On 05/26/2016 05:28 PM, Alexis HAUSER wrote:
This is really weird : If I manually run : dig _ldap._tcp.my_forst_name.com SRV
^_ldap
I can see the 4 AD servers in ANSWER, AUTHORITY and ADDITIONAL SECTION
If I use : pool.default.serverset.srvrecord.service = ldaps In the logs I see this : "An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldaps._tcp.my_forest_name.com':"
^_ldaps
The same happens with : dig @any_of_the_4_AD_server _ldap._tcp.my_forest_name.com SRV
^_ldap
So why dig can resolve it but not ovirt ?
you use '_ldaps._tcp' in ovirt not '_ldap._tcp' as in dig. And '_ldaps' is what's missing in your DNS.
If I understand correctly, you misunderstood meaning of 'vars.dns' variable. This variables says what DNS server(s) should be used to send DNS queries, instead of the default one from /etc/resolv.conf. So if you specify: vars.dns = dns://ad_server.mydomain.com then aaa-ldap do following: $ dig @ad_server.mydomain.com _ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV if you remove 'vars.dns' varibale then aaa-ldap does following: $ dig _ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV so default DNS servers are used.
Interesting, now I understand better...
In config files no. The correct approach is configure DNS properly. Because SRV record provides you port on which that service operates. So I would suggest you either create new SRV record named 'ldaps' with port 636(in your AD DNS), or use startTLS with port 389.
"ldaps" is also a kind of conventional "microsoft SRV record" like _ldaps_tcp ?
Unfortunatelly using '_ldaps._tcp' is not any standart. But that's what usually people do if they can't use startTLS.
With startTLS I didn't have any success (and I don't really get why) :
"2016-05-26 17:23:36,535 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (ajp-/127.0.0.1:8702-6) [] [ovirt-engine-extension-aaa-ldap.authn::AD2-authn] Cannot initialize LDAP framework, deferring initialization. Error: 00000000: LdapErr: DSID-0C090CF0, comment: Error initializing SSL/TLS, data 0, vece"
"{Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=00000000: LdapErr: DSID-0C090CF0, comment: Error initializing SSL/TLS, data 0, vece, Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2}"
This message doesn't say much. Can you please send full Java exception stack trace? Don't forget to also remove lines: pool.default.ssl.enable = true pool.default.serverset.srvrecord.service = ldaps