On 01/29/2015 11:41 AM, Koen Vanoppen wrote: > Can somebody help me setting up AAA for ovirt 3.5.1? > > I'm getting this now: > > 2015-01-29 11:35:36,889 WARN > [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread > 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot > initialize LDAP framework, deferring initialization. Error: An error > occurred while attempting to query DNS in order to retrieve SRV records > with name '_gc._tcp.brussels.airport': > javax.naming.NameNotFoundException: DNS name not found [response code > 3]; remaining name '_gc._tcp.brussels.airport' > Do you have this '_gc._tcp.brussels.airport' SRV record in DNS ? > my 3 configs: > _*BRU_AIR-authn.properties*_ > ovirt.engine.extension.name <http://ovirt.engine.extension.name> = > BRU_AIR-authn > ovirt.engine.extension.bindings.method = jbossmodule > ovirt.engine.extension.binding.jbossmodule.module = > org.ovirt.engine-extensions.aaa.ldap > ovirt.engine.extension.binding.jbossmodule.class = > org.ovirt.engineextensions.aaa.ldap.AuthnExtension > ovirt.engine.extension.provides = org.ovirt.engine.api. > extensions.aaa.Authn > ovirt.engine.aaa.authn.profile.name > <http://ovirt.engine.aaa.authn.profile.name> = BRU-AIR > ovirt.engine.aaa.authn.authz.plugin = BRU_AIR-authz > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties > > _*BRU_AIR-authz.properties*_ > ovirt.engine.extension.name <http://ovirt.engine.extension.name> = > BRU_AIR-authz > ovirt.engine.extension.bindings.method = jbossmodule > ovirt.engine.extension.binding.jbossmodule.module = > org.ovirt.engine-extensions.aaa.ldap > ovirt.engine.extension.binding.jbossmodule.class = > org.ovirt.engineextensions.aaa.ldap.AuthzExtension > ovirt.engine.extension.provides = org.ovirt.engine.api. > extensions.aaa.Authz > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties > > _*BRU_AIR.properties*_ > include = <ad.properties> > > # > # Active directory domain name. > # > vars.domain = mydomain.com <http://mydomain.com> > > # > # Search user and its password. > # > vars.user = admin@${global:vars.domain} > vars.password = *********** > > # > # Optional DNS servers, if enterprise > # DNS server cannot resolve the domain srvrecord. > # > vars.dns = dns://dc01.mydomain.com <http://dc01.mydomain.com> > > pool.default.serverset.type = srvrecord > pool.default.serverset.srvrecord.domain = ${global:vars.domain} > pool.default.auth.simple.bindDN = ${global:vars.user} > pool.default.auth.simple.password = ${global:vars.password > > In the GUI for adding user I get this: > > An error occurred while attempting to query DNS in order to retrieve SRV > records with name '_gc__tcp_brussels_airport': > javax_naming_NameNotFoundException: DNS name not found [response code > 3]; remaining name '_gc__tcp_brussels_airport' > > Any ideas? I ran out... > > Kind regards, > > Koen > > > _______________________________________________ > Users mailing list > Users(a)ovirt.org > http://lists.ovirt.org/mailman/listinfo/users > >

From: "Ondra Machacek" <omachace(a)redhat.com&gt; To: "Koen Vanoppen" <vanoppen.koen(a)gmail.com&gt;, users(a)ovirt.org Sent: Thursday, January 29, 2015 1:49:00 PM Subject: Re: [ovirt-users] AAA On 01/29/2015 12:30 PM, Koen Vanoppen wrote: > No, I don't. and I wouldn't know how he got to this name... Well, then you have to, if you want to use 'pool.default.serverset.type = srvrecord'. It just need to know where your global catalog is running, since it's needed for new provider. It searches for global catalog like this: dig @${vars.dns} -t SRV _gc._tcp.${vars.domain} So you need to have this SRV record in DNS, if you want to use srvrecord serverset type. Or you don't have to if you use single server type.

> > Thanks for the reply! > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek <omachace(a)redhat.com > <mailto:omachace@redhat.com>>: > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote: > > Can somebody help me setting up AAA for ovirt 3.5.1? > > I'm getting this now: > > 2015-01-29 11:35:36,889 WARN > [org.ovirt.engineextensions.__aaa.ldap.AuthzExtension] (MSC > service thread > 1-1) [ovirt-engine-extension-aaa-__ldap.authz::BRU_AIR-authz] > Cannot > initialize LDAP framework, deferring initialization. Error: An > error > occurred while attempting to query DNS in order to retrieve SRV > records > with name '_gc._tcp.brussels.airport': > javax.naming.__NameNotFoundException: DNS name not found > [response code > 3]; remaining name '_gc._tcp.brussels.airport' > > > Do you have this '_gc._tcp.brussels.airport' SRV record in DNS ? > > > my 3 configs: > _*BRU_AIR-authn.properties*_ > ovirt.engine.extension.name <http://ovirt.engine.extension.name> > <http://ovirt.engine.__extension.name > <http://ovirt.engine.extension.name>> = > BRU_AIR-authn > ovirt.engine.extension.__bindings.method = jbossmodule > ovirt.engine.extension.__binding.jbossmodule.module = > org.ovirt.engine-extensions.__aaa.ldap > ovirt.engine.extension.__binding.jbossmodule.class = > org.ovirt.engineextensions.__aaa.ldap.AuthnExtension > ovirt.engine.extension.__provides = > org.ovirt.engine.api.__extensions.aaa.Authn > ovirt.engine.aaa.authn.__profile.name > <http://ovirt.engine.aaa.authn.profile.name> > <http://ovirt.engine.aaa.__authn.profile.name > <http://ovirt.engine.aaa.authn.profile.name>> = BRU-AIR > ovirt.engine.aaa.authn.authz.__plugin = BRU_AIR-authz > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.__properties > > _*BRU_AIR-authz.properties*_ > ovirt.engine.extension.name <http://ovirt.engine.extension.name> > <http://ovirt.engine.__extension.name > <http://ovirt.engine.extension.name>> = > BRU_AIR-authz > ovirt.engine.extension.__bindings.method = jbossmodule > ovirt.engine.extension.__binding.jbossmodule.module = > org.ovirt.engine-extensions.__aaa.ldap > ovirt.engine.extension.__binding.jbossmodule.class = > org.ovirt.engineextensions.__aaa.ldap.AuthzExtension > ovirt.engine.extension.__provides = > org.ovirt.engine.api.__extensions.aaa.Authz > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.