On 24 March 2016 at 7:26 PM, Ondra Machacek <omach...@redhat.com> wrote:
>
> On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
> > Hi!
> >
> > Starting new thread instead of jacking someone else's.
> >
> > Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:
> >
> > # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
> >
> > All OK, no errors, but cannot log in:
> >
> > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user
>
> If you want to log in with a user with a different UPN suffix, then just append that suffix:
>
> $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=u...@foo.bar
OK, some progress, that works!

> If you have more suffixes and want to have some as default you can use the following approach:
>
> 1) install ovirt-engine-extension-aaa-misc
>
> 2) create a new mapping extension like this:
> /etc/ovirt-engine/extensions.d/mapping-suffix.properties
>
> ovirt.engine.extension.name = mapping-suffix
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
> config.mapUser.type = regex
> config.mapUser.pattern = ^(?<user>[^@]*)$

Is that supposed to really say '<user>' or should it be changed to a real user name? Either way, it doesn't work, I tried it all.

> config.mapUser.replacement = ${user}@foo.bar
> config.mapUser.mustMatch = false
>
> 3) select a mapping plugin in authn configuration:
>
> ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
>
> With the above configuration in use, your user 'user' will be mapped to user 'u...@foo.bar' and users 'u...@anotherdomain.foo.bar' will remain 'u...@anotherdomain.foo.bar'.

This, however, does not; it doesn't replace the suffix as it's supposed to. I tried with many different types of the 'mapUser.pattern' but it simply won't change it, even if I type in '= ^u...@baz.foo.bar$', the error is the same :(

/K

> > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
> >
> > but:
> >
> > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='u...@baz.foo.bar'
> > SEVERE Cannot resolve principal 'u...@baz.foo.bar'
> >
> > So it fails.
> > # ldapsearch -x -H ldap://baz.foo.bar -D u...@foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
> >
> > userPrincipalName: u...@foo.bar
> >
> > How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when userPrincipalName ends only in '@foo.bar'?
> >
> > /K
> >
> > _______________________________________________
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
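The mapUser rules quoted in the thread, modelled in Java as an added example (this is not oVirt's own MappingExtension code; that unmatched names pass through unchanged when mustMatch is false, and that a full match is required, are assumptions). In Java regex syntax `(?<user>...)` declares a named capture group and `${user}` in the replacement refers back to it, so `<user>` is literal regex syntax rather than a slot for a real user name.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Model of the mapping-suffix.properties rules from the thread (assumed semantics,
// not oVirt's MappingExtension). "(?<user>...)" is a Java named capture group and
// "${user}" in the replacement string refers back to that group.
public class MapUserDemo {
    static final Pattern PATTERN = Pattern.compile("^(?<user>[^@]*)$");   // config.mapUser.pattern
    static final String REPLACEMENT = "${user}@foo.bar";                  // config.mapUser.replacement
    static final boolean MUST_MATCH = false;                              // config.mapUser.mustMatch

    /** Returns the mapped login name; null means "reject" when mustMatch is true and nothing matched. */
    static String mapUser(String login) {
        Matcher m = PATTERN.matcher(login);
        if (!m.matches()) {
            // Assumed: a name that already carries an "@suffix" is left as typed.
            return MUST_MATCH ? null : login;
        }
        return m.replaceAll(REPLACEMENT);   // expands ${user} to the captured prefix
    }

    public static void main(String[] args) {
        // Constructed sample logins and the results the thread describes.
        Map<String, String> expected = new LinkedHashMap<>();
        expected.put("user", "user@foo.bar");                                   // suffix appended
        expected.put("user@anotherdomain.foo.bar", "user@anotherdomain.foo.bar"); // unchanged
        expected.put("user@foo.bar", "user@foo.bar");                           // already suffixed
        for (Map.Entry<String, String> e : expected.entrySet()) {
            String got = mapUser(e.getKey());
            System.out.printf("%-28s -> %s%n", e.getKey(), got);
            if (!e.getValue().equals(got)) {
                throw new AssertionError("unexpected mapping for " + e.getKey());
            }
        }
    }
}
```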