrote:
On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
On 24 March 2016 7:26 PM, Ondra Machacek <omachace@redhat.com> wrote:
On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
Hi!
Starting a new thread instead of jacking someone else's.
Managed to migrate from old 'engine-manage-domains' auth to
aaa-ldap using:
# ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
All OK, no errors, but cannot log in:
# ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:
If you want to login with user with different upn suffix, then just append that suffix
$ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user@foo.bar
OK, some progress, that works!
If you have more suffixes and want to have some as default you can use the following approach:
1) install ovirt-engine-extension-aaa-misc
2) create new mapping extension like this: /etc/ovirt-engine/extensions.d/mapping-suffix.properties
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
Is that supposed to really say '<user>' or should it be changed to a real user name? Either way, it doesn't work, I tried it all.
'?<user>' is just a named group in that regex so you can later use it in 'config.mapUser.replacement' option. It should take everything until first '@'.
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false
3) select a mapping plugin in authn configuration:
ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
With the above configuration in use, your user 'user' will be mapped to user 'user@foo.bar' and users 'user@anotherdomain.foo.bar' will remain 'user@anotherdomain.foo.bar'.
This however does not, it doesn't replace the suffix as it's supposed to. I tried with many different types of the 'mapUser.pattern' but it simply won't change it, even if I type in '= ^user@baz.foo.bar$', the error is the same:(
Hmm, hard to say what's wrong, try to run:
$ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user
and search for the mapping part in the log.
Wow, what a mouthful :) Can you make anything out of it?
https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
/K
Just noticed after logging in to webadmin as "user@foo.bar" (which worked btw, so good there) that the "User Name" in Users main tab looks really odd: user@foo.bar@baz.foo.bar-new-authz
Sorry, you are right, it doesn't work. I've sent you an incorrect configuration, the correct one is:
/etc/ovirt-engine/extensions.d/mapping-suffix.properties
...
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
...
Notice there was a missing 'regex' after 'mapUser'.
/K
API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
result=SUCCESS
but:
API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user@baz.foo.bar'
SEVERE Cannot resolve principal 'user@baz.foo.bar'
So it fails.
# ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
userPrincipalName: user@foo.bar

How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when userPrincipalName ends only on '@foo.bar'?
/K
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
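The mapping behaviour discussed in the thread (a Java-style named-group regex under config.mapUser.regex.pattern, a ${user} replacement and mustMatch = false, with the corrected keys spelled config.mapUser.regex.*) can be checked offline before a mapping-suffix.properties file is deployed. The following is an added example, not oVirt's own code nor the aaa-misc extension's implementation: it models the mapping semantics exactly as Ondra describes them, reads the settings from a constructed copy of the corrected properties text, and flags the first posting's mistake (keys without the 'regex' segment). The minimal .properties reader and the Java-to-Python regex translation are assumptions made for this example.

```python
import re

# Added example, not oVirt code: models the mapUser regex mapping of the
# aaa-misc mapping extension as described in the thread (pattern, replacement,
# mustMatch) and reads those settings from a .properties text.

# Constructed sample: the corrected configuration posted in the thread.
SAMPLE_PROPERTIES = """
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
"""


def parse_properties(text):
    """Minimal Java .properties reader (assumption): 'key = value' lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def misspelled_mapuser_keys(text):
    """Return config.mapUser.* keys (other than .type) that lack the 'regex'
    segment, i.e. the mistake in the first configuration posted in the thread."""
    props = parse_properties(text)
    return sorted(
        k for k in props
        if k.startswith("config.mapUser.")
        and k != "config.mapUser.type"
        and not k.startswith("config.mapUser.regex.")
    )


def load_mapping(text):
    """Return (pattern, replacement, must_match) from the config.mapUser.regex.* keys."""
    props = parse_properties(text)
    if props.get("config.mapUser.type") != "regex":
        raise ValueError("config.mapUser.type must be 'regex'")
    wrong = misspelled_mapuser_keys(text)
    if wrong:
        raise ValueError("mapUser keys missing the 'regex' segment: " + ", ".join(wrong))
    pattern = props["config.mapUser.regex.pattern"]
    replacement = props["config.mapUser.regex.replacement"]
    must_match = props.get("config.mapUser.regex.mustMatch", "false").lower() == "true"
    return pattern, replacement, must_match


def _java_to_python_regex(pattern):
    # Java names groups (?<name>...); Python's re needs (?P<name>...).
    # Lookbehinds (?<= and (?<! are left untouched.
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def _java_to_python_replacement(replacement):
    # Java replacement ${name} becomes Python's \g<name>.
    return re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)


def map_user(name, pattern, replacement, must_match):
    """Apply the mapping as the thread describes it: rewrite names the pattern
    matches, pass everything else through unchanged unless mustMatch is set."""
    m = re.compile(_java_to_python_regex(pattern)).search(name)
    if m is None:
        if must_match:
            raise ValueError("user name %r does not match the mapping pattern" % name)
        return name
    return m.expand(_java_to_python_replacement(replacement))


if __name__ == "__main__":
    cfg = load_mapping(SAMPLE_PROPERTIES)
    for name in ("user", "user@anotherdomain.foo.bar"):
        print(name, "->", map_user(name, *cfg))
```

Running it against the corrected sample maps 'user' to 'user@foo.bar' and leaves 'user@anotherdomain.foo.bar' alone, which is the behaviour the thread expects; feeding it the first posting's text (keys without 'regex') makes load_mapping refuse the file instead of silently applying no mapping.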