<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p dir="ltr"><br>
On 24 March 2016 at 7:26 PM, Ondra Machacek &lt;omachace@redhat.com&gt; wrote:<br>
><br>
> On 03/24/2016 06:16 PM, Karli Sjöberg wrote:<br>
> > Hi!<br>
> ><br>
> ><br>
> > Starting new thread instead of jacking someone else's.<br>
> ><br>
> ><br>
> > Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:<br>
> ><br>
> > # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert<br>
> > /tmp/ca.crt --apply<br>
> ><br>
> ><br>
> > All OK, no errors, but cannot log in:<br>
> ><br>
> > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new<br>
> > --user-name=user:<br>
><br>
> If you want to login with user with different upn suffix, then just <br>
> append that suffix<br>
><br>
> $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new <br>
> --user-name=user@foo.bar</p>
<p dir="ltr">OK, some progress, that works!</p>
<p dir="ltr">><br>
> If you have more suffixes and want to have some as default you can use <br>
> following approach:<br>
><br>
> 1) install ovirt-engine-extension-aaa-misc<br>
><br>
> 2) create new mapping extension like this:<br>
> /etc/ovirt-engine/extensions.d/mapping-suffix.properties<br>
><br>
> ovirt.engine.extension.name = mapping-suffix<br>
> ovirt.engine.extension.bindings.method = jbossmodule<br>
> ovirt.engine.extension.binding.jbossmodule.module = <br>
> org.ovirt.engine-extensions.aaa.misc<br>
> ovirt.engine.extension.binding.jbossmodule.class = <br>
> org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension<br>
> ovirt.engine.extension.provides = <br>
> org.ovirt.engine.api.extensions.aaa.Mapping<br>
> config.mapUser.type = regex<br>
> config.mapUser.pattern = ^(?&lt;user&gt;[^@]*)$</p>
<p dir="ltr">Is that really supposed to say '&lt;user&gt;', or should it be changed to a real user name? Either way, it doesn't work; I tried it all.</p>
<p dir="ltr">> config.mapUser.replacement = ${user}@foo.bar<br>
> config.mapUser.mustMatch = false<br>
><br>
> 3) select a mapping plugin in authn configuration:<br>
><br>
> ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix<br>
><br>
> With above configuration in use, your user 'user' will be mapped to <br>
> user 'user@foo.bar'<br>
> and users 'user@anotherdomain.foo.bar' will remain <br>
> 'user@anotherdomain.foo.bar'.</p>
<p dir="ltr">This, however, does not; it doesn't replace the suffix as it's supposed to. I tried with many different 'mapUser.pattern' values, but it simply won't change it; even if I type in '= ^user@baz.foo.bar$', the error is the same :(</p>
<p dir="ltr">/K</p>
<p dir="ltr">><br>
> ><br>
> > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS<br>
> ><br>
> ><br>
> > but:<br>
> ><br>
> > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD<br>
> > principal='user@baz.foo.bar'<br>
> > SEVERE Cannot resolve principal 'user@baz.foo.bar'<br>
> ><br>
> ><br>
> > So it fails.<br>
> ><br>
> ><br>
> > # ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b<br>
> > DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName |<br>
> > grep 'userPrincipalName:'<br>
> ><br>
> > userPrincipalName: user@foo.bar<br>
> ><br>
> ><br>
> > How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when<br>
> > userPrincipalName ends only on '@foo.bar'?<br>
> ><br>
> > /K<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > Users mailing list<br>
> > Users@ovirt.org<br>
> > http://lists.ovirt.org/mailman/listinfo/users<br>
> ><br>
</p>
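<p dir="ltr">The mapping behaviour Ondra describes (a regex mapUser that turns a bare login name into name@foo.bar, with mustMatch = false letting anything that does not match pass through unchanged) can be checked offline before touching the engine. The script below is an added example for this archive page; it is not the oVirt aaa-misc extension's own code and not part of the thread. It assumes the extension evaluates config.mapUser.pattern with Java regex semantics, so the Java named-group and ${name} replacement syntax from the thread are converted to Python's equivalents before use; the properties text is constructed from the thread's snippet, joined back onto single lines.</p>

```python
import re

# Added example, not the oVirt aaa-misc extension's own code: a stand-in for
# the regex mapUser behaviour described in the thread, so the effect of
# pattern / replacement / mustMatch can be tried offline.
# The properties text is constructed from the thread's snippet (joined onto
# single lines, since the mail client wrapped the values).
# Assumption: the extension uses Java regex semantics, so Java's (?<name>...)
# groups and ${name} references are rewritten to Python's (?P<name>...) and
# \g<name> before the pattern is applied.

MAPPING_SUFFIX_PROPERTIES = """
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false
"""


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def java_pattern_to_python(pattern):
    """Rewrite Java named groups (?<name>...) as Python (?P<name>...),
    leaving the lookbehind forms (?<= and (?<! untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def java_replacement_to_python(replacement):
    """Rewrite Java ${name} group references as Python \\g<name>."""
    return re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)


def map_user(login_name, props):
    """Return the name the mapping extension would hand on to authn."""
    if props.get("config.mapUser.type") != "regex":
        return login_name
    pattern = re.compile(java_pattern_to_python(props["config.mapUser.pattern"]))
    replacement = java_replacement_to_python(props.get("config.mapUser.replacement", ""))
    must_match = props.get("config.mapUser.mustMatch", "false").lower() == "true"
    match = pattern.match(login_name)
    if match is None:
        if must_match:
            raise ValueError(f"{login_name!r} does not match config.mapUser.pattern")
        # mustMatch = false: a name that does not match passes through unchanged,
        # which is why a pattern that never matches the typed name has no effect.
        return login_name
    return match.expand(replacement)


if __name__ == "__main__":
    props = parse_properties(MAPPING_SUFFIX_PROPERTIES)
    for name in ("user", "user@anotherdomain.foo.bar", "user@foo.bar"):
        print(f"{name!r:35} -> {map_user(name, props)!r}")
```

<p dir="ltr">Running it prints 'user' mapped to 'user@foo.bar' while both names that already carry a suffix come back unchanged. Swapping the pattern for a literal such as ^user@baz.foo.bar$ shows the other side of mustMatch = false: a typed login of 'user' does not match, so it is passed on exactly as entered and authn still sees the unsuffixed name.</p>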
</body>
</html>