Hi Kim,
It will be using the engine host's DNS configuration to find the service
record; is it in stud.noroff.no or one of the other domains?
You can check with "dig _ldap._tcp.example.com SRV".
DNS and Active Directory domains aren't the same thing.
There are examples of different A.D. configurations in
/usr/share/ovirt-engine-extension-aaa-ldap/examples
You can also use the tool ovirt-engine-extension-aaa-ldap-setup.
Some of the useful things to find out for your organization are
the forest name, the A.D. default domain, the GC (global catalogue),
as well as the UPN account; the users probably have a sAMAccountName.
Regards,
Paul S.
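To make the point above concrete, here is an added example (not code from this thread and not part of ovirt-engine-extension-aaa-ldap) that reproduces offline what the engine does with a profile like Kim's: it expands the ${global:...} variables, derives the _ldap._tcp.<vars.domain> SRV name that gets queried, looks it up in a constructed stand-in for DNS, and also compares the DC= components of the bind DN with vars.domain. The profile text, the DNS contents and the DC hostnames are constructed; on a real engine host the equivalent check is "dig _ldap._tcp.<domain> SRV" against the host's configured resolver.

```python
"""Offline check of which SRV name an oVirt aaa-ldap profile will query.
Added example; the profile and the DNS data below are constructed."""
import re

# Constructed profile in the style of /etc/ovirt-engine/aaa/*.properties
PROFILE = """
include = <ad.properties>
vars.domain = studentdomene.noroff.no
vars.user = CN=ovirt auth,CN=Users,DC=stud,DC=noroff,DC=no
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
"""

# Constructed stand-in for DNS: SRV name -> (priority, weight, port, target).
# Only the AD DNS domain has _ldap._tcp records; the UPN-suffix domain has none.
FAKE_DNS = {
    "_ldap._tcp.studentdomene.noroff.no": [
        (0, 100, 389, "dc1.studentdomene.noroff.no"),
        (0, 50, 389, "dc2.studentdomene.noroff.no"),
        (10, 100, 389, "dc3.studentdomene.noroff.no"),
    ],
}

def parse_properties(text):
    """Parse key = value lines and expand ${global:KEY} references."""
    props = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        props[key] = value
    for key, value in props.items():
        props[key] = re.sub(r"\$\{global:([^}]+)\}",
                            lambda m: props.get(m.group(1), ""), value)
    return props

def srv_query_name(props):
    """Name the LDAP SDK resolves when serverset.type = srvrecord."""
    if props.get("pool.default.serverset.type") != "srvrecord":
        return None
    return "_ldap._tcp." + props["pool.default.serverset.srvrecord.domain"]

def resolve_srv(name, dns=FAKE_DNS):
    """SRV targets in the order a client tries them; [] on NXDOMAIN."""
    return [t for _, _, _, t in sorted(dns.get(name, []), key=lambda r: (r[0], -r[1]))]

def dn_domain(dn):
    """DNS domain implied by the DC= components of an AD distinguished name."""
    return ".".join(re.findall(r"(?i)\bDC=([^,]+)", dn))
```

With the constructed data, the SRV name derived from vars.domain resolves while _ldap._tcp.stud.noroff.no does not, mirroring the NameNotFoundException in the report; the bind DN's DC= components point at stud.noroff.no, which differs from vars.domain and is worth confirming against the AD default naming context.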
________________________________
From: kim.kargaard(a)noroff.no <kim.kargaard(a)noroff.no>
Sent: 26 August 2020 13:01
To: users(a)ovirt.org <users(a)ovirt.org>
Subject: [ovirt-users] LDAP/AD issue
Hi all,
We have had our ovirt instance connected to our internal AD for users to log into the VM
portal for the last year, linked to studentdomene.noroff.no. This has been working without
any problems. We had it set up and the DNS server had a forward record to the DCs.
All good.
Then, of course, the institution decided to introduce student emails and they decided to
add the domain stud.noroff.no for student emails and made this the primary domain in the
AD. The problem is that when this is changed, students can no longer log into the engine.
I have of course changed the ldap settings and added a forward record on the DNS to the
new domain. However, it seems that the domain is studentdomene.noroff.no, but with an
added UPN suffix of stud.noroff.no.
When students try to log in, with the config changes, they get this error in the browser:
server_error: An error occurred while attempting to query DNS in order to retrieve SRV
records with name '_ldap._tcp.stud.noroff.no': NameNotFoundException(DNS name not
found [response code 3]), ldapSDKVersion=4.0.7,
revision=b28fb50058dfe2864171df2448ad2ad2b4c2ad58
Any ideas on how to solve this issue?
My config looks like this:
sudo cat /etc/ovirt-engine/aaa/Students.properties
[sudo] password for noroffadmin:
include = <ad.properties>
vars.domain = studentdomene.noroff.no
vars.user = CN=ovirt auth,CN=Users,DC=stud,DC=noroff,DC=no
vars.password = PASSWORD
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
My forward on the DNS server looks like this:
sudo cat /etc/named/named.conf.local
[sudo] password for noroffadmin:
zone "platform.noroff.no" {
    type master;
    file "/etc/named/zones/db.platform.noroff.no"; # zone file path
};
zone "stud.noroff.no" {
    type forward;
    forward only;
    forwarders { 172.24.111.20; 172.27.111.20; 172.21.111.20; 172.16.111.20; };
};
zone "studentdomene.noroff.no" {
    type forward;
    forward only;
    forwarders { 172.24.111.20; 172.27.111.20; 172.21.111.20; 172.16.111.20; };
};
zone "122.16.172.in-addr.arpa" {
    type master;
    file "/etc/named/zones/db.122.16.172"; # 172.16.122.0/24 subnet
};
Any pointers would be greatly appreciated :)
Kim
_______________________________________________
Users mailing list -- users(a)ovirt.org