__properties > > _*BRU_AIR.properties*_ > include = <ad.properties> > > # > # Active directory domain name. > # > vars.domain = mydomain.com <http://mydomain.com> > <http://mydomain.com> > > # > # Search user and its password. > # > vars.user = admin@${global:vars.domain} > vars.password = *********** > > # > # Optional DNS servers, if enterprise > # DNS server cannot resolve the domain srvrecord. > # > vars.dns = dns://dc01.mydomain.com <http://dc01.mydomain.com> > <http://dc01.mydomain.com> > > pool.default.serverset.type = srvrecord > pool.default.serverset.__srvrecord.domain = ${global:vars.domain} > pool.default.auth.simple.__bindDN = ${global:vars.user} > pool.default.auth.simple.__password = ${global:vars.password > > In the GUI for adding user I get this: > > An error occurred while attempting to query DNS in order to > retrieve SRV > records with name '_gc__tcp_brussels_airport': > javax_naming___NameNotFoundException: DNS name not found > [response code > 3]; remaining name '_gc__tcp_brussels_airport' > > Any ideas? I ran out... > > Kind regards, > > Koen > > > _________________________________________________ > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> > http://lists.ovirt.org/__mailman/listinfo/users > <http://lists.ovirt.org/mailman/listinfo/users> > > _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users

From: "Koen Vanoppen" <vanoppen.koen(a)gmail.com&gt; To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt;, users(a)ovirt.org Sent: Thursday, January 29, 2015 2:19:32 PM Subject: Re: [ovirt-users] AAA Big thanks for your help, but still the same: # # Active directory domain name. # vars.domain = mydomain.com # # Search user and its password. # vars.user = admin@${global:vars.domain} vars.password = ***** # # Optional DNS servers, if enterprise # DNS server cannot resolve the domain srvrecord. # vars.dns = dns://srvdc03.${global:vars.domain} dns://srvdc04.${global:vars.domain} pool.default.serverset.type = srvrecord pool.default.serverset.srvrecord.domain = ${global:vars.domain} pool.default.auth.simple.bindDN = ${global:vars.user} pool.default.auth.simple.password = ${global:vars.password} # Uncomment if using custom DNS pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns} pool.default.socketfactory.resolver.uRL = ${global:vars.dns} [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: No DNS SRV records were found with record name '_gc._tcp.brussels.airport'. And I can't put '_gc._tcp.mydomain.com in the dns... Isn't there another way it just resolves the dns servers I gave him?

2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl(a)redhat.com&gt;: > > > ----- Original Message ----- > > From: "Ondra Machacek" <omachace(a)redhat.com&gt; > > To: "Koen Vanoppen" <vanoppen.koen(a)gmail.com&gt;, users(a)ovirt.org > > Sent: Thursday, January 29, 2015 1:49:00 PM > > Subject: Re: [ovirt-users] AAA > > > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote: > > > No, I don't. and I wouldn't know how he got to this name... > > > > Well, then you have to, if you want to use 'pool.default.serverset.type > > = srvrecord'. > > > > It just need to know where your global catalog is running, since it's > > needed for new provider. > > > > It searches for global catalog like this: > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain} > > > > So you need to have this SRV record in DNS, if you want to use srvrecord > > serverset type. Or you don't have to if you use single server type. > > active directory will not work without access to global catalog. > please set one or more of the domain controllers as dns server, for > example: > > vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain} > > please also uncomment/add these lines to make vars.dns effective. > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url > = ${global:vars.dns} > pool.default.socketfactory.resolver.uRL = ${global:vars.dns} > > Thanks! > > > > > > > > > Thanks for the reply! > > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek <omachace(a)redhat.com > > > <mailto:omachace@redhat.com>>: > > > > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote: > > > > > > Can somebody help me setting up AAA for ovirt 3.5.1? > > > > > > I'm getting this now: > > > > > > 2015-01-29 11:35:36,889 WARN > > > [org.ovirt.engineextensions.__aaa.ldap.AuthzExtension] (MSC > > > service thread > > > 1-1) [ovirt-engine-extension-aaa-__ldap.authz::BRU_AIR-authz] > > > Cannot > > > initialize LDAP framework, deferring initialization. Error: An > > > error > > > occurred while attempting to query DNS in order to retrieve SRV > > > records > > > with name '_gc._tcp.brussels.airport': > > > javax.naming.__NameNotFoundException: DNS name not found > > > [response code > > > 3]; remaining name '_gc._tcp.brussels.airport' > > > > > > > > > Do you have this '_gc._tcp.brussels.airport' SRV record in DNS ? > > > > > > > > > my 3 configs: > > > _*BRU_AIR-authn.properties*_ > > > ovirt.engine.extension.name < > http://ovirt.engine.extension.name> > > > <http://ovirt.engine.__extension.name > > > <http://ovirt.engine.extension.name>> = > > > BRU_AIR-authn > > > ovirt.engine.extension.__bindings.method = jbossmodule > > > ovirt.engine.extension.__binding.jbossmodule.module = > > > org.ovirt.engine-extensions.__aaa.ldap > > > ovirt.engine.extension.__binding.jbossmodule.class = > > > org.ovirt.engineextensions.__aaa.ldap.AuthnExtension > > > ovirt.engine.extension.__provides = > > > org.ovirt.engine.api.__extensions.aaa.Authn > > > ovirt.engine.aaa.authn.__profile.name > > > <http://ovirt.engine.aaa.authn.profile.name> > > > <http://ovirt.engine.aaa.__authn.profile.name > > > <http://ovirt.engine.aaa.authn.profile.name>> = BRU-AIR > > > ovirt.engine.aaa.authn.authz.__plugin = BRU_AIR-authz > > > config.profile.file.1 = > /etc/ovirt-engine/aaa/BRU_AIR.__properties > > > > > > _*BRU_AIR-authz.properties*_ > > > ovirt.engine.extension.name < > http://ovirt.engine.extension.name> > > > <http://ovirt.engine.__extension.name > > > <http://ovirt.engine.extension.name>> = > > > BRU_AIR-authz > > > ovirt.engine.extension.__bindings.method = jbossmodule > > > ovirt.engine.extension.__binding.jbossmodule.module = > > > org.ovirt.engine-extensions.__aaa.ldap > > > ovirt.engine.extension.__binding.jbossmodule.class = > > > org.ovirt.engineextensions.__aaa.ldap.AuthzExtension > > > ovirt.engine.extension.__provides = > > > org.ovirt.engine.api.