[ovirt-users] oVirt 3.6 AAA LDAP cannot not log in when end of UPN is different from domain base

Ondra Machacek omachace at redhat.com
Sat Mar 26 20:32:32 UTC 2016


On 03/26/2016 02:09 PM, Karli Sjöberg wrote:
>
>> On 26 Mar 2016, at 13:49, Karli Sjöberg <Karli.Sjoberg at slu.se> wrote:
>>
>>
>>> On 26 Mar 2016, at 11:35, Ondra Machacek <omachace at redhat.com> wrote:
>>>
>>> For me it's working completely fine:
>>>
>>> ...
>>> config.mapUser.type = regex
>>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
>>> config.mapUser.regex.replacement = ${user}@DOMAINX.com
>>> config.mapUser.regex.mustMatch = false
>>> ...
>>>
>>> $ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user@DOMAINY --profile=ad
>>>
>>> INFO    API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
>>> INFO    API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
>>>
>>> $ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user --profile=ad
>>>
>>> INFO    API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
>>> INFO    API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINX.com'
>>>
>>> As you can see it's correctly mapped.
>>>
>>> Please check once again the regex is correct, if it still won't work,
>>> please send log output again.
>>
>> /etc/ovirt-engine/extensions.d/mapping-suffix.properties:
>> ovirt.engine.extension.name = mapping-suffix
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
>> config.mapUser.type = regex
>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
>> config.mapUser.regex.replacement = ${user}@foo.bar
>> config.mapUser.regex.mustMatch = false
>>
>> # ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user@baz.foo.bar
>> # grep Mapping.InvokeCommands.MAP_USER login.log
>> 2016-03-26 13:27:40 INFO    API: -->Mapping.InvokeCommands.MAP_USER user='user@baz.foo.bar'
>> 2016-03-26 13:27:40 INFO    API: <--Mapping.InvokeCommands.MAP_USER user='user@baz.foo.bar'
>>
>> And here is the log:
>> https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download
>>
>> /K
>
> Eureka! I changed 'vars.user' in 'baz.foo.bar-new.properties' from one
> with suffix '@baz.foo.bar' to mine that has a '@foo.bar' ending and now
> it works, for some reason. Very strange, but anyway... How do I go about
> changing from UPN to samAccountName, if I'd want that instead?

Well, we support only UPN, because sam supports only 15 characters in the
username.

>
> /K
>
>>
>>>
>>> On 03/26/2016 10:07 AM, Karli Sjöberg wrote:
>>>> What the heck, my message disappeared! Trying again.
>>>>
>>>> Ok, so it's mapping now but the only thing working is:
>>>> config.mapUser.regex.pattern = user@baz.foo.bar
>>>> config.mapUser.regex.replacement = user@foo.bar
>>>>
>>>> And that isn't very useful. Please advise!
>>>>
>>>> /K
>>>>
>>>> On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
>>>>>
>>>>> Den 25 mars 2016 12:10 fm skrev Karli Sjöberg <karli.sjoberg at slu.se>:
>>>>>  >
>>>>>  >
>>>>>  > Den 24 mars 2016 11:26 em skrev Ondra Machacek <omachace at redhat.com>:
>>>>>  > >
>>>>>  > > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
>>>>>  > > >
>>>>>  > > > Den 24 mars 2016 7:26 em skrev Ondra Machacek <omachace at redhat.com>:
>>>>>  > > >  >
>>>>>  > > >  > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
>>>>>  > > >  > > Hi!
>>>>>  > > >  > >
>>>>>  > > >  > >
>>>>>  > > >  > > Starting new thread instead of hijacking someone else's.
>>>>>  > > >  > >
>>>>>  > > >  > >
>>>>>  > > >  > > Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:
>>>>>  > > >  > >
>>>>>  > > >  > > # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
>>>>>  > > >  > >
>>>>>  > > >  > >
>>>>>  > > >  > > All OK, no errors, but cannot log in:
>>>>>  > > >  > >
>>>>>  > > >  > > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:
>>>>>  > > >  >
>>>>>  > > >  > If you want to log in with a user with a different UPN suffix, then just
>>>>>  > > >  > append that suffix:
>>>>>  > > >  >
>>>>>  > > >  > $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user@foo.bar
>>>>>  > > >
>>>>>  > > > OK, some progress, that works!
>>>>>  > > >
>>>>>  > > >  >
>>>>>  > > >  > If you have more suffixes and want to have one of them as the default, you
>>>>>  > > >  > can use the following approach:
>>>>>  > > >  >
>>>>>  > > >  > 1) install ovirt-engine-extension-aaa-misc
>>>>>  > > >  >
>>>>>  > > >  > 2) create new mapping extension like this:
>>>>>  > > >  > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
>>>>>  > > >  >
>>>>>  > > >  > ovirt.engine.extension.name = mapping-suffix
>>>>>  > > >  > ovirt.engine.extension.bindings.method = jbossmodule
>>>>>  > > >  > ovirt.engine.extension.binding.jbossmodule.module =
>>>>>  > > >  > org.ovirt.engine-extensions.aaa.misc
>>>>>  > > >  > ovirt.engine.extension.binding.jbossmodule.class =
>>>>>  > > >  > org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
>>>>>  > > >  > ovirt.engine.extension.provides =
>>>>>  > > >  > org.ovirt.engine.api.extensions.aaa.Mapping
>>>>>  > > >  > config.mapUser.type = regex
>>>>>  > > >  > config.mapUser.pattern = ^(?<user>[^@]*)$
>>>>>  > > >
>>>>>  > > > Is that supposed to really say '<user>' or should it be changed to a
>>>>>  > > > real user name? Either way, it doesn't work, I tried it all.
>>>>>  > >
>>>>>  > > '?<user>' is just a named group in that regex so you can later use it in
>>>>>  > > the 'config.mapUser.replacement' option. It should take everything until
>>>>>  > > the first '@'.
>>>>>  > >
>>>>>  > > >
>>>>>  > > >  > config.mapUser.replacement = ${user}@foo.bar
>>>>>  > > >  > config.mapUser.mustMatch = false
>>>>>  > > >  >
>>>>>  > > >  > 3) select a mapping plugin in authn configuration:
>>>>>  > > >  >
>>>>>  > > >  > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
>>>>>  > > >  >
>>>>>  > > >  > With the above configuration in use, your user 'user' will be mapped to
>>>>>  > > >  > user 'user@foo.bar' and users 'user@anotherdomain.foo.bar' will remain
>>>>>  > > >  > 'user@anotherdomain.foo.bar'.
>>>>>  > > >
>>>>>  > > > This however does not, it doesn't replace the suffix as it's supposed
>>>>>  > > > to. I tried with many different types of the 'mapUser.pattern' but it
>>>>>  > > > simply won't change it, even if I type in '= ^user@baz.foo.bar$', the
>>>>>  > > > error is the same :(
>>>>>  > >
>>>>>  > > Hmm, hard to say what's wrong, try to run:
>>>>>  > > $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
>>>>>  > > --profile=baz.foo.bar-new --user-name=user
>>>>>  > >
>>>>>  > > and search for a mapping part in log.
>>>>>  >
>>>>>  > Wow what a mouthful :) Can you make anything out of it?
>>>>>  >
>>>>>  > https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
>>>>>  >
>>>>>  > /K
>>>>>
>>>>> Just noticed after logging in to webadmin as "user@foo.bar" (which
>>>>> worked btw, so good there) that the "User Name" in Users main tab looks
>>>>> really odd:
>>>>> user@foo.bar@baz.foo.bar-new-authz
>>>>
>>>> Sorry, you are right, it doesn't work. I've sent you an incorrect
>>>> configuration, the correct one is:
>>>>
>>>> /etc/ovirt-engine/extensions.d/mapping-suffix.properties
>>>>
>>>> ...
>>>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
>>>> config.mapUser.regex.replacement = ${user}@foo.bar
>>>> config.mapUser.regex.mustMatch = false
>>>> ...
>>>>
>>>> Notice that 'regex' was missing after 'mapUser'.
>>>>
>>>>>
>>>>> /K
>>>>>
>>>>>  >
>>>>>  > >
>>>>>  > > >
>>>>>  > > > /K
>>>>>  > > >
>>>>>  > > >  >
>>>>>  > > >  > >
>>>>>  > > >  > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
>>>>> result=SUCCESS
>>>>>  > > >  > >
>>>>>  > > >  > >
>>>>>  > > >  > > but:
>>>>>  > > >  > >
>>>>>  > > >  > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user@baz.foo.bar'
>>>>>  > > >  > > SEVERE  Cannot resolve principal 'user@baz.foo.bar'
>>>>>  > > >  > >
>>>>>  > > >  > >
>>>>>  > > >  > > So it fails.
>>>>>  > > >  > >
>>>>>  > > >  > >
>>>>>  > > >  > > # ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b \
>>>>>  > > >  > >     DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | \
>>>>>  > > >  > >     grep 'userPrincipalName:'
>>>>>  > > >  > >
>>>>>  > > >  > > userPrincipalName: user@foo.bar
>>>>>  > > >  > >
>>>>>  > > >  > >
>>>>>  > > >  > > How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when
>>>>>  > > >  > > userPrincipalName ends only on '@foo.bar'?
>>>>>  > > >  > >
>>>>>  > > >  > > /K
>>>>>  > > >  > >
>>>>>  > > >  > >
>>>>>  > > >  > >
>>>>>  > > >  > >
>>>>>  > > >
>>>>>
>>
>
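The regex user mapping that this whole thread turns on, as an added example that is not part of the thread and not code from ovirt-engine-extension-aaa-misc: a small Python simulation that parses the pasted mapping-suffix.properties fragment, translates the Java-style named group `(?<user>...)` and `${user}` replacement into Python's `re` syntax, applies the mapping, and reports the key-naming mistake (`config.mapUser.pattern` instead of `config.mapUser.regex.pattern`) that caused the first configuration to silently do nothing. Assumptions, marked in the code: the mapper is modelled as a first-match regex substitution, `mustMatch = true` is modelled as rejecting a name that does not match, `mustMatch` defaults to false when absent, and the two config strings are constructed from the fragments quoted above.

```python
"""Simulation of the oVirt aaa-misc 'mapping' extension's regex user mapping.

Added example for this thread, not the extension's own code. Assumptions are
marked below; the config fragments are rebuilt from the ones pasted in the thread.
"""
import re
from typing import Dict, Iterable, Optional

# Constructed from the corrected configuration in the thread (config.mapUser.regex.* keys).
GOOD_CONFIG = """\
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
"""

# Constructed from the first, incorrect configuration ('regex' missing from the keys).
BAD_CONFIG = """\
ovirt.engine.extension.name = mapping-suffix
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: 'key = value' lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def java_regex_to_python(pattern: str) -> str:
    """Java names a group (?<name>...); Python's re needs (?P<name>...).
    Lookbehinds (?<= and (?<! are left alone because no letter follows '<'."""
    return re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", pattern)


def java_replacement_to_python(template: str) -> str:
    """Java replacement ${name} becomes Python's \\g<name>."""
    return re.sub(r"\$\{(\w+)\}", r"\\g<\1>", template)


class RegexUserMapper:
    """Applies config.mapUser.regex.* to a login name the way the thread describes."""

    PREFIX = "config.mapUser.regex."

    def __init__(self, props: Dict[str, str]) -> None:
        if props.get("config.mapUser.type") != "regex":
            raise ValueError("config.mapUser.type must be 'regex' for this mapper")
        missing = [self.PREFIX + k for k in ("pattern", "replacement")
                   if self.PREFIX + k not in props]
        if missing:
            # This is exactly the mistake in the first config posted in the thread.
            raise ValueError("missing %s; keys must be config.mapUser.regex.*, "
                             "not config.mapUser.*" % ", ".join(missing))
        self.regex = re.compile(java_regex_to_python(props[self.PREFIX + "pattern"]))
        self.replacement = java_replacement_to_python(props[self.PREFIX + "replacement"])
        # Assumption: mustMatch defaults to false, and true turns a non-match into an error.
        self.must_match = props.get(self.PREFIX + "mustMatch", "false").lower() == "true"

    def map_user(self, name: str) -> str:
        if self.regex.search(name) is None:
            if self.must_match:
                raise ValueError(f"user name {name!r} does not match mapping pattern")
            return name  # mustMatch=false: the name passes through unchanged
        # Assumption: modelled as a single (first-match) substitution.
        return self.regex.sub(self.replacement, name, count=1)


def map_all(config_text: str, names: Iterable[str]) -> Dict[str, str]:
    """Load a config and map every name; returns {original: mapped}."""
    mapper = RegexUserMapper(parse_properties(config_text))
    return {n: mapper.map_user(n) for n in names}


def config_error(config_text: str) -> Optional[str]:
    """Return the validation error for a config, or None if it loads cleanly."""
    try:
        RegexUserMapper(parse_properties(config_text))
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for name, mapped in map_all(GOOD_CONFIG, ["user", "user@anotherdomain.foo.bar"]).items():
        print(f"{name!r:30} -> {mapped!r}")
    print("bad config:", config_error(BAD_CONFIG))
```

With GOOD_CONFIG, `user` becomes `user@foo.bar` while `user@anotherdomain.foo.bar` is untouched, which is the behaviour the thread settles on; with BAD_CONFIG the loader refuses the file instead of accepting it and mapping nothing, which is the failure mode that cost several round trips above. The real extension is Java and its exact handling of mustMatch and of partial matches is not shown on this page, so those two points are the simulation's assumptions.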



More information about the Users mailing list