Re: [ovirt-users] oVirt 3.6 AAA LDAP cannot not log in when end of UPN is different from domain base

On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
Den 25 mars 2016 12:10 fm skrev Karli Sjöberg <karli.sjoberg@slu.se>:
Den 24 mars 2016 11:26 em skrev Ondra Machacek <omachace@redhat.com>:
On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
Den 24 mars 2016 7:26 em skrev Ondra Machacek <omachace@redhat.com>:
On 03/24/2016 06:16 PM, Karli Sjöberg wrote:

Hi!

Starting a new thread instead of hijacking someone else's.

Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:

# ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply

All OK, no errors, but cannot log in:

# ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:

If you want to log in with a user with a different UPN suffix, then just append that suffix:

$ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user@foo.bar

OK, some progress, that works!

If you have more suffixes and want to have some as default, you can use the following approach:

1) install ovirt-engine-extension-aaa-misc

2) create a new mapping extension like this: /etc/ovirt-engine/extensions.d/mapping-suffix.properties

ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$

Is that supposed to really say '<user>' or should it be changed to a real user name? Either way, it doesn't work, I tried it all.

'?<user>' is just a named group in that regex so you can later use it in the 'config.mapUser.replacement' option. It should take everything until the first '@'.

config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false

3) select a mapping plugin in authn configuration:

ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix

With the above configuration in use, your user 'user' will be mapped to user 'user@foo.bar', and users 'user@anotherdomain.foo.bar' will remain 'user@anotherdomain.foo.bar'.

This however does not; it doesn't replace the suffix as it's supposed to. I tried with many different types of the 'mapUser.pattern' but it simply won't change it, even if I type in '= ^user@baz.foo.bar$', the error is the same :(

Hmm, hard to say what's wrong, try to run:

$ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user

and search for the mapping part in the log.

Wow what a mouthful :) Can you make anything out of it?

https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download

/K

Just noticed after logging in to webadmin as "user@foo.bar" (which worked btw, so good there) that the "User Name" in the Users main tab looks really odd:
user@foo.bar@baz.foo.bar-new-authz

/K

Den 25 mars 2016 9:32 em skrev Ondra Machacek <omachace@redhat.com>:

Sorry, you are right, it doesn't work. I've sent you an incorrect configuration, the correct one is:

/etc/ovirt-engine/extensions.d/mapping-suffix.properties
...
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
...

Notice that 'regex' was missing after 'mapUser'.

/K

API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS

but:

API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user@baz.foo.bar'
SEVERE  Cannot resolve principal 'user@baz.foo.bar'

So it fails.

# ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'

userPrincipalName: user@foo.bar

How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when userPrincipalName ends only on '@foo.bar'?

/K

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

What the heck, my message disappeares! Trying again. Ok, so it's mapping now but the only thing working is: config.mapUser.regex.pattern = user@baz.foo.bar config.mapUser.regex.replacement = user@foo.bar And that isn't very useful. Please advice! /K On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
Den 25 mars 2016 12:10 fm skrev Karli Sjöberg <karli.sjoberg@slu.se>:
Den 24 mars 2016 11:26 em skrev Ondra Machacek <omachace@redhat.com>:
On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
Den 24 mars 2016 7:26 em skrev Ondra Machacek <omachace@redhat.com>:
On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
Hi!
Starting new thread instead of jacking someone else´s.
On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
> On 25 March 2016 12:10 AM, Karli Sjöberg <karli.sjoberg@slu.se> wrote:
> >
> > On 24 March 2016 11:26 PM, Ondra Machacek <omachace@redhat.com> wrote:
> > >
> > > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
> > > >
> > > > On 24 March 2016 7:26 PM, Ondra Machacek <omachace@redhat.com> wrote:
> > > > >
> > > > > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
> > > > > > Managed to migrate from old 'engine-manage-domains' auth to
> > > > > > aaa-ldap using:
> > > > > >
> > > > > > # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
> > > > > >
> > > > > > All OK, no errors, but cannot log in:
> > > > > >
> > > > > > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:
> > > > >
> > > > > If you want to log in with a user with a different UPN suffix, then just
> > > > > append that suffix:
> > > > >
> > > > > $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user@foo.bar
> > > >
> > > > OK, some progress, that works!
> > > >
> > > > > If you have more suffixes and want to have some as default you can use
> > > > > the following approach:
> > > > >
> > > > > 1) install ovirt-engine-extension-aaa-misc
> > > > >
> > > > > 2) create new mapping extension like this:
> > > > > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
> > > > >
> > > > > ovirt.engine.extension.name = mapping-suffix
> > > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> > > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> > > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
> > > > > config.mapUser.type = regex
> > > > > config.mapUser.pattern = ^(?<user>[^@]*)$
> > > >
> > > > Is that supposed to really say '<user>' or should it be changed to a
> > > > real user name? Either way, it doesn't work, I tried it all.
> > >
> > > '?<user>' is just a named group in that regex so you can later use it in
> > > the 'config.mapUser.replacement' option. It should take everything until
> > > the first '@'.
> > >
> > > > > config.mapUser.replacement = ${user}@foo.bar
> > > > > config.mapUser.mustMatch = false
> > > > >
> > > > > 3) select a mapping plugin in authn configuration:
> > > > >
> > > > > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
> > > > >
> > > > > With above configuration in use, your user 'user' will be mapped to
> > > > > user 'user@foo.bar' and users 'user@anotherdomain.foo.bar' will remain
> > > > > 'user@anotherdomain.foo.bar'.
> > > >
> > > > This however does not, it doesn't replace the suffix as it's supposed
> > > > to. I tried with many different types of the 'mapUser.pattern' but it
> > > > simply won't change it, even if I type in '= ^user@baz.foo.bar$', the
> > > > error is the same :(
> > >
> > > Hmm, hard to say what's wrong, try to run:
> > > $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user
> > >
> > > and search for a mapping part in log.
> >
> > Wow what a mouthful :) Can you make anything out of it?
> >
> > https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
> >
> > /K
>
> Just noticed after logging in to webadmin as "user@foo.bar" (which
> worked btw, so good there) that the "User Name" in Users main tab looks
> really odd:
> user@foo.bar@baz.foo.bar-new-authz

Sorry, you are right, it doesn't work. I've sent you incorrect
configuration, the correct one is:

/etc/ovirt-engine/extensions.d/mapping-suffix.properties

...
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
...

Notice there was missing 'regex' after 'mapUser'.

> /K
>
> > > > /K
> > > >
> > > > > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
> > > > > >
> > > > > > but:
> > > > > >
> > > > > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user@baz.foo.bar'
> > > > > > SEVERE Cannot resolve principal 'user@baz.foo.bar'
> > > > > >
> > > > > > So it fails.
> > > > > >
> > > > > > # ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
> > > > > >
> > > > > > userPrincipalName: user@foo.bar
> > > > > >
> > > > > > How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when
> > > > > > userPrincipalName ends only on '@foo.bar'?
> > > > > >
> > > > > > /K
> > > > > >
> > > > > > _______________________________________________
> > > > > > Users mailing list
> > > > > > Users@ovirt.org
> > > > > > http://lists.ovirt.org/mailman/listinfo/users

For me it's working completely fine:

...
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@DOMAINX.com
config.mapUser.regex.mustMatch = false
...

$ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user@DOMAINY --profile=ad

INFO  API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
INFO  API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'

$ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user --profile=ad

INFO  API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
INFO  API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINX.com'

As you can see it's correctly mapped.

Please check once again the regex is correct, if it still won't work, please send log output again.

On 03/26/2016 10:07 AM, Karli Sjöberg wrote:
> What the heck, my message disappeared! Trying again.
>
> Ok, so it's mapping now but the only thing working is:
> config.mapUser.regex.pattern = user@baz.foo.bar
> config.mapUser.regex.replacement = user@foo.bar
>
> And that isn't very useful. Please advise!
>
> /K

On 26 Mar 2016, at 11:35, Ondra Machacek <omachace@redhat.com> wrote:
> For me it's working completely fine:
> [...]
> Please check once again the regex is correct, if it still won't work, please send log output again.

/etc/ovirt-engine/extensions.d/mapping-suffix.properties:
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false

# ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user@baz.foo.bar
# grep Mapping.InvokeCommands.MAP_USER login.log
2016-03-26 13:27:40 INFO  API: -->Mapping.InvokeCommands.MAP_USER user='user@baz.foo.bar'
2016-03-26 13:27:40 INFO  API: <--Mapping.InvokeCommands.MAP_USER user='user@baz.foo.bar'

And here is the log:
https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download

/K
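To see what the mapping from the recipe above actually does to a login name, here is an added example (not oVirt's code): a Python emulation of the regex mapUser step that converts the Java named-group and ${name} syntax from the properties file and runs the thread's own configuration over the names discussed. It shows why 'user' becomes 'user@foo.bar' while 'user@baz.foo.bar', as in the grep output above, passes through untouched, and why the first properties file (keys without 'regex') maps nothing; the mustMatch=true handling, the replaceAll-style expansion and the treatment of the missing key are assumptions, not read from the oVirt source.

```python
"""Emulation of the aaa-misc regex user mapping discussed in the thread.

Added example, not oVirt code: the Java-to-Python regex conversion and the
mustMatch / missing-key behaviour are assumptions documented inline.
"""
import re
from typing import Dict

# Constructed sample: the corrected mapping-suffix.properties from the thread,
# reduced to the keys this emulation reads.
MAPPING_PROPERTIES = """
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
"""

# The first version from the thread, with 'regex' missing from the key names.
BROKEN_PROPERTIES = """
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false
"""


class MappingError(Exception):
    """Raised when mustMatch=true and the user name does not match the pattern."""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def java_regex_to_python(pattern: str) -> str:
    """Java names a group as (?<name>...); Python's re module wants (?P<name>...).
    Lookbehinds (?<= and (?<! are untouched because a group name starts with a letter."""
    return re.sub(r"\(\?<(?P<name>[A-Za-z][A-Za-z0-9]*)>", r"(?P<\g<name>>", pattern)


def java_replacement_to_python(replacement: str) -> str:
    """Java's Matcher expands ${name} in a replacement; Python uses \\g<name>.
    Only the ${name} form used in the thread is handled (assumption)."""
    return re.sub(r"\$\{(?P<name>[A-Za-z][A-Za-z0-9]*)\}", r"\\g<\g<name>>", replacement)


def map_user(props: Dict[str, str], user: str) -> str:
    """Apply the mapUser step as configured in props to one login name.

    Assumptions not taken from the oVirt source: the replacement behaves like
    Java's Matcher.replaceAll, a missing config.mapUser.regex.pattern key means
    'no mapping' (the silent failure in the thread), and mustMatch=true rejects
    a name the pattern does not match instead of passing it through.
    """
    if props.get("config.mapUser.type") != "regex":
        return user
    pattern = props.get("config.mapUser.regex.pattern")
    if pattern is None:
        return user  # e.g. BROKEN_PROPERTIES: keys present, but under the wrong names
    must_match = props.get("config.mapUser.regex.mustMatch", "false").lower() == "true"
    replacement = java_replacement_to_python(props.get("config.mapUser.regex.replacement", ""))
    mapped, count = re.subn(java_regex_to_python(pattern), replacement, user)
    if count == 0:
        if must_match:
            raise MappingError(f"{user!r} does not match {pattern!r}")
        return user  # name already carries an '@suffix': left exactly as typed
    return mapped


def map_all(props: Dict[str, str], users):
    """Map a list of login names, recording a MappingError as None."""
    result = {}
    for u in users:
        try:
            result[u] = map_user(props, u)
        except MappingError:
            result[u] = None
    return result


if __name__ == "__main__":
    good = parse_properties(MAPPING_PROPERTIES)
    names = ["user", "user@foo.bar", "user@anotherdomain.foo.bar", "user@baz.foo.bar"]
    for name, mapped in map_all(good, names).items():
        print(f"{name:30} -> {mapped}")
    # With the 'regex' segment missing from the keys nothing is ever rewritten.
    print(map_all(parse_properties(BROKEN_PROPERTIES), names))
```

The pattern is anchored on both ends and forbids '@', so any name typed with a suffix never matches; with mustMatch=false it is forwarded to authn unchanged, which is exactly what the FINEST log above records for 'user@baz.foo.bar'.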

On 26 Mar 2016, at 13:49, Karli Sjöberg <Karli.Sjoberg@slu.se> wrote:
> On 26 Mar 2016, at 11:35, Ondra Machacek <omachace@redhat.com> wrote:
> > For me it's working completely fine:
> > [...]
>
> /etc/ovirt-engine/extensions.d/mapping-suffix.properties:
> [...]
> # grep Mapping.InvokeCommands.MAP_USER login.log
> 2016-03-26 13:27:40 INFO  API: -->Mapping.InvokeCommands.MAP_USER user='user@baz.foo.bar'
> 2016-03-26 13:27:40 INFO  API: <--Mapping.InvokeCommands.MAP_USER user='user@baz.foo.bar'
>
> And here is the log:
> https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download
>
> /K

Eureka! I changed 'vars.user' in 'baz.foo.bar-new.properties' from one with suffix '@baz.foo.bar' to mine that has a '@foo.bar' ending and now it works, for some reason. Very strange, but anyway... How do I go about changing from UPN to samAccountName, if I'd want that instead?

/K
On 24 March 2016 at 11:26 PM, Ondra Machacek <omachace@redhat.com> wrote:
On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
On 24 March 2016 at 7:26 PM, Ondra Machacek <omachace@redhat.com> wrote:
On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
Hi!

Starting new thread instead of jacking someone else's.

Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:

# ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply

All OK, no errors, but cannot log in:

# ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:

If you want to log in with a user with a different UPN suffix, then just append that suffix:

$ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user@foo.bar

OK, some progress, that works!

If you have more suffixes and want to have one as the default, you can use the following approach:

1) install ovirt-engine-extension-aaa-misc

2) create a new mapping extension like this: /etc/ovirt-engine/extensions.d/mapping-suffix.properties

ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$

Is that supposed to really say '<user>' or should it be changed to a real user name? Either way, it doesn't work, I tried it all.

'?<user>' is just a named group in that regex so you can later use it in the 'config.mapUser.replacement' option. It should take everything until the first '@'.

config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false

3) select a mapping plugin in authn configuration:

ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix

With the above configuration in use, your user 'user' will be mapped to user 'user@foo.bar' and users 'user@anotherdomain.foo.bar' will remain 'user@anotherdomain.foo.bar'.

This however does not, it doesn't replace the suffix as it's supposed to. I tried with many different types of the 'mapUser.pattern' but it simply won't change it, even if I type in '= ^user@baz.foo.bar$', the error is the same :(

Hmm, hard to say what's wrong, try to run:
$ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user
and search for a mapping part in the log.

Wow, what a mouthful :) Can you make anything out of it?
https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
/K

Just noticed after logging in to webadmin as "user@foo.bar" (which worked btw, so good there) that the "User Name" in the Users main tab looks really odd: user@foo.bar@baz.foo.bar-new-authz

Sorry, you are right, it doesn't work. I've sent you an incorrect configuration, the correct one is:
/etc/ovirt-engine/extensions.d/mapping-suffix.properties
...
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
...
Notice there was a missing 'regex' after 'mapUser'.

/K

API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
but:
API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user@baz.foo.bar'
SEVERE Cannot resolve principal 'user@baz.foo.bar'
So it fails.

# ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
userPrincipalName: user@foo.bar

How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when userPrincipalName ends only on '@foo.bar'?
/K
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
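As an added example (not code from this thread or from the oVirt aaa-misc extension), here is a Python model of the regex mapUser mapping Ondra describes, run over the corrected properties file and over the first, broken one where 'regex.' is missing after 'mapUser'. The properties reader, the Java-to-Python regex translation, the config check and the mustMatch=true behaviour are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the corrected mapping-suffix.properties from the thread
# (note the 'regex.' segment after 'mapUser').
GOOD_PROPERTIES = """\
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
"""

# Constructed sample: the first version posted in the thread, where 'regex.' is
# missing from the three mapUser keys, so the extension never sees a pattern.
BAD_PROPERTIES = GOOD_PROPERTIES.replace("config.mapUser.regex.", "config.mapUser.")

REQUIRED_KEYS = ("config.mapUser.regex.pattern", "config.mapUser.regex.replacement")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader (assumption): 'key = value' lines, '#' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_mapping_config(props: Dict[str, str]) -> List[str]:
    """Return human-readable problems with the mapUser section; empty list means OK.

    Spots keys written without the 'regex.' segment, which the extension
    silently ignores (the mistake in the first config posted in the thread).
    """
    problems: List[str] = []
    if props.get("config.mapUser.type") != "regex":
        problems.append("config.mapUser.type must be 'regex'")
    for key in REQUIRED_KEYS:
        if key not in props:
            misspelt = key.replace("mapUser.regex.", "mapUser.")
            hint = f" (found '{misspelt}' instead)" if misspelt in props else ""
            problems.append(f"missing '{key}'{hint}")
    return problems


def java_to_python(pattern: str, replacement: str) -> Tuple[str, str]:
    """Translate the Java regex syntax used in the properties file into Python's.

    Java named group '(?<user>...)' becomes '(?P<user>...)' and the replacement
    token '${user}' becomes '\\g<user>'.
    """
    py_pattern = re.sub(r"\(\?<([A-Za-z][A-Za-z0-9]*)>", r"(?P<\1>", pattern)
    py_repl = re.sub(r"\$\{([A-Za-z][A-Za-z0-9]*)\}", r"\\g<\1>", replacement)
    return py_pattern, py_repl


def map_user(user: str, props: Dict[str, str]) -> str:
    """Apply the mapUser regex the way the thread describes it.

    A name without '@' gets the default suffix appended; a name that already
    carries a suffix is left alone. With mustMatch=true (assumption: the
    extension rejects non-matching names) a non-matching name raises ValueError.
    """
    if check_mapping_config(props):
        return user  # broken config: nothing is mapped, as the thread's MAP_USER log lines showed
    pattern, repl = java_to_python(props["config.mapUser.regex.pattern"],
                                   props["config.mapUser.regex.replacement"])
    must_match = props.get("config.mapUser.regex.mustMatch", "false").lower() == "true"
    if re.search(pattern, user) is None:
        if must_match:
            raise ValueError(f"user name {user!r} does not match {pattern!r}")
        return user
    return re.sub(pattern, repl, user)


if __name__ == "__main__":
    good = parse_properties(GOOD_PROPERTIES)
    bad = parse_properties(BAD_PROPERTIES)
    for name in ("user", "user@anotherdomain.foo.bar", "user@baz.foo.bar"):
        print(f"{name:30} -> {map_user(name, good)}")
    print("problems in first config:", check_mapping_config(bad))
```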

On 03/26/2016 02:09 PM, Karli Sjöberg wrote:
On 26 Mar 2016, at 13:49, Karli Sjöberg <Karli.Sjoberg@slu.se <mailto:Karli.Sjoberg@slu.se>> wrote:
On 26 Mar 2016, at 11:35, Ondra Machacek <omachace@redhat.com <mailto:omachace@redhat.com>> wrote:
For me it's working completely fine:
...
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@DOMAINX.com
config.mapUser.regex.mustMatch = false
...
$ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user@DOMAINY --profile=ad
INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
$ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user --profile=ad
INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINX.com'
As you can see it's correctly mapped.
Please check once again that the regex is correct; if it still won't work, please send the log output again.
/etc/ovirt-engine/extensions.d/mapping-suffix.properties:
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
# ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user@baz.foo.bar
# grep Mapping.InvokeCommands.MAP_USER login.log
2016-03-26 13:27:40 INFO API: -->Mapping.InvokeCommands.MAP_USER user='user@baz.foo.bar'
2016-03-26 13:27:40 INFO API: <--Mapping.InvokeCommands.MAP_USER user='user@baz.foo.bar'
And here is the log: https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download
/K
Eureka! I changed ‘vars.user’ in ‘baz.foo.bar-new.properties’ from one with suffix ‘@baz.foo.bar’ to mine that has a ‘@foo.bar’ ending and now it works, for some reason. Very strange, but anyway... How do I go about changing from UPN to samAccountName, if I'd want that instead?
Well, we support only UPN, because sam supports only 15 characters in the username.

On 26 Mar 2016, at 21:32, Ondra Machacek <omachace@redhat.com> wrote:
Well, we support only UPN, because sam supports only 15 characters in the username.
OK, thank you. From here comes the really daunting part, which is to go through all the VMs, check their permissions, add the same user(s) from the new provider and delete the old. Probably going to start a new thread for doing that with Python, but I'll cross that bridge when I get to it; this was only a virtual test environment for going from 3.4 to 3.6.
/K
On 03/26/2016 10:07 AM, Karli Sjöberg wrote:
What the heck, my message disappeares! Trying again.
Ok, so it's mapping now but the only thing working is: config.mapUser.regex.pattern = user@baz.foo.bar <mailto:user@baz.foo.bar> config.mapUser.regex.replacement = user@foo.bar <mailto:user@foo.bar>
And that isn't very useful. Please advice!
/K
On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
On 25 March 2016 12:10 AM, Karli Sjöberg <karli.sjoberg@slu.se> wrote:
>
>
> On 24 March 2016 11:26 PM, Ondra Machacek <omachace@redhat.com> wrote:
> >
> > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
> > >
> > > On 24 March 2016 7:26 PM, Ondra Machacek <omachace@redhat.com> wrote:
> > > >
> > > > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
> > > > > Hi!
> > > > >
> > > > > Starting new thread instead of jacking someone else's.
> > > > >
> > > > > Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:
> > > > >
> > > > > # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
> > > > >
> > > > > All OK, no errors, but cannot log in:
> > > > >
> > > > > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:
> > > >
> > > > If you want to login with user with different upn suffix, then just append that suffix
> > > >
> > > > $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user@foo.bar
> > >
> > > OK, some progress, that works!
> > >
> > > > If you have more suffixes and want to have some as default you can use following approach:
> > > >
> > > > 1) install ovirt-engine-extension-aaa-misc
> > > >
> > > > 2) create new mapping extension like this:
> > > > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
> > > >
> > > > ovirt.engine.extension.name = mapping-suffix
> > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
> > > > config.mapUser.type = regex
> > > > config.mapUser.pattern = ^(?<user>[^@]*)$
> > >
> > > Is that supposed to really say '<user>' or should it be changed to a real user name? Either way, it doesn't work, I tried it all.
> >
> > '?<user>' is just a named group in that regex so you can later use it in 'config.mapUser.replacement' option. It should take everything until first '@'.
> >
> > >
> > > > config.mapUser.replacement = ${user}@foo.bar
> > > > config.mapUser.mustMatch = false
> > > >
> > > > 3) select a mapping plugin in authn configuration:
> > > >
> > > > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
> > > >
> > > > With above configuration in use, your user 'user' will be mapped to user 'user@foo.bar' and users 'user@anotherdomain.foo.bar' will remain 'user@anotherdomain.foo.bar'.
> > >
> > > This however does not, it doesn't replace the suffix as it's supposed to. I tried with many different types of the 'mapUser.pattern' but it simply won't change it, even if I type in '= ^user@baz.foo.bar$', the error is the same:(
> >
> > Hmm, hard to say what's wrong, try to run:
> > $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user
> >
> > and search for a mapping part in log.
>
> Wow what a mouthful:) Can you make anything out of it?
>
> https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
>
> /K
>
> Just noticed after logging in to webadmin as "user@foo.bar" (which worked btw, so good there) that the "User Name" in Users main tab looks really odd: user@foo.bar@baz.foo.bar-new-authz
Sorry, you are right, it doesn't work. I've sent you an incorrect configuration, the correct one is:
/etc/ovirt-engine/extensions.d/mapping-suffix.properties
...
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
...
Notice there was missing 'regex', after 'mapUser'.
/K
> > > /K
> > > >
> > > > >
> > > > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
> > > > >
> > > > > but:
> > > > >
> > > > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user@baz.foo.bar'
> > > > > SEVERE Cannot resolve principal 'user@baz.foo.bar'
> > > > >
> > > > > So it fails.
> > > > >
> > > > > # ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
> > > > >
> > > > > userPrincipalName: user@foo.bar
> > > > >
> > > > > How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when userPrincipalName ends only on '@foo.bar'?
> > > > >
> > > > > /K
> > > > >
> > > > > _______________________________________________
> > > > > Users mailing list
> > > > > Users@ovirt.org
> > > > > http://lists.ovirt.org/mailman/listinfo/users

On 03/27/2016 11:40 AM, Karli Sjöberg wrote:
On 26 Mar 2016, at 21:32, Ondra Machacek <omachace@redhat.com> wrote:
On 03/26/2016 02:09 PM, Karli Sjöberg wrote:
On 26 Mar 2016, at 13:49, Karli Sjöberg <Karli.Sjoberg@slu.se> wrote:
On 26 Mar 2016, at 11:35, Ondra Machacek <omachace@redhat.com> wrote:
For me it's working completely fine:
...
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@DOMAINX.com
config.mapUser.regex.mustMatch = false
...
$ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user@DOMAINY --profile=ad
INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
$ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user --profile=ad
INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINX.com'
As you can see it's correctly mapped.
Please check once again the regex is correct, if it still won't work, please send log output again.
/etc/ovirt-engine/extensions.d/mapping-suffix.properties:
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false

# ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user@baz.foo.bar
# grep Mapping.InvokeCommands.MAP_USER login.log
2016-03-26 13:27:40 INFO API: -->Mapping.InvokeCommands.MAP_USER user='user@baz.foo.bar'
2016-03-26 13:27:40 INFO API: <--Mapping.InvokeCommands.MAP_USER user='user@baz.foo.bar'
And here is the log: https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download
/K
Eureka! I changed 'vars.user' in 'baz.foo.bar-new.properties' from one with suffix '@baz.foo.bar' to mine that has a '@foo.bar' ending and now it works, for some reason. Very strange, but anyway... How do I go about changing from UPN to samAccountName, if I'd want that instead?
Well, we support only UPN, because sam supports only 15 characters in username.
OK, thank you. From here comes the really daunting part, which is to go through all the VMs, check their permissions, add the same user(s) from the new provider and delete the old. Probably going to start a new thread for doing that with Python, but I'll cross that bridge when I get to it, this was only a virtual test environment for going from 3.4 to 3.6.
Not sure I understand, why would you do that? This is what the migration tool does for you as well, so why do you need to do it again?
/K
/K
On 03/26/2016 10:07 AM, Karli Sjöberg wrote:
What the heck, my message disappears! Trying again.
Ok, so it's mapping now but the only thing working is:
config.mapUser.regex.pattern = user@baz.foo.bar
config.mapUser.regex.replacement = user@foo.bar
And that isn't very useful. Please advise!
/K
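The thread turns on two details of the mapping extension: the named group in '^(?<user>[^@]*)$' is referenced as '${user}' in the replacement (Java regex syntax), and the keys have to be 'config.mapUser.regex.*', otherwise nothing is mapped and the name reaches authz unchanged, exactly as the FINEST log showed. The following Python script is an added illustration written for this page, not code from ovirt-engine-extension-aaa-misc; it simulates that mapping on the configuration fragments from the thread. It assumes that the extension reads only the 'config.mapUser.regex.*' keys and passes the name through when they are absent (consistent with the logs above, but an assumption), and the Java-to-Python regex translation is mine:

```python
import re

# Constructed copy of the corrected mapping-suffix.properties from the
# thread (only the config.mapUser.* keys matter for this simulation).
MAPPING_PROPERTIES = """\
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
"""

# The mis-keyed fragment from the first reply: no "regex." segment in the
# key names, which is why it mapped nothing.
MISKEYED_PROPERTIES = """\
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false
"""


def parse_properties(text):
    """Minimal Java-style .properties parser: 'key = value', '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def java_regex_to_python(pattern, replacement):
    """Translate Java named-group syntax into Python's.

    Java writes a named group as (?<name>...) and references it in the
    replacement as ${name}; Python's re module wants (?P<name>...) and
    \\g<name>. Lookbehinds (?<= / (?<! are untouched because a name must
    start with a letter.
    """
    py_pattern = re.sub(r"\(\?<(?P<n>[A-Za-z][A-Za-z0-9]*)>", r"(?P<\g<n>>", pattern)
    py_replacement = re.sub(r"\$\{(?P<n>[A-Za-z][A-Za-z0-9]*)\}", r"\\g<\g<n>>", replacement)
    return py_pattern, py_replacement


def map_user(props, user):
    """Apply the regex mapping as the thread describes it.

    Assumption: the extension reads only config.mapUser.regex.*; when those
    keys are missing (the mis-keyed fragment) the name passes through
    unchanged. With mustMatch=false a non-matching name such as
    'user@anotherdomain.foo.bar' is also left as it is; with mustMatch=true
    it is rejected.
    """
    if props.get("config.mapUser.type") != "regex":
        return user
    pattern = props.get("config.mapUser.regex.pattern")
    replacement = props.get("config.mapUser.regex.replacement")
    must_match = props.get("config.mapUser.regex.mustMatch", "false").lower() == "true"
    if pattern is None or replacement is None:
        return user  # mapping not configured (the mis-keyed case)
    py_pattern, py_replacement = java_regex_to_python(pattern, replacement)
    if re.search(py_pattern, user) is None:
        if must_match:
            raise ValueError(f"user {user!r} does not match {pattern!r}")
        return user
    return re.sub(py_pattern, py_replacement, user)


if __name__ == "__main__":
    good = parse_properties(MAPPING_PROPERTIES)
    bad = parse_properties(MISKEYED_PROPERTIES)
    for name in ("user", "user@anotherdomain.foo.bar"):
        print(f"correct keys:   {name!r} -> {map_user(good, name)!r}")
        print(f"mis-keyed keys: {name!r} -> {map_user(bad, name)!r}")
```

Running it shows 'user' becoming 'user@foo.bar' and 'user@anotherdomain.foo.bar' staying untouched with the corrected keys, while the mis-keyed fragment leaves both names as they are, which is the unchanged MAP_USER output seen in the FINEST log. Setting mustMatch to true is the stricter choice when every login should carry the default suffix, since a name that slips past the pattern is then refused instead of being handed to authz as-is.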
participants (2)
- Karli Sjöberg
- Ondra Machacek