Re: [ovirt-users] Can't perform search after setting up an Active Directory
Oh, I see it, we was blind all the time. The problem is in AD2 and
AD3.
AD1 and AD4 are fine.
So yes the problem is on AD side but only for AD2 and AD3, that's why it
worked for
aaa-ldap-setup :)
So actually this command shouldn't work for you:
LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H
ldap://AD2.mydomain.com -x -D 'CN=Something,DC=myserver,DC=come' -w
'mypaswd' -b 'CN=users,DC=something,DC=com'
but this should:
LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H
ldap://AD4.mydomain.com -x -D 'CN=Something,DC=myserver,DC=come' -w
'mypaswd' -b 'CN=users,DC=something,DC=com'
Nice catch ! I made tests on the 4 servers, with ldapsearch :
OK : ldaps://AD1:636
Not working : ldaps://AD2:636
Not working : ldaps://AD3:636
OK : ldaps://AD4:636
So, half of AD don't like ldaps...
Without using ldaps, it was working for the 3 first of them, but not AD3...(the search
user was disabled on this one, I asked for it to be enabled, now ldapsearch works on this
one, but only with ldap, not ldaps), so now :
ldapsearch works using ldap:AD1,2,3,4, even when using LDAPTLS_PROTOCOL_MIN=3.2
In the SRV records when using dig _ldap._tcp.mydomain.com, there are 5 AD...One of them
has been disabled but not removed from the SRV records. (but when using dig @AD1,2,3,4
_ldap_tcp.mydomain, I can see this 5th AD has been removed)
Now the thing is : I don't have access to SRV records, I don't have access to AD
configuration.
For a strange reason it now works with "insecure", but not
pool.default.ssl.enable or StartTLS.