<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p dir="ltr"><br>
Den 25 mars 2016 12:10 fm skrev Karli Sjöberg <karli.sjoberg@slu.se>:<br>
><br>
><br>
> Den 24 mars 2016 11:26 em skrev Ondra Machacek <omachace@redhat.com>:<br>
> ><br>
> > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:<br>
> > ><br>
> > > Den 24 mars 2016 7:26 em skrev Ondra Machacek <omachace@redhat.com>:<br>
> > > ><br>
> > > > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:<br>
> > > > > Hi!<br>
> > > > ><br>
> > > > ><br>
> > > > > Starting new thread instead of jacking someone else´s.<br>
> > > > ><br>
> > > > ><br>
> > > > > Managed to migrate from old 'engine-manage-domains' auth to<br>
> > > aaa-ldap using:<br>
> > > > ><br>
> > > > > #| ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert<br>
> > > > > /tmp/ca.crt --apply<br>
> > > > > |<br>
> > > > ><br>
> > > > ><br>
> > > > > All OK, no errors, but cannot log in:<br>
> > > > ><br>
> > > > > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new<br>
> > > > > --user-name=user:<br>
> > > ><br>
> > > > If you want to login with user with different upn suffix, then just<br>
> > > > append that suffix<br>
> > > ><br>
> > > > $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new<br>
> > > > --user-name=user@foo.bar<br>
> > ><br>
> > > OK, some progress, that works!<br>
> > ><br>
> > > ><br>
> > > > If you have more suffixes and want to have some as default you can use<br>
> > > > following approach:<br>
> > > ><br>
> > > > 1) install ovirt-engine-extension-aaa-misc<br>
> > > ><br>
> > > > 2) create new mapping extension like this:<br>
> > > > /etc/ovirt-engine/extensions.d/mapping-suffix.properties<br>
> > > ><br>
> > > > ovirt.engine.extension.name = mapping-suffix<br>
> > > > ovirt.engine.extension.bindings.method = jbossmodule<br>
> > > > ovirt.engine.extension.binding.jbossmodule.module =<br>
> > > > org.ovirt.engine-extensions.aaa.misc<br>
> > > > ovirt.engine.extension.binding.jbossmodule.class =<br>
> > > > org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension<br>
> > > > ovirt.engine.extension.provides =<br>
> > > > org.ovirt.engine.api.extensions.aaa.Mapping<br>
> > > > config.mapUser.type = regex<br>
> > > > config.mapUser.pattern = ^(?<user>[^@]*)$<br>
> > ><br>
> > > Is that supposed to really say '<user>' or should it be changed to a<br>
> > > real user name? Either way, it doesn't work, I tried it all.<br>
> ><br>
> > '?<user>' is just a named group in that regex so you can later use it in<br>
> > 'config.mapUser.replacement' option. It should take everything until <br>
> > first '@'.<br>
> ><br>
> > ><br>
> > > > config.mapUser.replacement = ${user}@foo.bar<br>
> > > > config.mapUser.mustMatch = false<br>
> > > ><br>
> > > > 3) select a mapping plugin in authn configuration:<br>
> > > ><br>
> > > > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix<br>
> > > ><br>
> > > > With above configuration in use, your user 'user' witll be mapped to<br>
> > > > user 'user@foo.bar'<br>
> > > > and users 'user@anotherdomain.foo.bar' will remain<br>
> > > > 'user@anotherdomain.foo.bar'.<br>
> > ><br>
> > > This however does not, it doesn't replace the suffix as it's supposed<br>
> > > to. I tried with many different types of the 'mapUser.pattern' but it<br>
> > > simply won't change it, even if I type in '= ^user@baz.foo.bar$', the<br>
> > > error is the same:(<br>
> ><br>
> > Hmm, hard to say what's wrong, try to run:<br>
> > $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user <br>
> > --profile=baz.foo.bar-new --user-name=user<br>
> ><br>
> > and search for a mapping part in log.<br>
><br>
> Wow what a mouthfull:) Can you make anything out of it?<br>
><br>
> https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download<br>
><br>
> /K</p>
<p dir="ltr">Just noticed after logging in to webadmin as "user@foo.bar" (which worked btw, so good there) that the "User Name" in Users main tab looks really odd:<br>
user@foo.bar@baz.foo.bar-new-authz</p>
<p dir="ltr">/K</p>
<p dir="ltr">><br>
> ><br>
> > ><br>
> > > /K<br>
> > ><br>
> > > ><br>
> > > > ><br>
> > > > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS<br>
> > > > ><br>
> > > > ><br>
> > > > > but:<br>
> > > > ><br>
> > > > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD<br>
> > > > > principal='user@baz.foo.bar'<br>
> > > > > SEVERE Cannot resolve principal 'user@baz.foo.bar'<br>
> > > > ><br>
> > > > ><br>
> > > > > So it fails.<br>
> > > > ><br>
> > > > ><br>
> > > > > # ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b<br>
> > > > > DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName |<br>
> > > > > grep 'userPrincipalName:'<br>
> > > > ><br>
> > > > > userPrincipalName: user@foo.bar<br>
> > > > ><br>
> > > > ><br>
> > > > > |How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when<br>
> > > > > userPrincipalName ends only on '@foo.bar'?<br>
> > > > ><br>
> > > > > /K<br>
> > > > > |<br>
> > > > ><br>
> > > > ><br>
> > > > ><br>
> > > > ><br>
> > > > > _______________________________________________<br>
> > > > > Users mailing list<br>
> > > > > Users@ovirt.org<br>
> > > > > http://lists.ovirt.org/mailman/listinfo/users<br>
> > > > ><br>
> > ><br>
</p>
</body>
</html>