__extensions.aaa.Authz > > > config.profile.file.1 = > /etc/ovirt-engine/aaa/BRU_AIR.__properties > > > > > > _*BRU_AIR.properties*_ > > > include = <ad.properties> > > > > > > # > > > # Active directory domain name. > > > # > > > vars.domain = mydomain.com <http://mydomain.com> > > > <http://mydomain.com> > > > > > > # > > > # Search user and its password. > > > # > > > vars.user = admin@${global:vars.domain} > > > vars.password = *********** > > > > > > # > > > # Optional DNS servers, if enterprise > > > # DNS server cannot resolve the domain srvrecord. > > > # > > > vars.dns = dns://dc01.mydomain.com <http://dc01.mydomain.com> > > > <http://dc01.mydomain.com> > > > > > > pool.default.serverset.type = srvrecord > > > pool.default.serverset.__srvrecord.domain = > ${global:vars.domain} > > > pool.default.auth.simple.__bindDN = ${global:vars.user} > > > pool.default.auth.simple.__password = ${global:vars.password > > > > > > In the GUI for adding user I get this: > > > > > > An error occurred while attempting to query DNS in order to > > > retrieve SRV > > > records with name '_gc__tcp_brussels_airport': > > > javax_naming___NameNotFoundException: DNS name not found > > > [response code > > > 3]; remaining name '_gc__tcp_brussels_airport' > > > > > > Any ideas? I ran out... > > > > > > Kind regards, > > > > > > Koen > > > > > > > > > _________________________________________________ > > > Users mailing list > > > Users(a)ovirt.org <mailto:Users@ovirt.org> > > > http://lists.ovirt.org/__mailman/listinfo/users > > > <http://lists.ovirt.org/mailman/listinfo/users> > > > > > > > > _______________________________________________ > > Users mailing list > > Users(a)ovirt.org > > http://lists.ovirt.org/mailman/listinfo/users > > >

From: "Koen Vanoppen" <vanoppen.koen(a)gmail.com&gt; To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; Cc: users(a)ovirt.org Sent: Thursday, January 29, 2015 2:41:52 PM Subject: Re: [ovirt-users] AAA Yes We have: [root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._ tcp.mydomain.com ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;_gc._tcp.mydomain.com. IN SRV

;; AUTHORITY SECTION: mydomain.com. 3600 IN SOA srvdc03.mydomain.com. hostmaster.airport. 1398582 900 600 86400 3600 ;; Query time: 12 msec ;; SERVER: 10.110.3.123#53(10.110.3.123) ;; WHEN: Thu Jan 29 13:40:41 2015 ;; MSG SIZE rcvd: 98 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <alonbl(a)redhat.com&gt;: > > > ----- Original Message ----- > > From: "Koen Vanoppen" <vanoppen.koen(a)gmail.com&gt; > > To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt;, users(a)ovirt.org > > Sent: Thursday, January 29, 2015 2:19:32 PM > > Subject: Re: [ovirt-users] AAA > > > > Big thanks for your help, but still the same: > > > > # > > # Active directory domain name. > > # > > vars.domain = mydomain.com > > > > # > > # Search user and its password. > > # > > vars.user = admin@${global:vars.domain} > > vars.password = ***** > > > > # > > # Optional DNS servers, if enterprise > > # DNS server cannot resolve the domain srvrecord. > > # > > vars.dns = dns://srvdc03.${global:vars.domain} > > dns://srvdc04.${global:vars.domain} > > > > pool.default.serverset.type = srvrecord > > pool.default.serverset.srvrecord.domain = ${global:vars.domain} > > pool.default.auth.simple.bindDN = ${global:vars.user} > > pool.default.auth.simple.password = ${global:vars.password} > > > > # Uncomment if using custom DNS > > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = > > ${global:vars.dns} > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns} > > > > > > > > [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize > > LDAP framework, deferring initialization. Error: No DNS SRV records were > > found with record name '_gc._tcp.brussels.airport'. > > > > And I can't put '_gc._tcp.mydomain.com in the dns... Isn't there another > > way it just resolves the dns servers I gave him? > > > > Microsoft Domain controller must have gc service entry within DNS to work > properly. > 1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com ? > 2. Can you please execute: > $ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com > 3. Can you please open the DNS manager within your domain and search for > srv records? Maybe you have DNS installed only on few servers, using the > DNS manager you can also see which. > > > > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl(a)redhat.com&gt;: > > > > > > > > > > > ----- Original Message ----- > > > > From: "Ondra Machacek" <omachace(a)redhat.com&gt; > > > > To: "Koen Vanoppen" <vanoppen.koen(a)gmail.com&gt;, users(a)ovirt.org > > > > Sent: Thursday, January 29, 2015 1:49:00 PM > > > > Subject: Re: [ovirt-users] AAA > > > > > > > > > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote: > > > > > No, I don't. and I wouldn't know how he got to this name... > > > > > > > > Well, then you have to, if you want to use > 'pool.default.serverset.type > > > > = srvrecord'. > > > > > > > > It just need to know where your global catalog is running, since it's > > > > needed for new provider. > > > > > > > > It searches for global catalog like this: > > > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain} > > > > > > > > So you need to have this SRV record in DNS, if you want to use > srvrecord > > > > serverset type. Or you don't have to if you use single server type. > > > > > > active directory will not work without access to global catalog. > > > please set one or more of the domain controllers as dns server, for > > > example: > > > > > > vars.dns = dns://dc1.${global:vars.domain} > dns://dc2.${global:vars.domain} > > > > > > please also uncomment/add these lines to make vars.dns effective. > > > > > > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url > > > = ${global:vars.dns} > > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns} > > > > > > Thanks! > > > > > > > > > > > > > > > > > Thanks for the reply! > > > > > > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek <omachace(a)redhat.com > > > > > <mailto:omachace@redhat.com>>: > > > > > > > > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote: > > > > > > > > > > Can somebody help me setting up AAA for ovirt 3.5.1? > > > > > > > > > > I'm getting this now: > > > > > > > > > > 2015-01-29 11:35:36,889 WARN > > > > > [org.ovirt.engineextensions.