On 03/27/2016 11:40 AM, Karli Sjöberg wrote:

On 26 Mar 2016, at 21:32, Ondra Machacek <[email protected]> wrote:

On 03/26/2016 02:09 PM, Karli Sjöberg wrote:

On 26 Mar 2016, at 13:49, Karli Sjöberg <[email protected]> wrote:


On 26 Mar 2016, at 11:35, Ondra Machacek <[email protected]> wrote:

For me it's working completely fine:

...
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@DOMAINX.com
config.mapUser.regex.mustMatch = false
...

$ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user@DOMAINY --profile=ad

INFO    API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
INFO    API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'

$ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user --profile=ad

INFO    API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
INFO    API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='[email protected]'

As you can see it's correctly mapped.

Please check once again the regex is correct, if it still won't work,
please send log output again.

/etc/ovirt-engine/extensions.d/mapping-suffix.properties:
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false

# ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new [email protected]
# grep Mapping.InvokeCommands.MAP_USER login.log
2016-03-26 13:27:40 INFO    API: -->Mapping.InvokeCommands.MAP_USER user='[email protected]'
2016-03-26 13:27:40 INFO    API: <--Mapping.InvokeCommands.MAP_USER user='[email protected]'

And here is the log:
https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download

/K

Eureka! I changed 'vars.user' in 'baz.foo.bar-new.properties' from one
with suffix '@baz.foo.bar' to mine that has a '@foo.bar' ending and now
it works, for some reason. Very strange, but anyway... How do I go about
changing from UPN to samAccountName, if I'd want that instead?

Well, we support only UPN, because sam supports only 15 characters in the username.

OK, thank you. From here comes the really daunting part, which is to go through
all the VMs, check their permissions, add the same user(s) from the new provider
and delete the old. Probably going to start a new thread for doing that with
Python, but I'll cross that bridge when I get to it, this was only a virtual
test environment for going from 3.4 to 3.6.

Not sure I understand, why would you do that? This is what the migration tool does for you as well,
so why do you need to do it again?


/K



/K



On 03/26/2016 10:07 AM, Karli Sjöberg wrote:
What the heck, my message disappears! Trying again.

Ok, so it's mapping now but the only thing working is:
config.mapUser.regex.pattern = [email protected]
config.mapUser.regex.replacement = [email protected]

And that isn't very useful. Please advise!

/K

On 03/25/2016 12:26 AM, Karli Sjöberg wrote:

On 25 March 2016 at 12:10 AM Karli Sjöberg <[email protected]> wrote:


On 24 March 2016 at 11:26 PM Ondra Machacek <[email protected]> wrote:

On 03/24/2016 11:14 PM, Karli Sjöberg wrote:

On 24 March 2016 at 7:26 PM Ondra Machacek <[email protected]> wrote:
  >
  > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
  > > Hi!
  > >
  > >
  > > Starting new thread instead of jacking someone else´s.
  > >
  > >
  > > Managed to migrate from old 'engine-manage-domains' auth to aaa-ldap using:
  > >
  > > # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
  > >
  > >
  > > All OK, no errors, but cannot log in:
  > >
  > > # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:
  >
  > If you want to log in with a user with a different UPN suffix, then just
  > append that suffix
  >
  > $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new [email protected]

OK, some progress, that works!

  >
  > If you have more suffixes and want to have some as default you can use
  > the following approach:
  >
  > 1) install ovirt-engine-extension-aaa-misc
  >
  > 2) create new mapping extension like this:
  > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
  >
  > ovirt.engine.extension.name = mapping-suffix
  > ovirt.engine.extension.bindings.method = jbossmodule
  > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
  > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
  > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
  > config.mapUser.type = regex
  > config.mapUser.pattern = ^(?<user>[^@]*)$

Is that supposed to really say '<user>' or should it be changed to a
real user name? Either way, it doesn't work, I tried it all.

'?<user>' is just a named group in that regex so you can later use it in
the 'config.mapUser.replacement' option. It should take everything until
the first '@'.


  > config.mapUser.replacement = ${user}@foo.bar
  > config.mapUser.mustMatch = false
  >
  > 3) select a mapping plugin in authn configuration:
  >
  > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
  >
  > With above configuration in use, your user 'user' will be mapped to
  > user '[email protected]' and users '[email protected]' will remain
  > '[email protected]'.

This however does not, it doesn't replace the suffix as it's supposed
to. I tried with many different types of the 'mapUser.pattern' but it
simply won't change it, even if I type in '= ^[email protected]$', the
error is the same :(

Hmm, hard to say what's wrong, try to run:
$ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user

and search for a mapping part in log.

Wow what a mouthful :) Can you make anything out of it?

https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download

/K

Just noticed after logging in to webadmin as "[email protected]" (which
worked btw, so good there) that the "User Name" in Users main tab looks
really odd:
[email protected]@baz.foo.bar-new-authz

Sorry, you are right, it doesn't work. I've sent you an incorrect
configuration, the correct one is:

/etc/ovirt-engine/extensions.d/mapping-suffix.properties

...
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
...

Notice there was missing 'regex', after 'mapUser'.


/K




/K

  >
  > >
  > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
  > >
  > >
  > > but:
  > >
  > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='[email protected]'
  > > SEVERE  Cannot resolve principal '[email protected]'
  > >
  > >
  > > So it fails.
  > >
  > >
  > > # ldapsearch -x -H ldap://baz.foo.bar -D [email protected] -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
  > >
  > > userPrincipalName: [email protected]
  > >
  > >
  > > How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when
  > > userPrincipalName ends only on '@foo.bar'?
  > >
  > > /K
  > >
  > >
  > >
  > >
  > > _______________________________________________
  > > Users mailing list
  > > [email protected] <mailto:[email protected]>
  > > http://lists.ovirt.org/mailman/listinfo/users
  > >





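The regex user mapping that this thread converges on (config.mapUser.regex.pattern = ^(?<user>[^@]*)$ with replacement ${user}@foo.bar and mustMatch = false) is modelled below in Python, as an added example that is not oVirt's code and not from any participant in the thread. It reads the properties file, translates the Java named-group and ${user} syntax into Python's re module, and applies the mapping to a few constructed login names: a bare name gets the suffix, names that already carry a suffix pass through untouched. It also reproduces the failure mode from the thread: when the ".regex" segment is missing from the keys, the mapping quietly does nothing, so the example includes a check that reports the missing keys instead. The treatment of mustMatch (true rejects a non-matching name, false passes it through) and the assumption that a misconfigured mapping leaves the name unchanged are my modelling of the behaviour described in the thread, not verified against the extension's source.

```python
"""Model of the oVirt aaa-misc MappingExtension regex user mapping.

Added example, not oVirt's own code. Assumptions (not taken from the page):
  - the properties file is parsed as simple "key = value" lines;
  - Java's (?<name>...) becomes Python's (?P<name>...) and ${name} becomes \\g<name>;
  - mustMatch=true is modelled as "reject the login when the pattern does not
    match" (map_user returns None), mustMatch=false as "pass the name through";
  - a config missing the config.mapUser.regex.* keys leaves names unchanged,
    which is what the thread observed before the keys were corrected.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the working configuration from the thread (binding keys
# omitted, only config.mapUser.* matters for the mapping itself).
GOOD_PROPERTIES = """\
ovirt.engine.extension.name = mapping-suffix
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
"""

# Constructed sample: the first, incorrect configuration from the thread,
# with ".regex" missing after "mapUser".
BAD_PROPERTIES = """\
ovirt.engine.extension.name = mapping-suffix
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false
"""

REQUIRED_KEYS = (
    "config.mapUser.regex.pattern",
    "config.mapUser.regex.replacement",
    "config.mapUser.regex.mustMatch",
)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal 'key = value' parser; skips blank lines and '#' comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def missing_mapping_keys(props: Dict[str, str]) -> List[str]:
    """Return the config.mapUser.regex.* keys that are absent.

    A non-empty result is exactly the mistake from the thread: with the keys
    misspelled the extension leaves names unchanged instead of failing loudly,
    so this check is worth running before deploying the properties file.
    """
    return [k for k in REQUIRED_KEYS if k not in props]


def java_pattern_to_python(pattern: str) -> str:
    """Java named groups are (?<name>...); Python needs (?P<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def java_replacement_to_python(repl: str) -> str:
    """Translate Java's ${name} group reference into Python's \\g<name>."""
    return re.sub(r"\$\{(\w+)\}", r"\\g<\1>", repl)


def map_user(props: Dict[str, str], user: str) -> Optional[str]:
    """Apply the configured regex mapping to a login name.

    Returns the mapped name, the unchanged name when the pattern does not
    match and mustMatch is false, or None (login rejected) when the pattern
    does not match and mustMatch is true.
    """
    if props.get("config.mapUser.type") != "regex" or missing_mapping_keys(props):
        return user  # nothing usable configured: name passes through untouched
    pattern = re.compile(java_pattern_to_python(props["config.mapUser.regex.pattern"]))
    replacement = java_replacement_to_python(props["config.mapUser.regex.replacement"])
    must_match = props["config.mapUser.regex.mustMatch"].strip().lower() == "true"
    if pattern.search(user) is None:
        return None if must_match else user
    return pattern.sub(replacement, user)


if __name__ == "__main__":
    good = parse_properties(GOOD_PROPERTIES)
    bad = parse_properties(BAD_PROPERTIES)
    print("missing keys in bad config:", missing_mapping_keys(bad))
    # Constructed login names: bare, already suffixed, and suffixed with the AD domain.
    for name in ("user", "user@foo.bar", "user@baz.foo.bar"):
        print(f"{name!r:20} good -> {map_user(good, name)!r:20} bad -> {map_user(bad, name)!r}")
```

Running the block prints the three missing keys for the bad configuration and shows that, with the good one, only the bare name is rewritten to user@foo.bar; the two suffixed names reach the LDAP lookup exactly as typed, which is why a user with a suffix other than the default still has to type it in full.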