Bug 1403316

Summary: [RFE] Ability for AD users to login to RHV via AAA using their usernames instead of UPN format
Product: Red Hat Enterprise Virtualization Manager
Reporter: Anitha Udgiri <audgiri>
Component: ovirt-engine-extension-aaa-ldap
Assignee: Martin Perina <mperina>
Status: CLOSED ERRATA
QA Contact: Gonza <grafuls>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.0.0
CC: bazulay, ddash, gklein, lsurette, mgoldboi, mperina, omachace, oourfali, pstehlik, Rhev-m-bugs, vinodkn, ykaul
Target Milestone: ovirt-4.1.0-beta
Keywords: FutureFeature
Target Release: ---
Flags: grafuls: testing_plan_complete+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-04-25 00:43:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Anitha Udgiri 2016-12-09 15:53:46 UTC
Description of problem:

At present users are required to login using their UPN format login ids.
Request for the usernames to be used for login purposes too.

Comment 2 Ondra Machacek 2017-01-10 15:07:39 UTC
With a little change into the /etc/ovirt-engine/extensions.d/ad.properties file the users can use the SAM account name to login.

###################################################################
vars.default_domain = AD-W2K12R2

sequence.ad-resolve-user.010.description = add default domain prefix
sequence.ad-resolve-user.010.type = regex
sequence.ad-resolve-user.010.regex.value = ${seq:PrincipalRecord_PRINCIPAL}
sequence.ad-resolve-user.010.regex.pattern = ^[^\\\\]*$
sequence.ad-resolve-user.010.regex.replacement.PrincipalRecord_PRINCIPAL = ${global:vars.default_domain}\\\\${seq:PrincipalRecord_PRINCIPAL}

sequence.resolve-principal.010.type = regex
sequence.resolve-principal.010.regex.value = ${seq:PrincipalRecord_PRINCIPAL}
sequence.resolve-principal.010.regex.pattern = ^(?<domain>.*?)(?<backslash>\\\\)(?<user>.*?)$
sequence.resolve-principal.010.regex.replacement.PrincipalRecord_PRINCIPAL = ${user}

search.ad-resolve-upn.search-request.filter = &(sAMAccountName=${seq:PrincipalRecord_PRINCIPAL})
###################################################################

Please note that the variable 'vars.default_domain' specifies the default domain name;
please be sure to change it to the proper name. If AD is a multi-domain setup, users from different domains should use a domain prefix before the SAM account name, something like this:

 SUBDOMAIN.DOMAIN.COM\mysamaccount

Please note that we didn't test Virtual Machine SSO, so please test properly.
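
To make the three sequence entries in comment 2 concrete, the following Python script is an added model (it is not part of this bug, of ovirt-engine-extension-aaa-ldap, or of oVirt): it reads the quoted properties excerpt, applies the two regex steps in order, and builds the final sAMAccountName filter for a bare login and for the multi-domain DOMAIN\user form. How the real extension scopes ${...} variables and whether it escapes the value before building the LDAP filter is not stated on the page, so the variable handling here is a simplification and the RFC 4515 escaping is something this model adds on its own.

```python
import re

# Constructed excerpt of the ad.properties keys quoted in comment 2 (not the whole file).
AD_PROPERTIES = r"""
vars.default_domain = AD-W2K12R2
sequence.ad-resolve-user.010.regex.pattern = ^[^\\\\]*$
sequence.ad-resolve-user.010.regex.replacement.PrincipalRecord_PRINCIPAL = ${global:vars.default_domain}\\\\${seq:PrincipalRecord_PRINCIPAL}
sequence.resolve-principal.010.regex.pattern = ^(?<domain>.*?)(?<backslash>\\\\)(?<user>.*?)$
sequence.resolve-principal.010.regex.replacement.PrincipalRecord_PRINCIPAL = ${user}
search.ad-resolve-upn.search-request.filter = &(sAMAccountName=${seq:PrincipalRecord_PRINCIPAL})
"""


def load_properties(text):
    r"""Minimal Java-properties reader: 'key = value' lines, doubled backslash -> one backslash.

    This is why the file writes ^[^\\\\]*$ for the regex ^[^\\]*$ ("no backslash at all").
    """
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props


def java_to_python_regex(pattern):
    """Java names groups (?<name>...), Python (?P<name>...); lookbehinds (?<= (?<! are untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def expand(template, variables):
    """Substitute ${name} references; unknown names are left as-is so they stand out."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: variables.get(m.group(1), m.group(0)), template)


def regex_step(value, pattern, replacement, variables):
    """Model one 'type = regex' sequence step (simplified): if the pattern matches, rebuild
    the value from the replacement template, with ${group} names and ${scope:var} references
    available. Returns (new_value, named_groups); a non-match leaves the value unchanged."""
    m = re.search(java_to_python_regex(pattern), value)
    if m is None:
        return value, {}
    groups = {k: v for k, v in m.groupdict().items() if v is not None}
    scoped = dict(variables, **groups)
    # A doubled backslash in the replacement template stands for one literal backslash.
    return expand(replacement.replace("\\\\", "\\"), scoped), groups


def ldap_filter_escape(value):
    """RFC 4515 escaping before a value goes into a search filter. Added by this model;
    the page does not say how the extension itself treats the value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def resolve_login(login, props):
    """Run the two steps from comment 2 and build the sAMAccountName filter."""
    variables = {
        "global:vars.default_domain": props["vars.default_domain"],
        "seq:PrincipalRecord_PRINCIPAL": login,
    }
    # Step 1 (ad-resolve-user.010): a login without a backslash gets DEFAULT_DOMAIN\ prepended.
    qualified, _ = regex_step(
        login,
        props["sequence.ad-resolve-user.010.regex.pattern"],
        props["sequence.ad-resolve-user.010.regex.replacement.PrincipalRecord_PRINCIPAL"],
        variables,
    )
    variables["seq:PrincipalRecord_PRINCIPAL"] = qualified
    # Step 2 (resolve-principal.010): split DOMAIN\user and keep only ${user}.
    sam, groups = regex_step(
        qualified,
        props["sequence.resolve-principal.010.regex.pattern"],
        props["sequence.resolve-principal.010.regex.replacement.PrincipalRecord_PRINCIPAL"],
        variables,
    )
    variables["seq:PrincipalRecord_PRINCIPAL"] = ldap_filter_escape(sam)
    ldap_filter = expand(props["search.ad-resolve-upn.search-request.filter"], variables)
    return {"qualified": qualified, "domain": groups.get("domain"), "sam": sam, "filter": ldap_filter}


PROPS = load_properties(AD_PROPERTIES)

if __name__ == "__main__":
    for login in ["user_sam", "SUBDOMAIN.DOMAIN.COM\\mysamaccount", "bob*"]:
        print(login, "->", resolve_login(login, PROPS))
```

Running it shows that a bare login first becomes AD-W2K12R2\login and the second step then strips the domain again, while SUBDOMAIN.DOMAIN.COM\mysamaccount skips the first step entirely. As the quoted snippet stands, the captured domain is not used in the filter itself, so the search is by sAMAccountName alone; that is worth keeping in mind when checking the multi-domain case.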

Comment 3 Martin Perina 2017-01-10 21:23:13 UTC
Moved to ON_QA as this fix doesn't require any code changes on the aaa-ldap side, but we have never tested using samAccountName, so before releasing it to customers as a supported configuration we should test it (basic authentication/authorization flows, and I'd suggest testing VM SSO as well).

Comment 5 Martin Perina 2017-02-06 10:29:39 UTC
(In reply to Ondra Machacek from comment #2)
> With a little change into the /etc/ovirt-engine/extensions.d/ad.properties
> file the users can use the SAM account name to login.

Just a small correction: the above path is specific to the customer, but generally users should edit the relevant file in /etc/ovirt-engine/aaa/<PROFILE_NAME>.properties. For example, if you use the template from /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad then you should edit /etc/ovirt-engine/aaa/profile1.properties

Comment 6 Gonza 2017-02-06 10:39:07 UTC
Verified with:
ovirt-engine-extension-aaa-ldap-1.3.1-0.0.master.20170115190508.gitda48d9d.el7.noarch

# ovirt-engine-extensions-tool aaa login-user --profile=ad-w2k12r2 --user-name=AD-W2K12R2\\user_sam
...
2017-02-06 12:35:31 INFO    API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='AD-W2K12R2\user_sam'
2017-02-06 12:35:31 INFO    API: <--Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD status=SUCCESS
...

Comment 7 Troy Dash 2017-03-05 20:51:26 UTC
@Martin Perina, #5

So there is a method that we can use to be successful with this? Is there something I could give the customer now?

Comment 8 Martin Perina 2017-03-06 08:48:05 UTC
(In reply to Troy Dash from comment #7)
> @Martin Perina, #5
> 
> So there is a method that we can use to be successful with this? is there
> something I could give the customer now?

Yes, the customer needs to update the relevant /etc/ovirt-engine/aaa/<PROFILE>.properties file(s) as described in Comment 2 and Comment 3.

Comment 10 Vinod 2020-10-07 06:52:09 UTC
Is there a document to set it up other than the bz? I am trying to set it up in my environment with no luck. I'd appreciate any guidance.

Comment 11 Vinod 2020-10-08 12:48:52 UTC
Just want to clarify: I am able to connect using the following command, but it does not work with the oVirt web portal.
ovirt-engine-extensions-tool aaa login-user --profile=mydomain --user-name=mydomain\\userid

Comment 12 Red Hat Bugzilla 2023-09-14 03:35:53 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days