__aaa.ldap.AuthzExtension] (MSC > > > > > service thread > > > > > 1-1) > [ovirt-engine-extension-aaa-__ldap.authz::BRU_AIR-authz] > > > > > Cannot > > > > > initialize LDAP framework, deferring initialization. > Error: An > > > > > error > > > > > occurred while attempting to query DNS in order to > retrieve SRV > > > > > records > > > > > with name '_gc._tcp.brussels.airport': > > > > > javax.naming.__NameNotFoundException: DNS name not found > > > > > [response code > > > > > 3]; remaining name '_gc._tcp.brussels.airport' > > > > > > > > > > > > > > > Do you have this '_gc._tcp.brussels.airport' SRV record in DNS > ? > > > > > > > > > > > > > > > my 3 configs: > > > > > _*BRU_AIR-authn.properties*_ > > > > > ovirt.engine.extension.name < > > > http://ovirt.engine.extension.name> > > > > > <http://ovirt.engine.__extension.name > > > > > <http://ovirt.engine.extension.name>> = > > > > > BRU_AIR-authn > > > > > ovirt.engine.extension.__bindings.method = jbossmodule > > > > > ovirt.engine.extension.__binding.jbossmodule.module = > > > > > org.ovirt.engine-extensions.__aaa.ldap > > > > > ovirt.engine.extension.__binding.jbossmodule.class = > > > > > org.ovirt.engineextensions.__aaa.ldap.AuthnExtension > > > > > ovirt.engine.extension.__provides = > > > > > org.ovirt.engine.api.__extensions.aaa.Authn > > > > > ovirt.engine.aaa.authn.__profile.name > > > > > <http://ovirt.engine.aaa.authn.profile.name> > > > > > <http://ovirt.engine.aaa.__authn.profile.name > > > > > <http://ovirt.engine.aaa.authn.profile.name>> = BRU-AIR > > > > > ovirt.engine.aaa.authn.authz.__plugin = BRU_AIR-authz > > > > > config.profile.file.1 = > > > /etc/ovirt-engine/aaa/BRU_AIR.__properties > > > > > > > > > > _*BRU_AIR-authz.properties*_ > > > > > ovirt.engine.extension.name < > > > http://ovirt.engine.extension.name> > > > > > <http://ovirt.engine.__extension.name > > > > > <http://ovirt.engine.extension.name>> = > > > > > BRU_AIR-authz > > > > > ovirt.engine.extension.__bindings.method = jbossmodule > > > > > ovirt.engine.extension.__binding.jbossmodule.module = > > > > > org.ovirt.engine-extensions.__aaa.ldap > > > > > ovirt.engine.extension.__binding.jbossmodule.class = > > > > > org.ovirt.engineextensions.__aaa.ldap.AuthzExtension > > > > > ovirt.engine.extension.__provides = > > > > > org.ovirt.engine.api.__extensions.aaa.Authz > > > > > config.profile.file.1 = > > > /etc/ovirt-engine/aaa/BRU_AIR.__properties > > > > > > > > > > _*BRU_AIR.properties*_ > > > > > include = <ad.properties> > > > > > > > > > > # > > > > > # Active directory domain name. > > > > > # > > > > > vars.domain = mydomain.com <http://mydomain.com> > > > > > <http://mydomain.com> > > > > > > > > > > # > > > > > # Search user and its password. > > > > > # > > > > > vars.user = admin@${global:vars.domain} > > > > > vars.password = *********** > > > > > > > > > > # > > > > > # Optional DNS servers, if enterprise > > > > > # DNS server cannot resolve the domain srvrecord. > > > > > # > > > > > vars.dns = dns://dc01.mydomain.com < > http://dc01.mydomain.com> > > > > > <http://dc01.mydomain.com> > > > > > > > > > > pool.default.serverset.type = srvrecord > > > > > pool.default.serverset.__srvrecord.domain = > > > ${global:vars.domain} > > > > > pool.default.auth.simple.__bindDN = ${global:vars.user} > > > > > pool.default.auth.simple.__password = > ${global:vars.password > > > > > > > > > > In the GUI for adding user I get this: > > > > > > > > > > An error occurred while attempting to query DNS in order to > > > > > retrieve SRV > > > > > records with name '_gc__tcp_brussels_airport': > > > > > javax_naming___NameNotFoundException: DNS name not found > > > > > [response code > > > > > 3]; remaining name '_gc__tcp_brussels_airport' > > > > > > > > > > Any ideas? I ran out... > > > > > > > > > > Kind regards, > > > > > > > > > > Koen > > > > > > > > > > > > > > > _________________________________________________ > > > > > Users mailing list > > > > > Users(a)ovirt.org <mailto:Users@ovirt.org> > > > > > http://lists.ovirt.org/__mailman/listinfo/users > > > > > <http://lists.ovirt.org/mailman/listinfo/users> > > > > > > > > > > > > > > _______________________________________________ > > > > Users mailing list > > > > Users(a)ovirt.org > > > > http://lists.ovirt.org/mailman/listinfo/users > > > > > > > > > >

OK... Now I have this one :-) WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: Invalid DNS pseudo-URL(s): Changed the properties file to this: include = <ad.properties> # # Active directory domain name. # vars.domain = ldap.mydomain.com (this one resolves to and gives ping back, front end of the pool) # # Search user and its password. # vars.user = juniper-admin(a)mydomain.com vars.password = ***** # # Optional DNS servers, if enterprise # DNS server cannot resolve the domain srvrecord. # #vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these resolve and give a ping back) pool.default.serverset.type = srvrecord #pool.default.serverset.single.server = ${global:vars.server} pool.default.serverset.srvrecord.domain = ${global:vars.domain} pool.default.auth.simple.bindDN = ${global:vars.user} pool.default.auth.simple.password = ${global:vars.password} # Uncomment if using custom DNS pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns} pool.default.socketfactory.resolver.uRL = ${global:vars.dns} Thanks for your effort! 2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alonbl(a)redhat.com&gt;: > > > ----- Original Message ----- > > From: "Koen Vanoppen" <vanoppen.koen(a)gmail.com&gt; > > To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; > > Cc: users(a)ovirt.org > > Sent: Thursday, January 29, 2015 2:41:52 PM > > Subject: Re: [ovirt-users] AAA > > > > Yes We have: > > > > [root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._ > > tcp.mydomain.com > > > > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @ > srvdc03.mydomain.com > > SRV _gc._tcp.mydomain.com > > ; (1 server found) > > ;; global options: +cmd > > ;; Got answer: > > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340 > > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 > > > > ;; QUESTION SECTION: > > ;_gc._tcp.mydomain.com. IN SRV > > this ^^^^^^^ means that you do not have srv record. are you sure you > replace mydomain.com with your actual active directory domain name? > have you tried to look into your dns manager for this information as well? > > > > > ;; AUTHORITY SECTION: > > mydomain.com. 3600 IN SOA srvdc03.mydomain.com. > > hostmaster.airport. 