[ovirt-users] oVirt 3.6 AAA LDAP cannot not log in when end of UPN is different from domain base

Ondra Machacek omachace at redhat.com
Sat Mar 26 10:35:55 UTC 2016 

For me it's working completelly fine:

...
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@DOMAINX.com
config.mapUser.regex.mustMatch = false
...

$ ovirt-engine-extensions-tool aaa login-user --password=pass:password 
--user-name=user at DOMAINY --profile=ad

  INFO    API: -->Mapping.InvokeCommands.MAP_USER profile='ad' 
user='user at DOMAINY'
  INFO    API: <--Mapping.InvokeCommands.MAP_USER profile='ad' 
user='user at DOMAINY'

$ ovirt-engine-extensions-tool aaa login-user --password=pass:password 
--user-name=user --profile=ad

  INFO    API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
  INFO    API: <--Mapping.InvokeCommands.MAP_USER profile='ad' 
user='user at DOMAINX.com'

As you can see it's correctly mapped.

Please check once again the regex is correct, if it still won't work, 
please send log output again.

On 03/26/2016 10:07 AM, Karli Sjöberg wrote:
> What the heck, my message disappeares! Trying again.
>
> Ok, so it's mapping now but the only thing working is:
> config.mapUser.regex.pattern = user at baz.foo.bar
> config.mapUser.regex.replacement = user at foo.bar
>
> And that isn't very useful. Please advice!
>
> /K
>
> On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
>>
>> Den 25 mars 2016 12:10 fm skrev Karli Sjöberg <karli.sjoberg at slu.se>:
>>   >
>>   >
>>   > Den 24 mars 2016 11:26 em skrev Ondra Machacek <omachace at redhat.com>:
>>   > >
>>   > > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
>>   > > >
>>   > > > Den 24 mars 2016 7:26 em skrev Ondra Machacek <omachace at redhat.com>:
>>   > > >  >
>>   > > >  > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
>>   > > >  > > Hi!
>>   > > >  > >
>>   > > >  > >
>>   > > >  > > Starting new thread instead of jacking someone else´s.
>>   > > >  > >
>>   > > >  > >
>>   > > >  > > Managed to migrate from old 'engine-manage-domains' auth to
>>   > > > aaa-ldap using:
>>   > > >  > >
>>   > > >  > > #| ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar
>> --cacert
>>   > > >  > > /tmp/ca.crt --apply
>>   > > >  > > |
>>   > > >  > >
>>   > > >  > >
>>   > > >  > > All OK, no errors, but cannot log in:
>>   > > >  > >
>>   > > >  > > # ovirt-engine-extensions-tool aaa login-user
>> --profile=baz.foo.bar-new
>>   > > >  > > --user-name=user:
>>   > > >  >
>>   > > >  > If you want to login with user with different upn suffix, then
>> just
>>   > > >  > append that suffix
>>   > > >  >
>>   > > >  > $ ovirt-engine-extensions-tool aaa login-user
>> --profile=baz.foo.bar-new
>>   > > >  > --user-name=user at foo.bar
>>   > > >
>>   > > > OK, some progress, that works!
>>   > > >
>>   > > >  >
>>   > > >  > If you have more suffixes and want to have some as default you
>> can use
>>   > > >  > following approach:
>>   > > >  >
>>   > > >  > 1) install ovirt-engine-extension-aaa-misc
>>   > > >  >
>>   > > >  > 2) create new mapping extension like this:
>>   > > >  > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
>>   > > >  >
>>   > > >  > ovirt.engine.extension.name = mapping-suffix
>>   > > >  > ovirt.engine.extension.bindings.method = jbossmodule
>>   > > >  > ovirt.engine.extension.binding.jbossmodule.module =
>>   > > >  > org.ovirt.engine-extensions.aaa.misc
>>   > > >  > ovirt.engine.extension.binding.jbossmodule.class =
>>   > > >  > org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
>>   > > >  > ovirt.engine.extension.provides =
>>   > > >  > org.ovirt.engine.api.extensions.aaa.Mapping
