On 28 March 2016 7:39 PM, Ondra Machacek <omach...@redhat.com> wrote:
>
> On 03/27/2016 11:40 AM, Karli Sjöberg wrote:
>>
>>> On 26 Mar 2016, at 21:32, Ondra Machacek <omach...@redhat.com> wrote:
>>>
>>> On 03/26/2016 02:09 PM, Karli Sjöberg wrote:
>>>>
>>>>> On 26 Mar 2016, at 13:49, Karli Sjöberg <karli.sjob...@slu.se> wrote:
>>>>>
>>>>>> On 26 Mar 2016, at 11:35, Ondra Machacek <omach...@redhat.com> wrote:
>>>>>>
>>>>>> For me it's working completely fine:
>>>>>>
>>>>>> ...
>>>>>> config.mapUser.type = regex
>>>>>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
>>>>>> config.mapUser.regex.replacement = ${user}@DOMAINX.com
>>>>>> config.mapUser.regex.mustMatch = false
>>>>>> ...
>>>>>>
>>>>>> $ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user@DOMAINY --profile=ad
>>>>>>
>>>>>> INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
>>>>>> INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
>>>>>>
>>>>>> $ ovirt-engine-extensions-tool aaa login-user --password=pass:password --user-name=user --profile=ad
>>>>>>
>>>>>> INFO API: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
>>>>>> INFO API: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='u...@domainx.com'
>>>>>>
>>>>>> As you can see it's correctly mapped.
>>>>>>
>>>>>> Please check once again that the regex is correct; if it still won't work,
>>>>>> please send the log output again.
>>>>>
>>>>> /etc/ovirt-engine/extensions.d/mapping-suffix.properties:
>>>>> ovirt.engine.extension.name = mapping-suffix
>>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
>>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
>>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
>>>>> config.mapUser.type = regex
>>>>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
>>>>> config.mapUser.regex.replacement = ${user}@foo.bar
>>>>> config.mapUser.regex.mustMatch = false
>>>>>
>>>>> # ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=u...@baz.foo.bar
>>>>> # grep Mapping.InvokeCommands.MAP_USER login.log
>>>>> 2016-03-26 13:27:40 INFO API: -->Mapping.InvokeCommands.MAP_USER user='u...@baz.foo.bar'
>>>>> 2016-03-26 13:27:40 INFO API: <--Mapping.InvokeCommands.MAP_USER user='u...@baz.foo.bar'
>>>>>
>>>>> And here is the log:
>>>>> https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download
>>>>>
>>>>> /K
>>>>
>>>> Eureka! I changed 'vars.user' in 'baz.foo.bar-new.properties' from one
>>>> with suffix '@baz.foo.bar' to mine that has a '@foo.bar' ending and now
>>>> it works, for some reason. Very strange, but anyway... How do I go about
>>>> changing from UPN to samAccountName, if I'd want that instead?
>>>
>>> Well, we support only UPN, because SAM supports only 15 characters in the
>>> username.
>>
>> OK, thank you. From here comes the really daunting part, which is to go
>> through all the VMs, check their permissions, add the same user(s) from the new
>> provider and delete the old. Probably going to start a new thread for doing
>> that with Python, but I'll cross that bridge when I get to it, this was
>> only a virtual test environment for going from 3.4 to 3.6.
>
> Not sure I understand, why would you do that? This is what the migration
> tool does for you as well, so why do you need to do it again?

Ah, I must have misread the instructions. So if it turns out to be necessary, I know who to blame :P
Thanks for pointing that out!

/K

>>
>> /K
>>
>>>>
>>>> /K
>>>>
>>>>>>
>>>>>> On 03/26/2016 10:07 AM, Karli Sjöberg wrote:
>>>>>>> What the heck, my message disappears! Trying again.
>>>>>>>
>>>>>>> Ok, so it's mapping now but the only thing working is:
>>>>>>> config.mapUser.regex.pattern = u...@baz.foo.bar
>>>>>>> config.mapUser.regex.replacement = u...@foo.bar
>>>>>>>
>>>>>>> And that isn't very useful. Please advise!
>>>>>>>
>>>>>>> /K
>>>>>>>
>>>>>>> On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
>>>>>>>>
>>>>>>>> On 25 March 2016 12:10 AM, Karli Sjöberg <karli.sjob...@slu.se> wrote:
>>>>>>>>>
>>>>>>>>> On 24 March 2016 11:26 PM, Ondra Machacek <omach...@redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>> On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
>>>>>>>>>>>
>>>>>>>>>>> On 24 March 2016 7:26 PM, Ondra Machacek <omach...@redhat.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
>>>>>>>>>>>>> Hi!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Starting a new thread instead of hijacking someone else's.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Managed to migrate from the old 'engine-manage-domains' auth to
>>>>>>>>>>>>> aaa-ldap using:
>>>>>>>>>>>>>
>>>>>>>>>>>>> # ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar --cacert /tmp/ca.crt --apply
>>>>>>>>>>>>>
>>>>>>>>>>>>> All OK, no errors, but cannot log in:
>>>>>>>>>>>>>
>>>>>>>>>>>>> # ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=user:
>>>>>>>>>>>>
>>>>>>>>>>>> If you want to log in with a user with a different UPN suffix, then
>>>>>>>>>>>> just append that suffix:
>>>>>>>>>>>>
>>>>>>>>>>>> $ ovirt-engine-extensions-tool aaa login-user --profile=baz.foo.bar-new --user-name=u...@foo.bar
>>>>>>>>>>>
>>>>>>>>>>> OK, some progress, that works!
>>>>>>>>>>>
>>>>>>>>>>>> If you have more suffixes and want to have some as default you
>>>>>>>>>>>> can use the following approach:
>>>>>>>>>>>>
>>>>>>>>>>>> 1) install ovirt-engine-extension-aaa-misc
>>>>>>>>>>>>
>>>>>>>>>>>> 2) create a new mapping extension like this:
>>>>>>>>>>>> /etc/ovirt-engine/extensions.d/mapping-suffix.properties
>>>>>>>>>>>>
>>>>>>>>>>>> ovirt.engine.extension.name = mapping-suffix
>>>>>>>>>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>>>>>>>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
>>>>>>>>>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
>>>>>>>>>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
>>>>>>>>>>>> config.mapUser.type = regex
>>>>>>>>>>>> config.mapUser.pattern = ^(?<user>[^@]*)$
>>>>>>>>>>>
>>>>>>>>>>> Is that supposed to really say '<user>' or should it be changed to a
>>>>>>>>>>> real user name? Either way, it doesn't work, I tried it all.
>>>>>>>>>>
>>>>>>>>>> '?<user>' is just a named group in that regex so you can later use it in
>>>>>>>>>> the 'config.mapUser.replacement' option. It should take everything until the
>>>>>>>>>> first '@'.
>>>>>>>>>>
>>>>>>>>>>>> config.mapUser.replacement = ${user}@foo.bar
>>>>>>>>>>>> config.mapUser.mustMatch = false
>>>>>>>>>>>>
>>>>>>>>>>>> 3) select a mapping plugin in the authn configuration:
>>>>>>>>>>>>
>>>>>>>>>>>> ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
>>>>>>>>>>>>
>>>>>>>>>>>> With the above configuration in use, your user 'user' will be mapped to
>>>>>>>>>>>> user 'u...@foo.bar' and users 'u...@anotherdomain.foo.bar' will remain
>>>>>>>>>>>> 'u...@anotherdomain.foo.bar'.
>>>>>>>>>>>
>>>>>>>>>>> This however does not, it doesn't replace the suffix as it's supposed
>>>>>>>>>>> to. I tried with many different types of the 'mapUser.pattern' but it
>>>>>>>>>>> simply won't change it, even if I type in '= ^u...@baz.foo.bar$', the
>>>>>>>>>>> error is the same :(
>>>>>>>>>>
>>>>>>>>>> Hmm, hard to say what's wrong, try to run:
>>>>>>>>>> $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=baz.foo.bar-new --user-name=user
>>>>>>>>>>
>>>>>>>>>> and search for the mapping part in the log.
>>>>>>>>>
>>>>>>>>> Wow, what a mouthful :) Can you make anything out of it?
>>>>>>>>>
>>>>>>>>> https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
>>>>>>>>>
>>>>>>>>> /K
>>>>>>>>
>>>>>>>> Just noticed after logging in to webadmin as "u...@foo.bar" (which
>>>>>>>> worked btw, so good there) that the "User Name" in the Users main tab
>>>>>>>> looks really odd:
>>>>>>>> u...@foo.bar@baz.foo.bar-new-authz
>>>>>>>
>>>>>>> Sorry, you are right, it doesn't work. I've sent you an incorrect
>>>>>>> configuration, the correct one is:
>>>>>>>
>>>>>>> /etc/ovirt-engine/extensions.d/mapping-suffix.properties
>>>>>>>
>>>>>>> ...
>>>>>>> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
>>>>>>> config.mapUser.regex.replacement = ${user}@foo.bar
>>>>>>> config.mapUser.regex.mustMatch = false
>>>>>>> ...
>>>>>>>
>>>>>>> Notice there was a missing 'regex' after 'mapUser'.
>>>>>>>
>>>>>>>>
>>>>>>>> /K
>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> /K
>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
>>>>>>>>>>>>>
>>>>>>>>>>>>> but:
>>>>>>>>>>>>>
>>>>>>>>>>>>> API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='u...@baz.foo.bar'
>>>>>>>>>>>>> SEVERE Cannot resolve principal 'u...@baz.foo.bar'
>>>>>>>>>>>>>
>>>>>>>>>>>>> So it fails.
>>>>>>>>>>>>>
>>>>>>>>>>>>> # ldapsearch -x -H ldap://baz.foo.bar -D u...@foo.bar -W -b DC=baz,DC=foo,DC=bar -s sub "(samAccountName=user)" userPrincipalName | grep 'userPrincipalName:'
>>>>>>>>>>>>>
>>>>>>>>>>>>> userPrincipalName: u...@foo.bar
>>>>>>>>>>>>>
>>>>>>>>>>>>> How do you configure AAA with base 'DC=baz,DC=foo,DC=bar' when
>>>>>>>>>>>>> userPrincipalName ends only on '@foo.bar'?
>>>>>>>>>>>>>
>>>>>>>>>>>>> /K
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> Users mailing list
>>>>>>>>>>>>> Users@ovirt.org
>>>>>>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
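The regex mapping discussed in this thread, as an added example that is not part of the original messages and not the code of ovirt-engine-extension-aaa-misc: a small Python script that parses a mapping-suffix.properties fragment, flags the key-naming mistake that stalled the thread (config.mapUser.pattern where config.mapUser.regex.pattern was needed), and applies the Java-style pattern and ${user} replacement to login names. The match/replace/mustMatch behaviour is an assumption drawn from the descriptions in the thread (bare names get the suffix appended, names that already carry an '@suffix' pass through unchanged, mustMatch=true rejects non-matching names); the properties texts are constructed samples, not files from the poster's system.

```python
import re

# Added example, not oVirt's code: reproduce the mapping semantics the
# ovirt-engine-extension-aaa-misc regex mapper is described as having in the
# thread, and catch the mis-keyed configuration (config.mapUser.pattern
# instead of config.mapUser.regex.pattern) that silently mapped nothing.
# The match/replace/mustMatch semantics are assumed from the thread, not
# taken from the extension's source.

REQUIRED_REGEX_KEYS = (
    "config.mapUser.regex.pattern",
    "config.mapUser.regex.replacement",
)


def load_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments.

    Constructed for this example; escapes and line continuations are ignored.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def validate_mapping_config(props):
    """Return a list of problems with a mapUser regex config (empty = OK).

    Specifically flags keys that dropped the 'regex' segment, which is the
    mistake in the first configuration posted in the thread.
    """
    problems = []
    if props.get("config.mapUser.type") != "regex":
        problems.append("config.mapUser.type must be 'regex'")
        return problems
    for key in REQUIRED_REGEX_KEYS:
        if key in props:
            continue
        short = key.replace(".regex.", ".")
        hint = f" (found '{short}'; the 'regex' segment is missing)" if short in props else ""
        problems.append(f"missing {key}{hint}")
    return problems


def java_regex_to_python(pattern, replacement):
    """Translate Java named groups and ${name} references to Python syntax.

    Java (?<user>...) with ${user} becomes Python (?P<user>...) with \\g<user>.
    """
    py_pattern = re.sub(r"\(\?<([A-Za-z][A-Za-z0-9]*)>", r"(?P<\1>", pattern)
    py_replacement = re.sub(r"\$\{([A-Za-z][A-Za-z0-9]*)\}", r"\\g<\1>", replacement)
    return py_pattern, py_replacement


def map_user(user, props):
    """Apply the mapUser regex mapping from a parsed properties dict.

    Returns the mapped name, or None when the name does not match and
    mustMatch is true (the login should then be rejected). A mis-keyed
    configuration raises ValueError instead of silently mapping nothing.
    """
    problems = validate_mapping_config(props)
    if problems:
        raise ValueError("; ".join(problems))
    py_pattern, py_replacement = java_regex_to_python(
        props["config.mapUser.regex.pattern"],
        props["config.mapUser.regex.replacement"],
    )
    must_match = props.get("config.mapUser.regex.mustMatch", "false").lower() == "true"
    regex = re.compile(py_pattern)
    if regex.search(user) is None:
        return None if must_match else user
    return regex.sub(py_replacement, user)


# Constructed sample configs: the mis-keyed one from early in the thread and
# the corrected one. Only the config.mapUser.* lines matter here.
BROKEN_PROPERTIES = """
ovirt.engine.extension.name = mapping-suffix
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false
"""

FIXED_PROPERTIES = """
ovirt.engine.extension.name = mapping-suffix
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
"""

# Same mapping, but rejecting any name that does not match the pattern.
STRICT_PROPERTIES = FIXED_PROPERTIES.replace("mustMatch = false", "mustMatch = true")


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(name, "->", validate_mapping_config(load_properties(text)) or "OK")
    fixed = load_properties(FIXED_PROPERTIES)
    for login in ("user", "user@baz.foo.bar", "user@anotherdomain.foo.bar"):
        print(f"{login!r:32} -> {map_user(login, fixed)!r}")
```

Running the script prints the validation verdict for both configs and the mapped name for each login; with the corrected properties, 'user' becomes 'user@foo.bar' while names that already carry a suffix are left alone. Because Java's (?<name>...) is translated to Python's (?P<name>...), a candidate pattern can be checked offline before it is put into the properties file; the authoritative check remains running ovirt-engine-extensions-tool aaa login-user and reading the Mapping.InvokeCommands.MAP_USER lines, as done in the thread.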