Re: [ovirt-users] oVirt 3.6 AAA LDAP cannot not log in when end of UPN is different from domain base


On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
On 24 March 2016 at 7:26 PM, Ondra Machacek <omachace@redhat.com> wrote:
On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
Hi!
Starting new thread instead of jacking someone else's.
Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:
# ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
All OK, no errors, but cannot log in:
# ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:
If you want to log in with a user with a different UPN suffix, then just append that suffix
$ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user@foo.bar
OK, some progress, that works!
If you have more suffixes and want to have some as default you can use the following approach:
1) install ovirt-engine-extension-aaa-misc
2) create new mapping extension like this: /etc/ovirt-engine/extensions.d/mapping-suffix.properties
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
Is that supposed to really say '<user>' or should it be changed to a real user name? Either way, it doesn't work, I tried it all.
'?<user>' is just a named group in that regex so you can later use it in 'config.mapUser.replacement' option. It should take everything until first '@'.
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false
3) select a mapping plugin in authn configuration:
ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
With the above configuration in use, your user 'user' will be mapped to user 'user@foo.bar' and users 'user@anotherdomain.foo.bar' will remain 'user@anotherdomain.foo.bar'.
This however does not, it doesn't replace the suffix as it's supposed to. I tried with many different types of the 'mapUser.pattern' but it simply won't change it, even if I type in '= ^user@baz.foo.bar$', the error is the same:(
Hmm, hard to say what's wrong, try to run:
$ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user
and search for a mapping part in log.
/K
API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
but:
API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user@baz.foo.bar'
SEVERE Cannot resolve principal 'user@baz.foo.bar'
So it fails.
# ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
userPrincipalName: user@foo.bar
How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when userPrincipalName ends only on '@foo.bar'?
/K
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
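The regex mapping discussed in the thread, as an added example that is not part of the original messages or of the oVirt code: it applies the posted `config.mapUser.pattern` and `config.mapUser.replacement` values with standard `java.util.regex` semantics. The class and method names are hypothetical, and treating `mustMatch = false` as "pass the name through unchanged when the pattern does not match" is an assumption based on the behaviour described in the thread.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MapUserDemo {
    // Values copied from mapping-suffix.properties as posted in the thread.
    static final Pattern PATTERN = Pattern.compile("^(?<user>[^@]*)$");
    static final String REPLACEMENT = "${user}@foo.bar";
    static final boolean MUST_MATCH = false;

    // Hypothetical helper: rewrite a login name the way the thread describes.
    static String mapUser(String login) {
        Matcher m = PATTERN.matcher(login);
        if (!m.matches()) {
            if (MUST_MATCH) {
                throw new IllegalArgumentException("no match: " + login);
            }
            // Assumed mustMatch=false behaviour: leave the name untouched.
            return login;
        }
        // (?<user>...) is a named capture group, not a literal user name;
        // ${user} in the replacement expands to whatever that group captured.
        return m.replaceFirst(REPLACEMENT);
    }

    public static void main(String[] args) {
        // Constructed sample logins.
        String[] logins = {
            "user",                        // no '@': suffix is appended
            "user@anotherdomain.foo.bar",  // contains '@': pattern cannot match
            "user@foo.bar",                // already carries the UPN suffix
            ""                             // [^@]* also matches the empty string
        };
        for (String login : logins) {
            System.out.printf("'%s' -> '%s'%n", login, mapUser(login));
        }
    }
}
```

The empty-string case shows that `[^@]*` accepts an empty login name; `[^@]+` would require at least one character before the suffix is appended.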
Participants (2): Karli Sjöberg, Ondra Machacek