On 26 Mar 2016, at 11:35, Ondra Machacek <omach...@redhat.com> wrote:

For me it's working completely fine:

...
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@DOMAINX.com
config.mapUser.regex.mustMatch = false
...

$ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user@DOMAINY --profile=ad
INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'

$ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user --profile=ad
INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='u...@domainx.com'

As you can see it's correctly mapped. Please check once again that the regex is correct; if it still won't work, please send log output again.

/etc/ovirt-engine/extensions.d/mapping-suffix.properties:

ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false

# ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=u...@baz.foo.bar
# grep Mapping.InvokeCommands.MAP_USER login.log
2016-03-26 13:27:40 INFO API: -->Mapping.InvokeCommands.MAP_USER user='u...@baz.foo.bar'
2016-03-26 13:27:40 INFO API: <--Mapping.InvokeCommands.MAP_USER user='u...@baz.foo.bar'

And here is the log: https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download

/K

On 03/26/2016 10:07 AM, Karli Sjöberg wrote:

What the heck, my message disappears! Trying again.

Ok, so it's mapping now but the only thing working is:

config.mapUser.regex.pattern = u...@baz.foo.bar
config.mapUser.regex.replacement = u...@foo.bar

And that isn't very useful. Please advise!

/K

On 03/25/2016 12:26 AM, Karli Sjöberg wrote:

On 25 March 2016 12:10 AM, Karli Sjöberg <karli.sjob...@slu.se> wrote:
>
> On 24 March 2016 11:26 PM, Ondra Machacek <omach...@redhat.com> wrote:
> >
> > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
> > >
> > > On 24 March 2016 7:26 PM, Ondra Machacek <omach...@redhat.com> wrote:
> > > >
> > > > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
> > > > > Hi!
> > > > >
> > > > > Starting new thread instead of jacking someone else's.
> > > > >
> > > > > Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:
> > > > >
> > > > > # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
> > > > >
> > > > > All OK, no errors, but cannot log in:
> > > > >
> > > > > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:
> > > >
> > > > If you want to login with a user with a different upn suffix, then just append that suffix:
> > > >
> > > > $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=u...@foo.bar
> > >
> > > OK, some progress, that works!
> > >
> > > > If you have more suffixes and want to have some as default you can use the following approach:
> > > >
> > > > 1) install ovirt-engine-extension-aaa-misc
> > > >
> > > > 2) create a new mapping extension like this:
> > > > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
> > > >
> > > > ovirt.engine.extension.name = mapping-suffix
> > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
> > > > config.mapUser.type = regex
> > > > config.mapUser.pattern = ^(?<user>[^@]*)$
> > >
> > > Is that supposed to really say '<user>' or should it be changed to a real user name? Either way, it doesn't work, I tried it all.
> >
> > '?<user>' is just a named group in that regex so you can later use it in the 'config.mapUser.replacement' option. It should take everything until the first '@'.
> >
> > > > config.mapUser.replacement = ${user}@foo.bar
> > > > config.mapUser.mustMatch = false
> > > >
> > > > 3) select a mapping plugin in authn configuration:
> > > >
> > > > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
> > > >
> > > > With the above configuration in use, your user 'user' will be mapped to user 'u...@foo.bar' and users 'u...@anotherdomain.foo.bar' will remain 'u...@anotherdomain.foo.bar'.
> > >
> > > This however does not, it doesn't replace the suffix as it's supposed to. I tried with many different types of the 'mapUser.pattern' but it simply won't change it, even if I type in '= ^u...@baz.foo.bar$', the error is the same :(
> >
> > Hmm, hard to say what's wrong, try to run:
> >
> > $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user
> >
> > and search for the mapping part in the log.
>
> Wow, what a mouthful :) Can you make anything out of it?
>
> https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
>
> /K

Just noticed after logging in to webadmin as "u...@foo.bar" (which worked btw, so good there) that the "User Name" in the Users main tab looks really odd:

u...@foo.bar@baz.foo.bar-new-authz

Sorry, you are right, it doesn't work. I've sent you an incorrect configuration; the correct one is:

/etc/ovirt-engine/extensions.d/mapping-suffix.properties
...
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
...

Notice there was a missing 'regex' after 'mapUser'.

/K

> > > /K
> > >
> > > > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
> > > > >
> > > > > but:
> > > > >
> > > > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='u...@baz.foo.bar'
> > > > > SEVERE Cannot resolve principal 'u...@baz.foo.bar'
> > > > >
> > > > > So it fails.
> > > > >
> > > > > # ldapsearch -x -H ldap://baz.foo.bar -D u...@foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
> > > > >
> > > > > userPrincipalName: u...@foo.bar
> > > > >
> > > > > How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when userPrincipalName ends only on '@foo.bar'?
> > > > >
> > > > > /K
> > > > >
> > > > > _______________________________________________
> > > > > Users mailing list
> > > > > Users@ovirt.org
> > > > > http://lists.ovirt.org/mailman/listinfo/users
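The suffix mapping discussed in this thread, reproduced as an added Python example that is not code from the oVirt project or from either poster. It approximates the `regex` mapUser step of ovirt-engine-extension-aaa-misc by translating the Java named-group syntax `(?<user>...)` and the `${user}` replacement reference into Python's, and it runs the two properties snippets from the thread (constructed copies, not parsed from a real file) through the same mapper to show why the first one, whose keys lack the `regex.` segment, leaves the user name untouched. The helper names (`map_user`, `unknown_mapuser_keys`) are this example's own, and the behaviour for `mustMatch = true` (rejecting a name the pattern does not match) is an assumption, not something the thread states.

```python
import re

# Constructed sample: the corrected keys from the thread (regex.pattern / regex.replacement / regex.mustMatch)
GOOD_PROPERTIES = """\
ovirt.engine.extension.name = mapping-suffix
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
"""

# Constructed sample: the first snippet from the thread, whose keys are missing the 'regex.' segment
BAD_PROPERTIES = """\
ovirt.engine.extension.name = mapping-suffix
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false
"""

# Keys the regex mapUser type reads, as used in the thread's working configuration
REGEX_MAPUSER_KEYS = {
    "config.mapUser.type",
    "config.mapUser.regex.pattern",
    "config.mapUser.regex.replacement",
    "config.mapUser.regex.mustMatch",
}


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines; '#' comments and blank lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def unknown_mapuser_keys(props):
    """Return config.mapUser.* keys that the regex mapper would silently ignore (hypothetical check)."""
    return sorted(k for k in props
                  if k.startswith("config.mapUser.") and k not in REGEX_MAPUSER_KEYS)


def java_to_python_regex(pattern):
    """Java named groups (?<name>...) become Python (?P<name>...); lookbehinds (?<= (?<! are left alone."""
    return re.sub(r"\(\?<(?![=!])(\w+)>", r"(?P<\1>", pattern)


def java_to_python_replacement(replacement):
    """Java ${name} group references become Python \\g<name> references."""
    return re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)


def map_user(props, user):
    """Approximate the regex mapUser step: rewrite 'user' when the pattern matches.

    Illustrative re-implementation, not the extension's own code. Treating
    mustMatch=true as rejecting a non-matching name is an assumption.
    """
    if props.get("config.mapUser.type") != "regex":
        return user
    pattern = props.get("config.mapUser.regex.pattern")
    if pattern is None:
        # No pattern under the key the mapper reads: the name passes through unchanged,
        # which is what the misspelled keys in the first snippet produce.
        return user
    replacement = props.get("config.mapUser.regex.replacement", "")
    must_match = props.get("config.mapUser.regex.mustMatch", "false").lower() == "true"
    compiled = re.compile(java_to_python_regex(pattern))
    if compiled.search(user) is None:
        if must_match:
            raise ValueError(f"user {user!r} does not match {pattern!r}")
        return user  # e.g. user@anotherdomain.foo.bar stays as it is
    return compiled.sub(java_to_python_replacement(replacement), user)


if __name__ == "__main__":
    good = parse_properties(GOOD_PROPERTIES)
    bad = parse_properties(BAD_PROPERTIES)
    for name in ("user", "user@anotherdomain.foo.bar"):
        print(f"{name!r:32} good -> {map_user(good, name)!r:32} bad -> {map_user(bad, name)!r}")
    print("keys the mapper ignores in the first snippet:", unknown_mapuser_keys(bad))
```

With the corrected keys, `user` becomes `user@foo.bar` and `user@anotherdomain.foo.bar` is left alone because `[^@]*` followed by `$` cannot match a name that contains `@`; with the first snippet's keys nothing is rewritten at all, which is the symptom the thread reports. Running `unknown_mapuser_keys` over a candidate properties file is a cheap way to catch that class of typo before looking at FINEST logs.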