On 19 Apr 2016, at 17:35, Ondra Machacek <omachace(a)redhat.com> wrote:
On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:
> I tried to plug ovirt using my company AD.
>
> But I have a problem, the DNS srv records are not well managed and I can't use
> them so I changed pool.default.serverset.type from srvrecord to failover.
With AD you should use srvrecord, unless you have somehow misconfigured AD.
Can you please elaborate more on what 'DNS srv records are not well
managed' means?
The command
dig +short _ldap._tcp.dsone.3ds.com any | wc -l
returns 122 lines. Out of those, I can only use fewer than 10; all the others generate timeouts. I
don't know if it's a firewall or a forgotten DC that generates that. There is no way I
can use srvrecord.
This domain is totally out of my reach, I have to take it as is.
Can you please send the engine log or, if you are on 3.6, use this command to test and
provide the log:
$ ovirt-engine-extensions-tool --log-level=FINEST --log-file=ad-search.log aaa search --entity-name=userX --extension-name=ad-authz
I killed it after 1h of execution, and a 1.6MB log file, when I had
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
With pool.default.serverset.type = failover and
pool.default.connection-options.connectTimeoutMillis = 500, I got:
time ovirt-engine-extensions-tool bla
real 1m29.264s
user 0m6.837s
sys 0m0.291s
and a 278KB log file.
And with my setup (pool.default.serverset.type and
pool.default.dc-resolve.default.serverset.type set to failover,
pool.default.connection-options.connectTimeoutMillis = 500), I got
real 0m5.084s
user 0m6.343s
sys 0m0.164s
and a 199KB log file.
With pool.default.dc-resolve.enable = false, the result is the same as with failover
for every one.
Btw: Do you use a multi-domain AD setup? Or only a single domain?
I think it's a single domain, but I'm not a Microsoft expert at all.
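
An added example (not part of the original thread, and not oVirt or aaa-ldap code): a small triage script for the situation described above, where most of the SRV targets returned for _ldap._tcp time out. It parses `dig +short` SRV output, orders the targets by SRV priority and weight, and probes each with a 0.5 s TCP connect timeout, the same value as the connectTimeoutMillis = 500 used in the thread. The function names and the example.test hosts are assumptions made for the example.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Constructed sample in `dig +short` SRV form: priority weight port target
SAMPLE = """\
0 50 389 dc2.example.test.
0 100 389 dc1.example.test.
10 100 389 dc3.example.test.
"""


def parse_srv(dig_output):
    """Return (priority, weight, port, host) tuples in preference order."""
    records = []
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) != 4 or not all(f.isdigit() for f in fields[:3]):
            continue  # skip blank lines and non-SRV answers
        prio, weight, port = (int(f) for f in fields[:3])
        records.append((prio, weight, port, fields[3].rstrip(".")))
    # Lower priority value first; within a priority, higher weight first.
    return sorted(records, key=lambda r: (r[0], -r[1], r[3]))


def reachable(host, port, timeout):
    """True if a TCP connection completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # timeout, refusal or name resolution failure
        return False


def triage(dig_output, timeout=0.5, workers=32):
    """Split SRV targets into (usable, dead) lists of (host, port)."""
    records = parse_srv(dig_output)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        ok = list(pool.map(lambda r: reachable(r[3], r[2], timeout), records))
    usable = [(r[3], r[2]) for r, up in zip(records, ok) if up]
    dead = [(r[3], r[2]) for r, up in zip(records, ok) if not up]
    return usable, dead


if __name__ == "__main__":
    # Pipe real `dig +short ... SRV` output in, or run bare to use SAMPLE.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    usable, dead = triage(text)
    for host, port in usable:
        print(f"{host}:{port}")
    print(f"# {len(usable)} usable, {len(dead)} unreachable", file=sys.stderr)
```

The usable list is the candidate set for a failover server list; the dead list is what to hand to whoever owns the AD DNS zone.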