> On 26 Mar 2016, at 21:32, Ondra Machacek <[email protected]> wrote:
>
> On 03/26/2016 02:09 PM, Karli Sjöberg wrote:
>>
>>> On 26 Mar 2016, at 13:49, Karli Sjöberg <[email protected]> wrote:
>>>
>>>> On 26 Mar 2016, at 11:35, Ondra Machacek <[email protected]> wrote:
>>>>
>>>> For me it's working completely fine:
>>>>
>>>> ...
>>>> config.mapUser.type = regex
>>>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
>>>> config.mapUser.regex.replacement = ${user}@DOMAINX.com
>>>> config.mapUser.regex.mustMatch = false
>>>> ...
>>>>
>>>> $ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user@DOMAINY --profile=ad
>>>>
>>>> INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
>>>> INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
>>>>
>>>> $ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user --profile=ad
>>>>
>>>> INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
>>>> INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='[email protected]'
>>>>
>>>> As you can see it's correctly mapped.
>>>>
>>>> Please check once again the regex is correct, if it still won't work,
>>>> please send log output again.
>>>
>>> /etc/ovirt-engine/extensions.d/mapping-suffix.properties:
>>> ovirt.engine.extension.name = mapping-suffix
>>> ovirt.engine.extension.bindings.method = jbossmodule
>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
>>> config.mapUser.type = regex
>>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
>>> config.mapUser.regex.replacement = ${user}@foo.bar
>>> config.mapUser.regex.mustMatch = false
>>>
>>> # ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new [email protected]
>>> # grep Mapping.InvokeCommands.MAP_USER login.log
>>> 2016-03-26 13:27:40 INFO API: -->Mapping.InvokeCommands.MAP_USER user='[email protected]'
>>> 2016-03-26 13:27:40 INFO API: <--Mapping.InvokeCommands.MAP_USER user='[email protected]'
>>>
>>> And here is the log:
>>> https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download
>>>
>>> /K
>>
>> Eureka! I changed 'vars.user' in 'baz.foo.bar-new.properties' from one
>> with suffix '@baz.foo.bar' to mine that has a '@foo.bar' ending and now
>> it works, for some reason. Very strange, but anyway... How do I go about
>> changing from UPN to samAccountName, if I'd want that instead?
>
> Well, we support only UPN, because sam supports only 15 characters in username.
OK, thank you. From here comes the really daunting part, which is to go through all the VMs, check their permissions, add same user(s) from the new provider and delete the old. Probably going to start a new thread for doing that with Python, but I'll cross that bridge when I get to it, this was only a virtual test environment for going from 3.4 to 3.6.

/K

>
>>
>> /K
>>
>>>
>>>>
>>>> On 03/26/2016 10:07 AM, Karli Sjöberg wrote:
>>>>> What the heck, my message disappears! Trying again.
>>>>>
>>>>> Ok, so it's mapping now but the only thing working is:
>>>>> config.mapUser.regex.pattern = [email protected]
>>>>> config.mapUser.regex.replacement = [email protected]
>>>>>
>>>>> And that isn't very useful. Please advise!
>>>>>
>>>>> /K
>>>>>
>>>>> On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
>>>>>>
>>>>>> On 25 March 2016 12:10 AM, Karli Sjöberg <[email protected]> wrote:
>>>>>> >
>>>>>> > On 24 March 2016 11:26 PM, Ondra Machacek <[email protected]> wrote:
>>>>>> > >
>>>>>> > > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
>>>>>> > > >
>>>>>> > > > On 24 March 2016 7:26 PM, Ondra Machacek <[email protected]> wrote:
>>>>>> > > > >
>>>>>> > > > > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
>>>>>> > > > > > Hi!
>>>>>> > > > > >
>>>>>> > > > > > Starting new thread instead of jacking someone else's.
>>>>>> > > > > >
>>>>>> > > > > > Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:
>>>>>> > > > > >
>>>>>> > > > > > # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
>>>>>> > > > > >
>>>>>> > > > > > All OK, no errors, but cannot log in:
>>>>>> > > > > >
>>>>>> > > > > > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:
>>>>>> > > > >
>>>>>> > > > > If you want to log in with a user with a different UPN suffix, then just append that suffix
>>>>>> > > > >
>>>>>> > > > > $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new [email protected]
>>>>>> > > >
>>>>>> > > > OK, some progress, that works!
