[ovirt-users] oVirt 3.6 AAA LDAP cannot not log in when end of UPN is different from domain base

Karli Sjöberg karli.sjoberg at slu.se
Thu Mar 24 17:16:07 UTC 2016


Hi!


Starting new thread instead of jacking someone else´s.


Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:

# ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply


All OK, no errors, but cannot log in:

# ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:

API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS


but:

API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user at baz.foo.bar'
SEVERE  Cannot resolve principal 'user at baz.foo.bar'


So it fails.


# ldapsearch -x -H ldap://baz.foo.bar -D user at foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'

userPrincipalName: user at foo.bar


How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when userPrincipalName ends only on '@foo.bar'?

/K

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20160324/f728c94d/attachment-0001.html>


More information about the Users mailing list