Re: [ovirt-users] Samba 4 Active Directory & ovirt 4

2016-09-21 Thread Maxence Sartiaux
Thank you for the response; with the log level I saw my error.

I had an authorization problem. I configured the "Search user" and it
worked.

Sorry for the inconvenience.

On Wed, 2016-09-21 at 12:16 +0200, Ondra Machacek wrote:
> On 09/21/2016 12:03 PM, Maxence Sartiaux wrote:
> > 
> > Hello,
> > 
> > I am trying to connect oVirt 4.0.3 to my Samba 4.5 Active Directory to
> > permit AD users to log in to oVirt.
> > 
> > For now I installed ovirt-engine-extension-aaa-ldap-setup.noarch
> > and ovirt-engine-extension-aaa-misc.noarch
> > 
> > # ovirt-engine-extension-aaa-ldap-setup
> > - selected "Active Directory"
> > - Anonymous search user
> > 
> > I can run a search, but when I try to log in with the username alone
> > ("testuser") I get the error "CREDENTIALS_INCORRECT"; if I log in with
> > user+domain ("testu...@abc.lan") my auth succeeds
> > but then -> "Cannot resolve principal 'testu...@abc.lan'"
> > 
> > 
> > # ovirt-engine-extensions-tool aaa login-user --profile=abc.lan --user-name=testuser
> > 
> > ...
> > 2016-09-21 09:53:29 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='abc.lan' result=CREDENTIALS_INCORRECT
> > 2016-09-21 09:53:29 SEVERE  Authn.Result code is: CREDENTIALS_INCORRECT
> > 
> > # ovirt-engine-extensions-tool aaa login-user --profile=abc.lan --user-name=testu...@abc.lan
> > 
> > ...
> > 2016-09-21 09:52:02 INFO    API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='testu...@abc.lan'
> > 2016-09-21 09:52:02 SEVERE  Cannot resolve principal 'testuser@abc.lan'
> > 
> > 
> > After some searching I configured the mapping plugin to automatically
> > add @abc.lan to the user, so that I don't need to add @abc.lan to
> > connect, but I still get the same error: cannot resolve principal ...
> > 
> > # cat /etc/ovirt-engine/extensions.d/mapping-suffix.properties
> > 
> > ovirt.engine.extension.name = mapping-suffix
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
> > config.mapUser.type = regex
> > config.mapUser.regex.pattern = ^(?<user>[^@]*)$
> > config.mapUser.regex.replacement = ${user}@abc.lan
> > config.mapUser.regex.mustMatch = false
> > 
> > # cat /etc/ovirt-engine/extensions.d/mapping-suffix.properties
> > 
> > ...
> > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
> > 
> > Any ideas ?
> 
> What's the user principal name of the user 'testuser'?
> You can check it out as follows:
> 
>   $ ldapsearch -x -b 'DC=abc,DC=lan' -H 'ldap://abc.lan' 'sAMAccountName=testuser' userPrincipalName
> 
> Is it indeed 'testu...@abc.lan' or different? If different then you need
> to use that UPN.
> 
> Anyway, a debug log of the test tool's login command would be helpful.
> 
>   $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --profile=abc.lan --user-name=testuser
> 
> > 
> > 
> > Thank you.
> > 
> > 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Samba 4 Active Directory & ovirt 4

2016-09-21 Thread Ondra Machacek

On 09/21/2016 12:03 PM, Maxence Sartiaux wrote:

> Hello,
> 
> I am trying to connect oVirt 4.0.3 to my Samba 4.5 Active Directory to
> permit AD users to log in to oVirt.
> 
> For now I installed ovirt-engine-extension-aaa-ldap-setup.noarch
> and ovirt-engine-extension-aaa-misc.noarch
> 
> # ovirt-engine-extension-aaa-ldap-setup
> - selected "Active Directory"
> - Anonymous search user
> 
> I can run a search, but when I try to log in with the username alone
> ("testuser") I get the error "CREDENTIALS_INCORRECT"; if I log in with
> user+domain ("testu...@abc.lan") my auth succeeds
> but then -> "Cannot resolve principal 'testu...@abc.lan'"
> 
> 
> # ovirt-engine-extensions-tool aaa login-user --profile=abc.lan --user-name=testuser
> 
> ...
> 2016-09-21 09:53:29 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='abc.lan' result=CREDENTIALS_INCORRECT
> 2016-09-21 09:53:29 SEVERE  Authn.Result code is: CREDENTIALS_INCORRECT
> 
> # ovirt-engine-extensions-tool aaa login-user --profile=abc.lan --user-name=testu...@abc.lan
> 
> ...
> 2016-09-21 09:52:02 INFO    API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='testu...@abc.lan'
> 2016-09-21 09:52:02 SEVERE  Cannot resolve principal 'testu...@abc.lan'
> 
> 
> After some searching I configured the mapping plugin to automatically add
> @abc.lan to the user, so that I don't need to add @abc.lan to
> connect, but I still get the same error: cannot resolve principal ...
> 
> # cat /etc/ovirt-engine/extensions.d/mapping-suffix.properties
> 
> ovirt.engine.extension.name = mapping-suffix
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
> config.mapUser.type = regex
> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
> config.mapUser.regex.replacement = ${user}@abc.lan
> config.mapUser.regex.mustMatch = false
> 
> # cat /etc/ovirt-engine/extensions.d/mapping-suffix.properties
> 
> ...
> ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
> 
> Any ideas ?


What's the user principal name of the user 'testuser'?
You can check it out as follows:

 $ ldapsearch -x -b 'DC=abc,DC=lan' -H 'ldap://abc.lan' 'sAMAccountName=testuser' userPrincipalName


Is it indeed 'testu...@abc.lan' or different? If different then you need
to use that UPN.


Anyway, a debug log of the test tool's login command would be helpful.

 $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --profile=abc.lan --user-name=testuser




> Thank you.


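Added worked example, not code from oVirt or from anyone in the thread: the Python below applies the aaa-misc regex mapping from mapping-suffix.properties the way the config describes it (translating Java's (?<name>...) group and ${name} replacement syntax to Python's re module), then checks the mapped principal against the userPrincipalName values in an ldapsearch LDIF dump, which is the check Ondra suggests. The mapping semantics (a login that does not match the pattern passes through unless mustMatch is true), the case-insensitive UPN comparison, the GREEDY/STRICT config variants and every directory entry in SAMPLE_LDIF are assumptions constructed for this example.

```python
"""Added example (not oVirt's code): apply the thread's aaa-misc regex mapping
to a login name, then resolve the result against a constructed LDIF dump."""
import base64
import re

# The mapping config from the thread, as read from the .properties file
# (Java regex syntax, Java ${name} replacement syntax).
MAPPING_PROPERTIES = """\
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@abc.lan
config.mapUser.regex.mustMatch = false
"""
# Constructed variants (not from the thread) for the two pitfalls shown below.
GREEDY_PROPERTIES = MAPPING_PROPERTIES.replace("[^@]*", ".*")
STRICT_PROPERTIES = MAPPING_PROPERTIES.replace("mustMatch = false", "mustMatch = true")

# Constructed ldapsearch output: a UPN differing only in case, a base64
# ('attr:: ') value, and a folded continuation line.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=testuser,CN=Users,DC=abc,DC=lan
sAMAccountName: testuser
userPrincipalName: testuser@ABC.LAN

dn: CN=otheruser,CN=Users,DC=abc,DC=lan
userPrincipalName:: b3RoZXJ1c2VyQGFiYy5sYW4=

dn: CN=Long Name,CN=Users,DC=abc,
 DC=lan
userPrincipalName: long.name@abc.lan
"""

def parse_properties(text):
    """Minimal Java .properties reader: 'key = value', '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def java_regex_to_python(pattern):
    """Java names groups (?<name>...); Python's re wants (?P<name>...).
    The lookahead leaves (?<= and (?<! lookbehinds untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", pattern)

def java_replacement_to_python(replacement):
    r"""Java's ${name} back-reference is \g<name> in Python's re.sub."""
    return re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)

def map_user(login, props):
    """Apply the mapping as the thread's config describes it. Assumption for
    this example: a login that does not match the pattern passes through
    unchanged unless mustMatch is true, in which case it is rejected."""
    pattern = re.compile(java_regex_to_python(props["config.mapUser.regex.pattern"]))
    replacement = java_replacement_to_python(props["config.mapUser.regex.replacement"])
    must_match = props.get("config.mapUser.regex.mustMatch", "false").lower() == "true"
    if pattern.search(login) is None:
        if must_match:
            raise ValueError(f"login {login!r} does not match the mapping pattern")
        return login
    return pattern.sub(replacement, login)

def parse_ldif_upns(ldif):
    """Return {dn: userPrincipalName} from ldapsearch LDIF output, handling
    folded continuation lines (leading space) and base64 values ('attr:: ')."""
    unfolded = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    def value(rest):
        if rest.startswith(":"):  # 'attr:: <base64>'
            return base64.b64decode(rest[1:].strip()).decode("utf-8")
        return rest.strip()
    upns, dn = {}, None
    for line in unfolded:
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if attr.lower() == "dn":
            dn = value(rest)
        elif attr.lower() == "userprincipalname" and dn is not None:
            upns[dn] = value(rest)
    return upns

def find_principal(principal, upns):
    """AD matches userPrincipalName case-insensitively (assumed here too);
    None is the 'Cannot resolve principal' case."""
    for dn, upn in upns.items():
        if upn.lower() == principal.lower():
            return dn
    return None

if __name__ == "__main__":
    props, upns = parse_properties(MAPPING_PROPERTIES), parse_ldif_upns(SAMPLE_LDIF)
    for login in ("testuser", "testuser@abc.lan", "nobody"):
        mapped = map_user(login, props)
        print(f"{login:18} -> {mapped:22} -> {find_principal(mapped, upns)}")
```

Two things the example makes visible. With the `[^@]*` pattern from the thread, a login already typed as a UPN passes through unchanged, whereas a greedy `^(?<user>.*)$` turns 'testuser@abc.lan' into 'testuser@abc.lan@abc.lan', which can never resolve. And because the comparison is case-insensitive (as AD's userPrincipalName matching is), a UPN that differs from the typed name only in case ('testuser@ABC.LAN' in the sample) still resolves, so a case difference in the ldapsearch output is not by itself the cause of a 'Cannot resolve principal' error; a different suffix, or a search user that cannot read the record at all, is.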