[ovirt-users] Extension aaa: No search for principal

Alon Bar-Lev alonbl at redhat.com
Fri Sep 11 15:00:38 UTC 2015 


----- Original Message -----
> From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: Users at ovirt.org
> Sent: Friday, September 11, 2015 5:33:21 PM
> Subject: Re: [ovirt-users] Extension aaa: No search for principal
> 
> sorry, forgot one:
> 
> On 11.09.2015 12:48, Alon Bar-Lev wrote:
> > Hi!
> >
> > Thank you for the information, for some reason the administrator user
> > cannot be resolved to userPrincipalName during login, is it specific for
> > Administrator or any user?
> This is the default domain administrator account witch exits in any
> forest. But just in case I created a new domain user just for the
> purpose; same outcome

I am unsure what actually happens...
Something in global catalog is out of sync.
Usually - you do not add domain administrator to external application... there is no need to expose it.
By default Administrator does not have "login from network" and "user principal suffix".

Also in my environment I do not get result for administrator, but I do get one for regular user that has upn suffix in user record, you can see these fields in user and domain manager.

So please use regular unprivileged users which belongs to "Domain Users" from now on.

To test if user has userPrincipalName use the following command (assuming we search for user at int.corp.de):

$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'bind at int.corp.de' -w PASSWORD -b '' '(userPrincipalName=user at int.corp.de)' cn userPrincipalName

This should find the user (return one result), if not, please checkout user in Users and Domains manager for the domain suffix, maybe it is empty.

To find user without userPrincipalName such as Administrator use the following command:

$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'bind at int.corp.de' -w PASSWORD -b '' '(sAMAccountName=user)' cn userPrincipalName

For example, the above will work for Administrator, but for kerberos to work properly user principal name must be defined, so these users will not work.

You can dump entire GC and send me a user record if no result so I can determine what is different from expectations:

$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'bind at int.corp.de' -w PASSWORD -b '' > /tmp/dump.out

Regards,
Alon

More information about the Users mailing list