[ovirt-users] Extension aaa: No search for principal

Daniel Helgenberger daniel.helgenberger at m-box.de
Tue Sep 15 11:41:02 UTC 2015



On 11.09.2015 17:00, Alon Bar-Lev wrote:
>
>
> ----- Original Message -----
>> From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>> Cc: Users at ovirt.org
>> Sent: Friday, September 11, 2015 5:33:21 PM
>> Subject: Re: [ovirt-users] Extension aaa: No search for principal
>>
>> sorry, forgot one:
>>
>> On 11.09.2015 12:48, Alon Bar-Lev wrote:
>>> Hi!
>>>
>>> Thank you for the information, for some reason the administrator user
>>> cannot be resolved to userPrincipalName during login, is it specific for
>>> Administrator or any user?
>> This is the default domain administrator account which exists in any
>> forest. But just in case I created a new domain user just for the
>> purpose; same outcome
>
Sorry for the delay, Alon.

> I am unsure what actually happens...
I might have an idea, at least from the commands you supplied.

> Something in global catalog is out of sync.
> Usually - you do not add domain administrator to external application... there is no need to expose it.
> By default Administrator does not have "login from network" and "user principal suffix".
>
> Also in my environment I do not get result for administrator, but I do get one for regular user that has upn suffix in user record, you can see these fields in user and domain manager.
>
> So please use regular unprivileged users which belongs to "Domain Users" from now on.
>
> To test if user has userPrincipalName use the following command (assuming we search for user at int.corp.de):
>
> $ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'bind at int.corp.de' -w PASSWORD -b '' '(userPrincipalName=user at int.corp.de)' cn userPrincipalName
It seems with Active Directory (at least) the search base cannot be
empty (-b '') but needs to be provided.

In my case, the above command fails with:
> # search result
> search: 2
> result: 32 No such object
> text: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:

While adding the most basic search path it succeeds:

$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://int.corp.de:389/ -x -D 'bind at int.corp.de' -w PASSWORD -b 'dc=int,dc=corp,dc=de' '(userPrincipalName=administrator at int.corp.de)' cn userPrincipalName
> # search reference
> ref: ldap://ForestDnsZones.int.corp.de/DC=ForestDnsZones,DC=int,DC=corp,DC=de
>
> # search reference
> ref: ldap://DomainDnsZones.int.corp.de/DC=DomainDnsZones,DC=int,DC=corp,DC=de
>
> # search reference
> ref: ldap://int.corp.de/CN=Configuration,DC=int,DC=corp,DC=de
>
> # search result
> search: 2
> result: 0 Success
> control: 1.2.840.113556.1.4.319 false DDDDDDDSSSDDMM=
> pagedresults: cookie=
>
> # numResponses: 4
> # numReferences: 3

It succeeds with every user I tried.

I would set the search base; but I am not sure where to do so.

>
> This should find the user (return one result), if not, please checkout user in Users and Domains manager for the domain suffix, maybe it is empty.
>
> To find user without userPrincipalName such as Administrator use the following command:
>
> $ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'bind at int.corp.de' -w PASSWORD -b '' '(sAMAccountName=user)' cn userPrincipalName
>
> For example, the above will work for Administrator, but for kerberos to work properly user principal name must be defined, so these users will not work.
>
> You can dump entire GC and send me a user record if no result so I can determine what is different from expectations:
>
> $ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'bind at int.corp.de' -w PASSWORD -b '' > /tmp/dump.out

If you still require a dump (it's even a small one...) please drop a mail.

>
> Regards,
> Alon
>

-- 
Daniel Helgenberger
m box bewegtbild GmbH

P: +49/30/2408781-22
F: +49/30/2408781-10

ACKERSTR. 19
D-10115 BERLIN


www.m-box.de  www.monkeymen.tv

Managing Directors: Martin Retschitzegger / Michaela Göllner
Commercial Register: Amtsgericht Charlottenburg / HRB 112767


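Added example, not from the thread or the ovirt project: a small Python parser for the LDIF that ldapsearch prints, which separates search references (referrals) from returned entries and reads the result code, so a "result: 0 Success" that carries only references, as in the port-389 output quoted above (three references, no entry), is not taken as a resolved principal. The base-DN helper derives the search base Daniel had to add from the domain name; the two sample outputs are constructed, modelled on the ones quoted in the thread.

```python
import base64

def domain_to_base_dn(domain: str) -> str:
    """Map a DNS domain to its default naming context: int.corp.de -> dc=int,dc=corp,dc=de."""
    return ",".join(f"dc={label}" for label in domain.strip(".").split("."))

def parse_ldapsearch(output: str) -> dict:
    """Split ldapsearch LDIF output (-o ldif-wrap=no) into entries, referrals and the result code."""
    summary = {"entries": [], "references": [], "result_code": None, "result_text": ""}
    current = None
    for line in output.splitlines() + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                summary["entries"].append(current)
                current = None
            continue
        if line.startswith("#"):                        # ldapsearch comment lines
            continue
        key, _, value = line.partition(":")
        value = (base64.b64decode(value[1:].strip()).decode("utf-8", "replace")  # "attr:: b64"
                 if value.startswith(":") else value.strip())
        if key == "ref":                                # search reference: a referral, not a hit
            summary["references"].append(value)
        elif key == "result":                           # "result: <code> <text>"
            code, _, text = value.partition(" ")
            summary["result_code"], summary["result_text"] = int(code), text
        elif key == "dn":                               # first line of a returned entry
            current = {"dn": value}
        elif current is not None:                       # attribute of the current entry
            current.setdefault(key, []).append(value)
    return summary

def principal_resolved(output: str, attr: str = "userPrincipalName") -> bool:
    """True only if the search succeeded AND some returned entry carries the attribute."""
    s = parse_ldapsearch(output)
    return s["result_code"] == 0 and any(attr in e for e in s["entries"])

# Constructed samples modelled on the outputs quoted in the thread (not real captures).
REFERRALS_ONLY = """# search reference
ref: ldap://ForestDnsZones.int.corp.de/DC=ForestDnsZones,DC=int,DC=corp,DC=de
result: 0 Success
"""
USER_HIT = """dn: CN=user,CN=Users,DC=int,DC=corp,DC=de
cn: user
userPrincipalName: user@int.corp.de

# search result
result: 0 Success
"""
```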
