<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none"><!--P{margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Hi!</p>
<p><br style="">
</p>
<p>Starting new thread instead of jacking someone else´s.</p>
<p><br style="">
</p>
<p>Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:</p>
<p>#<code style=""><span style=""> ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply</span><br style="">
</code></p>
<p><br style="">
</p>
<p><span style="font-family: Calibri,Arial,Helvetica,sans-serif;">All OK, no errors, but cannot log in:<br style="">
</span></p>
<p># ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:</p>
<p>API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS</p>
<p><br style="">
</p>
<p>but:</p>
<p><span style="font-family: Calibri,Arial,Helvetica,sans-serif;">API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='user@baz.foo.bar'<br style="">
SEVERE Cannot resolve principal 'user@baz.foo.bar'</span></p>
<p><br style="">
</p>
<p>So it fails.</p>
<p><br style="">
</p>
<p># ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'</p>
<p>userPrincipalName: user@foo.bar</p>
<p><br style="">
</p>
<pre><code style="font-family: Calibri,Arial,Helvetica,sans-serif;">How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when userPrincipalName ends only on '@foo.bar'?<br style=""><br style="">/K<br style=""></code></pre>
<p><br style="">
</p>
</body>
</html>