
On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:
I tried to plug ovirt using my company AD.
But I have a problem, the DNS srv records are not well managed and I can't use them so I changed pool.default.serverset.type from srvrecord to failover.
With AD you should use srvrecord, unless you have somehow misconfigured AD. Can you please elaborate more on what 'DNS srv records are not well managed' means? Can you please send the engine log, or if you are on 3.6, use this command to test and provide the log:

$ ovirt-engine-extensions-tool --log-level=FINEST --log-file=ad-search.log aaa search --entity-name=userX --extension-name=ad-authz

Btw: Do you use a multi domain AD setup? Or only a single domain?
But it was not enough, it was still using those invalid records. It was used by pool.default.dc-resolve.default.serverset.type too. I found that after digging in the source. I wonder why it should be specified twice. Why are pool.default.dc-resolve.default.serverset and pool.default.serverset different?
You can disable 'dc-resolve' by 'pool.default.dc-resolve.enable = false', but first you should find issue.
I also need to specify search.ad-resolve-upn.search-request.baseDN because it didn't find it any more. I wonder if it's related.
My aaa property file:
include = <ad.properties>

vars.domain = MYDOME
vars.user = A_DN
vars.password = the_password
vars.forest = my_forest

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = failover
pool.default.serverset.failover.1.server = server1
pool.default.serverset.failover.2.server = server2
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = trust.jks
pool.default.ssl.truststore.password =
pool.default.ssl.startTLSProtocol = TLSv1.2

pool.default.connection-options.connectTimeoutMillis = 500
pool.default.dc-resolve.enable = true
pool.default.dc-resolve.default.serverset.type = failover
pool.default.dc-resolve.serverset.failover.1.server = server1
pool.default.dc-resolve.serverset.failover.2.server = server2

search.ad-resolve-upn.search-request.baseDN = BASE_DN
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
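To check the two serverset keys this thread is about before restarting the engine, here is a small added checker (my example, not code from the thread or from ovirt-engine-extension-aaa-ldap): it parses a properties file like the one posted, expands `${global:vars.*}` references against the `vars.*` keys in the same file (an assumption based on how the posted file uses them), and reports whether `pool.default.serverset.type` and `pool.default.dc-resolve.default.serverset.type` agree. Treating a mismatch as a finding is this example's assumption; the sample file is constructed with placeholder values.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the posted properties file (placeholder values).
SAMPLE = """\
include = <ad.properties>
vars.domain = MYDOME
vars.user = A_DN
vars.password = the_password
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = failover
pool.default.serverset.failover.1.server = server1
pool.default.serverset.failover.2.server = server2
pool.default.dc-resolve.enable = true
pool.default.dc-resolve.default.serverset.type = srvrecord
"""

VAR_REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve(props: Dict[str, str]) -> Dict[str, str]:
    """Expand ${global:name} against keys of the same file (assumed semantics)."""
    def sub(m: "re.Match[str]") -> str:
        return props.get(m.group(1), m.group(0))  # unknown refs are left as-is
    return {k: VAR_REF.sub(sub, v) for k, v in props.items()}


def check_serversets(props: Dict[str, str]) -> List[str]:
    """Report findings about the primary and dc-resolve serverset settings."""
    findings: List[str] = []
    primary = props.get("pool.default.serverset.type")
    dc_enabled = props.get("pool.default.dc-resolve.enable", "false").lower() == "true"
    dc_type = props.get("pool.default.dc-resolve.default.serverset.type")
    if primary is None:
        findings.append("pool.default.serverset.type is not set")
    if dc_enabled and dc_type is None:
        findings.append("dc-resolve enabled but its serverset.type is not set")
    if dc_enabled and primary and dc_type and primary != dc_type:
        findings.append(f"serverset types differ: primary={primary} dc-resolve={dc_type}")
    if primary == "failover" and not any(k.startswith("pool.default.serverset.failover.") for k in props):
        findings.append("failover type without any pool.default.serverset.failover.N.server entry")
    return findings
```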