1398582 900 600 86400 3600 > > > > ;; Query time: 12 msec > > ;; SERVER: 10.110.3.123#53(10.110.3.123) > > ;; WHEN: Thu Jan 29 13:40:41 2015 > > ;; MSG SIZE rcvd: 98 > > > > > > > > 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <alonbl(a)redhat.com&gt;: > > > > > > > > > > > ----- Original Message ----- > > > > From: "Koen Vanoppen" <vanoppen.koen(a)gmail.com&gt; > > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt;, users(a)ovirt.org > > > > Sent: Thursday, January 29, 2015 2:19:32 PM > > > > Subject: Re: [ovirt-users] AAA > > > > > > > > Big thanks for your help, but still the same: > > > > > > > > # > > > > # Active directory domain name. > > > > # > > > > vars.domain = mydomain.com > > > > > > > > # > > > > # Search user and its password. > > > > # > > > > vars.user = admin@${global:vars.domain} > > > > vars.password = ***** > > > > > > > > # > > > > # Optional DNS servers, if enterprise > > > > # DNS server cannot resolve the domain srvrecord. > > > > # > > > > vars.dns = dns://srvdc03.${global:vars.domain} > > > > dns://srvdc04.${global:vars.domain} > > > > > > > > pool.default.serverset.type = srvrecord > > > > pool.default.serverset.srvrecord.domain = ${global:vars.domain} > > > > pool.default.auth.simple.bindDN = ${global:vars.user} > > > > pool.default.auth.simple.password = ${global:vars.password} > > > > > > > > # Uncomment if using custom DNS > > > > > > > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = > > > > ${global:vars.dns} > > > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns} > > > > > > > > > > > > > > > > [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot > initialize > > > > LDAP framework, deferring initialization. Error: No DNS SRV records > were > > > > found with record name '_gc._tcp.brussels.airport'. > > > > > > > > And I can't put '_gc._tcp.mydomain.com in the dns... Isn't there > another > > > > way it just resolves the dns servers I gave him? > > > > > > > > > > Microsoft Domain controller must have gc service entry within DNS to > work > > > properly. > > > 1. Are you sure you have Microsoft DNS installed on > srvdc03.mydomain.com ? > > > 2. Can you please execute: > > > $ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com > > > 3. Can you please open the DNS manager within your domain and search > for > > > srv records? Maybe you have DNS installed only on few servers, using > the > > > DNS manager you can also see which. > > > > > > > > > > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl(a)redhat.com&gt;: > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Ondra Machacek" <omachace(a)redhat.com&gt; > > > > > > To: "Koen Vanoppen" <vanoppen.koen(a)gmail.com&gt;, users(a)ovirt.org > > > > > > Sent: Thursday, January 29, 2015 1:49:00 PM > > > > > > Subject: Re: [ovirt-users] AAA > > > > > > > > > > > > > > > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote: > > > > > > > No, I don't. and I wouldn't know how he got to this name... > > > > > > > > > > > > Well, then you have to, if you want to use > > > 'pool.default.serverset.type > > > > > > = srvrecord'. > > > > > > > > > > > > It just need to know where your global catalog is running, > since it's > > > > > > needed for new provider. > > > > > > > > > > > > It searches for global catalog like this: > > > > > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain} > > > > > > > > > > > > So you need to have this SRV record in DNS, if you want to use > > > srvrecord > > > > > > serverset type. Or you don't have to if you use single server > type. > > > > > > > > > > active directory will not work without access to global catalog. > > > > > please set one or more of the domain controllers as dns server, > for > > > > > example: > > > > > > > > > > vars.dns = dns://dc1.${global:vars.domain} > > > dns://dc2.${global:vars.domain} > > > > > > > > > > please also uncomment/add these lines to make vars.dns effective. > > > > > > > > > > > > > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url > > > > > = ${global:vars.dns} > > > > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns} > > > > > > > > > > Thanks! > > > > > > > > > > > > > > > > > > > > > > > > > Thanks for the reply! > > > > > > > > > > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek < > omachace(a)redhat.com > > > > > > > <mailto:omachace@redhat.com>>: > > > > > > > > > > > > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote: > > > > > > > > > > > > > > Can somebody help me setting up AAA for ovirt 3.5.1? > > > > > > > > > > > > > > I'm getting this now: > > > > > > > > > > > > > > 2015-01-29 11:35:36,889 WARN > > > > > > > > [org.ovirt.engineextensions.__aaa.ldap.AuthzExtension] (MSC > > > > > > > service thread > > > > > > > 1-1) > > > [ovirt-engine-extension-aaa-__ldap.authz::BRU_AIR-authz] > > > > > > > Cannot > > > > > > > initialize LDAP framework, deferring initialization. > > > Error: An > > > > > > > error > > > > > > > occurred while attempting to query DNS in order to > > > retrieve SRV > > > > > > > records > > > > > > > with name '_gc._tcp.brussels.airport': > > > > > > > javax.naming.__NameNotFoundException: DNS name not > found > > > > > > > [response code > > > > > > > 3]; remaining name '_gc._tcp.brussels.airport' > > > > > > > > > > > > > > > > > > > > > Do you have this '_gc._tcp.brussels.airport' SRV record > in DNS > > > ? > > > > > > > > > > > > > > > > > > > > > my 3 configs: > > > > > > > _*BRU_AIR-authn.properties*_ > > > > > > > ovirt.engine.extension.name < > > > > > http://ovirt.engine.extension.name> > > > > > > > <http://ovirt.engine.__extension.name > > > > > > > <http://ovirt.engine.extension.name>> = > > > > > > > BRU_AIR-authn > > > > > > > ovirt.engine.extension.__bindings.method = jbossmodule > > > > > > > ovirt.engine.extension.__binding.jbossmodule.module = > > > > > > > org.ovirt.engine-extensions.