On 03/24/2016 06:16 PM, Karli Sjöberg wrote:

Hi!

Starting new thread instead of jacking someone else´s.

Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:

#| ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply |

All OK, no errors, but cannot log in:

# ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:

If you want to login with user with different upn suffix, then just append that suffix $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user@foo.bar If you have more suffixes and want to have some as default you can use following approach: 1) install ovirt-engine-extension-aaa-misc 2) create new mapping extension like this: /etc/ovirt-engine/extensions.d/mapping-suffix.properties ovirt.engine.extension.name = mapping-suffix ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping config.mapUser.type = regex config.mapUser.pattern = ^(?<user>[^@]*)$ config.mapUser.replacement = ${user}@foo.bar config.mapUser.mustMatch = false 3) select a mapping plugin in authn configuration: ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix With above configuration in use, your user 'user' witll be mapped to user 'user@foo.bar' and users 'user@anotherdomain.foo.bar' will remain 'user@anotherdomain.foo.bar'.

API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS

but:

API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user@baz.foo.bar' SEVERE Cannot resolve principal 'user@baz.foo.bar'

So it fails.

# ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'

userPrincipalName: user@foo.bar

|How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when userPrincipalName ends only on '@foo.bar'?

/K |

_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users