<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p dir="ltr"><br>
On 28 March 2016 7:39 PM, Ondra Machacek <omachace@redhat.com> wrote:<br>
><br>
> On 03/27/2016 11:40 AM, Karli Sjöberg wrote:<br>
> ><br>
> >> On 26 Mar 2016, at 21:32, Ondra Machacek <omachace@redhat.com> wrote:<br>
> >><br>
> >> On 03/26/2016 02:09 PM, Karli Sjöberg wrote:<br>
> >>><br>
> >>>> On 26 Mar 2016, at 13:49, Karli Sjöberg <Karli.Sjoberg@slu.se> wrote:<br>
> >>>><br>
> >>>><br>
> >>>>> On 26 Mar 2016, at 11:35, Ondra Machacek <omachace@redhat.com> wrote:<br>
> >>>>><br>
> >>>>> For me it's working completely fine:<br>
> >>>>><br>
> >>>>> ...<br>
> >>>>> config.mapUser.type = regex<br>
> >>>>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$<br>
> >>>>> config.mapUser.regex.replacement = ${user}@DOMAINX.com<br>
> >>>>> config.mapUser.regex.mustMatch = false<br>
> >>>>> ...<br>
> >>>>><br>
> >>>>> $ ovirt-engine-extensions-tool aaa login-user<br>
> >>>>> --password=pass:password --user-name=user@DOMAINY --profile=ad<br>
> >>>>><br>
> >>>>> INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad'<br>
> >>>>> user='user@DOMAINY'<br>
> >>>>> INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad'<br>
> >>>>> user='user@DOMAINY'<br>
> >>>>><br>
> >>>>> $ ovirt-engine-extensions-tool aaa login-user<br>
> >>>>> --password=pass:password --user-name=user --profile=ad<br>
> >>>>><br>
> >>>>> INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'<br>
> >>>>> INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad'<br>
> >>>>> user='user@DOMAINX.com'<br>
> >>>>><br>
> >>>>> As you can see it's correctly mapped.<br>
> >>>>><br>
> >>>>> Please check once again the regex is correct, if it still won't work,<br>
> >>>>> please send log output again.<br>
> >>>><br>
> >>>> /etc/ovirt-engine/extensions.d/mapping-suffix.properties:<br>
> >>>> ovirt.engine.extension.name = mapping-suffix<br>
> >>>> ovirt.engine.extension.bindings.method = jbossmodule<br>
> >>>> ovirt.engine.extension.binding.jbossmodule.module =<br>
> >>>> org.ovirt.engine-extensions.aaa.misc<br>
> >>>> ovirt.engine.extension.binding.jbossmodule.class<br>
> >>>> = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension<br>
> >>>> ovirt.engine.extension.provides =<br>
> >>>> org.ovirt.engine.api.extensions.aaa.Mapping<br>
> >>>> config.mapUser.type = regex<br>
> >>>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$<br>
> >>>> config.mapUser.regex.replacement = ${user}@foo.bar<br>
> >>>> config.mapUser.regex.mustMatch = false<br>
> >>>><br>
> >>>> # ovirt-engine-extensions-tool --log-level=FINEST aaa login-user<br>
> >>>> --profile=baz.foo.bar-new --user-name=user@baz.foo.bar<br>
> >>>> # grep Mapping.InvokeCommands.MAP_USER login.log<br>
> >>>> 2016-03-26 13:27:40 INFO API: -->Mapping.InvokeCommands.MAP_USER<br>
> >>>> user='user@baz.foo.bar'<br>
> >>>> 2016-03-26 13:27:40 INFO API: <--Mapping.InvokeCommands.MAP_USER<br>
> >>>> user='user@baz.foo.bar'<br>
> >>>><br>
> >>>> And here is the log:<br>
> >>>> https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download<br>
> >>>><br>
> >>>> /K<br>
> >>><br>
> >>> Eureka! I changed ‘vars.user’ in ‘baz.foo.bar-new.properties’ from one<br>
> >>> with suffix ‘@baz.foo.bar’ to mine that has a ‘@foo.bar’ ending and now<br>
> >>> it works, for some reason. Very strange, but anyway... How do I go about<br>
> >>> changing from UPN to samAccountName, if I'd want that instead?<br>
> >><br>
> >> Well, we support only UPN, because sam supports only 15 characters in a username.<br>
> ><br>
> > OK, thank you. From here comes the really daunting part, which is to go through all the VMs, check their permissions, add the same user(s) from the new provider and delete the old. Probably going to start a new thread for doing that with Python, but I'll cross<br>
> > that bridge when I get to it; this was only a virtual test environment for going from 3.4 to 3.6.<br>
><br>
> Not sure I understand, why would you do that? This is what the migration<br>
> tool does for you as well,<br>
> so why do you need to do it again?</p>
<p dir="ltr">Ah, I must have misread the instructions. So if it turns out to be necessary, I know who to blame:P Thanks for pointing that out!</p>
<p dir="ltr">/K</p>
<p dir="ltr">><br>
> ><br>
> > /K<br>
> ><br>
> >><br>
> >>><br>
> >>> /K<br>
> >>><br>
> >>>><br>
> >>>>><br>
> >>>>> On 03/26/2016 10:07 AM, Karli Sjöberg wrote:<br>
> >>>>>> What the heck, my message disappears! Trying again.<br>
> >>>>>><br>
> >>>>>> Ok, so it's mapping now but the only thing working is:<br>
> >>>>>> config.mapUser.regex.pattern = user@baz.foo.bar<br>
> >>>>>> config.mapUser.regex.replacement = user@foo.bar<br>
> >>>>>><br>
> >>>>>> And that isn't very useful. Please advise!<br>
> >>>>>><br>
> >>>>>> /K<br>
> >>>>>><br>
> >>>>>> On 03/25/2016 12:26 AM, Karli Sjöberg wrote:<br>
> >>>>>>><br>
> >>>>>>> On 25 March 2016 12:10 AM, Karli Sjöberg <karli.sjoberg@slu.se> wrote:<br>
> >>>>>>>><br>
> >>>>>>>><br>
> >>>>>>>> On 24 March 2016 11:26 PM, Ondra Machacek <omachace@redhat.com> wrote:<br>
> >>>>>>>>><br>
> >>>>>>>>> On 03/24/2016 11:14 PM, Karli Sjöberg wrote:<br>
> >>>>>>>>>><br>
> >>>>>>>>>> On 24 March 2016 7:26 PM, Ondra Machacek <omachace@redhat.com> wrote:<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:<br>
> >>>>>>>>>> > > Hi!<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > > Starting new thread instead of jacking someone else's.<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > > Managed to migrate from old 'engine-manage-domains' auth to<br>
> >>>>>>>>>> > > aaa-ldap using:<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > > # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > > All OK, no errors, but cannot log in:<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > If you want to log in with a user with a different UPN suffix, then<br>
> >>>>>>>>>> > just append that suffix<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user@foo.bar<br>
> >>>>>>>>>><br>
> >>>>>>>>>> OK, some progress, that works!<br>
> >>>>>>>>>><br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > If you have more suffixes and want to have some as default you can use<br>
> >>>>>>>>>> > the following approach:<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > 1) install ovirt-engine-extension-aaa-misc<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > 2) create new mapping extension like this:<br>
> >>>>>>>>>> > /etc/ovirt-engine/extensions.d/mapping-suffix.properties<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > ovirt.engine.extension.name = mapping-suffix<br>
> >>>>>>>>>> > ovirt.engine.extension.bindings.method = jbossmodule<br>
> >>>>>>>>>> > ovirt.engine.extension.binding.jbossmodule.module =<br>
> >>>>>>>>>> > org.ovirt.engine-extensions.aaa.misc<br>
> >>>>>>>>>> > ovirt.engine.extension.binding.jbossmodule.class =<br>
> >>>>>>>>>> > org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension<br>
> >>>>>>>>>> > ovirt.engine.extension.provides =<br>
> >>>>>>>>>> > org.ovirt.engine.api.extensions.aaa.Mapping<br>
> >>>>>>>>>> > config.mapUser.type = regex<br>
> >>>>>>>>>> > config.mapUser.pattern = ^(?<user>[^@]*)$<br>
> >>>>>>>>>><br>
> >>>>>>>>>> Is that supposed to really say '<user>' or should it be changed to a<br>
> >>>>>>>>>> real user name? Either way, it doesn't work, I tried it all.<br>
> >>>>>>>>><br>
> >>>>>>>>> '?<user>' is just a named group in that regex so you can later use it in<br>
> >>>>>>>>> the 'config.mapUser.replacement' option. It should take everything until the<br>
> >>>>>>>>> first '@'.<br>
> >>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>> > config.mapUser.replacement = ${user}@foo.bar<br>
> >>>>>>>>>> > config.mapUser.mustMatch = false<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > 3) select a mapping plugin in authn configuration:<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix<br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > With the above configuration in use, your user 'user' will be mapped to<br>
> >>>>>>>>>> > user 'user@foo.bar'<br>
> >>>>>>>>>> > and users 'user@anotherdomain.foo.bar' will remain<br>
> >>>>>>>>>> > 'user@anotherdomain.foo.bar'.<br>
> >>>>>>>>>><br>
> >>>>>>>>>> This however does not, it doesn't replace the suffix as it's supposed<br>
> >>>>>>>>>> to. I tried with many different types of the 'mapUser.pattern' but it<br>
> >>>>>>>>>> simply won't change it, even if I type in '= ^user@baz.foo.bar$', the<br>
> >>>>>>>>>> error is the same:(<br>
> >>>>>>>>><br>
> >>>>>>>>> Hmm, hard to say what's wrong, try to run:<br>
> >>>>>>>>> $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user<br>
> >>>>>>>>> --profile=baz.foo.bar-new --user-name=user<br>
> >>>>>>>>><br>
> >>>>>>>>> and search for a mapping part in log.<br>
> >>>>>>>><br>
> >>>>>>>> Wow, what a mouthful:) Can you make anything out of it?<br>
> >>>>>>>><br>
> >>>>>>>> https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download<br>
> >>>>>>>><br>
> >>>>>>>> /K<br>
> >>>>>>><br>
> >>>>>>> Just noticed after logging in to webadmin as "user@foo.bar" (which<br>
> >>>>>>> worked btw, so good there) that the "User Name" in the Users main tab looks<br>
> >>>>>>> really odd:<br>
> >>>>>>> user@foo.bar@baz.foo.bar-new-authz<br>
> >>>>>><br>
> >>>>>> Sorry, you are right, it doesn't work. I've sent you an incorrect<br>
> >>>>>> configuration, the correct one is:<br>
> >>>>>><br>
> >>>>>> /etc/ovirt-engine/extensions.d/mapping-suffix.properties<br>
> >>>>>><br>
> >>>>>> ...<br>
> >>>>>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$<br>
> >>>>>> config.mapUser.regex.replacement = ${user}@foo.bar<br>
> >>>>>> config.mapUser.regex.mustMatch = false<br>
> >>>>>> ...<br>
> >>>>>><br>
> >>>>>> Notice there was missing 'regex', after 'mapUser'.<br>
> >>>>>><br>
> >>>>>>><br>
> >>>>>>> /K<br>
> >>>>>>><br>
> >>>>>>>><br>
> >>>>>>>>><br>
> >>>>>>>>>><br>
> >>>>>>>>>> /K<br>
> >>>>>>>>>><br>
> >>>>>>>>>> ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > > but:<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD<br>
> >>>>>>>>>> > > principal='user@baz.foo.bar'<br>
> >>>>>>>>>> > > SEVERE Cannot resolve principal 'user@baz.foo.bar'<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > > So it fails.<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > > # ldapsearch -x -H ldap://baz.foo.bar -D user@foo.bar -W -b<br>
> >>>>>>>>>> > > DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName |<br>
> >>>>>>>>>> > > grep 'userPrincipalName:'<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > > userPrincipalName: user@foo.bar<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > > How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when<br>
> >>>>>>>>>> > > userPrincipalName ends only in '@foo.bar'?<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > > /K<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>> > > _______________________________________________<br>
> >>>>>>>>>> > > Users mailing list<br>
> >>>>>>>>>> > > Users@ovirt.org<br>
> >>>>>>>>>> > > http://lists.ovirt.org/mailman/listinfo/users<br>
> >>>>>>>>>> > ><br>
> >>>>>>>>>><br>
> >>>>>>><br>
> >>>><br>
> >>><br>
> ><br>
</p>
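<p dir="ltr">The mapping discussed in the thread is easy to get wrong in two independent ways: the property keys must carry the <code>regex.</code> segment (the first configuration posted used <code>config.mapUser.pattern</code> and was silently ignored), and the pattern <code>^(?&lt;user&gt;[^@]*)$</code> must be anchored so that a name that already carries a UPN suffix passes through untouched. The script below is an added example, not code from the thread or from ovirt-engine-extension-aaa-misc: it reads a constructed copy of both property files, flags unknown <code>config.mapUser.*</code> keys, and reproduces the MAP_USER results shown in the log lines (<code>user</code> becomes <code>user@foo.bar</code>, <code>user@anotherdomain.foo.bar</code> is left alone). Assumptions: the extension's regex dialect is java.util.regex, so Java named groups and <code>${name}</code> references are translated to Python's <code>re</code> syntax, and the mapping is modelled as "search for the pattern, then substitute, pass through on no match unless mustMatch is true"; the exact order of operations inside the real extension is not shown on this page.</p>

```python
import re

# Constructed sample of the corrected mapping-suffix.properties from the thread
# (only the config.mapUser.* keys matter for the mapping itself).
GOOD_PROPERTIES = """
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
"""

# Constructed copy of the first, non-working configuration: 'regex.' is missing
# from the key names, so the extension never sees a pattern and maps nothing.
BROKEN_PROPERTIES = """
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false
"""

# The config.mapUser.* keys the thread shows to be the working ones.
KNOWN_MAPUSER_KEYS = {
    "config.mapUser.type",
    "config.mapUser.regex.pattern",
    "config.mapUser.regex.replacement",
    "config.mapUser.regex.mustMatch",
}


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments.
    Splits on the first '=' only, so a pattern containing '=' survives intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def lint_mapuser_keys(props):
    """Return config.mapUser.* keys that are not among the known ones, sorted.
    This catches the 'config.mapUser.pattern' style typo from the thread."""
    return sorted(k for k in props
                  if k.startswith("config.mapUser.") and k not in KNOWN_MAPUSER_KEYS)


def java_regex_to_python(pattern, replacement):
    """The extension is Java, so the pattern is in java.util.regex syntax
    (assumption). Python's re spells named groups (?P<name>...) and back-references
    \\g<name>; '(?<' followed by '=' or '!' is a lookbehind in both and is left alone."""
    py_pattern = re.sub(r"\(\?<(?![=!])(\w+)>", r"(?P<\1>", pattern)
    py_replacement = re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)
    return py_pattern, py_replacement


def map_user(props, user_name):
    """Model of the regex mapUser step (assumption: search for the pattern, then
    substitute; a non-matching name passes through unless mustMatch is true)."""
    if props.get("config.mapUser.type") != "regex":
        return user_name
    pattern = props.get("config.mapUser.regex.pattern")
    replacement = props.get("config.mapUser.regex.replacement", "")
    if pattern is None:
        # Exactly the symptom in the thread: keys misspelt, so nothing is mapped.
        return user_name
    py_pattern, py_replacement = java_regex_to_python(pattern, replacement)
    regex = re.compile(py_pattern)
    must_match = props.get("config.mapUser.regex.mustMatch", "false").lower() == "true"
    if regex.search(user_name) is None:
        if must_match:
            raise ValueError(f"{user_name!r} does not match mapping pattern {pattern!r}")
        return user_name
    return regex.sub(py_replacement, user_name)


def demo():
    """Run both configurations against the names used in the thread."""
    good = parse_properties(GOOD_PROPERTIES)
    broken = parse_properties(BROKEN_PROPERTIES)
    return {
        "bare": map_user(good, "user"),
        "with_suffix": map_user(good, "user@anotherdomain.foo.bar"),
        "broken_bare": map_user(broken, "user"),
        "broken_keys": lint_mapuser_keys(broken),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

<p dir="ltr">Running the lint over a properties file before restarting the engine is the cheap check: an empty list means every <code>config.mapUser.*</code> key is one the extension reads, while a non-empty list points at the typo that makes the mapping a no-op. Leaving <code>mustMatch</code> at <code>false</code> is what lets users from other UPN suffixes keep logging in unchanged; setting it to <code>true</code> turns a non-matching name into a hard failure, which is the safer choice only when every legitimate login is expected to be a bare account name.</p>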
</body>
</html>