__aaa.ldap > > > > > > > ovirt.engine.extension.__binding.jbossmodule.class = > > > > > > > org.ovirt.engineextensions.__aaa.ldap.AuthnExtension > > > > > > > ovirt.engine.extension.__provides = > > > > > > > org.ovirt.engine.api.__extensions.aaa.Authn > > > > > > > ovirt.engine.aaa.authn.__profile.name > > > > > > > <http://ovirt.engine.aaa.authn.profile.name> > > > > > > > <http://ovirt.engine.aaa.__authn.profile.name > > > > > > > <http://ovirt.engine.aaa.authn.profile.name>> = > BRU-AIR > > > > > > > ovirt.engine.aaa.authn.authz.__plugin = BRU_AIR-authz > > > > > > > config.profile.file.1 = > > > > > /etc/ovirt-engine/aaa/BRU_AIR.__properties > > > > > > > > > > > > > > _*BRU_AIR-authz.properties*_ > > > > > > > ovirt.engine.extension.name < > > > > > http://ovirt.engine.extension.name> > > > > > > > <http://ovirt.engine.__extension.name > > > > > > > <http://ovirt.engine.extension.name>> = > > > > > > > BRU_AIR-authz > > > > > > > ovirt.engine.extension.__bindings.method = jbossmodule > > > > > > > ovirt.engine.extension.__binding.jbossmodule.module = > > > > > > > org.ovirt.engine-extensions.__aaa.ldap > > > > > > > ovirt.engine.extension.__binding.jbossmodule.class = > > > > > > > org.ovirt.engineextensions.__aaa.ldap.AuthzExtension > > > > > > > ovirt.engine.extension.__provides = > > > > > > > org.ovirt.engine.api.__extensions.aaa.Authz > > > > > > > config.profile.file.1 = > > > > > /etc/ovirt-engine/aaa/BRU_AIR.__properties > > > > > > > > > > > > > > _*BRU_AIR.properties*_ > > > > > > > include = <ad.properties> > > > > > > > > > > > > > > # > > > > > > > # Active directory domain name. > > > > > > > # > > > > > > > vars.domain = mydomain.com <http://mydomain.com> > > > > > > > <http://mydomain.com> > > > > > > > > > > > > > > # > > > > > > > # Search user and its password. > > > > > > > # > > > > > > > vars.user = admin@${global:vars.domain} > > > > > > > vars.password = *********** > > > > > > > > > > > > > > # > > > > > > > # Optional DNS servers, if enterprise > > > > > > > # DNS server cannot resolve the domain srvrecord. > > > > > > > # > > > > > > > vars.dns = dns://dc01.mydomain.com < > > > http://dc01.mydomain.com> > > > > > > > <http://dc01.mydomain.com> > > > > > > > > > > > > > > pool.default.serverset.type = srvrecord > > > > > > > pool.default.serverset.__srvrecord.domain = > > > > > ${global:vars.domain} > > > > > > > pool.default.auth.simple.__bindDN = > ${global:vars.user} > > > > > > > pool.default.auth.simple.__password = > > > ${global:vars.password > > > > > > > > > > > > > > In the GUI for adding user I get this: > > > > > > > > > > > > > > An error occurred while attempting to query DNS in > order to > > > > > > > retrieve SRV > > > > > > > records with name '_gc__tcp_brussels_airport': > > > > > > > javax_naming___NameNotFoundException: DNS name not > found > > > > > > > [response code > > > > > > > 3]; remaining name '_gc__tcp_brussels_airport' > > > > > > > > > > > > > > Any ideas? I ran out... > > > > > > > > > > > > > > Kind regards, > > > > > > > > > > > > > > Koen > > > > > > > > > > > > > > > > > > > > > _________________________________________________ > > > > > > > Users mailing list > > > > > > > Users(a)ovirt.org <mailto:Users@ovirt.org> > > > > > > > http://lists.ovirt.org/__mailman/listinfo/users > > > > > > > <http://lists.ovirt.org/mailman/listinfo/users> > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > Users mailing list > > > > > > Users(a)ovirt.org > > > > > > http://lists.ovirt.org/mailman/listinfo/users > > > > > > > > > > > > > > > > > > > > >

On 01/29/2015 02:18 PM, Koen Vanoppen wrote: > OK... Now I have this one :-) > WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service > thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] > Cannot initialize LDAP framework, deferring initialization. Error: > Invalid DNS pseudo-URL(s): > uncomment vars.dns > Changed the properties file to this: > > include = <ad.properties> > > # > # Active directory domain name. > # > vars.domain = ldap.mydomain.com <http://ldap.mydomain.com> (this one > resolves to and gives ping back, front end of the pool) > > # > # Search user and its password. > # > vars.user = juniper-admin(a)mydomain.com <mailto:juniper-admin@mydomain.com > > > vars.password = ***** > > # > # Optional DNS servers, if enterprise > # DNS server cannot resolve the domain srvrecord. > # > #vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these > resolve and give a ping back) > > pool.default.serverset.type = srvrecord > #pool.default.serverset.single.server = ${global:vars.server} > pool.default.serverset.srvrecord.domain = ${global:vars.domain} > pool.default.auth.simple.bindDN = ${global:vars.user} > pool.default.auth.simple.password = ${global:vars.password} > > # Uncomment if using custom DNS > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url > = > ${global:vars.dns} > pool.default.socketfactory.resolver.uRL = ${global:vars.dns} > > > Thanks for your effort! > > > 2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alonbl(a)redhat.com > <mailto:alonbl@redhat.com>>: > > > > ----- Original Message ----- > > From: "Koen Vanoppen" <vanoppen.koen(a)gmail.com <mailto: > vanoppen.koen(a)gmail.com&gt;&gt; > > To: "Alon Bar-Lev" <alonbl(a)redhat.com <mailto:alonbl@redhat.com>> > > Cc:users@ovirt.org <mailto:users@ovirt.org> > > Sent: Thursday, January 29, 2015 2:41:52 PM > > Subject: Re: [ovirt-users] AAA > > > > Yes We have: > > > > [root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com < > http://srvdc03.mydomain.com> SRV _gc._ > >tcp.mydomain.com <http://tcp.mydomain.com> > > > > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @ > srvdc03.mydomain.com <http://srvdc03.mydomain.com> > > SRV _gc._tcp.mydomain.com <http://tcp.mydomain.com> > > ; (1 server found) > > ;; global options: +cmd > > ;; Got answer: > > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340 > > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, > ADDITIONAL: 0 > > > > ;; QUESTION SECTION: > > ;_gc._tcp.mydomain.com <http://tcp.mydomain.com>;. IN SRV > > this ^^^^^^^ means that you do not have srv record. are you sure you > replace mydomain.com <http://mydomain.com> with your actual active > directory domain name? > have you tried to look into your dns manager for this information as > well? > > > > > ;; AUTHORITY SECTION: > > mydomain.com <http://mydomain.com>;. 