[ovirt-users] oVirt 3.6 AAA LDAP cannot log in when end of UPN is different from domain base
Karli Sjöberg
karli.sjoberg at slu.se
Thu Mar 24 17:16:07 UTC 2016
Hi!
Starting a new thread instead of hijacking someone else's.
Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:
# ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
All OK, no errors, but cannot log in:
# ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:
API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
but:
API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user@baz.foo.bar'
SEVERE Cannot resolve principal 'user@baz.foo.bar'
So it fails.
# ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
userPrincipalName: user@foo.bar
How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when userPrincipalName ends only on '@foo.bar'?
/K
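The failure above is easier to see as a model: the authentication step works because the bind uses the account name, but the authorization step then keys the principal record lookup on 'user@baz.foo.bar', while the directory's userPrincipalName is 'user@foo.bar' and the search base is DC=baz,DC=foo,DC=bar. The following is an added illustration written for this thread, not oVirt or aaa-ldap code: it models a small directory with constructed entries (names and DNs are hypothetical), resolves the same principal once by UPN (the lookup that fails) and once by sAMAccountName scoped to the base DN (the lookup that finds the account), and builds the corresponding LDAP filters with RFC 4515 escaping so a user-supplied name cannot alter the filter.

```python
"""Model of principal resolution against an AD-style directory.

Added example for this thread, not oVirt or ovirt-engine-extension-aaa-ldap
code.  All entries below are constructed to mirror the layout in the post:
the account sits under DC=baz,DC=foo,DC=bar but its UPN suffix is @foo.bar.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    dn: str
    sam_account_name: str
    user_principal_name: str


# Constructed sample directory (hypothetical DNs and names).
DIRECTORY = [
    Entry("CN=user,OU=People,DC=baz,DC=foo,DC=bar", "user", "user@foo.bar"),
    # An account in the parent domain, outside the baz search base.
    Entry("CN=other,OU=People,DC=foo,DC=bar", "other", "other@foo.bar"),
]

BASE_DN = "DC=baz,DC=foo,DC=bar"

# RFC 4515 filter escaping; applied to anything that came from a login form.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter(value: str) -> str:
    """Escape LDAP search filter metacharacters (RFC 4515 section 3)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def dn_components(dn: str) -> list:
    return [c.strip().lower() for c in dn.split(",")]


def in_base(dn: str, base: str) -> bool:
    """True if dn lies at or below base (subtree scope)."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[-len(b):] == b


def split_principal(principal: str) -> tuple:
    """Split 'name@realm' into (name, realm); realm is lower-cased."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal must look like name@realm: %r" % principal)
    return name, realm.lower()


def upn_filter(principal: str) -> str:
    return "(userPrincipalName=%s)" % escape_filter(principal)


def name_filter(principal: str) -> str:
    name, _ = split_principal(principal)
    return "(sAMAccountName=%s)" % escape_filter(name)


def resolve_by_upn(principal: str, base: str = BASE_DN, directory=DIRECTORY):
    """Lookup keyed on the full principal, as the failing fetch above does."""
    for e in directory:
        if e.user_principal_name.lower() == principal.lower() and in_base(e.dn, base):
            return e
    return None


def resolve_by_name(principal: str, base: str = BASE_DN, directory=DIRECTORY):
    """Lookup keyed on the account name, scoped to the search base."""
    name, _ = split_principal(principal)
    for e in directory:
        if e.sam_account_name.lower() == name.lower() and in_base(e.dn, base):
            return e
    return None


if __name__ == "__main__":
    p = "user@baz.foo.bar"
    print(upn_filter(p), "->", resolve_by_upn(p))    # no match: UPN is user@foo.bar
    print(name_filter(p), "->", resolve_by_name(p))  # found under the baz base
```

The two filters are exactly the ones worth running by hand with ldapsearch against the real server, with the same -b base and -s sub: if the UPN filter returns nothing and the sAMAccountName filter returns the entry, the profile has to resolve principals by account name within the base rather than by the full principal string.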