>>>>>> > > >
>>>>>> > > > > If you have more suffixes and want to have some as default you can use the following approach:
>>>>>> > > > >
>>>>>> > > > > 1) install ovirt-engine-extension-aaa-misc
>>>>>> > > > >
>>>>>> > > > > 2) create new mapping extension like this:
>>>>>> > > > > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
>>>>>> > > > >
>>>>>> > > > > ovirt.engine.extension.name = mapping-suffix
>>>>>> > > > > ovirt.engine.extension.bindings.method = jbossmodule
>>>>>> > > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
>>>>>> > > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
>>>>>> > > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
>>>>>> > > > > config.mapUser.type = regex
>>>>>> > > > > config.mapUser.pattern = ^(?<user>[^@]*)$
>>>>>> > > >
>>>>>> > > > Is that supposed to really say '<user>' or should it be
>>>>>> > > > changed to a real user name? Either way, it doesn't work, I tried it all.
>>>>>> > >
>>>>>> > > '?<user>' is just a named group in that regex so you can later use it in
>>>>>> > > the 'config.mapUser.replacement' option. It should take everything until the first '@'.
>>>>>> > >
>>>>>> > > > > config.mapUser.replacement = ${user}@foo.bar
>>>>>> > > > > config.mapUser.mustMatch = false
>>>>>> > > > >
>>>>>> > > > > 3) select a mapping plugin in authn configuration:
>>>>>> > > > >
>>>>>> > > > > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
>>>>>> > > > >
>>>>>> > > > > With the above configuration in use, your user 'user' will be mapped to
>>>>>> > > > > user '[email protected]' and users '[email protected]' will remain '[email protected]'.
>>>>>> > > >
>>>>>> > > > This however does not, it doesn't replace the suffix as it's supposed
>>>>>> > > > to. I tried with many different types of the 'mapUser.pattern' but it
>>>>>> > > > simply won't change it, even if I type in '= ^[email protected]$', the
>>>>>> > > > error is the same :(
>>>>>> > >
>>>>>> > > Hmm, hard to say what's wrong, try to run:
>>>>>> > > $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user
>>>>>> > >
>>>>>> > > and search for the mapping part in the log.
>>>>>> >
>>>>>> > Wow, what a mouthful :) Can you make anything out of it?
>>>>>> >
>>>>>> > https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
>>>>>> >
>>>>>> > /K
>>>>>>
>>>>>> Just noticed after logging in to webadmin as "[email protected]" (which
>>>>>> worked btw, so good there) that the "User Name" in the Users main tab looks
>>>>>> really odd:
>>>>>> [email protected]@baz.foo.bar-new-authz
>>>>>
>>>>> Sorry, you are right, it doesn't work. I've sent you an incorrect
>>>>> configuration, the correct one is:
>>>>>
>>>>> /etc/ovirt-engine/extensions.d/mapping-suffix.properties
>>>>>
>>>>> ...
>>>>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
>>>>> config.mapUser.regex.replacement = ${user}@foo.bar
>>>>> config.mapUser.regex.mustMatch = false
>>>>> ...
>>>>>
>>>>> Notice 'regex' was missing after 'mapUser'.
>>>>>
>>>>>>
>>>>>> /K
>>>>>>
>>>>>> >
>>>>>> > >
>>>>>> > > >
>>>>>> > > > /K
>>>>>> > > >
>>>>>> > > > >
>>>>>> > > > > >
>>>>>> > > > > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
>>>>>> > > > > >
>>>>>> > > > > > but:
>>>>>> > > > > >
>>>>>> > > > > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='[email protected]'
>>>>>> > > > > > SEVERE Cannot resolve principal '[email protected]'
>>>>>> > > > > >
>>>>>> > > > > > So it fails.
>>>>>> > > > > >
>>>>>> > > > > > # ldapsearch -x -H ldap://baz.foo.bar -D [email protected] -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
>>>>>> > > > > >
>>>>>> > > > > > userPrincipalName: [email protected]
>>>>>> > > > > >
>>>>>> > > > > > How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when
>>>>>> > > > > > userPrincipalName ends only on '@foo.bar'?
>>>>>> > > > > >
>>>>>> > > > > > /K
>>>>>> > > > > >
>>>>>> > > > > > _______________________________________________
>>>>>> > > > > > Users mailing list
>>>>>> > > > > > [email protected]
>>>>>> > > > > > http://lists.ovirt.org/mailman/listinfo/users
>>>>>> > > > > >
>>>>>> > > >
>>>>>>
>>>
>>