3600 IN SOA > srvdc03.mydomain.com <http://srvdc03.mydomain.com>;. > > hostmaster.airport. 1398582 900 600 86400 3600 > > > > ;; Query time: 12 msec > > ;; SERVER: 10.110.3.123#53(10.110.3.123) > > ;; WHEN: Thu Jan 29 13:40:41 2015 > > ;; MSG SIZE rcvd: 98 > > > > > > > > 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <alonbl(a)redhat.com > <mailto:alonbl@redhat.com>>: > > > > > > > > > > > ----- Original Message ----- > > > > From: "Koen Vanoppen" <vanoppen.koen(a)gmail.com > <mailto:vanoppen.koen@gmail.com>> > > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com > <mailto:alonbl@redhat.com>>, users(a)ovirt.org <mailto:users@ovirt.org> > > > > Sent: Thursday, January 29, 2015 2:19:32 PM > > > > Subject: Re: [ovirt-users] AAA > > > > > > > > Big thanks for your help, but still the same: > > > > > > > > # > > > > # Active directory domain name. > > > > # > > > > vars.domain = mydomain.com <http://mydomain.com> > > > > > > > > # > > > > # Search user and its password. > > > > # > > > > vars.user = admin@${global:vars.domain} > > > > vars.password = ***** > > > > > > > > # > > > > # Optional DNS servers, if enterprise > > > > # DNS server cannot resolve the domain srvrecord. > > > > # > > > > vars.dns = dns://srvdc03.${global:vars.domain} > > > > dns://srvdc04.${global:vars.domain} > > > > > > > > pool.default.serverset.type = srvrecord > > > > pool.default.serverset.srvrecord.domain = > ${global:vars.domain} > > > > pool.default.auth.simple.bindDN = ${global:vars.user} > > > > pool.default.auth.simple.password = ${global:vars.password} > > > > > > > > # Uncomment if using custom DNS > > > > > > > > pool.default.serverset.srvrecord.jndi-properties. > java.naming.provider.url > = > > > > ${global:vars.dns} > > > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns} > > > > > > > > > > > > > > > > [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] > Cannot initialize > > > > LDAP framework, deferring initialization. Error: No DNS SRV > records were > > > > found with record name '_gc._tcp.brussels.airport'. > > > > > > > > And I can't put '_gc._tcp.mydomain.com > <http://tcp.mydomain.com> in the dns... Isn't there another > > > > way it just resolves the dns servers I gave him? > > > > > > > > > > Microsoft Domain controller must have gc service entry within > DNS to work > > > properly. > > > 1. Are you sure you have Microsoft DNS installed on > srvdc03.mydomain.com <http://srvdc03.mydomain.com> ? > > > 2. Can you please execute: > > > $ dig @srvdc03.mydomain.com <http://srvdc03.mydomain.com> SRV > _gc._tcp.mydomain.com <http://tcp.mydomain.com> > > > 3. Can you please open the DNS manager within your domain and > search for > > > srv records? Maybe you have DNS installed only on few servers, > using the > > > DNS manager you can also see which. > > > > > > > > > > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl(a)redhat.com > <mailto:alonbl@redhat.com>>: > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Ondra Machacek" <omachace(a)redhat.com > <mailto:omachace@redhat.com>> > > > > > > To: "Koen Vanoppen" <vanoppen.koen(a)gmail.com > <mailto:vanoppen.koen@gmail.com>>, users(a)ovirt.org > <mailto:users@ovirt.org> > > > > > > Sent: Thursday, January 29, 2015 1:49:00 PM > > > > > > Subject: Re: [ovirt-users] AAA > > > > > > > > > > > > > > > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote: > > > > > > > No, I don't. and I wouldn't know how he got to this > name... > > > > > > > > > > > > Well, then you have to, if you want to use > > > 'pool.default.serverset.type > > > > > > = srvrecord'. > > > > > > > > > > > > It just need to know where your global catalog is > running, since it's > > > > > > needed for new provider. > > > > > > > > > > > > It searches for global catalog like this: > > > > > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain} > > > > > > > > > > > > So you need to have this SRV record in DNS, if you want > to use > > > srvrecord > > > > > > serverset type. Or you don't have to if you use single > server type. > > > > > > > > > > active directory will not work without access to global > catalog. > > > > > please set one or more of the domain controllers as dns > server, for > > > > > example: > > > > > > > > > > vars.dns = dns://dc1.${global:vars.domain} > > > dns://dc2.${global:vars.domain} > > > > > > > > > > please also uncomment/add these lines to make vars.dns > effective. > > > > > > > > > > > > > > pool.default.serverset.srvrecord.jndi-properties. > java.naming.provider.url > > > > > = ${global:vars.dns} > > > > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns} > > > > > > > > > > Thanks! > > > > > > > > > > > > > > > > > > > > > > > > > Thanks for the reply! > > > > > > > > > > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek > <omachace(a)redhat.com <mailto:omachace@redhat.com> > > > > > > > <mailto:omachace@redhat.com <mailto:omachace@redhat.com > >>>: > > > > > > > > > > > > > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote: > > > > > > > > > > > > > > Can somebody help me setting up AAA for ovirt > 3.5.1? > > > > > > > > > > > > > > I'm getting this now: > > > > > > > > > > > > > > 2015-01-29 11:35:36,889 WARN > > > > > > > > [org.ovirt.engineextensions.__aaa.ldap.AuthzExtension] (MSC > > > > > > > service thread > > > > > > > 1-1) > > > [ovirt-engine-extension-aaa-__ldap.authz::BRU_AIR-authz] > > > > > > > Cannot > > > > > > > initialize LDAP framework, deferring > initialization. > > > Error: An > > > > > > > error > > > > > > > occurred while attempting to query DNS in order > to > > > retrieve SRV > > > > > > > records > > > > > > > with name '_gc._tcp.brussels.airport': > > > > > > > javax.naming.__NameNotFoundException: DNS name > not found > > > > > > > [response code > > > > > > > 3]; remaining name '_gc._tcp.brussels.airport' > > > > > > > > > > > > > > > > > > > > > Do you have this '_gc._tcp.brussels.airport' SRV > record in DNS > > > ? > > > > > > > > > > > > > > > > > > > > > my 3 configs: > > > > > > > _*BRU_AIR-authn.properties*_ > > > > > > > ovirt.engine.extension.name > <http://ovirt.engine.extension.name> < > > > > > http://ovirt.engine.extension.name> > > > > > > > <http://ovirt.engine.