----- Original Message -----
> From: "Daniel Helgenberger" <daniel.helgenber...@m-box.de>
> To: "Alon Bar-Lev" <alo...@redhat.com>
> Cc: Users@ovirt.org
> Sent: Friday, September 11, 2015 5:33:21 PM
> Subject: Re: [ovirt-users] Extension aaa: No search for principal
> 
> sorry, forgot one:
> 
> On 11.09.2015 12:48, Alon Bar-Lev wrote:
> > Hi!
> >
> > Thank you for the information, for some reason the administrator user
> > cannot be resolved to userPrincipalName during login, is it specific for
> > Administrator or any user?
> This is the default domain administrator account which exists in any
> forest. But just in case I created a new domain user just for the
> purpose; same outcome.

I am unsure what actually happens...
Something in global catalog is out of sync.
Usually you do not add the domain administrator to an external application... there 
is no need to expose it.
By default Administrator does not have "login from network" and "user principal 
suffix".

Also, in my environment I do not get a result for administrator, but I do get one 
for a regular user that has a UPN suffix in the user record; you can see these fields 
in the user and domain manager.

So please use regular unprivileged users which belong to "Domain Users" from 
now on.

To test if a user has userPrincipalName, use the following command (assuming we 
search for u...@int.corp.de):

$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no \
    -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ \
    -x -D 'b...@int.corp.de' -w PASSWORD -b '' \
    '(userPrincipalName=u...@int.corp.de)' cn userPrincipalName

This should find the user (return one result); if not, please check the user in 
Users and Domains manager for the domain suffix, maybe it is empty.

To find a user without userPrincipalName, such as Administrator, use the following 
command:

$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no \
    -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ \
    -x -D 'b...@int.corp.de' -w PASSWORD -b '' \
    '(sAMAccountName=user)' cn userPrincipalName

For example, the above will work for Administrator, but for Kerberos to work 
properly the user principal name must be defined, so these users will not work.

You can dump the entire GC and send me a user record if there is no result, so I can 
determine what is different from expectations:

$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no \
    -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ \
    -x -D 'b...@int.corp.de' -w PASSWORD -b '' > /tmp/dump.out

Regards,
Alon
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
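The third command in the reply above dumps the whole global catalog to a file. The script below is an added example (not part of the thread and not oVirt code) that reads such an ldapsearch dump offline, reproduces the two lookups from the reply (by userPrincipalName and by sAMAccountName) over it, and lists every user object that has no userPrincipalName at all, i.e. the accounts the reply says will fail Kerberos/UPN-based login. The LDIF sample embedded in it is constructed: the DNs, names and values are invented, and the trailer and folded lines are there only to show that the parser copes with what ldapsearch really prints (folded continuation lines when -o ldif-wrap=no is omitted, base64 "::" values for non-ASCII attributes, comments and the search/result trailer). Note also that the commands in the reply use simple bind (-x) over plain ldap://, so the bind password crosses the network in clear; outside a lab prefer -ZZ (StartTLS) or ldaps:// on the GC SSL port 3269, and -W (prompt) instead of -w PASSWORD, which lands the password in shell history and the process list.

```python
"""Scan an ldapsearch LDIF dump of the global catalog for user records that
lack userPrincipalName, and reproduce the two lookups from the thread offline.
Added example, not code from the oVirt project or from the thread; the dump
below is constructed and does not come from any real forest."""
import base64

# Constructed sample in the shape `ldapsearch -x -b '' ... > /tmp/dump.out`
# produces (DNs, names and values are invented for illustration).
SAMPLE_DUMP = """\
# extended LDIF
dn: CN=Administrator,CN=Users,DC=int,DC=corp,DC=de
objectClass: top
objectClass: user
cn: Administrator
sAMAccountName: Administrator

dn: CN=Jane Doe,CN=Users,DC=int,DC=corp,DC=de
objectClass: top
objectClass: user
cn: Jane Doe
sAMAccountName: jdoe
userPrincipalName: jdoe@int.corp.de

# folded and base64 values, as printed without -o ldif-wrap=no
dn: CN=Müller,CN=Users,DC=int,DC=corp,DC=de
objectClass: top
objectClass: user
cn:: TcO8bGxlcg==
sAMAccountName: mueller
userPrincipalName: mueller@int.corp.d
 e

dn: CN=Domain Users,CN=Users,DC=int,DC=corp,DC=de
objectClass: top
objectClass: group
cn: Domain Users
sAMAccountName: Domain Users

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return a list of entries (dict: attribute -> list of values) from
    ldapsearch output.  Handles folded continuation lines (leading space),
    base64 values ('attr:: ...'), comment lines and the search/result
    trailer; only records that carry a dn are kept."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # LDIF folding: continuation line
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded + [""]:         # trailing "" flushes the last entry
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):        # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def is_user(entry):
    return "user" in entry.get("objectClass", [])


def find_by_upn(entries, upn):
    """Offline equivalent of '(userPrincipalName=...)'; AD compares the
    value case-insensitively, so do the same here."""
    return [e for e in entries if is_user(e) and
            any(v.lower() == upn.lower() for v in e.get("userPrincipalName", []))]


def find_by_sam(entries, sam):
    """Offline equivalent of '(sAMAccountName=...)', also case-insensitive."""
    return [e for e in entries if is_user(e) and
            any(v.lower() == sam.lower() for v in e.get("sAMAccountName", []))]


def users_missing_upn(entries):
    """(sAMAccountName, dn) of every user object without a userPrincipalName:
    a sAMAccountName search finds them, but a UPN-based (Kerberos) login cannot."""
    return [(e["sAMAccountName"][0], e["dn"][0])
            for e in entries if is_user(e) and not e.get("userPrincipalName")]


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_DUMP)
    for sam, dn in users_missing_upn(recs):
        print("no userPrincipalName: %s (%s)" % (sam, dn))
```

Run it against a real /tmp/dump.out by replacing SAMPLE_DUMP with the file contents; on the constructed sample it reports only Administrator, which is exactly the case the reply describes: findable by sAMAccountName, absent from a userPrincipalName search.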