It's the same situation as before, but now you are missing the ldap SRV record.
With the same steps you used to add the _gc SRV record, also add the _ldap SRV
record. But it's strange that you don't already have them.
On 01/29/2015 02:46 PM, Koen Vanoppen wrote:
I saw that when I pressed the send button. If I do that I again get the
following:
2015-01-29 14:28:35,891 WARN
[org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread
1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot
initialize LDAP framework, deferring initialization. Error: An error
occurred while attempting to query DNS in order to retrieve SRV records
with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException:
DNS name not found [response code 3]; remaining name
'_ldap._tcp.ldap.mydomain.com'
2015-01-29 14:28:35,924 WARN
[org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread
1-1) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot
initialize LDAP framework, deferring initialization. Error: An error
occurred while attempting to query DNS in order to retrieve SRV records
with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException:
DNS name not found [response code 3]; remaining name
'_ldap._tcp.ldap.mydomain.com'
And yes I replaced mydomain with the correct one... :-)
2015-01-29 14:40 GMT+01:00 Ondra Machacek <omachace(a)redhat.com>:
On 01/29/2015 02:18 PM, Koen Vanoppen wrote:
OK... Now I have this one :-)
WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service
thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn]
Cannot initialize LDAP framework, deferring initialization. Error:
Invalid DNS pseudo-URL(s):
uncomment vars.dns
Changed the properties file to this:
include = <ad.properties>
#
# Active directory domain name.
#
vars.domain = ldap.mydomain.com (this one resolves to and gives ping back, front end of the pool)
#
# Search user and its password.
#
vars.user = juniper-admin@mydomain.com
vars.password = *****
#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these resolve and give a ping back)
pool.default.serverset.type = srvrecord
#pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
Thanks for your effort!
2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alonbl(a)redhat.com>:
----- Original Message -----
> From: "Koen Vanoppen" <vanoppen.koen(a)gmail.com>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> Cc: users@ovirt.org
> Sent: Thursday, January 29, 2015 2:41:52 PM
> Subject: Re: [ovirt-users] AAA
>
> Yes We have:
>
> [root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;_gc._tcp.mydomain.com. IN SRV
this ^^^^^^^ means that you do not have srv record. are you sure you
replaced mydomain.com with your actual active directory domain name?
have you tried to look into your dns manager for this information as
well?
>
> ;; AUTHORITY SECTION:
> mydomain.com. 3600 IN SOA srvdc03.mydomain.com. hostmaster.airport. 1398582 900 600 86400 3600
>
> ;; Query time: 12 msec
> ;; SERVER: 10.110.3.123#53(10.110.3.123)
> ;; WHEN: Thu Jan 29 13:40:41 2015
> ;; MSG SIZE rcvd: 98
>
>
>
> 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <alonbl(a)redhat.com>:
>
> >
> >
> > ----- Original Message -----
> > > From: "Koen Vanoppen" <vanoppen.koen(a)gmail.com>
> > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>, users(a)ovirt.org
> > > Sent: Thursday, January 29, 2015 2:19:32 PM
> > > Subject: Re: [ovirt-users] AAA
> > >
> > > Big thanks for your help, but still the same:
> > >
> > > #
> > > # Active directory domain name.
> > > #
> > > vars.domain = mydomain.com
> > >
> > > #
> > > # Search user and its password.
> > > #
> > > vars.user = admin@${global:vars.domain}
> > > vars.password = *****
> > >
> > > #
> > > # Optional DNS servers, if enterprise
> > > # DNS server cannot resolve the domain srvrecord.
> > > #
> > > vars.dns = dns://srvdc03.${global:vars.domain} dns://srvdc04.${global:vars.domain}
> > >
> > > pool.default.serverset.type = srvrecord
> > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > pool.default.auth.simple.password = ${global:vars.password}
> > >
> > > # Uncomment if using custom DNS
> > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> > >
> > > [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize
> > > LDAP framework, deferring initialization. Error: No DNS SRV records were
> > > found with record name '_gc._tcp.brussels.airport'.
> > >
> > > And I can't put '_gc._tcp.mydomain.com' in the dns... Isn't there another
> > > way it just resolves the dns servers I gave him?
> > >
> >
> > Microsoft Domain controller must have gc service entry within DNS to work
> > properly.
> > 1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com ?
> > 2. Can you please execute:
> > $ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> > 3. Can you please open the DNS manager within your domain and search for
> > srv records? Maybe you have DNS installed only on few servers, using the
> > DNS manager you can also see which.
> >
> > >
> > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl(a)redhat.com>:
> > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Ondra Machacek" <omachace(a)redhat.com>
> > > > > To: "Koen Vanoppen" <vanoppen.koen(a)gmail.com>, users(a)ovirt.org
> > > > > Sent: Thursday, January 29, 2015 1:49:00 PM
> > > > > Subject: Re: [ovirt-users] AAA
> > > > >
> > > > >
> > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
> > > > > > No, I don't. And I wouldn't know how he got to this name...
> > > > >
> > > > > Well, then you have to, if you want to use 'pool.default.serverset.type
> > > > > = srvrecord'.
> > > > >
> > > > > It just needs to know where your global catalog is running, since it's
> > > > > needed for new provider.
> > > > >
> > > > > It searches for global catalog like this:
> > > > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}
> > > > >
> > > > > So you need to have this SRV record in DNS, if you want to use srvrecord
> > > > > serverset type. Or you don't have to if you use single server type.
> > > >
> > > > active directory will not work without access to global catalog.
> > > > please set one or more of the domain controllers as dns server, for
> > > > example:
> > > >
> > > > vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
> > > >
> > > > please also uncomment/add these lines to make vars.dns effective.
> > > >
> > > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> > > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> > > >
> > > > Thanks!
> > > >
> > > > >
> > > > > >
> > > > > > Thanks for the reply!
> > > > > >
> > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek <omachace(a)redhat.com>:
> > > > > >
> > > > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
> > > > > >
> > > > > > Can somebody help me setting up AAA for ovirt 3.5.1?
> > > > > >
> > > > > > I'm getting this now:
> > > > > >
> > > > > > 2015-01-29 11:35:36,889 WARN
> > > > > > [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread
> > > > > > 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot
> > > > > > initialize LDAP framework, deferring initialization. Error: An error
> > > > > > occurred while attempting to query DNS in order to retrieve SRV records
> > > > > > with name '_gc._tcp.brussels.airport':
> > > > > > javax.naming.NameNotFoundException: DNS name not found [response code
> > > > > > 3]; remaining name '_gc._tcp.brussels.airport'
> > > > > >
> > > > > >
> > > > > > Do you have this '_gc._tcp.brussels.airport' SRV record in DNS ?
> > > > > >
> > > > > >
> > > > > > my 3 configs:
> > > > > > _*BRU_AIR-authn.properties*_
> > > > > > ovirt.engine.extension.name = BRU_AIR-authn
> > > > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > > > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> > > > > > ovirt.engine.aaa.authn.profile.name = BRU-AIR
> > > > > > ovirt.engine.aaa.authn.authz.plugin = BRU_AIR-authz
> > > > > > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
> > > > > >
> > > > > > _*BRU_AIR-authz.properties*_
> > > > > > ovirt.engine.extension.name = BRU_AIR-authz
> > > > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > > > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > > > > > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
> > > > > >
> > > > > > _*BRU_AIR.properties*_
> > > > > > include = <ad.properties>
> > > > > >
> > > > > > #
> > > > > > # Active directory domain name.
> > > > > > #
> > > > > > vars.domain = mydomain.com
> > > > > >
> > > > > > #
> > > > > > # Search user and its password.
> > > > > > #
> > > > > > vars.user = admin@${global:vars.domain}
> > > > > > vars.password = ***********
> > > > > >
> > > > > > #
> > > > > > # Optional DNS servers, if enterprise
> > > > > > # DNS server cannot resolve the domain srvrecord.
> > > > > > #
> > > > > > vars.dns = dns://dc01.mydomain.com
> > > > > >
> > > > > > pool.default.serverset.type = srvrecord
> > > > > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > > > pool.default.auth.simple.password = ${global:vars.password}
> > > > > >
> > > > > > In the GUI for adding user I get this:
> > > > > >
> > > > > > An error occurred while attempting to query DNS in order to retrieve SRV
> > > > > > records with name '_gc__tcp_brussels_airport':
> > > > > > javax_naming_NameNotFoundException: DNS name not found [response code
> > > > > > 3]; remaining name '_gc__tcp_brussels_airport'
> > > > > >
> > > > > > Any ideas? I ran out...
> > > > > >
> > > > > > Kind regards,
> > > > > >
> > > > > > Koen
> > > > > >
> > > > > >
> > > > > >
> > > > > > ___________________________________________________
> > > > > > Users mailing list
> > > > > > Users(a)ovirt.org
> > > > > > http://lists.ovirt.org/mailman/listinfo/users
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
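The manual check used throughout this thread (dig for the `_gc._tcp` and `_ldap._tcp` SRV records on the servers named in `vars.dns`), as an added shell example that is not part of the original messages or of the aaa-ldap extension. The function names and the sample reply are constructed; it assumes `dig` is installed and that `vars.domain` and `vars.dns` are set in the profile's properties file.

```shell
#!/bin/sh
# Added example: pre-flight check for an aaa-ldap profile that uses
# pool.default.serverset.type = srvrecord. Function names are hypothetical.

# First uncommented "key = value" entry of a properties file.
prop() {  # prop <file> <key>
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# The two SRV owner names the thread shows the extension looking up.
srv_names() {  # srv_names <domain>
    printf '_gc._tcp.%s\n_ldap._tcp.%s\n' "$1" "$1"
}

# Reduce dig output on stdin to "<status> <answer count>".
dig_summary() {
    awk '/->>HEADER<<-/ { for (i = 1; i < NF; i++) if ($i == "status:") s = $(i + 1) }
         /^;; flags:/   { for (i = 1; i < NF; i++) if ($i == "ANSWER:") a = $(i + 1) }
         END { sub(/,$/, "", s); sub(/,$/, "", a)
               if (s == "") s = "NOREPLY"; if (a == "") a = 0; print s, a }'
}

# Query every server in vars.dns for both names; returns 1 if any is missing.
check_profile() {  # check_profile <properties-file>
    domain=$(prop "$1" vars.domain)
    servers=$(prop "$1" vars.dns | sed 's/\${global:vars\.domain}/'"$domain"'/g' |
              tr ' ' '\n' | sed -n 's|^dns://||p')
    [ -n "$servers" ] || { echo "vars.dns is unset or commented out" >&2; return 2; }
    rc=0
    for server in $servers; do
        for name in $(srv_names "$domain"); do
            summary=$(dig "@$server" -t SRV "$name" | dig_summary)
            echo "$server $name status=${summary% *} answers=${summary#* }"
            [ "${summary% *}" = NOERROR ] && [ "${summary#* }" -gt 0 ] || rc=1
        done
    done
    return "$rc"
}

# Constructed sample: header lines of an NXDOMAIN reply like the one in the thread.
SAMPLE_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

# Run the live check only when a properties file is passed as an argument.
[ "$#" -eq 0 ] || check_profile "$1"
```

A status other than NOERROR, or NOERROR with zero answers, for either name on any listed server corresponds to the "Cannot initialize LDAP framework" warnings quoted in the thread.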