[ovirt-users] oVirt 3.6 AAA LDAP cannot not log in when end of UPN is different from domain base

Karli Sjöberg karli.sjoberg at slu.se
Mon Mar 28 18:01:59 UTC 2016


On 28 March 2016 at 7:39 PM, Ondra Machacek <omachace at redhat.com> wrote:
>
> On 03/27/2016 11:40 AM, Karli Sjöberg wrote:
> >
> >> On 26 Mar 2016, at 21:32, Ondra Machacek <omachace at redhat.com> wrote:
> >>
> >> On 03/26/2016 02:09 PM, Karli Sjöberg wrote:
> >>>
> >>>> On 26 Mar 2016, at 13:49, Karli Sjöberg <Karli.Sjoberg at slu.se> wrote:
> >>>>
> >>>>
> >>>>> On 26 Mar 2016, at 11:35, Ondra Machacek <omachace at redhat.com> wrote:
> >>>>>
> >>>>> For me it's working completely fine:
> >>>>>
> >>>>> ...
> >>>>> config.mapUser.type = regex
> >>>>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
> >>>>> config.mapUser.regex.replacement = ${user}@DOMAINX.com
> >>>>> config.mapUser.regex.mustMatch = false
> >>>>> ...
> >>>>>
> >>>>> $ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user at DOMAINY --profile=ad
> >>>>>
> >>>>> INFO    API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user at DOMAINY'
> >>>>> INFO    API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user at DOMAINY'
> >>>>>
> >>>>> $ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user --profile=ad
> >>>>>
> >>>>> INFO    API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
> >>>>> INFO    API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user at DOMAINX.com'
> >>>>>
> >>>>> As you can see it's correctly mapped.
> >>>>>
> >>>>> Please check once again that the regex is correct; if it still won't work,
> >>>>> please send the log output again.
> >>>>
> >>>> /etc/ovirt-engine/extensions.d/mapping-suffix.properties:
> >>>> ovirt.engine.extension.name = mapping-suffix
> >>>> ovirt.engine.extension.bindings.method = jbossmodule
> >>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> >>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> >>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
> >>>> config.mapUser.type = regex
> >>>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
> >>>> config.mapUser.regex.replacement = ${user}@foo.bar
> >>>> config.mapUser.regex.mustMatch = false
> >>>>
> >>>> # ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user at baz.foo.bar
> >>>> # grep Mapping.InvokeCommands.MAP_USER login.log
> >>>> 2016-03-26 13:27:40 INFO    API: -->Mapping.InvokeCommands.MAP_USER user='user at baz.foo.bar'
> >>>> 2016-03-26 13:27:40 INFO    API: <--Mapping.InvokeCommands.MAP_USER user='user at baz.foo.bar'
> >>>>
> >>>> And here is the log:
> >>>> https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download
> >>>>
> >>>> /K
> >>>
> >>> Eureka! I changed ‘vars.user’ in ‘baz.foo.bar-new.properties’ from one
> >>> with suffix ‘@baz.foo.bar’ to mine that has a ‘@foo.bar’ ending and now
> >>> it works, for some reason. Very strange, but anyway... How do I go about
> >>> changing from UPN to samAccountName, if I'd want that instead?
> >>
> >> Well, we support only UPN, because SAM supports only 15 characters in a username.
> >
> > OK, thank you. From here comes the really daunting part, which is to go through all the VMs, check their permissions, add the same user(s) from the new provider and delete the old. Probably going to start a new thread for doing that with Python, but I'll cross that bridge when I get to it, this was only a virtual test environment for going from 3.4 to 3.6.
>
> Not sure I understand, why would you do that? This is what the migration
> tool does for you as well, so why do you need to do it again?

Ah, I must have misread the instructions. So if it turns out to be necessary, I know who to blame:P Thanks for pointing that out!

/K

>
> >
> > /K
> >
> >>
> >>>
> >>> /K
> >>>
> >>>>
> >>>>>
> >>>>> On 03/26/2016 10:07 AM, Karli Sjöberg wrote:
> >>>>>> What the heck, my message disappeared! Trying again.
> >>>>>>
> >>>>>> Ok, so it's mapping now but the only thing working is:
> >>>>>> config.mapUser.regex.pattern = user at baz.foo.bar
> >>>>>> config.mapUser.regex.replacement = user at foo.bar
> >>>>>>
> >>>>>> And that isn't very useful. Please advise!
> >>>>>>
> >>>>>> /K
> >>>>>>
> >>>>>> On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
> >>>>>>>
> >>>>>>> On 25 March 2016 at 12:10 AM, Karli Sjöberg <karli.sjoberg at slu.se> wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 24 March 2016 at 11:26 PM, Ondra Machacek <omachace at redhat.com> wrote:
> >>>>>>>>>
> >>>>>>>>> On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
> >>>>>>>>>>
> >>>>>>>>>> On 24 March 2016 at 7:26 PM, Ondra Machacek <omachace at redhat.com> wrote:
> >>>>>>>>>>   >
> >>>>>>>>>>   > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
> >>>>>>>>>>   > > Hi!
> >>>>>>>>>>   > >
> >>>>>>>>>>   > >
> >>>>>>>>>>   > > Starting new thread instead of jacking someone else's.
> >>>>>>>>>>   > >
> >>>>>>>>>>   > >
> >>>>>>>>>>   > > Managed to migrate from old 'engine-manage-domains' auth to
> >>>>>>>>>> aaa-ldap using:
> >>>>>>>>>>   > >
> >>>>>>>>>>   > > # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
> >>>>>>>>>>   > >
> >>>>>>>>>>   > >
> >>>>>>>>>>   > > All OK, no errors, but cannot log in:
> >>>>>>>>>>   > >
> >>>>>>>>>>   > > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:
> >>>>>>>>>>   >
> >>>>>>>>>>   > If you want to log in with a user with a different UPN suffix, then
> >>>>>>>>>>   > just append that suffix
> >>>>>>>>>>   >
> >>>>>>>>>>   > $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user at foo.bar
> >>>>>>>>>>
> >>>>>>>>>> OK, some progress, that works!
> >>>>>>>>>>
> >>>>>>>>>>   >
> >>>>>>>>>>   > If you have more suffixes and want to have some as default you
> >>>>>>>>>>   > can use the following approach:
> >>>>>>>>>>   >
> >>>>>>>>>>   > 1) install ovirt-engine-extension-aaa-misc
> >>>>>>>>>>   >
> >>>>>>>>>>   > 2) create new mapping extension like this:
> >>>>>>>>>>   > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
> >>>>>>>>>>   >
> >>>>>>>>>>   > ovirt.engine.extension.name = mapping-suffix
> >>>>>>>>>>   > ovirt.engine.extension.bindings.method = jbossmodule
> >>>>>>>>>>   > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> >>>>>>>>>>   > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> >>>>>>>>>>   > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
> >>>>>>>>>>   > config.mapUser.type = regex
> >>>>>>>>>>   > config.mapUser.pattern = ^(?<user>[^@]*)$
> >>>>>>>>>>
> >>>>>>>>>> Is that supposed to really say '<user>' or should it be changed to a
> >>>>>>>>>> real user name? Either way, it doesn't work, I tried it all.
> >>>>>>>>>
> >>>>>>>>> '?<user>' is just a named group in that regex so you can later use it in
> >>>>>>>>> the 'config.mapUser.replacement' option. It should take everything until
> >>>>>>>>> the first '@'.
> >>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>   > config.mapUser.replacement = ${user}@foo.bar
> >>>>>>>>>>   > config.mapUser.mustMatch = false
> >>>>>>>>>>   >
> >>>>>>>>>>   > 3) select a mapping plugin in authn configuration:
> >>>>>>>>>>   >
> >>>>>>>>>>   > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
> >>>>>>>>>>   >
> >>>>>>>>>>   > With the above configuration in use, your user 'user' will be mapped to
> >>>>>>>>>>   > user 'user at foo.bar' and users 'user at anotherdomain.foo.bar' will remain
> >>>>>>>>>>   > 'user at anotherdomain.foo.bar'.
> >>>>>>>>>>
> >>>>>>>>>> This however does not, it doesn't replace the suffix as it's supposed
> >>>>>>>>>> to. I tried with many different types of the 'mapUser.pattern' but it
> >>>>>>>>>> simply won't change it, even if I type in '= ^user at baz.foo.bar$', the
> >>>>>>>>>> error is the same:(
> >>>>>>>>>
> >>>>>>>>> Hmm, hard to say what's wrong, try to run:
> >>>>>>>>> $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user
> >>>>>>>>>
> >>>>>>>>> and search for a mapping part in log.
> >>>>>>>>
> >>>>>>>> Wow what a mouthful:) Can you make anything out of it?
> >>>>>>>>
> >>>>>>>> https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
> >>>>>>>>
> >>>>>>>> /K
> >>>>>>>
> >>>>>>> Just noticed after logging in to webadmin as "user at foo.bar" (which
> >>>>>>> worked btw, so good there) that the "User Name" in the Users main tab looks
> >>>>>>> really odd:
> >>>>>>> user at foo.bar@baz.foo.bar-new-authz
> >>>>>>
> >>>>>> Sorry, you are right, it doesn't work. I've sent you an incorrect
> >>>>>> configuration, the correct one is:
> >>>>>>
> >>>>>> /etc/ovirt-engine/extensions.d/mapping-suffix.properties
> >>>>>>
> >>>>>> ...
> >>>>>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
> >>>>>> config.mapUser.regex.replacement = ${user}@foo.bar
> >>>>>> config.mapUser.regex.mustMatch = false
> >>>>>> ...
> >>>>>>
> >>>>>> Notice there was missing 'regex', after 'mapUser'.
> >>>>>>
> >>>>>>>
> >>>>>>> /K
> >>>>>>>
> >>>>>>>>
> >>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> /K
> >>>>>>>>>>
> >>>>>>>>>>   >
> >>>>>>>>>>   > >
> >>>>>>>>>>   > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
> >>>>>>>>>>   > >
> >>>>>>>>>>   > >
> >>>>>>>>>>   > > but:
> >>>>>>>>>>   > >
> >>>>>>>>>>   > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user at baz.foo.bar'
> >>>>>>>>>>   > > SEVERE  Cannot resolve principal 'user at baz.foo.bar'
> >>>>>>>>>>   > >
> >>>>>>>>>>   > >
> >>>>>>>>>>   > > So it fails.
> >>>>>>>>>>   > >
> >>>>>>>>>>   > >
> >>>>>>>>>>   > > # ldapsearch -x -H ldap://baz.foo.bar -D user at foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
> >>>>>>>>>>   > >
> >>>>>>>>>>   > > userPrincipalName: user at foo.bar
> >>>>>>>>>>   > >
> >>>>>>>>>>   > >
> >>>>>>>>>>   > > How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when
> >>>>>>>>>>   > > userPrincipalName ends only on '@foo.bar'?
> >>>>>>>>>>   > >
> >>>>>>>>>>   > > /K
> >>>>>>>>>>   > >
> >>>>>>>>>>   > >
> >>>>>>>>>>   > >
> >>>>>>>>>>   > >
> >>>>>>>>>>   > > _______________________________________________
> >>>>>>>>>>   > > Users mailing list
> >>>>>>>>>>   > > Users at ovirt.org
> >>>>>>>>>>   > > http://lists.ovirt.org/mailman/listinfo/users
> >>>>>>>>>>   > >
> >>>>>>>>>>
> >>>>>>>
> >>>>
> >>>
> >
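The suffix mapping discussed in this thread, worked through as an added example that is not part of the original posts or of oVirt's own code: it reads the two mapping-suffix.properties variants quoted above (a constructed copy), translates the Java named-group regex into Python's syntax, and shows why the first configuration (keys without '.regex.') mapped nothing while the corrected one turns 'user' into 'user@foo.bar' and leaves 'user@anotherdomain.foo.bar' alone. How mustMatch=true behaves is an assumption of this example, not something the thread states.

```python
import re

# Constructed config modelled on the thread's corrected mapping-suffix.properties.
GOOD_PROPERTIES = """\
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
"""

# The first config from the thread, with '.regex.' missing from the key names.
BROKEN_PROPERTIES = """\
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false
"""

def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#' comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def java_to_python_regex(pattern, replacement):
    """Rewrite Java named-group syntax ((?<n>..., ${n}) into the re module's form."""
    pattern = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)
    replacement = re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)
    return pattern, replacement

def map_user(props, user_name):
    """Rewrite a login name as the thread describes: a match is rewritten, a non-match
    passes through (mustMatch=false). None for mustMatch=true is this example's assumption."""
    if props.get("config.mapUser.type") != "regex":
        return user_name
    pattern = props.get("config.mapUser.regex.pattern")
    replacement = props.get("config.mapUser.regex.replacement")
    if pattern is None or replacement is None:
        return user_name  # keys without '.regex.' are never read, so nothing is mapped
    py_pattern, py_replacement = java_to_python_regex(pattern, replacement)
    mapped, count = re.subn(py_pattern, py_replacement, user_name)
    if count == 0 and props.get("config.mapUser.regex.mustMatch") == "true":
        return None
    return mapped
```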