On 05/26/2016 05:28 PM, Alexis HAUSER wrote:
This is really weird : If I manually run : dig
_ldap._tcp.my_forst_name.com SRV
^_ldap
I can see the 4 AD servers in ANSWER, AUTHORITY and ADDITIONAL
SECTION
If I use : pool.default.serverset.srvrecord.service = ldaps
In the logs I see this : "An error occurred while attempting to query DNS in order
to retrieve SRV records with name '_ldaps._tcp.my_forest_name.com':"
^_ldaps
The same happens with : dig @any_of_the_4_AD_server
_ldap._tcp.my_forest_name.com SRV
^_ldap
So why dig can resolve it but not ovirt ?
you use '_ldaps._tcp' in ovirt not '_ldap._tcp' as in dig.
And '_ldaps' is what's missing in your DNS.
> If I understand correctly, you misunderstood meaning of 'vars.dns' variable.
> This variables says what DNS server(s) should be used to send DNS
> queries, instead of the
> default one from /etc/resolv.conf.
> So if you specify:
> vars.dns =
dns://ad_server.mydomain.com
> then aaa-ldap do following:
> $ dig @ad_server.mydomain.com
> _ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV
> if you remove 'vars.dns' varibale then aaa-ldap does following:
> $ dig _ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV
> so default DNS servers are used.
Interesting, now I understand better...
> In config files no. The correct approach is configure DNS properly.
> Because SRV record
> provides you port on which that service operates. So I would suggest you
> either create new SRV record named 'ldaps' with port 636(in your AD
> DNS), or use startTLS with port 389.
"ldaps" is also a kind of conventional "microsoft SRV record" like
_ldaps_tcp ?
Unfortunatelly using '_ldaps._tcp' is not any standart. But that's what
usually people do if they can't use startTLS.
With startTLS I didn't have any success (and I don't really get why) :
"2016-05-26 17:23:36,535 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension]
(ajp-/127.0.0.1:8702-6) [] [ovirt-engine-extension-aaa-ldap.authn::AD2-authn] Cannot
initialize LDAP framework, deferring initialization. Error: 00000000: LdapErr:
DSID-0C090CF0, comment: Error initializing SSL/TLS, data 0, vece"
"{Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=00000000:
LdapErr: DSID-0C090CF0, comment: Error initializing SSL/TLS, data 0, vece,
Extkey[name=EXTENSION_INVOKE_RESULT;type=class
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2}"
This message doesn't say much. Can you please send full Java exception
stack trace?
Don't forget to also remove lines:
pool.default.ssl.enable = true
pool.default.serverset.srvrecord.service = ldaps