[ovirt-users] oVirt 3.6 AAA LDAP cannot log in when end of UPN is different from domain base

Ondra Machacek omachace at redhat.com
Thu Mar 24 18:28:11 UTC 2016


On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
> Hi!
>
>
> Starting new thread instead of jacking someone else´s.
>
>
> Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:
>
> # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
>
>
> All OK, no errors, but cannot log in:
>
> # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:

If you want to log in with a user with a different UPN suffix, then just 
append that suffix:

$ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user@foo.bar

If you have more suffixes and want to have one as the default, you can use 
the following approach:

1) install ovirt-engine-extension-aaa-misc

2) create new mapping extension like this:
/etc/ovirt-engine/extensions.d/mapping-suffix.properties

ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false

3) select a mapping plugin in authn configuration:

ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix

With the above configuration in use, your user 'user' will be mapped to 
user 'user@foo.bar',
and users like 'user@anotherdomain.foo.bar' will remain 
'user@anotherdomain.foo.bar'.

>
> API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
>
>
> but:
>
> API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user@baz.foo.bar'
> SEVERE  Cannot resolve principal 'user@baz.foo.bar'
>
>
> So it fails.
>
>
> # ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
>
> userPrincipalName: user@foo.bar
>
>
> How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when
> userPrincipalName ends only in '@foo.bar'?
>
> /K
>
>
>
>
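The mapping step in the reply above rewrites the login name with a regex before it reaches the LDAP authn extension. As an added illustration, not oVirt's own code and not from anyone in this thread, the Python below models what the config.mapUser.* keys express: it converts the Java-style named group `(?<user>...)` and the `${user}` replacement token into Python's `re` syntax (an assumption about how the Java MappingExtension evaluates them, made so the page's own pattern can be run here), then shows that 'user' becomes 'user@foo.bar', that a name already carrying a UPN suffix is left untouched, and what `mustMatch = true` would do with a non-matching name.

```python
import re

# Values copied from the mapping-suffix.properties shown in the reply.
MAP_USER_PATTERN = r"^(?<user>[^@]*)$"
MAP_USER_REPLACEMENT = "${user}@foo.bar"
MAP_USER_MUST_MATCH = False


def java_regex_to_python(pattern: str) -> str:
    """Rewrite Java named groups (?<name>...) as Python (?P<name>...).

    Only the group-opening syntax differs for this pattern; lookbehinds
    such as (?<= are not touched because a name must follow the '<'.
    """
    return re.sub(r"\(\?<(?P<name>[A-Za-z][A-Za-z0-9]*)>", r"(?P<\g<name>>", pattern)


def java_replacement_to_python(replacement: str) -> str:
    """Rewrite Java ${name} group references as Python \\g<name>."""
    return re.sub(r"\$\{(?P<name>[A-Za-z][A-Za-z0-9]*)\}", r"\\g<\g<name>>", replacement)


def map_user(login_name: str,
             pattern: str = MAP_USER_PATTERN,
             replacement: str = MAP_USER_REPLACEMENT,
             must_match: bool = MAP_USER_MUST_MATCH) -> str:
    """Model of the regex mapUser rewrite (hypothetical emulation, not the Java code).

    A login name that matches the pattern is rewritten with the replacement.
    A name that does not match is passed through unchanged when mustMatch is
    false, and rejected when mustMatch is true.
    """
    regex = re.compile(java_regex_to_python(pattern))
    match = regex.match(login_name)
    if match is None:
        if must_match:
            raise ValueError(f"login name {login_name!r} does not match mapUser.pattern")
        return login_name
    return match.expand(java_replacement_to_python(replacement))


def demo() -> dict:
    """Run the page's two cases plus the mustMatch edge case; returns a result table."""
    results = {
        # bare sAMAccountName-style login: suffix gets appended
        "user": map_user("user"),
        # login that already carries another UPN suffix: [^@]* cannot match the '@'
        "user@anotherdomain.foo.bar": map_user("user@anotherdomain.foo.bar"),
    }
    try:
        map_user("user@anotherdomain.foo.bar", must_match=True)
        results["mustMatch=true"] = "accepted"
    except ValueError:
        results["mustMatch=true"] = "rejected"
    return results


if __name__ == "__main__":
    for login, outcome in demo().items():
        print(f"{login!r:35} -> {outcome!r}")
```

Note that `[^@]*` also matches the empty string, so an empty login name would be rewritten to '@foo.bar'; if that is undesirable in a real deployment, tighten the pattern to `^(?<user>[^@]+)$` so the name must be non-empty.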