On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
On 24 March 2016 at 7:26 PM, Ondra Machacek <omachace(a)redhat.com> wrote:
>
> On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
> > Hi!
> >
> >
> > Starting new thread instead of jacking someone else´s.
> >
> >
> > Managed to migrate from old 'engine-manage-domains' auth to
> > aaa-ldap using:
> >
> > # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert
> > /tmp/ca.crt --apply
> >
> >
> > All OK, no errors, but cannot log in:
> >
> > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new
> > --user-name=user:
>
> If you want to login with user with different upn suffix, then just
> append that suffix
>
> $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new
> --user-name=user@foo.bar
OK, some progress, that works!
>
> If you have more suffixes and want to have some as default you can use
> following approach:
>
> 1) install ovirt-engine-extension-aaa-misc
>
> 2) create new mapping extension like this:
> /etc/ovirt-engine/extensions.d/mapping-suffix.properties
>
> ovirt.engine.extension.name = mapping-suffix
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Mapping
> config.mapUser.type = regex
> config.mapUser.pattern = ^(?<user>[^@]*)$
Is that supposed to really say '<user>' or should it be changed to a
real user name? Either way, it doesn't work, I tried it all.
'?<user>' is just a named group in that regex, so you can later use it in
the 'config.mapUser.replacement' option. It should take everything until
the first '@'.
> config.mapUser.replacement = ${user}@foo.bar
> config.mapUser.mustMatch = false
>
> 3) select a mapping plugin in authn configuration:
>
> ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
>
> With the above configuration in use, your user 'user' will be mapped to
> user 'user@foo.bar'
> and users 'user@anotherdomain.foo.bar' will remain
> 'user@anotherdomain.foo.bar'.
This, however, does not; it doesn't replace the suffix as it's supposed
to. I tried many different types of 'mapUser.pattern', but it
simply won't change it, even if I type in '= ^user@baz.foo.bar$'; the
error is the same :(
Hmm, hard to say what's wrong, try to run:
$ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
--profile=baz.foo.bar-new --user-name=user
and search for a mapping part in log.
/K
>
> >
> > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
> >
> >
> > but:
> >
> > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD
> > principal='user@baz.foo.bar'
> > SEVERE Cannot resolve principal 'user@baz.foo.bar'
> >
> >
> > So it fails.
> >
> >
> > # ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b
> > DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName |
> > grep 'userPrincipalName:'
> >
> > userPrincipalName: user@foo.bar
> >
> >
> > How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when
> > userPrincipalName ends only in '@foo.bar'?
> >
> > /K
> >
> >
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users(a)ovirt.org
> >
http://lists.ovirt.org/mailman/listinfo/users
> >