On 03/26/2016 02:09 PM, Karli Sjöberg wrote:
On 26 Mar 2016, at 13:49, Karli Sjöberg <[email protected]> wrote:
On 26 Mar 2016, at 11:35, Ondra Machacek <[email protected]> wrote:
For me it's working completely fine:
...
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@DOMAINX.com
config.mapUser.regex.mustMatch = false
...
$ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user@DOMAINY --profile=ad
INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
$ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user --profile=ad
INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='[email protected]'
As you can see it's correctly mapped.
Please check once again that the regex is correct; if it still won't work,
please send the log output again.
/etc/ovirt-engine/extensions.d/mapping-suffix.properties:
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
# ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new [email protected]
# grep Mapping.InvokeCommands.MAP_USER login.log
2016-03-26 13:27:40 INFO API: -->Mapping.InvokeCommands.MAP_USER user='[email protected]'
2016-03-26 13:27:40 INFO API: <--Mapping.InvokeCommands.MAP_USER user='[email protected]'
And here is the log:
https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download
/K
Eureka! I changed 'vars.user' in 'baz.foo.bar-new.properties' from one
with suffix '@baz.foo.bar' to mine that has a '@foo.bar' ending and now
it works, for some reason. Very strange, but anyway... How do I go about
changing from UPN to samAccountName, if I'd want that instead?
Well, we support only UPN, because sam supports only 15 characters in the
username.
/K
On 03/26/2016 10:07 AM, Karli Sjöberg wrote:
What the heck, my message disappears! Trying again.
Ok, so it's mapping now but the only thing working is:
config.mapUser.regex.pattern = [email protected]
config.mapUser.regex.replacement = [email protected]
And that isn't very useful. Please advise!
/K
On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
On 25 Mar 2016 12:10 AM, Karli Sjöberg <[email protected]> wrote:
>
>
> On 24 Mar 2016 11:26 PM, Ondra Machacek <[email protected]> wrote:
> >
> > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
> > >
> > > On 24 Mar 2016 7:26 PM, Ondra Machacek <[email protected]> wrote:
> > > >
> > > > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
> > > > > Hi!
> > > > >
> > > > >
> > > > > Starting new thread instead of jacking someone else's.
> > > > >
> > > > >
> > > > > Managed to migrate from old 'engine-manage-domains' auth to
> > > aaa-ldap using:
> > > > >
> > > > > # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
> > > > >
> > > > >
> > > > > All OK, no errors, but cannot log in:
> > > > >
> > > > > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:
> > > >
> > > > If you want to log in with a user with a different upn suffix, then just append that suffix
> > > >
> > > > $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new [email protected]
> > >
> > > OK, some progress, that works!
> > >
> > > >
> > > > If you have more suffixes and want to have some as default you can use the following approach:
> > > >
> > > > 1) install ovirt-engine-extension-aaa-misc
> > > >
> > > > 2) create new mapping extension like this:
> > > > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
> > > >
> > > > ovirt.engine.extension.name = mapping-suffix
> > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
> > > > config.mapUser.type = regex
> > > > config.mapUser.pattern = ^(?<user>[^@]*)$
> > >
> > > Is that supposed to really say '<user>' or should it be changed to a real user name? Either way, it doesn't work, I tried it all.
> >
> > '?<user>' is just a named group in that regex so you can later use it in the 'config.mapUser.replacement' option. It should take everything until the first '@'.
> >
> > >
> > > > config.mapUser.replacement = ${user}@foo.bar
> > > > config.mapUser.mustMatch = false
> > > >
> > > > 3) select a mapping plugin in authn configuration:
> > > >
> > > > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
> > > >
> > > > With the above configuration in use, your user 'user' will be mapped to user '[email protected]' and users '[email protected]' will remain '[email protected]'.
> > >
> > > This however does not, it doesn't replace the suffix as it's supposed to. I tried with many different types of the 'mapUser.pattern' but it simply won't change it, even if I type in '= ^[email protected]$', the error is the same :(
> >
> > Hmm, hard to say what's wrong, try to run:
> > $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
> > --profile=baz.foo.bar-new --user-name=user
> >
> > and search for a mapping part in log.
>
> Wow, what a mouthful :) Can you make anything out of it?
>
> https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
>
> /K
Just noticed after logging in to webadmin as "[email protected]" (which worked btw, so good there) that the "User Name" in the Users main tab looks really odd:
[email protected]@baz.foo.bar-new-authz
Sorry, you are right, it doesn't work. I've sent you an incorrect
configuration; the correct one is:
/etc/ovirt-engine/extensions.d/mapping-suffix.properties
...
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
...
Notice there was missing 'regex', after 'mapUser'.
/K
>
> >
> > >
> > > /K
> > >
> > > >
> > > > >
> > > > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
> > > > >
> > > > >
> > > > > but:
> > > > >
> > > > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='[email protected]'
> > > > > SEVERE Cannot resolve principal '[email protected]'
> > > > >
> > > > >
> > > > > So it fails.
> > > > >
> > > > >
> > > > > # ldapsearch -x -H ldap://baz.foo.bar -D [email protected] -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
> > > > >
> > > > > userPrincipalName: [email protected]
> > > > >
> > > > >
> > > > > How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when userPrincipalName ends only on '@foo.bar'?
> > > > >
> > > > > /K
> > > > >
> > > > >
> > > > >
> > > > >
_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users
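An added example, not code from oVirt or from the aaa-misc extension: a small Python emulation of what the thread describes the regex mapUser rule doing, so a mapping-suffix.properties fragment can be sanity-checked offline before it goes into /etc/ovirt-engine/extensions.d. Two things are assumptions rather than facts from the thread: that the plugin applies the pattern with Java replaceAll semantics, and the strict check for unrecognised config.mapUser.* keys, which is added here precisely because the real plugin evidently accepted the typo'd keys (config.mapUser.pattern without "regex.") without complaint. The sample properties text is constructed from the two fragments posted above; the Java named-group and ${name} syntax in them is translated to Python syntax in code rather than rewritten, so the fragments stay copy-pasteable into oVirt.

```python
import re
from typing import Dict, List, Optional, Tuple

# Illustrative emulation of the aaa-misc regex mapUser rule (assumption:
# Java replaceAll semantics). Not oVirt's implementation.

KNOWN_MAP_USER_KEYS = {
    "config.mapUser.type",
    "config.mapUser.regex.pattern",
    "config.mapUser.regex.replacement",
    "config.mapUser.regex.mustMatch",
}

# Constructed sample: the corrected fragment from the thread.
GOOD_PROPERTIES = """\
ovirt.engine.extension.name = mapping-suffix
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
"""

# Constructed sample: the first fragment from the thread, "regex." missing.
BROKEN_PROPERTIES = """\
ovirt.engine.extension.name = mapping-suffix
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key = value reader (no backslash escapes or line continuations)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def unknown_map_user_keys(props: Dict[str, str]) -> List[str]:
    """Keys under config.mapUser. that a regex mapper would ignore (added check)."""
    return sorted(k for k in props
                  if k.startswith("config.mapUser.") and k not in KNOWN_MAP_USER_KEYS)


def java_named_groups_to_python(pattern: str) -> str:
    """Java (?<name>...) -> Python (?P<name>...); lookbehinds (?<= and (?<! untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def java_replacement_to_python(repl: str) -> str:
    """Java ${name} / $1 -> Python \\g<name> / \\1 replacement templates."""
    repl = re.sub(r"\$\{(\w+)\}", r"\\g<\1>", repl)
    return re.sub(r"\$(\d+)", r"\\\1", repl)


def load_map_user_rule(props: Dict[str, str]) -> Tuple["re.Pattern[str]", str, bool]:
    """Build (pattern, replacement, mustMatch) from parsed properties; fail loudly on typos."""
    unknown = unknown_map_user_keys(props)
    if unknown:
        raise ValueError("unrecognised mapUser keys (missing 'regex.'?): " + ", ".join(unknown))
    if props.get("config.mapUser.type") != "regex":
        raise ValueError("only config.mapUser.type = regex is emulated here")
    pattern = re.compile(java_named_groups_to_python(props["config.mapUser.regex.pattern"]))
    replacement = java_replacement_to_python(props["config.mapUser.regex.replacement"])
    must_match = props.get("config.mapUser.regex.mustMatch", "false").strip().lower() == "true"
    return pattern, replacement, must_match


def map_user(user: str, pattern: "re.Pattern[str]", replacement: str,
             must_match: bool) -> Optional[str]:
    """Mapped name; the input unchanged if no match and mustMatch=false;
    None (reject) if no match and mustMatch=true."""
    if pattern.search(user) is None:
        return None if must_match else user
    return pattern.sub(replacement, user)


def map_with_properties(text: str, user: str) -> Optional[str]:
    """Parse a properties fragment and map one login name with it."""
    return map_user(user, *load_map_user_rule(parse_properties(text)))


if __name__ == "__main__":
    for name in ("user", "user@DOMAINY", "user@foo.bar"):
        print(f"{name!r} -> {map_with_properties(GOOD_PROPERTIES, name)!r}")
    print("broken fragment would ignore:",
          unknown_map_user_keys(parse_properties(BROKEN_PROPERTIES)))
```

With the corrected fragment, "user" becomes "user@foo.bar" while names that already carry an "@" suffix fail the anchored pattern and pass through unchanged because mustMatch is false; with mustMatch true they would be rejected instead. One caveat worth checking in any deployment of such a rule: "^(?<user>[^@]*)$" also matches the empty string, so an empty login name maps to a bare "@foo.bar" and should be refused before the mapper runs.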