>>   > > >  > config.mapUser.type = regex
>>   > > >  > config.mapUser.pattern = ^(?<user>[^@]*)$
>>   > > >
>>   > > > Is that supposed to really say '<user>' or should it be changed to a
>>   > > > real user name? Either way, it doesn't work, I tried it all.
>>   > >
>>   > > '?<user>' is just a named group in that regex so you can later use
>> it in
>>   > > 'config.mapUser.replacement'  option. It should take everything until
>>   > > first '@'.
>>   > >
>>   > > >
>>   > > >  > config.mapUser.replacement = ${user}@foo.bar
>>   > > >  > config.mapUser.mustMatch = false
>>   > > >  >
>>   > > >  > 3) select a mapping plugin in authn configuration:
>>   > > >  >
>>   > > >  > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
>>   > > >  >
>>   > > >  > With above configuration in use, your user 'user' witll be
>> mapped to
>>   > > >  > user 'user at foo.bar'
>>   > > >  > and users 'user at anotherdomain.foo.bar' will remain
>>   > > >  > 'user at anotherdomain.foo.bar'.
>>   > > >
>>   > > > This however does not, it doesn't replace the suffix as it's supposed
>>   > > > to. I tried with many different types of the 'mapUser.pattern' but it
>>   > > > simply won't change it, even if I type in '= ^user at baz.foo.bar$', the
>>   > > > error is the same:(
>>   > >
>>   > > Hmm, hard to say what's wrong, try to run:
>>   > > $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
>>   > > --profile=baz.foo.bar-new --user-name=user
>>   > >
>>   > > and search for a mapping part in log.
>>   >
>>   > Wow what a mouthfull:) Can you make anything out of it?
>>   >
>>   > https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
>>   >
>>   > /K
>>
>> Just noticed after logging in to webadmin as "user at foo.bar" (which
>> worked btw, so good there) that the "User Name" in Users main tab looks
>> really odd:
>> user at foo.bar@baz.foo.bar-new-authz
>
> Sorry you are right, it don't work. I've sent you incorrect
> cofiguration,  the correct one is:
>
> /etc/ovirt-engine/extensions.d/mapping-suffix.properties
>
> ...
> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
> config.mapUser.regex.replacement = ${user}@foo.bar
> config.mapUser.regex.mustMatch = false
> ...
>
> Notice there was missing 'regex', after 'mapUser'.
>
>>
>> /K
>>
>>   >
>>   > >
>>   > > >
>>   > > > /K
>>   > > >
>>   > > >  >
>>   > > >  > >
>>   > > >  > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
>> result=SUCCESS
>>   > > >  > >
>>   > > >  > >
>>   > > >  > > but:
>>   > > >  > >
>>   > > >  > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD
>>   > > >  > > principal='user at baz.foo.bar'
>>   > > >  > > SEVERE  Cannot resolve principal 'user at baz.foo.bar'
>>   > > >  > >
>>   > > >  > >
>>   > > >  > > So it fails.
>>   > > >  > >
>>   > > >  > >
>>   > > >  > > # ldapsearch -x -H ldap://baz.foo.bar -D user at foo.bar -W -b
>>   > > >  > > DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)"
>> userPrincipalName |
>>   > > >  > > grep 'userPrincipalName:'
>>   > > >  > >
>>   > > >  > > userPrincipalName: user at foo.bar
>>   > > >  > >
>>   > > >  > >
>>   > > >  > > |How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when
>>   > > >  > > userPrincipalName ends only on '@foo.bar'?
>>   > > >  > >
>>   > > >  > > /K
>>   > > >  > > |
>>   > > >  > >
>>   > > >  > >
>>   > > >  > >
>>   > > >  > >
>>   > > >  > > _______________________________________________
>>   > > >  > > Users mailing list
>>   > > >  > > Users at ovirt.org
>>   > > >  > > http://lists.ovirt.org/mailman/listinfo/users
>>   > > >  > >
>>   > > >
>>

More information about the Users mailing list