[ovirt-users] oVirt 3.6 AAA LDAP cannot not log in when end of UPN is different from domain base

Karli Sjöberg karli.sjoberg at slu.se
Thu Mar 24 23:10:05 UTC 2016


On 24 Mar 2016 11:26 PM, Ondra Machacek <omachace at redhat.com> wrote:
>
> On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
> >
> > On 24 Mar 2016 7:26 PM, Ondra Machacek <omachace at redhat.com> wrote:
> >  >
> >  > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
> >  > > Hi!
> >  > >
> >  > >
> >  > > Starting new thread instead of jacking someone else's.
> >  > >
> >  > >
> >  > > Managed to migrate from old 'engine-manage-domains' auth to
> > aaa-ldap using:
> >  > >
> >  > > # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert
> >  > > /tmp/ca.crt --apply
> >  > >
> >  > >
> >  > > All OK, no errors, but cannot log in:
> >  > >
> >  > > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new
> >  > > --user-name=user:
> >  >
> >  > If you want to login with user with different upn suffix, then just
> >  > append that suffix
> >  >
> >  > $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new
> >  > --user-name=user at foo.bar
> >
> > OK, some progress, that works!
> >
> >  >
> >  > If you have more suffixes and want to have some as default you can use
> >  > following approach:
> >  >
> >  > 1) install ovirt-engine-extension-aaa-misc
> >  >
> >  > 2) create new mapping extension like this:
> >  > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
> >  >
> >  > ovirt.engine.extension.name = mapping-suffix
> >  > ovirt.engine.extension.bindings.method = jbossmodule
> >  > ovirt.engine.extension.binding.jbossmodule.module =
> >  > org.ovirt.engine-extensions.aaa.misc
> >  > ovirt.engine.extension.binding.jbossmodule.class =
> >  > org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> >  > ovirt.engine.extension.provides =
> >  > org.ovirt.engine.api.extensions.aaa.Mapping
> >  > config.mapUser.type = regex
> >  > config.mapUser.pattern = ^(?<user>[^@]*)$
> >
> > Is that supposed to really say '<user>' or should it be changed to a
> > real user name? Either way, it doesn't work, I tried it all.
>
> '?<user>' is just a named group in that regex so you can later use it in
> 'config.mapUser.replacement'  option. It should take everything until
> first '@'.
>
> >
> >  > config.mapUser.replacement = ${user}@foo.bar
> >  > config.mapUser.mustMatch = false
> >  >
> >  > 3) select a mapping plugin in authn configuration:
> >  >
> >  > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
> >  >
> >  > With above configuration in use, your user 'user' will be mapped to
> >  > user 'user at foo.bar'
> >  > and users 'user at anotherdomain.foo.bar' will remain
> >  > 'user at anotherdomain.foo.bar'.
> >
> > This however does not, it doesn't replace the suffix as it's supposed
> > to. I tried with many different types of the 'mapUser.pattern' but it
> > simply won't change it, even if I type in '= ^user at baz.foo.bar$', the
> > error is the same:(
>
> Hmm, hard to say what's wrong, try to run:
> $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
> --profile=baz.foo.bar-new --user-name=user
>
> and search for a mapping part in log.

Wow, what a mouthful :) Can you make anything out of it?

https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download

/K

>
> >
> > /K
> >
> >  >
> >  > >
> >  > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
> >  > >
> >  > >
> >  > > but:
> >  > >
> >  > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD
> >  > > principal='user at baz.foo.bar'
> >  > > SEVERE  Cannot resolve principal 'user at baz.foo.bar'
> >  > >
> >  > >
> >  > > So it fails.
> >  > >
> >  > >
> >  > > # ldapsearch -x -H ldap://baz.foo.bar -D user at foo.bar -W -b
> >  > > DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName |
> >  > > grep 'userPrincipalName:'
> >  > >
> >  > > userPrincipalName: user at foo.bar
> >  > >
> >  > >
> >  > > How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when
> >  > > userPrincipalName ends only on '@foo.bar'?
> >  > >
> >  > > /K
> >  > >
> >  > >
> >  > >
> >  > >
> >  > > _______________________________________________
> >  > > Users mailing list
> >  > > Users at ovirt.org
> >  > > http://lists.ovirt.org/mailman/listinfo/users
> >  > >
> >
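The regex mapping from the quoted configuration, modelled here in Python as an added example (not the oVirt aaa-misc extension's own Java code): the named group `user` captures everything before the first '@', the replacement `${user}@foo.bar` rebuilds the name, and `mustMatch = false` lets a name that does not match the pattern pass through unchanged. The Java named-group and `${name}` syntax is translated to Python's equivalents; `MAPPING_CONFIG` and `map_user` are assumed names.

```python
import re

# Constructed copy of the config.mapUser.* keys quoted in the thread.
MAPPING_CONFIG = {
    "config.mapUser.type": "regex",
    "config.mapUser.pattern": r"^(?<user>[^@]*)$",
    "config.mapUser.replacement": "${user}@foo.bar",
    "config.mapUser.mustMatch": "false",
}


def _to_python_regex(pattern: str, replacement: str):
    """Translate Java regex syntax to Python's (assumption: Java semantics)."""
    # Java named groups are (?<name>...); Python needs (?P<name>...).
    py_pattern = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)
    # Java replacement references ${name} become \g<name> in Python.
    py_repl = re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)
    return re.compile(py_pattern), py_repl


def map_user(login_name: str, config: dict = MAPPING_CONFIG) -> str:
    """Return the user name the authn/authz chain sees after the mapping."""
    regex, repl = _to_python_regex(
        config["config.mapUser.pattern"], config["config.mapUser.replacement"]
    )
    must_match = config["config.mapUser.mustMatch"].strip().lower() == "true"
    match = regex.match(login_name)
    if match is None:
        if must_match:
            raise ValueError(f"{login_name!r} does not match the mapping pattern")
        return login_name  # mustMatch=false: unmatched names pass through unchanged
    return match.expand(repl)  # e.g. 'user' -> 'user@foo.bar'


if __name__ == "__main__":
    for name in ("user", "user@anotherdomain.foo.bar"):
        print(f"{name!r} -> {map_user(name)!r}")
    # The anchored literal pattern tried in the thread never matches a bare 'user'.
    literal = dict(MAPPING_CONFIG, **{"config.mapUser.pattern": "^user@baz.foo.bar$"})
    print(f"'user' with literal pattern -> {map_user('user', literal)!r}")
```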