On 09/21/2016 12:03 PM, Maxence Sartiaux wrote:

I try to connect ovirt 4.0.3 to my Samba 4.5 Active Directory to permit
the login of AD users to ovirt.

For now i installed ovirt-engine-extension-aaa-ldap-setup.noarch
and ovirt-engine-extension-aaa-misc.noarch

# ovirt-engine-extension-aaa-ldap-setup
- selected "Active Directory"
- Anonymous search user

I can run a search but when i try to login with the username alone
"testuser" -> error "CREDENTIALS_INCORRECT", if i login with the
user+domain "testu...@abc.lan <mailto:testu...@abc.lan>" my auth succeed
but -> "Cannot resolve principal 'testu...@abc.lan'"

# ovirt-engine-extensions-tool aaa login-user --profile=abc.lan
--user-name=testuser <mailto:--user-name=testu...@abc.lan>

2016-09-21 09:53:29 INFO    API:
<--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='abc.lan'
2016-09-21 09:53:29 SEVERE  Authn.Result code is: CREDENTIALS_INCORRECT

# ovirt-engine-extensions-tool aaa login-user --profile=abc.lan

2016-09-21 09:52:02 INFO    API:
principal='testu...@abc.lan <mailto:principal='msarti...@abc.lan>'
2016-09-21 09:52:02 SEVERE  Cannot resolve principal 'testu...@abc.lan'

After some search i configured the mapping plugin to automaticaly add
@abc.lan to the user like that i don't need to add the @abc.lan to
connect but still the same error, cannot resolve principal ...

/# cat /etc/ovirt-engine/extensions.d/mapping-suffix.properties/

ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
ovirt.engine.extension.binding.jbossmodule.class =
ovirt.engine.extension.provides =
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@abc.lan <mailto:${user}@abc.lan>
config.mapUser.regex.mustMatch = false

/# cat /etc/ovirt-engine/extensions.d/mapping-suffix.properties/

ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix

Any ideas ?

What's the user principal name of the user 'testuser'?
You can check out as follows:

$ ldapsearch -x -b 'DC=abc,DC=lan -H 'ldap://abc.lan' 'sAMAccountName=testuser' userPrincipalName

Is it indeed 'testu...@abc.lan' or different? If different then you need to use that UPN.

Anyway debug log of test tool of login command would be helpful.

$ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --profile=abc.lan --user-name=testuser

Thank you.

Users mailing list

Users mailing list

Reply via email to