
Can somebody help me setting up AAA for ovirt 3.5.1?

I'm getting this now:

2015-01-29 11:35:36,889 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc._tcp.brussels.airport': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc._tcp.brussels.airport'

my 3 configs:

*BRU_AIR-authn.properties*
ovirt.engine.extension.name = BRU_AIR-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = BRU-AIR
ovirt.engine.aaa.authn.authz.plugin = BRU_AIR-authz
config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties

*BRU_AIR-authz.properties*
ovirt.engine.extension.name = BRU_AIR-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties

*BRU_AIR.properties*
include = <ad.properties>

#
# Active directory domain name.
#
vars.domain = mydomain.com

#
# Search user and its password.
#
vars.user = admin@${global:vars.domain}
vars.password = ***********

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
vars.dns = dns://dc01.mydomain.com

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password

In the GUI for adding user I get this:

An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc__tcp_brussels_airport': javax_naming_NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc__tcp_brussels_airport'

Any ideas? I ran out...

Kind regards,
Koen

On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
Can somebody help me setting up AAA for ovirt 3.5.1?
I'm getting this now:
2015-01-29 11:35:36,889 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc._tcp.brussels.airport': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc._tcp.brussels.airport'
Do you have this '_gc._tcp.brussels.airport' SRV record in DNS ?
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

No, I don't. and I wouldn't know how he got to this name...

Thanks for the reply!

2015-01-29 11:53 GMT+01:00 Ondra Machacek <omachace@redhat.com>:
On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
Can somebody help me setting up AAA for ovirt 3.5.1?
I'm getting this now:
2015-01-29 11:35:36,889 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc._tcp.brussels.airport': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc._tcp.brussels.airport'
Do you have this '_gc._tcp.brussels.airport' SRV record in DNS ?

On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
No, I don't. and I wouldn't know how he got to this name...
Well, then you have to, if you want to use 'pool.default.serverset.type = srvrecord'.
It just needs to know where your global catalog is running, since it's needed for new provider.
It searches for global catalog like this:

dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}

So you need to have this SRV record in DNS, if you want to use srvrecord serverset type. Or you don't have to if you use single server type.

----- Original Message -----
From: "Ondra Machacek" <omachace@redhat.com>
To: "Koen Vanoppen" <vanoppen.koen@gmail.com>, users@ovirt.org
Sent: Thursday, January 29, 2015 1:49:00 PM
Subject: Re: [ovirt-users] AAA
On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
No, I don't. and I wouldn't know how he got to this name...
Well, then you have to, if you want to use 'pool.default.serverset.type = srvrecord'.
It just need to know where your global catalog is running, since it's needed for new provider.
It searches for global catalog like this: dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}
So you need to have this SRV record in DNS, if you want to use srvrecord serverset type. Or you don't have to if you use single server type.
active directory will not work without access to global catalog.
please set one or more of the domain controllers as dns server, for example:

vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}

please also uncomment/add these lines to make vars.dns effective.

pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

Thanks!

Big thanks for your help, but still the same:

#
# Active directory domain name.
#
vars.domain = mydomain.com

#
# Search user and its password.
#
vars.user = admin@${global:vars.domain}
vars.password = *****

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
vars.dns = dns://srvdc03.${global:vars.domain} dns://srvdc04.${global:vars.domain}

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

[ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: No DNS SRV records were found with record name '_gc._tcp.brussels.airport'.

And I can't put '_gc._tcp.mydomain.com in the dns... Isn't there another way it just resolves the dns servers I gave him?

2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
From: "Ondra Machacek" <omachace@redhat.com>
To: "Koen Vanoppen" <vanoppen.koen@gmail.com>, users@ovirt.org
Sent: Thursday, January 29, 2015 1:49:00 PM
Subject: Re: [ovirt-users] AAA
On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
No, I don't. and I wouldn't know how he got to this name...
Well, then you have to, if you want to use 'pool.default.serverset.type = srvrecord'.
It just need to know where your global catalog is running, since it's needed for new provider.
It searches for global catalog like this: dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}
So you need to have this SRV record in DNS, if you want to use srvrecord serverset type. Or you don't have to if you use single server type.
active directory will not work without access to global catalog. please set one or more of the domain controllers as dns server, for example:
vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
please also uncomment/add these lines to make vars.dns effective.
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
Thanks!

----- Original Message -----
From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>, users@ovirt.org
Sent: Thursday, January 29, 2015 2:19:32 PM
Subject: Re: [ovirt-users] AAA
Big thanks for your help, but still the same:

#
# Active directory domain name.
#
vars.domain = mydomain.com

#
# Search user and its password.
#
vars.user = admin@${global:vars.domain}
vars.password = *****

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
vars.dns = dns://srvdc03.${global:vars.domain} dns://srvdc04.${global:vars.domain}

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
[ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: No DNS SRV records were found with record name '_gc._tcp.brussels.airport'.
And I can't put '_gc._tcp.mydomain.com in the dns... Isn't there another way it just resolves the dns servers I gave him?
Microsoft Domain controller must have gc service entry within DNS to work properly.

1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com ?

2. Can you please execute:

$ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com

3. Can you please open the DNS manager within your domain and search for srv records?

Maybe you have DNS installed only on few servers, using the DNS manager you can also see which.

Yes We have:

[root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_gc._tcp.mydomain.com. IN SRV

;; AUTHORITY SECTION:
mydomain.com. 3600 IN SOA srvdc03.mydomain.com. hostmaster.airport. 1398582 900 600 86400 3600

;; Query time: 12 msec
;; SERVER: 10.110.3.123#53(10.110.3.123)
;; WHEN: Thu Jan 29 13:40:41 2015
;; MSG SIZE rcvd: 98

2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>, users@ovirt.org
Sent: Thursday, January 29, 2015 2:19:32 PM
Subject: Re: [ovirt-users] AAA
Big thanks for your help, but still the same:

#
# Active directory domain name.
#
vars.domain = mydomain.com

#
# Search user and its password.
#
vars.user = admin@${global:vars.domain}
vars.password = *****

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
vars.dns = dns://srvdc03.${global:vars.domain} dns://srvdc04.${global:vars.domain}

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
[ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: No DNS SRV records were found with record name '_gc._tcp.brussels.airport'.
And I can't put '_gc._tcp.mydomain.com in the dns... Isn't there another way it just resolves the dns servers I gave him?
Microsoft Domain controller must have gc service entry within DNS to work properly.

1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com ?

2. Can you please execute:

$ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com

3. Can you please open the DNS manager within your domain and search for srv records?

Maybe you have DNS installed only on few servers, using the DNS manager you can also see which.
2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
From: "Ondra Machacek" <omachace@redhat.com>
To: "Koen Vanoppen" <vanoppen.koen@gmail.com>, users@ovirt.org
Sent: Thursday, January 29, 2015 1:49:00 PM
Subject: Re: [ovirt-users] AAA

On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
No, I don't. and I wouldn't know how he got to this name...

Well, then you have to, if you want to use 'pool.default.serverset.type = srvrecord'.

It just needs to know where your global catalog is running, since it's needed for new provider.

It searches for global catalog like this:
dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}

So you need to have this SRV record in DNS, if you want to use srvrecord serverset type. Or you don't have to if you use single server type.

active directory will not work without access to global catalog. please set one or more of the domain controllers as dns server, for example:

vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}

please also uncomment/add these lines to make vars.dns effective.

pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
Thanks!
Thanks for the reply!
2015-01-29 11:53 GMT+01:00 Ondra Machacek <omachace@redhat.com>:
On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
Can somebody help me setting up AAA for ovirt 3.5.1?
I'm getting this now:

2015-01-29 11:35:36,889 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc._tcp.brussels.airport': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc._tcp.brussels.airport'

Do you have this '_gc._tcp.brussels.airport' SRV record in DNS?

my 3 configs:

*BRU_AIR-authn.properties*
ovirt.engine.extension.name = BRU_AIR-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = BRU-AIR
ovirt.engine.aaa.authn.authz.plugin = BRU_AIR-authz
config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties

*BRU_AIR-authz.properties*
ovirt.engine.extension.name = BRU_AIR-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties

*BRU_AIR.properties*
include = <ad.properties>

#
# Active directory domain name.
#
vars.domain = mydomain.com

#
# Search user and its password.
#
vars.user = admin@${global:vars.domain}
vars.password = ***********

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
vars.dns = dns://dc01.mydomain.com

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password

In the GUI for adding user I get this:

An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc__tcp_brussels_airport': javax_naming_NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc__tcp_brussels_airport'

Any ideas? I ran out...
Kind regards,
Koen
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

----- Original Message -----
From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Thursday, January 29, 2015 2:41:52 PM
Subject: Re: [ovirt-users] AAA

Yes We have:

[root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_gc._tcp.mydomain.com. IN SRV

this ^^^^^^^ means that you do not have srv record.
are you sure you replace mydomain.com with your actual active directory domain name?
have you tried to look into your dns manager for this information as well?

;; AUTHORITY SECTION:
mydomain.com. 3600 IN SOA srvdc03.mydomain.com. hostmaster.airport. 1398582 900 600 86400 3600

;; Query time: 12 msec
;; SERVER: 10.110.3.123#53(10.110.3.123)
;; WHEN: Thu Jan 29 13:40:41 2015
;; MSG SIZE rcvd: 98

OK... Now I have this one :-)

WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: Invalid DNS pseudo-URL(s):

Changed the properties file to this:

include = <ad.properties>

#
# Active directory domain name.
#
vars.domain = ldap.mydomain.com (this one resolves to and gives ping back, front end of the pool)

#
# Search user and its password.
#
vars.user = juniper-admin@mydomain.com
vars.password = *****

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these resolve and give a ping back)

pool.default.serverset.type = srvrecord
#pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

Thanks for your effort!

2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Thursday, January 29, 2015 2:41:52 PM
Subject: Re: [ovirt-users] AAA

Yes We have:

[root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_gc._tcp.mydomain.com. IN SRV

this ^^^^^^^ means that you do not have srv record.
are you sure you replace mydomain.com with your actual active directory domain name?
have you tried to look into your dns manager for this information as well?

;; AUTHORITY SECTION:
mydomain.com. 3600 IN SOA srvdc03.mydomain.com. hostmaster.airport. 1398582 900 600 86400 3600

;; Query time: 12 msec
;; SERVER: 10.110.3.123#53(10.110.3.123)
;; WHEN: Thu Jan 29 13:40:41 2015
;; MSG SIZE rcvd: 98

Can't I use domain service? I'm getting a bit grrrrr... :-). We already used LDAP login for ovirt before the AAA with the engine-manage-domains. And this worked.

[root@ovirtmgmt01prod aaa]# engine-manage-domains validate
Domain my.domain is valid.
The configured user for domain my.domain is juniper-admin@BRUSSELS.AIRPORT
Manage Domains completed successfully

2015-01-29 14:18 GMT+01:00 Koen Vanoppen <vanoppen.koen@gmail.com>:
OK... Now I have this one :-) WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: Invalid DNS pseudo-URL(s):
Changed the properties file to this:
include = <ad.properties>
#
# Active directory domain name.
#
vars.domain = ldap.mydomain.com (this one resolves to and gives ping back, front end of the pool)

#
# Search user and its password.
#
vars.user = juniper-admin@mydomain.com
vars.password = *****

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these resolve and give a ping back)

pool.default.serverset.type = srvrecord
#pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
Thanks for your effort!
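A profile check for the situation in the message above, added here as an example and not part of the thread or of oVirt's own code: it reads an aaa-ldap profile, reports `${global:...}` references that have no active definition (here the commented-out `vars.dns`), and builds the `dig` lookup for `_gc._tcp.<domain>` that the thread uses to verify the SRV record. The function names, the constructed sample, and the rule that every variable must be defined in the profile file itself are assumptions of this example; the extension's own interpolation rules may differ.

```python
import re

# Constructed sample modelled on the profile quoted in the thread: vars.dns is
# commented out while two active lines still reference ${global:vars.dns}.
SAMPLE_PROFILE = """\
include = <ad.properties>
vars.domain = ldap.mydomain.com
vars.user = juniper-admin@mydomain.com
vars.password = *****
#vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain
pool.default.serverset.type = srvrecord
#pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
"""

REF = re.compile(r"\$\{global:([^}]+)\}")
DNS_KEYS = (
    "pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url",
    "pool.default.socketfactory.resolver.uRL",
)


def parse_properties(text):
    """Return {key: value} for active 'key = value' lines; '#' lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def expand(value, props, seen=()):
    """Expand ${global:name} references; return (text, [undefined names])."""
    missing = []

    def repl(match):
        name = match.group(1)
        if name not in props or name in seen:  # undefined or self-referencing
            missing.append(name)
            return ""
        text, inner = expand(props[name], props, seen + (name,))
        missing.extend(inner)
        return text

    return REF.sub(repl, value), missing


def check_profile(text):
    """Lint a profile (assumed rules) and derive the SRV lookup to verify by hand."""
    props = parse_properties(text)
    resolved, findings = {}, []
    for key, value in props.items():
        resolved[key], missing = expand(value, props)
        findings += [f"{key}: ${{global:{name}}} is not defined" for name in missing]

    servers = []
    for key in DNS_KEYS:
        if key not in resolved:
            continue
        urls = resolved[key].split()
        if not urls:
            findings.append(f"{key}: expands to an empty DNS URL list")
        for url in urls:
            if not re.fullmatch(r"dns://[A-Za-z0-9.-]+", url):
                findings.append(f"{key}: '{url}' is not a dns://host URL")
            elif url[6:] not in servers:
                servers.append(url[6:])

    srv_name, dig = None, []
    if resolved.get("pool.default.serverset.type") == "srvrecord":
        domain = resolved.get("pool.default.serverset.srvrecord.domain", "")
        if domain:
            # Global catalog SRV name, as given in the thread: _gc._tcp.<domain>
            srv_name = f"_gc._tcp.{domain}"
            dig = [f"dig @{s} -t SRV {srv_name}" for s in servers]
            dig = dig or [f"dig -t SRV {srv_name}"]
        else:
            findings.append("serverset.type is srvrecord but srvrecord.domain is empty")
    return {"findings": findings, "srv_name": srv_name, "dig": dig}


if __name__ == "__main__":
    report = check_profile(SAMPLE_PROFILE)
    for line in report["findings"] + report["dig"]:
        print(line)
```
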

On 01/29/2015 02:18 PM, Koen Vanoppen wrote:
OK... Now I have this one :-) WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: Invalid DNS pseudo-URL(s):
uncomment vars.dns
Changed the properties file to this:
include = <ad.properties>
#
# Active directory domain name.
#
vars.domain = ldap.mydomain.com (this one resolves to and gives ping back, front end of the pool)

#
# Search user and its password.
#
vars.user = juniper-admin@mydomain.com
vars.password = *****

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these resolve and give a ping back)

pool.default.serverset.type = srvrecord
#pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
Thanks for your effort!
2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:

----- Original Message -----
> From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: users@ovirt.org
> Sent: Thursday, January 29, 2015 2:41:52 PM
> Subject: Re: [ovirt-users] AAA
>
> Yes We have:
>
> [root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;_gc._tcp.mydomain.com. IN SRV

this ^^^^^^^ means that you do not have srv record.
are you sure you replace mydomain.com with your actual active directory domain name?
have you tried to look into your dns manager for this information as well?

>
> ;; AUTHORITY SECTION:
> mydomain.com. 3600 IN SOA srvdc03.mydomain.com. hostmaster.airport. 1398582 900 600 86400 3600
>
> ;; Query time: 12 msec
> ;; SERVER: 10.110.3.123#53(10.110.3.123)
> ;; WHEN: Thu Jan 29 13:40:41 2015
> ;; MSG SIZE rcvd: 98
>
> 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
>
> > ----- Original Message -----
> > > From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
> > > To: "Alon Bar-Lev" <alonbl@redhat.com>, users@ovirt.org
> > > Sent: Thursday, January 29, 2015 2:19:32 PM
> > > Subject: Re: [ovirt-users] AAA
> > >
> > > Big thanks for your help, but still the same:
> > >
> > > #
> > > # Active directory domain name.
> > > #
> > > vars.domain = mydomain.com
> > >
> > > #
> > > # Search user and its password.
> > > #
> > > vars.user = admin@${global:vars.domain}
> > > vars.password = *****
> > >
> > > #
> > > # Optional DNS servers, if enterprise
> > > # DNS server cannot resolve the domain srvrecord.
> > > #
> > > vars.dns = dns://srvdc03.${global:vars.domain}
> > > dns://srvdc04.${global:vars.domain}
> > >
> > > pool.default.serverset.type = srvrecord
> > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > pool.default.auth.simple.password = ${global:vars.password}
> > >
> > > # Uncomment if using custom DNS
> > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url =
> > > ${global:vars.dns}
> > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> > >
> > > [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize
> > > LDAP framework, deferring initialization. Error: No DNS SRV records were
> > > found with record name '_gc._tcp.brussels.airport'.
> > >
> > > And I can't put '_gc._tcp.mydomain.com in the dns... Isn't there another
> > > way it just resolves the dns servers I gave him?
> > >
> >
> > Microsoft Domain controller must have gc service entry within DNS to work
> > properly.
> > 1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com ?
> > 2. Can you please execute:
> > $ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> > 3. Can you please open the DNS manager within your domain and search for
> > srv records? Maybe you have DNS installed only on few servers, using the
> > DNS manager you can also see which.
> >
> > >
> > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
> > >
> > > > ----- Original Message -----
> > > > > From: "Ondra Machacek" <omachace@redhat.com>
> > > > > To: "Koen Vanoppen" <vanoppen.koen@gmail.com>, users@ovirt.org
> > > > > Sent: Thursday, January 29, 2015 1:49:00 PM
> > > > > Subject: Re: [ovirt-users] AAA
> > > > >
> > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
> > > > > > No, I don't. and I wouldn't know how he got to this name...
> > > > >
> > > > > Well, then you have to, if you want to use 'pool.default.serverset.type
> > > > > = srvrecord'.
> > > > >
> > > > > It just need to know where your global catalog is running, since it's
> > > > > needed for new provider.
> > > > >
> > > > > It searches for global catalog like this:
> > > > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}
> > > > >
> > > > > So you need to have this SRV record in DNS, if you want to use srvrecord
> > > > > serverset type. Or you don't have to if you use single server type.
> > > >
> > > > active directory will not work without access to global catalog.
> > > > please set one or more of the domain controllers as dns server, for
> > > > example:
> > > >
> > > > vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
> > > >
> > > > please also uncomment/add these lines to make vars.dns effective.
> > > >
> > > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url
> > > > = ${global:vars.dns}
> > > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> > > >
> > > > Thanks!
> > > >
> > > > > > Thanks for the reply!
> > > > > >
> > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek <omachace@redhat.com>:
> > > > > >
> > > > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
> > > > > >
> > > > > > Can somebody help me setting up AAA for ovirt 3.5.1?
> > > > > >
> > > > > > I'm getting this now:
> > > > > >
> > > > > > 2015-01-29 11:35:36,889 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc._tcp.brussels.airport': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc._tcp.brussels.airport'
> > > > > >
> > > > > > Do you have this '_gc._tcp.brussels.airport' SRV record in DNS ?
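The failure discussed in this message (resolver lines that reference a commented-out vars.dns) and the SRV names the profile implies can be checked offline before the engine is restarted. The following is an added example, not code from the thread or from ovirt-engine-extension-aaa-ldap: the function names are hypothetical, the sample profiles are constructed from the one quoted above, and treating an undefined ${global:...} reference as an empty string is an assumption.

```python
import re

REF = re.compile(r"\$\{global:([^}]+)\}")  # ${global:key} reference
DNS_URL = re.compile(r"^dns://([A-Za-z0-9._-]+)(:\d+)?$")
RESOLVER_KEYS = (
    "pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url",
    "pool.default.socketfactory.resolver.uRL",
)

# Constructed sample, modelled on the profile quoted in the 02:18 PM message:
# vars.dns is commented out but both resolver lines still reference it.
SAMPLE_COMMENTED_DNS = """\
include = <ad.properties>
vars.domain = ldap.mydomain.com
vars.user = juniper-admin@mydomain.com
vars.password = placeholder
#vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
"""

# Constructed variant: vars.dns active, vars.domain set to the domain itself.
SAMPLE_WITH_DNS = (
    SAMPLE_COMMENTED_DNS
    .replace("vars.domain = ldap.mydomain.com", "vars.domain = mydomain.com")
    .replace("#vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain",
             "vars.dns = dns://srvdc03.${global:vars.domain} dns://srvdc04.${global:vars.domain}")
)


def parse_properties(text):
    """Return active key/value pairs; '#' lines are comments and are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def expand(value, props, missing, depth=0):
    """Expand ${global:key}; undefined keys become '' (assumption) and are recorded."""
    if depth > 10:
        raise ValueError("reference loop in profile variables")

    def sub(match):
        key = match.group(1)
        if key not in props:
            missing.add(key)
            return ""
        return expand(props[key], props, missing, depth + 1)

    return REF.sub(sub, value)


def check_profile(text):
    """Return the SRV names the profile implies, its DNS servers, and problems."""
    props = parse_properties(text)
    problems, srv_names, servers = [], [], []

    for key, value in props.items():
        if "${" in REF.sub("", value):
            problems.append(f"{key}: unterminated ${{...}} reference")

    if props.get("pool.default.serverset.type") == "srvrecord":
        domain = expand(props.get("pool.default.serverset.srvrecord.domain", ""), props, set())
        if domain:
            # The two record names that appear in the thread's log lines.
            srv_names = [f"_gc._tcp.{domain}", f"_ldap._tcp.{domain}"]
        else:
            problems.append("srvrecord serverset has no usable domain")

    active = [k for k in RESOLVER_KEYS if k in props]
    if "vars.dns" in props and len(active) < len(RESOLVER_KEYS):
        problems.append("vars.dns is set but a resolver line is missing or commented out")
    for key in active:
        missing = set()
        urls = expand(props[key], props, missing).split()
        problems += [f"{key}: references undefined {name}" for name in sorted(missing)]
        for url in urls:
            m = DNS_URL.match(url)
            if not m:
                problems.append(f"{key}: not a dns:// pseudo-URL: {url}")
            elif m.group(1) not in servers:
                servers.append(m.group(1))
    return {"srv_names": srv_names, "dns_servers": servers, "problems": problems}


def dig_commands(report):
    """Build the lookups used in the thread: dig @server -t SRV name."""
    targets = [f"@{s} " for s in report["dns_servers"]] or [""]
    return [f"dig {t}-t SRV {n}" for t in targets for n in report["srv_names"]]


if __name__ == "__main__":
    for label, text in (("commented vars.dns", SAMPLE_COMMENTED_DNS),
                        ("active vars.dns", SAMPLE_WITH_DNS)):
        report = check_profile(text)
        print(f"== {label}")
        for problem in report["problems"]:
            print("  problem:", problem)
        for cmd in dig_commands(report):
            print("  verify: ", cmd)
```

The check only covers the consistency of the file; whether the records exist still has to be confirmed by running the printed dig commands against the domain controllers.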

I saw that when I pressed the send button. If I do that I again get the following:

2015-01-29 14:28:35,891 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'

2015-01-29 14:28:35,924 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'

And yes I replaced mydomain with the correct one... :-)

2015-01-29 14:40 GMT+01:00 Ondra Machacek <omachace@redhat.com>:
On 01/29/2015 02:18 PM, Koen Vanoppen wrote:
OK... Now I have this one :-) WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: Invalid DNS pseudo-URL(s):
uncomment vars.dns

It's same situation as before, but now you are missing ldap SRV record.
With same steps you used to add _gc SRV record add also _ldap SRV record.
But it's strange that you don't already have them.

On 01/29/2015 02:46 PM, Koen Vanoppen wrote:
> > > > > > > > > > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote: > > > > > > > > > > > > Can somebody help me setting up AAA for ovirt 3.5.1? > > > > > > > > > > > > I'm getting this now: > > > > > > > > > > > > 2015-01-29 11:35:36,889 WARN > > > > > > [org.ovirt.engineextensions.____aaa.ldap.AuthzExtension] (MSC > > > > > > service thread > > > > > > 1-1) > > [ovirt-engine-extension-aaa-____ldap.authz::BRU_AIR-authz] > > > > > > Cannot > > > > > > initialize LDAP framework, deferring initialization. > > Error: An > > > > > > error > > > > > > occurred while attempting to query DNS in order to > > retrieve SRV > > > > > > records > > > > > > with name '_gc._tcp.brussels.airport': > > > > > > javax.naming.____NameNotFoundException: DNS name not found > > > > > > [response code > > > > > > 3]; remaining name '_gc._tcp.brussels.airport' > > > > > > > > > > > > > > > > > > Do you have this '_gc._tcp.brussels.airport' SRV record in DNS > > ? > > > > > > > > > > > > > > > > > > my 3 configs: > > > > > > _*BRU_AIR-authn.properties*_ > > > > > > ovirt.engine.extension.name <http://ovirt.engine.extension.name> <http://ovirt.engine.__extension.name <http://ovirt.engine.extension.name>> < > > > > http://ovirt.engine.extension.__name <http://ovirt.engine.extension.name>> > > > > > > <http://ovirt.engine.__extensi__on.name <http://extension.name> <http://extension.name> > > > > > > <http://ovirt.engine.__extension.name <http://ovirt.engine.extension.name>>> = > > > > > > BRU_AIR-authn > > > > > > ovirt.engine.extension.____bindings.method = jbossmodule > > > > > > ovirt.engine.extension.____binding.jbossmodule.module = > > > > > > org.ovirt.engine-extensions.____aaa.ldap > > > > > > ovirt.engine.extension.____binding.jbossmodule.class = > > > > > > org.ovirt.engineextensions.____aaa.ldap.AuthnExtension > > > > > > ovirt.engine.extension.____provides = > > > > > > org.ovirt.engine.api.____extensions.aaa.Authn > > > > > > ovirt.engine.aaa.authn.__profi__le.name 
<http://profile.name> <http://profile.name> > > > > > > <http://ovirt.engine.aaa.__authn.profile.name <http://ovirt.engine.aaa.authn.profile.name>> > > > > > > <http://ovirt.engine.aaa.__aut__hn.profile.name <http://authn.profile.name> <http://authn.profile.name> > > > > > > <http://ovirt.engine.aaa.__authn.profile.name <http://ovirt.engine.aaa.authn.profile.name>>> = BRU-AIR > > > > > > ovirt.engine.aaa.authn.authz.____plugin = BRU_AIR-authz > > > > > > config.profile.file.1 = > > > > /etc/ovirt-engine/aaa/BRU_AIR.____properties > > > > > > > > > > > > _*BRU_AIR-authz.properties*_ > > > > > > ovirt.engine.extension.name <http://ovirt.engine.extension.name> <http://ovirt.engine.__extension.name <http://ovirt.engine.extension.name>> < > > > > http://ovirt.engine.extension.__name <http://ovirt.engine.extension.name>> > > > > > > <http://ovirt.engine.__extensi__on.name <http://extension.name> <http://extension.name>
> > > > > > <http://ovirt.engine.__extension.name <http://ovirt.engine.extension.name>>> = > > > > > > BRU_AIR-authz > > > > > > ovirt.engine.extension.____bindings.method = jbossmodule > > > > > > ovirt.engine.extension.____binding.jbossmodule.module = > > > > > > org.ovirt.engine-extensions.____aaa.ldap > > > > > > ovirt.engine.extension.____binding.jbossmodule.class = > > > > > > org.ovirt.engineextensions.____aaa.ldap.AuthzExtension > > > > > > ovirt.engine.extension.____provides = > > > > > > org.ovirt.engine.api.____extensions.aaa.Authz > > > > > > config.profile.file.1 = > > > > /etc/ovirt-engine/aaa/BRU_AIR.____properties > > > > > > > > > > > > _*BRU_AIR.properties*_ > > > > > > include = <ad.properties> > > > > > > > > > > > > # > > > > > > # Active directory domain name. > > > > > > # > > > > > > vars.domain = mydomain.com <http://mydomain.com> <http://mydomain.com> <http://mydomain.com> > > > > > > <http://mydomain.com> > > > > > > > > > > > > # > > > > > > # Search user and its password. > > > > > > # > > > > > > vars.user = admin@${global:vars.domain} > > > > > > vars.password = *********** > > > > > > > > > > > > # > > > > > > # Optional DNS servers, if enterprise > > > > > > # DNS server cannot resolve the domain srvrecord. 
> > > > > > # > > > > > > vars.dns = dns://dc01.mydomain.com <http://dc01.mydomain.com> <http://dc01.mydomain.com> < > > http://dc01.mydomain.com> > > > > > > <http://dc01.mydomain.com> > > > > > > > > > > > > pool.default.serverset.type = srvrecord > > > > > > pool.default.serverset.____srvrecord.domain = > > > > ${global:vars.domain} > > > > > > pool.default.auth.simple.____bindDN = ${global:vars.user} > > > > > > pool.default.auth.simple.____password = > > ${global:vars.password > > > > > > > > > > > > In the GUI for adding user I get this: > > > > > > > > > > > > An error occurred while attempting to query DNS in order to > > > > > > retrieve SRV > > > > > > records with name '_gc__tcp_brussels_airport': > > > > > > javax_naming_____NameNotFoundException: DNS name not found > > > > > > [response code > > > > > > 3]; remaining name '_gc__tcp_brussels_airport' > > > > > > > > > > > > Any ideas? I ran out... > > > > > > > > > > > > Kind regards, > > > > > > > > > > > > Koen > > > > > > > > > > > > > > > > > > ___________________________________________________ > > > > > > Users mailing list > > > > > > Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> > > > > > > http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users> > > > > > > <http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>> > > > > > > > > > > > > > > > > > _________________________________________________ > > > > > Users mailing list > > > > > Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> > > > > > http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users> > > > > > > > > > > > > > > >
_________________________________________________ Users mailing list Users@ovirt.org <mailto:Users@ovirt.org> http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>

I just don't understand. Why did engine-manage-domains previously DID work, no problems whatsoever and now I have this...
2015-01-29 14:48 GMT+01:00 Ondra Machacek <omachace@redhat.com>:
It's same situation as before, but now you are missing ldap SRV record.
With same steps you used to add _gc SRV record add also _ldap SRV record. But it's strange that you don't already have them.
On 01/29/2015 02:46 PM, Koen Vanoppen wrote:
I saw that when I pressed the send button. If I do that I again get the following:
2015-01-29 14:28:35,891 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'
2015-01-29 14:28:35,924 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'
And yes I replayed mydomain with the correct one... :-)
2015-01-29 14:40 GMT+01:00 Ondra Machacek <omachace@redhat.com>:
On 01/29/2015 02:18 PM, Koen Vanoppen wrote:
OK... Now I have this one :-)
WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: Invalid DNS pseudo-URL(s):
uncomment vars.dns
Changed the properties file to this:
include = <ad.properties>
#
# Active directory domain name.
#
vars.domain = ldap.mydomain.com (this one resolves to and gives ping back, front end of the pool)

#
# Search user and its password.
#
vars.user = juniper-admin@mydomain.com
vars.password = *****

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these resolve and give a ping back)

pool.default.serverset.type = srvrecord
#pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
Thanks for your effort!
2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
> From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: users@ovirt.org
> Sent: Thursday, January 29, 2015 2:41:52 PM
> Subject: Re: [ovirt-users] AAA
>
> Yes We have:
>
> [root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;_gc._tcp.mydomain.com. IN SRV
this ^^^^^^^ means that you do not have srv record. are you sure you replace mydomain.com with your actual active directory domain name? have you tried to look into your dns manager for this information as well?
>
> ;; AUTHORITY SECTION:
> mydomain.com. 3600 IN SOA srvdc03.mydomain.com. hostmaster.airport. 1398582 900 600 86400 3600
>
> ;; Query time: 12 msec
> ;; SERVER: 10.110.3.123#53(10.110.3.123)
> ;; WHEN: Thu Jan 29 13:40:41 2015
> ;; MSG SIZE rcvd: 98
>
> 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
>
> > ----- Original Message -----
> > > From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
> > > To: "Alon Bar-Lev" <alonbl@redhat.com>, users@ovirt.org
> > > Sent: Thursday, January 29, 2015 2:19:32 PM
> > > Subject: Re: [ovirt-users] AAA
> > >
> > > Big thanks for your help, but still the same:
> > >
> > > #
> > > # Active directory domain name.
> > > #
> > > vars.domain = mydomain.com
> > >
> > > #
> > > # Search user and its password.
> > > #
> > > vars.user = admin@${global:vars.domain}
> > > vars.password = *****
> > >
> > > #
> > > # Optional DNS servers, if enterprise
> > > # DNS server cannot resolve the domain srvrecord.
> > > #
> > > vars.dns = dns://srvdc03.${global:vars.domain} dns://srvdc04.${global:vars.domain}
> > >
> > > pool.default.serverset.type = srvrecord
> > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > pool.default.auth.simple.password = ${global:vars.password}
> > >
> > > # Uncomment if using custom DNS
> > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> > >
> > > [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: No DNS SRV records were found with record name '_gc._tcp.brussels.airport'.
> > >
> > > And I can't put '_gc._tcp.mydomain.com in the dns... Isn't there another way it just resolves the dns servers I gave him?
> >
> > Microsoft Domain controller must have gc service entry within DNS to work properly.
> > 1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com ?
> > 2. Can you please execute:
> > $ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> > 3. Can you please open the DNS manager within your domain and search for srv records? Maybe you have DNS installed only on few servers, using the DNS manager you can also see which.
> >
> > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
> > >
> > > > ----- Original Message -----
> > > > > From: "Ondra Machacek" <omachace@redhat.com>
> > > > > To: "Koen Vanoppen" <vanoppen.koen@gmail.com>, users@ovirt.org
> > > > > Sent: Thursday, January 29, 2015 1:49:00 PM
> > > > > Subject: Re: [ovirt-users] AAA
> > > > >
> > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
> > > > > > No, I don't. and I wouldn't know how he got to this name...
> > > > >
> > > > > Well, then you have to, if you want to use 'pool.default.serverset.type = srvrecord'.
> > > > >
> > > > > It just need to know where your global catalog is running, since it's needed for new provider.
> > > > >
> > > > > It searches for global catalog like this:
> > > > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}
> > > > >
> > > > > So you need to have this SRV record in DNS, if you want to use srvrecord serverset type. Or you don't have to if you use single server type.
> > > >
> > > > active directory will not work without access to global catalog.
> > > > please set one or more of the domain controllers as dns server, for example:
> > > >
> > > > vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
> > > >
> > > > please also uncomment/add these lines to make vars.dns effective.
> > > >
> > > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> > > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> > > >
> > > > Thanks!
> > > >
> > > > > > Thanks for the reply!
> > > > > >
> > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek <omachace@redhat.com>:
> > > > > >
> > > > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
> > > > > >
> > > > > > Can somebody help me setting up AAA for ovirt 3.5.1?
> > > > > >
> > > > > > I'm getting this now:
> > > > > >
> > > > > > 2015-01-29 11:35:36,889 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc._tcp.brussels.airport': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc._tcp.brussels.airport'
> > > > > >
> > > > > > Do you have this '_gc._tcp.brussels.airport' SRV record in DNS ?
> > > > > >
> > > > > > my 3 configs:
> > > > > > _*BRU_AIR-authn.properties*_
> > > > > > ovirt.engine.extension.name = BRU_AIR-authn
> > > > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > > > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> > > > > > ovirt.engine.aaa.authn.profile.name = BRU-AIR
> > > > > > ovirt.engine.aaa.authn.authz.plugin = BRU_AIR-authz
> > > > > > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
> > > > > >
> > > > > > _*BRU_AIR-authz.properties*_
> > > > > > ovirt.engine.extension.name = BRU_AIR-authz
> > > > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > > > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > > > > > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
> > > > > >
> > > > > > _*BRU_AIR.properties*_
> > > > > > include = <ad.properties>
> > > > > >
> > > > > > #
> > > > > > # Active directory domain name.
> > > > > > #
> > > > > > vars.domain = mydomain.com
> > > > > >
> > > > > > #
> > > > > > # Search user and its password.
> > > > > > #
> > > > > > vars.user = admin@${global:vars.domain}
> > > > > > vars.password = ***********
> > > > > >
> > > > > > #
> > > > > > # Optional DNS servers, if enterprise
> > > > > > # DNS server cannot resolve the domain srvrecord.
> > > > > > #
> > > > > > vars.dns = dns://dc01.mydomain.com
> > > > > >
> > > > > > pool.default.serverset.type = srvrecord
> > > > > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > > > pool.default.auth.simple.password = ${global:vars.password
> > > > > >
> > > > > > In the GUI for adding user I get this:
> > > > > >
> > > > > > An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc__tcp_brussels_airport': javax_naming_NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc__tcp_brussels_airport'
> > > > > >
> > > > > > Any ideas? I ran out...
> > > > > >
> > > > > > Kind regards,
> > > > > >
> > > > > > Koen
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
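The checks discussed in the messages above, as an added example that is not part of any poster's message or of the oVirt project's code: it pre-flights a profile like the one posted, reports `${global:...}` references left undefined (the state that preceded the "Invalid DNS pseudo-URL(s):" warning), lists the `dig` queries for the two SRV names the thread shows being looked up, and reads a dig header. The variable expansion is a simplified assumption, `include` is not followed, and the function names and sample strings are constructed for illustration.

```python
import re

REF = re.compile(r"\$\{global:([^}]+)\}")
# SRV labels the thread shows being queried when serverset.type = srvrecord.
SRV_LABELS = ("_gc._tcp", "_ldap._tcp")
DIG_HEADER = re.compile(r"status: (\w+),.*?ANSWER: (\d+)", re.S)

# Constructed from the profile posted in the thread; vars.dns is commented out.
BROKEN_PROFILE = """\
include = <ad.properties>
vars.domain = ldap.mydomain.com
vars.user = juniper-admin@mydomain.com
vars.password = placeholder
#vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
"""

# Header lines of the dig answer quoted in the thread.
NXDOMAIN_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""


def parse_properties(text):
    """Parse 'key = value' lines; a line starting with '#' defines nothing."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def expand(value, props, seen=()):
    """Expand ${global:name}; return (expanded value, set of undefined names)."""
    missing = set()

    def repl(match):
        name = match.group(1)
        if name not in props or name in seen:  # undefined or self-referencing
            missing.add(name)
            return match.group(0)
        inner, inner_missing = expand(props[name], props, seen + (name,))
        missing.update(inner_missing)
        return inner

    return REF.sub(repl, value), missing


def preflight(text):
    """Return (problems, dig commands to run) for a profile's text."""
    props = parse_properties(text)
    problems, resolved = [], {}
    for key, value in props.items():
        resolved[key], missing = expand(value, props)
        problems += [f"{key} references undefined {name}" for name in sorted(missing)]
    checks = []
    domain = resolved.get("pool.default.serverset.srvrecord.domain", "")
    if resolved.get("pool.default.serverset.type") == "srvrecord" and domain and "${" not in domain:
        servers = [u[len("dns://"):] for u in resolved.get("vars.dns", "").split()
                   if u.startswith("dns://")]
        for label in SRV_LABELS:
            name = f"{label}.{domain}"
            if servers:
                checks += [f"dig @{server} -t SRV {name}" for server in servers]
            else:
                checks.append(f"dig -t SRV {name}")  # falls back to the system resolver
    return problems, checks


def srv_found(dig_output):
    """True only for status NOERROR with at least one ANSWER record."""
    match = DIG_HEADER.search(dig_output)
    return bool(match) and match.group(1) == "NOERROR" and int(match.group(2)) > 0


if __name__ == "__main__":
    found_problems, commands = preflight(BROKEN_PROFILE)
    for item in found_problems:
        print("PROBLEM:", item)
    for command in commands:
        print("RUN:", command)
    print("SRV record present in sample answer:", srv_found(NXDOMAIN_SAMPLE))
```
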

On 01/29/2015 02:54 PM, Koen Vanoppen wrote:
I just don't understand. Why did engine-manage-domains previously DID work, no problems whatsoever and now I have this...
Because manage-domains didn't use global catalog. And probably the reason you don't have _ldap SRV record is that you didn't have them never and you just used '--ldapServers' parameter, that's why manage-domains worked with your domain. Now you are using DNS, not static configuration of ldap servers.
2015-01-29 14:48 GMT+01:00 Ondra Machacek <omachace@redhat.com>:
It's same situation as before, but now you are missing ldap SRV record.
With same steps you used to add _gc SRV record add also _ldap SRV record. But it's strange that you don't already have them.
On 01/29/2015 02:46 PM, Koen Vanoppen wrote:
I saw that when I pressed the send button. If I do that I again get the following:
2015-01-29 14:28:35,891 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'
2015-01-29 14:28:35,924 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'
And yes I replayed mydomain with the correct one... :-)
2015-01-29 14:40 GMT+01:00 Ondra Machacek <omachace@redhat.com>:
On 01/29/2015 02:18 PM, Koen Vanoppen wrote:
OK... Now I have this one :-)
WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: Invalid DNS pseudo-URL(s):
uncomment vars.dns
Changed the properties file to this:
include = <ad.properties>
#
# Active directory domain name.
#
vars.domain = ldap.mydomain.com (this one resolves to and gives ping back, front end of the pool)

#
# Search user and its password.
#
vars.user = juniper-admin@mydomain.com
vars.password = *****

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these resolve and give a ping back)

pool.default.serverset.type = srvrecord
#pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
Thanks for your effort!
2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
> From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: users@ovirt.org
> Sent: Thursday, January 29, 2015 2:41:52 PM
> Subject: Re: [ovirt-users] AAA
>
> Yes We have:
>
> [root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;_gc._tcp.mydomain.com. IN SRV
this ^^^^^^^ means that you do not have srv record. are you sure you replace mydomain.com with your actual active directory domain name? have you tried to look into your dns manager for this information as well?
>
> ;; AUTHORITY SECTION:
> mydomain.com. 3600 IN SOA srvdc03.mydomain.com. hostmaster.airport. 1398582 900 600 86400 3600
>
> ;; Query time: 12 msec
> ;; SERVER: 10.110.3.123#53(10.110.3.123)
> ;; WHEN: Thu Jan 29 13:40:41 2015
> ;; MSG SIZE rcvd: 98
>
> 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
>
> > ----- Original Message -----
> > > From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
> > > To: "Alon Bar-Lev" <alonbl@redhat.com>, users@ovirt.org
> > > Sent: Thursday, January 29, 2015 2:19:32 PM
> > > Subject: Re: [ovirt-users] AAA
> > >
> > > Big thanks for your help, but still the same:
> > >
> > > #
> > > # Active directory domain name.
> > > #
> > > vars.domain = mydomain.com
> > >
> > > #
> > > # Search user and its password.
> > > #
> > > vars.user = admin@${global:vars.domain}
> > > vars.password = *****
> > >
> > > #
> > > # Optional DNS servers, if enterprise
> > > # DNS server cannot resolve the domain srvrecord.
> > > #
> > > vars.dns = dns://srvdc03.${global:vars.domain} dns://srvdc04.${global:vars.domain}
> > >
> > > pool.default.serverset.type = srvrecord
> > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > pool.default.auth.simple.password = ${global:vars.password}
> > >
> > > # Uncomment if using custom DNS
> > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> > >
> > > [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: No DNS SRV records were found with record name '_gc._tcp.brussels.airport'.
> > >
> > > And I can't put '_gc._tcp.mydomain.com in the dns... Isn't there another way it just resolves the dns servers I gave him?
> >
> > Microsoft Domain controller must have gc service entry within DNS to work properly.
> > 1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com ?
> > 2. Can you please execute:
> > $ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> > 3. Can you please open the DNS manager within your domain and search for srv records? Maybe you have DNS installed only on few servers, using the DNS manager you can also see which.
> >
> > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
> > >
> > > > ----- Original Message -----
> > > > > From: "Ondra Machacek" <omachace@redhat.com>
> > > > > To: "Koen Vanoppen" <vanoppen.koen@gmail.com>, users@ovirt.org
> > > > > Sent: Thursday, January 29, 2015 1:49:00 PM
> > > > > Subject: Re: [ovirt-users] AAA
> > > > >
> > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
> > > > > > No, I don't. and I wouldn't know how he got to this name...
> > > > >
> > > > > Well, then you have to, if you want to use 'pool.default.serverset.type = srvrecord'.
> > > > >
> > > > > It just need to know where your global catalog is running, since it's needed for new provider.
> > > > >
> > > > > It searches for global catalog like this:
> > > > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}
> > > > >
> > > > > So you need to have this SRV record in DNS, if you want to use srvrecord serverset type. Or you don't have to if you use single server type.
> > > >
> > > > active directory will not work without access to global catalog.
> > > > please set one or more of the domain controllers as dns server, for > > > > example: > > > > > > > > vars.dns = dns://dc1.${global:vars.____domain} > > dns://dc2.${global:vars.____domain} > > > > > > > > please also uncomment/add these lines to make vars.dns effective. > > > > > > > > > >
pool.default.serverset.____srvrecord.jndi-properties.____java.naming.provider.url > > > > = ${global:vars.dns} > > > > pool.default.socketfactory.____resolver.uRL = ${global:vars.dns} > > > > > > > > Thanks! > > > > > > > > > > > > > > > > > > > > > Thanks for the reply! > > > > > > > > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek <omachace@redhat.com <mailto:omachace@redhat.com> <mailto:omachace@redhat.com <mailto:omachace@redhat.com>> <mailto:omachace@redhat.com <mailto:omachace@redhat.com> <mailto:omachace@redhat.com <mailto:omachace@redhat.com>>> > > > > > > <mailto:omachace@redhat.com <mailto:omachace@redhat.com> <mailto:omachace@redhat.com <mailto:omachace@redhat.com>> <mailto:omachace@redhat.com <mailto:omachace@redhat.com> <mailto:omachace@redhat.com <mailto:omachace@redhat.com>>>>__>__:
> > > > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
> > > > > >
> > > > > > Can somebody help me setting up AAA for ovirt 3.5.1?
> > > > > >
> > > > > > I'm getting this now:
> > > > > >
> > > > > > 2015-01-29 11:35:36,889 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc._tcp.brussels.airport': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc._tcp.brussels.airport'
> > > > > >
> > > > > > Do you have this '_gc._tcp.brussels.airport' SRV record in DNS ?
> > > > > >
> > > > > > my 3 configs:
> > > > > > _*BRU_AIR-authn.properties*_
> > > > > > ovirt.engine.extension.name = BRU_AIR-authn
> > > > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > > > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> > > > > > ovirt.engine.aaa.authn.profile.name = BRU-AIR
> > > > > > ovirt.engine.aaa.authn.authz.plugin = BRU_AIR-authz
> > > > > > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
> > > > > >
> > > > > > _*BRU_AIR-authz.properties*_
> > > > > > ovirt.engine.extension.name = BRU_AIR-authz
> > > > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > > > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > > > > > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
> > > > > >
> > > > > > _*BRU_AIR.properties*_
> > > > > > include = <ad.properties>
> > > > > >
> > > > > > #
> > > > > > # Active directory domain name.
> > > > > > #
> > > > > > vars.domain = mydomain.com
> > > > > >
> > > > > > #
> > > > > > # Search user and its password.
> > > > > > #
> > > > > > vars.user = admin@${global:vars.domain}
> > > > > > vars.password = ***********
> > > > > >
> > > > > > #
> > > > > > # Optional DNS servers, if enterprise
> > > > > > # DNS server cannot resolve the domain srvrecord.
> > > > > > #
> > > > > > vars.dns = dns://dc01.mydomain.com
> > > > > >
> > > > > > pool.default.serverset.type = srvrecord
> > > > > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > > > pool.default.auth.simple.password = ${global:vars.password
> > > > > >
> > > > > > In the GUI for adding user I get this:
> > > > > >
> > > > > > An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc__tcp_brussels_airport': javax_naming_NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc__tcp_brussels_airport'
> > > > > >
> > > > > > Any ideas? I ran out...
> > > > > >
> > > > > > Kind regards,
> > > > > >
> > > > > > Koen

___________________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

FOUND IT!!!!!!

include = <ad.properties>

#
# Active directory domain name.
#
#vars.domain = ldap.mydomain.com
vars.server = ldap.mydomain.com

#
# Search user and its password.
#
vars.user = juniper-admin@mydomain.com
vars.password = **************

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
vars.dns = dns://srvdc03.mydomain.com dns://srvdc04.mydomain.com

#pool.default.serverset.type = srvrecord
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

BIG THANKS MAN!!!!!

2015-01-29 15:00 GMT+01:00 Ondra Machacek <omachace@redhat.com>:
On 01/29/2015 02:54 PM, Koen Vanoppen wrote:
I just don't understand. Why did engine-manage-domains previously work, no problems whatsoever, and now I have this...
Because manage-domains didn't use global catalog. And probably the reason you don't have the _ldap SRV record is that you never had them and you just used the '--ldapServers' parameter; that's why manage-domains worked with your domain.
Now you are using DNS, not static configuration of ldap servers.
2015-01-29 14:48 GMT+01:00 Ondra Machacek <omachace@redhat.com>:
It's same situation as before, but now you are missing ldap SRV record.
With same steps you used to add _gc SRV record add also _ldap SRV record. But it's strange that you don't already have them.
On 01/29/2015 02:46 PM, Koen Vanoppen wrote:
I saw that when I pressed the send button. If I do that I again get the following:

2015-01-29 14:28:35,891 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'
2015-01-29 14:28:35,924 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'

And yes I replaced mydomain with the correct one... :-)
2015-01-29 14:40 GMT+01:00 Ondra Machacek <omachace@redhat.com>:
On 01/29/2015 02:18 PM, Koen Vanoppen wrote:
OK... Now I have this one :-)

WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: Invalid DNS pseudo-URL(s):
uncomment vars.dns
Changed the properties file to this:
include = <ad.properties>
#
# Active directory domain name.
#
vars.domain = ldap.mydomain.com (this one resolves to and gives ping back, front end of the pool)

#
# Search user and its password.
#
vars.user = juniper-admin@mydomain.com
vars.password = *****

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these resolve and give a ping back)

pool.default.serverset.type = srvrecord
#pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
Thanks for your effort!
2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message ----- > From: "Koen Vanoppen" <vanoppen.koen@gmail.com <mailto:vanoppen.koen@gmail.com> <mailto:vanoppen.koen@gmail.__com <mailto:vanoppen.koen@gmail.com>> <mailto:vanoppen.koen@gmail. <mailto:vanoppen.koen@gmail.>____com <mailto:vanoppen.koen@gmail.__com <mailto:vanoppen.koen@gmail.com>>>> > To: "Alon Bar-Lev" <alonbl@redhat.com <mailto:alonbl@redhat.com> <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>> <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com> <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>>>> > Cc:users@ovirt.org <mailto:Cc%3Ausers@ovirt.org> <mailto:Cc%3Ausers@ovirt.org <mailto:Cc%253Ausers@ovirt.org>> <mailto:users@ovirt.org <mailto:users@ovirt.org> <mailto:users@ovirt.org <mailto:users@ovirt.org>>> > Sent: Thursday, January 29, 2015 2:41:52 PM > Subject: Re: [ovirt-users] AAA > > Yes We have: > > [root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com <http://srvdc03.mydomain.com> <http://srvdc03.mydomain.com> <http://srvdc03.mydomain.com> SRV _gc._ >tcp.mydomain.com <http://tcp.mydomain.com> <http://tcp.mydomain.com> <http://tcp.mydomain.com> > > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.____rc1.el6_5.1 <<>> @srvdc03.mydomain.com <http://srvdc03.mydomain.com> <http://srvdc03.mydomain.com>
<http://srvdc03.mydomain.com> > SRV _gc._tcp.mydomain.com <http://tcp.mydomain.com> <http://tcp.mydomain.com> <http://tcp.mydomain.com> > ; (1 server found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340 > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;_gc._tcp.mydomain.com <http://tcp.mydomain.com> <http://tcp.mydomain.com> <http://tcp.mydomain.com>. IN SRV
this ^^^^^^^ means that you do not have srv record. are you sure you replace mydomain.com <http://mydomain.com> <http://mydomain.com> <http://mydomain.com> with your actual active directory domain name? have you tried to look into your dns manager for this information as well?
> > ;; AUTHORITY SECTION: > mydomain.com <http://mydomain.com> <http://mydomain.com> <http://mydomain.com>. 3600 IN SOA srvdc03.mydomain.com <http://srvdc03.mydomain.com> <http://srvdc03.mydomain.com> <http://srvdc03.mydomain.com>. > hostmaster.airport. 1398582 900 600 86400 3600 > > ;; Query time: 12 msec > ;; SERVER: 10.110.3.123#53(10.110.3.123) > ;; WHEN: Thu Jan 29 13:40:41 2015 > ;; MSG SIZE rcvd: 98 > > > > 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com <mailto:alonbl@redhat.com> <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>> <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com> <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>>>>: > > > > > > > ----- Original Message ----- > > > From: "Koen Vanoppen" <vanoppen.koen@gmail.com <mailto:vanoppen.koen@gmail.com> <mailto:vanoppen.koen@gmail.__com <mailto:vanoppen.koen@gmail.com>> <mailto:vanoppen.koen@gmail. <mailto:vanoppen.koen@gmail.>____com <mailto:vanoppen.koen@gmail.__com <mailto:vanoppen.koen@gmail.com>>>> > > > To: "Alon Bar-Lev" <alonbl@redhat.com <mailto:alonbl@redhat.com> <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>> <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com> <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>>>>, users@ovirt.org <mailto:users@ovirt.org> <mailto:users@ovirt.org <mailto:users@ovirt.org>> <mailto:users@ovirt.org <mailto:users@ovirt.org> <mailto:users@ovirt.org <mailto:users@ovirt.org>>> > > > Sent: Thursday, January 29, 2015 2:19:32 PM > > > Subject: Re: [ovirt-users] AAA > > > > > > Big thanks for your help, but still the same: > > > > > > # > > > # Active directory domain name. > > > # > > > vars.domain = mydomain.com <http://mydomain.com> <http://mydomain.com> <http://mydomain.com> > > > > > > # > > > # Search user and its password. > > > # > > > vars.user = admin@${global:vars.domain} > > > vars.password = ***** > > > > > > # > > > # Optional DNS servers, if enterprise > > > # DNS server cannot resolve the domain srvrecord. 
> > > # > > > vars.dns = dns://srvdc03.${global:vars.____domain} > > > dns://srvdc04.${global:vars.____domain} > > > > > > pool.default.serverset.type = srvrecord > > > pool.default.serverset.____srvrecord.domain = ${global:vars.domain} > > > pool.default.auth.simple.____bindDN = ${global:vars.user} > > > pool.default.auth.simple.____password = ${global:vars.password} > > > > > > # Uncomment if using custom DNS > > > > >
pool.default.serverset.____srvrecord.jndi-properties.____ java.naming.provider.url = > > > ${global:vars.dns} > > > pool.default.socketfactory.____resolver.uRL = ${global:vars.dns} > > > > > > > > > > > > [ovirt-engine-extension-aaa-__ __ldap.authz::BRU_AIR-authz] Cannot initialize > > > LDAP framework, deferring initialization. Error: No DNS SRV records were > > > found with record name '_gc._tcp.brussels.airport'. > > > > > > And I can't put '_gc._tcp.mydomain.com <http://tcp.mydomain.com> <http://tcp.mydomain.com> <http://tcp.mydomain.com> in the dns... Isn't there another > > > way it just resolves the dns servers I gave him? > > > > > > > Microsoft Domain controller must have gc service entry within DNS to work > > properly. > > 1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com <http://srvdc03.mydomain.com> <http://srvdc03.mydomain.com> <http://srvdc03.mydomain.com> ? > > 2. Can you please execute: > > $ dig @srvdc03.mydomain.com <http://srvdc03.mydomain.com> <http://srvdc03.mydomain.com> <http://srvdc03.mydomain.com> SRV _gc._tcp.mydomain.com <http://tcp.mydomain.com> <http://tcp.mydomain.com> <http://tcp.mydomain.com> > > 3. Can you please open the DNS manager within your domain and search for > > srv records? Maybe you have DNS installed only on few servers, using the > > DNS manager you can also see which. > > > > > > > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com <mailto:alonbl@redhat.com> <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>> <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com> <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>>>>: > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > From: "Ondra Machacek" <omachace@redhat.com <mailto:omachace@redhat.com> <mailto:omachace@redhat.com <mailto:omachace@redhat.com
<mailto:omachace@redhat.com <mailto:omachace@redhat.com> <mailto:omachace@redhat.com <mailto:omachace@redhat.com>>>> > > > > > To: "Koen Vanoppen" <vanoppen.koen@gmail.com <mailto:vanoppen.koen@gmail.com> <mailto:vanoppen.koen@gmail.__com <mailto:vanoppen.koen@gmail.com>> <mailto:vanoppen.koen@gmail. <mailto:vanoppen.koen@gmail.>____com <mailto:vanoppen.koen@gmail.__com <mailto:vanoppen.koen@gmail.com>>>>, users@ovirt.org <mailto:users@ovirt.org> <mailto:users@ovirt.org <mailto:users@ovirt.org>> <mailto:users@ovirt.org <mailto:users@ovirt.org>
<mailto:users@ovirt.org <mailto:users@ovirt.org>>> > > > > > Sent: Thursday, January 29, 2015 1:49:00 PM > > > > > Subject: Re: [ovirt-users] AAA > > > > > > > > > > > > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote: > > > > > > No, I don't. and I wouldn't know how he got to this name... > > > > > > > > > > Well, then you have to, if you want to use > > 'pool.default.serverset.type > > > > > = srvrecord'. > > > > > > > > > > It just need to know where your global catalog is running, since it's > > > > > needed for new provider. > > > > > > > > > > It searches for global catalog like this: > > > > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain} > > > > > > > > > > So you need to have this SRV record in DNS, if you want to use > > srvrecord > > > > > serverset type. Or you don't have to if you use single server type. > > > > > > > > active directory will not work without access to global catalog. > > > > please set one or more of the domain controllers as dns server, for > > > > example: > > > > > > > > vars.dns = dns://dc1.${global:vars.____domain} > > dns://dc2.${global:vars.____domain} > > > > > > > > please also uncomment/add these lines to make vars.dns effective. > > > > > > > > > >
pool.default.serverset.____srvrecord.jndi-properties.____ java.naming.provider.url > > > > = ${global:vars.dns} > > > > pool.default.socketfactory.____resolver.uRL = ${global:vars.dns} > > > > > > > > Thanks! > > > > > > > > > > > > > > > > > > > > > Thanks for the reply! > > > > > > > > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek <omachace@redhat.com <mailto:omachace@redhat.com> <mailto:omachace@redhat.com <mailto:omachace@redhat.com>> <mailto:omachace@redhat.com <mailto:omachace@redhat.com> <mailto:omachace@redhat.com <mailto:omachace@redhat.com>>> > > > > > > <mailto:omachace@redhat.com <mailto:omachace@redhat.com> <mailto:omachace@redhat.com <mailto:omachace@redhat.com>> <mailto:omachace@redhat.com <mailto:omachace@redhat.com> <mailto:omachace@redhat.com <mailto:omachace@redhat.com>>>>__>__:
> > > > > > > > > > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote: > > > > > > > > > > > > Can somebody help me setting up AAA for ovirt 3.5.1? > > > > > > > > > > > > I'm getting this now: > > > > > > > > > > > > 2015-01-29 11:35:36,889 WARN > > > > > >
[org.ovirt.engineextensions.______aaa.ldap.AuthzExtension] (MSC > > > > > > service thread > > > > > > 1-1) > > [ovirt-engine-extension-aaa-______ldap.authz::BRU_AIR-authz] > > > > > > Cannot > > > > > > initialize LDAP framework, deferring initialization. > > Error: An > > > > > > error > > > > > > occurred while attempting to query DNS in order to > > retrieve SRV > > > > > > records > > > > > > with name '_gc._tcp.brussels.airport': > > > > > > javax.naming.______NameNotFoundException: DNS name not found > > > > > > [response code > > > > > > 3]; remaining name '_gc._tcp.brussels.airport' > > > > > > > > > > > > > > > > > > Do you have this '_gc._tcp.brussels.airport' SRV record in DNS > > ? > > > > > > > > > > > > > > > > > > my 3 configs: > > > > > > _*BRU_AIR-authn.properties*_ > > > > > > ovirt.engine.extension.name <http://ovirt.engine.extension.name> <http://ovirt.engine.__extension.name <http://ovirt.engine.extension.name>> <http://ovirt.engine.__extensi__on.name <http://extension.name> <http://ovirt.engine.__extension.name <http://ovirt.engine.extension.name>>> < > > > > http://ovirt.engine.extension.____name <http://ovirt.engine.__extension.name <http://ovirt.engine.extension.name>>> > > > > > > <http://ovirt.engine.__extensi____on.name <http://extensi__on.name> <http://extension.name> <http://extension.name> > > > > > > <http://ovirt.engine.__extensi__on.name <http://extension.name> <http://ovirt.engine.__extension.name <http://ovirt.engine.extension.name>>>> = > > > > > > BRU_AIR-authn > > > > > > ovirt.engine.extension.______bindings.method = jbossmodule > > > > > >
ovirt.engine.extension.______binding.jbossmodule.module = > > > > > > org.ovirt.engine-extensions.______aaa.ldap > > > > > >
ovirt.engine.extension.______binding.jbossmodule.class = > > > > > >
org.ovirt.engineextensions.______aaa.ldap.AuthnExtension > > > > > > ovirt.engine.extension.______provides = > > > > > > org.ovirt.engine.api.______extensions.aaa.Authn > > > > > > ovirt.engine.aaa.authn.__profi____le.name <http://profi__le.name> <http://profile.name> <http://profile.name> > > > > > > <http://ovirt.engine.aaa.__aut__hn.profile.name <http://authn.profile.name> <http://ovirt.engine.aaa.__authn.profile.name <http://ovirt.engine.aaa.authn.profile.name>>> > > > > > > <http://ovirt.engine.aaa.__aut____hn.profile.name <http://aut__hn.profile.name> <http://authn.profile.name> <http://authn.profile.name> > > > > > > <http://ovirt.engine.aaa.__aut__hn.profile.name <http://authn.profile.name> <http://ovirt.engine.aaa.__authn.profile.name <http://ovirt.engine.aaa.authn.profile.name>>>> = BRU-AIR > > > > > > ovirt.engine.aaa.authn.authz.______plugin = BRU_AIR-authz > > > > > > config.profile.file.1 = > > > > /etc/ovirt-engine/aaa/BRU_AIR.______properties > > > > > > > > > > > > _*BRU_AIR-authz.properties*_ > > > > > > ovirt.engine.extension.name <http://ovirt.engine.extension.name> <http://ovirt.engine.__extension.name <http://ovirt.engine.extension.name>> <http://ovirt.engine.__extensi__on.name <http://extension.name> <http://ovirt.engine.__extension.name <http://ovirt.engine.extension.name>>> < > > > > http://ovirt.engine.extension.____name <http://ovirt.engine.__extension.name <http://ovirt.engine.extension.name>>> > > > > > > <http://ovirt.engine.__extensi____on.name <http://extensi__on.name> <http://extension.name> <http://extension.name>
> > > > > > <http://ovirt.engine.__extensi__on.name <http://extension.name> <http://ovirt.engine.__extension.name <http://ovirt.engine.extension.name>>>> = > > > > > > BRU_AIR-authz > > > > > > ovirt.engine.extension.______bindings.method = jbossmodule > > > > > >
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > > > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > > > > > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
> > > > > >
> > > > > > _*BRU_AIR.properties*_
> > > > > > include = <ad.properties>
> > > > > >
> > > > > > #
> > > > > > # Active directory domain name.
> > > > > > #
> > > > > > vars.domain = mydomain.com
> > > > > >
> > > > > > #
> > > > > > # Search user and its password.
> > > > > > #
> > > > > > vars.user = admin@${global:vars.domain}
> > > > > > vars.password = ***********
> > > > > >
> > > > > > #
> > > > > > # Optional DNS servers, if enterprise
> > > > > > # DNS server cannot resolve the domain srvrecord.
> > > > > > #
> > > > > > vars.dns = dns://dc01.mydomain.com
> > > > > >
> > > > > > pool.default.serverset.type = srvrecord
> > > > > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > > > pool.default.auth.simple.password = ${global:vars.password
> > > > > >
> > > > > > In the GUI for adding user I get this:
> > > > > >
> > > > > > An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc__tcp_brussels_airport': javax_naming_NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc__tcp_brussels_airport'
> > > > > >
> > > > > > Any ideas? I ran out...
> > > > > >
> > > > > > Kind regards,
> > > > > >
> > > > > > Koen
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

----- Original Message -----
From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
To: "Ondra Machacek" <omachace@redhat.com>
Cc: users@ovirt.org
Sent: Thursday, January 29, 2015 4:11:40 PM
Subject: Re: [ovirt-users] AAA
FOUND IT!!!!!!

include = <ad.properties>

#
# Active directory domain name.
#
#vars.domain = ldap.mydomain.com
vars.server = ldap.mydomain.com

#
# Search user and its password.
#
vars.user = juniper-admin@mydomain.com
vars.password = **************

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
vars.dns = dns://srvdc03.mydomain.com dns://srvdc04.mydomain.com

#pool.default.serverset.type = srvrecord

as I wrote several times, not using srvrecord for active directory will result in non working configuration. we need to find the root cause of your problem.

pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

BIG THANKS MAN!!!!!
2015-01-29 15:00 GMT+01:00 Ondra Machacek <omachace@redhat.com>:
On 01/29/2015 02:54 PM, Koen Vanoppen wrote:
I just don't understand. Why did engine-manage-domains previously DID work, no problems whatsoever and now I have this...
Because manage-domains didn't use global catalog. And probably the reason you don't have _ldap SRV record is that you didn't have them never and you just used '--ldapServers' parameter, that's why manage-domains worked with your domain.
Now you are using DNS, not static configuration of ldap servers.
2015-01-29 14:48 GMT+01:00 Ondra Machacek <omachace@redhat.com>:
It's same situation as before, but now you are missing ldap SRV record.
With same steps you used to add _gc SRV record add also _ldap SRV record. But it's strange that you don't already have them.
On 01/29/2015 02:46 PM, Koen Vanoppen wrote:
I saw that when I pressed the send button. If I do that I again get the following:

2015-01-29 14:28:35,891 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'
2015-01-29 14:28:35,924 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'

And yes I replaced mydomain with the correct one... :-)

2015-01-29 14:40 GMT+01:00 Ondra Machacek <omachace@redhat.com>:

On 01/29/2015 02:18 PM, Koen Vanoppen wrote:

OK... Now I have this one :-)
WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: Invalid DNS pseudo-URL(s):
uncomment vars.dns
Changed the properties file to this:
include = <ad.properties>

#
# Active directory domain name.
#
vars.domain = ldap.mydomain.com (this one resolves to and gives ping back, front end of the pool)

#
# Search user and its password.
#
vars.user = juniper-admin@mydomain.com
vars.password = *****

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these resolve and give a ping back)

pool.default.serverset.type = srvrecord
#pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
Thanks for your effort!
2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Thursday, January 29, 2015 2:41:52 PM
Subject: Re: [ovirt-users] AAA
Yes We have:
[root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_gc._tcp.mydomain.com. IN SRV

this ^^^^^^^ means that you do not have srv record. are you sure you replace mydomain.com with your actual active directory domain name? have you tried to look into your dns manager for this information as well?

;; AUTHORITY SECTION:
mydomain.com. 3600 IN SOA srvdc03.mydomain.com. hostmaster.airport. 1398582 900 600 86400 3600

;; Query time: 12 msec
;; SERVER: 10.110.3.123#53(10.110.3.123)
;; WHEN: Thu Jan 29 13:40:41 2015
;; MSG SIZE rcvd: 98
2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>, users@ovirt.org
Sent: Thursday, January 29, 2015 2:19:32 PM
Subject: Re: [ovirt-users] AAA
Big thanks for your help, but still the same:
#
# Active directory domain name.
#
vars.domain = mydomain.com

#
# Search user and its password.
#
vars.user = admin@${global:vars.domain}
vars.password = *****

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
vars.dns = dns://srvdc03.${global:vars.domain} dns://srvdc04.${global:vars.domain}

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

[ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: No DNS SRV records were found with record name '_gc._tcp.brussels.airport'.

And I can't put '_gc._tcp.mydomain.com in the dns... Isn't there another way it just resolves the dns servers I gave him?
Microsoft Domain controller must have gc service entry within DNS to work properly.

1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com?

2. Can you please execute:
$ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com

3. Can you please open the DNS manager within your domain and search for srv records? Maybe you have DNS installed only on few servers, using the DNS manager you can also see which.
2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
From: "Ondra Machacek" <omachace@redhat.com>
To: "Koen Vanoppen" <vanoppen.koen@gmail.com>, users@ovirt.org
Sent: Thursday, January 29, 2015 1:49:00 PM
Subject: Re: [ovirt-users] AAA
On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
> No, I don't. and I wouldn't know how he got to this name...
Well, then you have to, if you want to use 'pool.default.serverset.type = srvrecord'.
It just needs to know where your global catalog is running, since it's needed for new provider.
It searches for global catalog like this: dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}
So you need to have this SRV record in DNS, if you want to use srvrecord serverset type. Or you don't have to if you use single server type.
active directory will not work without access to global catalog. please set one or more of the domain controllers as dns server, for example:

vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}

please also uncomment/add these lines to make vars.dns effective.

pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
Thanks!
>
> Thanks for the reply!
>
> 2015-01-29 11:53 GMT+01:00 Ondra Machacek <omachace@redhat.com>:
>
> On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
>
> Can somebody help me setting up AAA for ovirt 3.5.1?
>
> I'm getting this now:
>
> 2015-01-29 11:35:36,889 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc._tcp.brussels.airport': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc._tcp.brussels.airport'
>
> Do you have this '_gc._tcp.brussels.airport' SRV record in DNS ?
>
> my 3 configs:
> _*BRU_AIR-authn.properties*_
> ovirt.engine.extension.name = BRU_AIR-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = BRU-AIR
> ovirt.engine.aaa.authn.authz.plugin = BRU_AIR-authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
>
> _*BRU_AIR-authz.properties*_
> ovirt.engine.extension.name = BRU_AIR-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
>
> _*BRU_AIR.properties*_
> include = <ad.properties>
>
> #
> # Active directory domain name.
> #
> vars.domain = mydomain.com
>
> #
> # Search user and its password.
> #
> vars.user = admin@${global:vars.domain}
> vars.password = ***********
>
> #
> # Optional DNS servers, if enterprise
> # DNS server cannot resolve the domain srvrecord.
> #
> vars.dns = dns://dc01.mydomain.com
>
> pool.default.serverset.type = srvrecord
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password
>
> In the GUI for adding user I get this:
>
> An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc__tcp_brussels_airport': javax_naming_NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc__tcp_brussels_airport'
>
> Any ideas? I ran out...
>
> Kind regards,
>
> Koen
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

----- Original Message -----
From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
To: "Ondra Machacek" <omachace@redhat.com>, users@ovirt.org
Sent: Thursday, January 29, 2015 3:46:09 PM
Subject: Re: [ovirt-users] AAA
I saw that when I pressed the send button. If I do that I again get the following:

2015-01-29 14:28:35,891 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'
2015-01-29 14:28:35,924 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'

And yes I replaced mydomain with the correct one... :-)

Hi Koen,

I keep asking you... please provide the following so we can help:

1. your real domain name that you are using, I guess mydomain.com is not the correct one and also ldap.mydomain.com is not the active directory domain name, please determine what is the active directory domain name, you can do this via the domains and site manager.

2. the command and full output of dig using:

$ dig @srvdc03.<domain> SRV _ldap._tcp.<domain>
$ dig @srvdc03.<domain> SRV _gc._tcp.<domain>

these srv records MUST exist within active directory DNS, otherwise the active directory itself will not work, your task is to find what <domain> is in your environment and what server runs valid DNS.

3. open the dns manager within active directory, expand the _tcp branch, and attach screen shot of what you see.

Thanks,
Alon.
2015-01-29 14:40 GMT+01:00 Ondra Machacek <omachace@redhat.com>:

On 01/29/2015 02:18 PM, Koen Vanoppen wrote:

OK... Now I have this one :-)
WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: Invalid DNS pseudo-URL(s):

uncomment vars.dns

Changed the properties file to this:

include = <ad.properties>

#
# Active directory domain name.
#
vars.domain = ldap.mydomain.com (this one resolves to and gives ping back, front end of the pool)

#
# Search user and its password.
#
vars.user = juniper-admin@mydomain.com
vars.password = *****

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these resolve and give a ping back)

pool.default.serverset.type = srvrecord
#pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
Thanks for your effort!
2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Thursday, January 29, 2015 2:41:52 PM
Subject: Re: [ovirt-users] AAA
Yes We have:
[root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_gc._tcp.mydomain.com. IN SRV

this ^^^^^^^ means that you do not have srv record. are you sure you replace mydomain.com with your actual active directory domain name? have you tried to look into your dns manager for this information as well?

;; AUTHORITY SECTION:
mydomain.com. 3600 IN SOA srvdc03.mydomain.com. hostmaster.airport. 1398582 900 600 86400 3600

;; Query time: 12 msec
;; SERVER: 10.110.3.123#53(10.110.3.123)
;; WHEN: Thu Jan 29 13:40:41 2015
;; MSG SIZE rcvd: 98
2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
From: "Koen Vanoppen" <vanoppen.koen@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>, users@ovirt.org
Sent: Thursday, January 29, 2015 2:19:32 PM
Subject: Re: [ovirt-users] AAA
Big thanks for your help, but still the same:
#
# Active directory domain name.
#
vars.domain = mydomain.com

#
# Search user and its password.
#
vars.user = admin@${global:vars.domain}
vars.password = *****

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
vars.dns = dns://srvdc03.${global:vars.domain} dns://srvdc04.${global:vars.domain}

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

[ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: No DNS SRV records were found with record name '_gc._tcp.brussels.airport'.

And I can't put '_gc._tcp.mydomain.com in the dns... Isn't there another way it just resolves the dns servers I gave him?

Microsoft Domain controller must have gc service entry within DNS to work properly.

1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com?

2. Can you please execute:
$ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com

3. Can you please open the DNS manager within your domain and search for srv records? Maybe you have DNS installed only on few servers, using the DNS manager you can also see which.
2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl@redhat.com>:
----- Original Message -----
From: "Ondra Machacek" <omachace@redhat.com>
To: "Koen Vanoppen" <vanoppen.koen@gmail.com>, users@ovirt.org
Sent: Thursday, January 29, 2015 1:49:00 PM
Subject: Re: [ovirt-users] AAA
On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
> No, I don't. and I wouldn't know how he got to this name...
Well, then you have to, if you want to use 'pool.default.serverset.type = srvrecord'.
It just needs to know where your global catalog is running, since it's needed for new provider.
It searches for global catalog like this: dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}
So you need to have this SRV record in DNS, if you want to use srvrecord serverset type. Or you don't have to if you use single server type.
active directory will not work without access to global catalog. please set one or more of the domain controllers as dns server, for example:

vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}

please also uncomment/add these lines to make vars.dns effective.

pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
Thanks!
> > Thanks for the reply! > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek
< omachace@redhat.com <mailto: omachace@redhat.com >
> <mailto: omachace@redhat.com <mailto: omachace@redhat.com >>> :
> On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
> > Can somebody help me setting up AAA for ovirt 3.5.1?
> >
> > I'm getting this now:
> >
> > 2015-01-29 11:35:36,889 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc._tcp.brussels.airport': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc._tcp.brussels.airport'
>
> Do you have this '_gc._tcp.brussels.airport' SRV record in DNS?
>
> > my 3 configs:
> >
> > _*BRU_AIR-authn.properties*_
> > ovirt.engine.extension.name = BRU_AIR-authn
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> > ovirt.engine.aaa.authn.profile.name = BRU-AIR
> > ovirt.engine.aaa.authn.authz.plugin = BRU_AIR-authz
> > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
> >
> > _*BRU_AIR-authz.properties*_
> > ovirt.engine.extension.name = BRU_AIR-authz
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
> >
> > _*BRU_AIR.properties*_
> > include = <ad.properties>
> >
> > #
> > # Active directory domain name.
> > #
> > vars.domain = mydomain.com
> >
> > #
> > # Search user and its password.
> > #
> > vars.user = admin@${global:vars.domain}
> > vars.password = ***********
> >
> > #
> > # Optional DNS servers, if enterprise
> > # DNS server cannot resolve the domain srvrecord.
> > #
> > vars.dns = dns://dc01.mydomain.com
> >
> > pool.default.serverset.type = srvrecord
> > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > pool.default.auth.simple.bindDN = ${global:vars.user}
> > pool.default.auth.simple.password = ${global:vars.password
> >
> > In the GUI for adding user I get this:
> >
> > An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc__tcp_brussels_airport': javax_naming_NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc__tcp_brussels_airport'
> >
> > Any ideas? I ran out...
> >
> > Kind regards,
> >
> > Koen
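An added example (not part of the thread and not oVirt code): a small Python triage helper for the failure quoted above. It extracts the failing SRV name and DNS response code from an engine log line, expands the `${global:...}` references in the profile, and builds the `dig` command to verify the record against the server in `vars.dns`. The sample log and profile are constructed from values quoted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample input, built from the log line and profile values quoted in this thread.
SAMPLE_LOG = (
    "2015-01-29 11:35:36,889 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] "
    "Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while "
    "attempting to query DNS in order to retrieve SRV records with name '_gc._tcp.brussels.airport': "
    "javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name ..."
)
SAMPLE_PROFILE = """\
vars.domain = mydomain.com
vars.dns = dns://dc01.mydomain.com
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
"""

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}  # DNS response codes
SRV_FAIL = re.compile(r"SRV records with name '((_[\w-]+\._(?:tcp|udp))\.([^']+))'.*?\[response code (\d+)\]")
VAR_REF = re.compile(r"\$\{global:([^}]+)\}")

def parse_properties(text):
    """Parse key = value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def resolve(props, key, depth=0):
    """Expand ${global:name} references; the depth limit stops reference loops."""
    if depth > 10:
        raise ValueError("reference loop at " + key)
    return VAR_REF.sub(lambda m: resolve(props, m.group(1), depth + 1), props[key])

def diagnose(log_text, profile_text):
    """Return (srv_name, rcode, note, dig_command) for each failed SRV lookup in the log."""
    props = parse_properties(profile_text)
    configured = resolve(props, "pool.default.serverset.srvrecord.domain")
    server = props.get("vars.dns", "").replace("dns://", "")
    findings = []
    for name, _service, domain, code in SRV_FAIL.findall(log_text):
        rcode = RCODES.get(int(code), "RCODE " + code)
        note = "matches profile" if domain == configured else "profile domain is " + configured
        cmd = "dig " + ("@" + server + " " if server else "") + "+short SRV " + name
        findings.append((name, rcode, note, cmd))
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_PROFILE))
```

Response code 3 is NXDOMAIN, meaning the resolver that was asked has no such name, so the check to run is the emitted `dig` command against the intended DNS server.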
participants (3): Alon Bar-Lev, Koen Vanoppen, Ondra Machacek