__extension.name > <http://extension.name> > > > > > > > <http://ovirt.engine.extension.name>> = > > > > > > > BRU_AIR-authn > > > > > > > ovirt.engine.extension.__bindings.method = > jbossmodule > > > > > > > > ovirt.engine.extension.__binding.jbossmodule.module = > > > > > > > org.ovirt.engine-extensions.__aaa.ldap > > > > > > > > ovirt.engine.extension.__binding.jbossmodule.class = > > > > > > > > org.ovirt.engineextensions.__aaa.ldap.AuthnExtension > > > > > > > ovirt.engine.extension.__provides = > > > > > > > org.ovirt.engine.api.__extensions.aaa.Authn > > > > > > > ovirt.engine.aaa.authn.__profile.name > <http://profile.name> > > > > > > > <http://ovirt.engine.aaa.authn.profile.name> > > > > > > > <http://ovirt.engine.aaa.__authn.profile.name > <http://authn.profile.name> > > > > > > > <http://ovirt.engine.aaa.authn.profile.name>> = > BRU-AIR > > > > > > > ovirt.engine.aaa.authn.authz.__plugin = > BRU_AIR-authz > > > > > > > config.profile.file.1 = > > > > > /etc/ovirt-engine/aaa/BRU_AIR.__properties > > > > > > > > > > > > > > _*BRU_AIR-authz.properties*_ > > > > > > > ovirt.engine.extension.name > <http://ovirt.engine.extension.name> < > > > > > http://ovirt.engine.extension.name> > > > > > > > <http://ovirt.engine.__extension.name > <http://extension.name> > > > > > > > > <http://ovirt.engine.extension.name>> = > > > > > > > BRU_AIR-authz > > > > > > > ovirt.engine.extension.__bindings.method = > jbossmodule > > > > > > > > ovirt.engine.extension.__binding.jbossmodule.module = > > > > > > > org.ovirt.engine-extensions.__aaa.ldap > > > > > > > > ovirt.engine.extension.__binding.jbossmodule.class = > > > > > > > > org.ovirt.engineextensions.__aaa.ldap.AuthzExtension > > > > > > > ovirt.engine.extension.__provides = > > > > > > > org.ovirt.engine.api.__extensions.aaa.Authz > > > > > > > config.profile.file.1 = > > > > > /etc/ovirt-engine/aaa/BRU_AIR.__properties > > > > > > > > > > > > > > _*BRU_AIR.properties*_ > > > > > > > include = <ad.properties> > > > > > > > > > > > > > > # > > > > > > > # Active directory domain name. > > > > > > > # > > > > > > > vars.domain = mydomain.com > <http://mydomain.com> <http://mydomain.com> > > > > > > > <http://mydomain.com> > > > > > > > > > > > > > > # > > > > > > > # Search user and its password. > > > > > > > # > > > > > > > vars.user = admin@${global:vars.domain} > > > > > > > vars.password = *********** > > > > > > > > > > > > > > # > > > > > > > # Optional DNS servers, if enterprise > > > > > > > # DNS server cannot resolve the domain srvrecord. > > > > > > > # > > > > > > > vars.dns = dns://dc01.mydomain.com > <http://dc01.mydomain.com> < > > > http://dc01.mydomain.com> > > > > > > > <http://dc01.mydomain.com> > > > > > > > > > > > > > > pool.default.serverset.type = srvrecord > > > > > > > pool.default.serverset.__srvrecord.domain = > > > > > ${global:vars.domain} > > > > > > > pool.default.auth.simple.__bindDN = > ${global:vars.user} > > > > > > > pool.default.auth.simple.__password = > > > ${global:vars.password > > > > > > > > > > > > > > In the GUI for adding user I get this: > > > > > > > > > > > > > > An error occurred while attempting to query DNS > in order to > > > > > > > retrieve SRV > > > > > > > records with name '_gc__tcp_brussels_airport': > > > > > > > javax_naming___NameNotFoundException: DNS name > not found > > > > > > > [response code > > > > > > > 3]; remaining name '_gc__tcp_brussels_airport' > > > > > > > > > > > > > > Any ideas? I ran out... > > > > > > > > > > > > > > Kind regards, > > > > > > > > > > > > > > Koen > > > > > > > > > > > > > > > > > > > > > ______________________________ > ___________________ > > > > > > > Users mailing list > > > > > > > Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> > > > > > > > http://lists.ovirt.org/__mailman/listinfo/users > > > > > > > <http://lists.ovirt.org/mailman/listinfo/users> > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > Users mailing list > > > > > > Users(a)ovirt.org <mailto:Users@ovirt.org> > > > > > > http://lists.ovirt.org/mailman/listinfo/users > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > Users mailing list > Users(a)ovirt.org > http://lists.ovirt.org/mailman/listinfo/users > >

It's same situation as before, but now you are missing ldap SRV record. With same steps you used to add _gc SRV record add also _ldap SRV record. But it's strange that you don't already have them. On 01/29/2015 02:46 PM, Koen Vanoppen wrote: > I saw that when I pressed the send button. If I do that i again get the > following: > > 2015-01-29 14:28:35,891 WARN > [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread > 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot > initialize LDAP framework, deferring initialization. Error: An error > occurred while attempting to query DNS in order to retrieve SRV records > with name '_ldap._tcp.ldap.mydomain.com > <http://tcp.ldap.mydomain.com>';: javax.naming.NameNotFoundException: > DNS name not found [response code 3]; remaining name > '_ldap._tcp.ldap.mydomain.com <http://tcp.ldap.mydomain.com>' > 2015-01-29 14:28:35,924 WARN > [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread > 1-1) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot > initialize LDAP framework, deferring initialization. Error: An error > occurred while attempting to query DNS in order to retrieve SRV records > with name '_ldap._tcp.ldap.mydomain.com > <http://tcp.ldap.mydomain.com>';: javax.naming.NameNotFoundException: > DNS name not found [response code 3]; remaining name > '_ldap._tcp.ldap.mydomain.com <http://tcp.ldap.mydomain.com>' > > And yes I replayed mydomain with the correct one... :-) > > 2015-01-29 14:40 GMT+01:00 Ondra Machacek <omachace(a)redhat.com > <mailto:omachace@redhat.com>>: > > > > On 01/29/2015 02:18 PM, Koen Vanoppen wrote: > > OK... Now I have this one :-) > WARN [org.ovirt.engineextensions.__aaa.ldap.AuthnExtension] > (MSC service > thread 1-2) [ovirt-engine-extension-aaa-__ > ldap.authn::BRU_AIR-authn] > Cannot initialize LDAP framework, deferring initialization. Error: > Invalid DNS pseudo-URL(s): > > > uncomment vars.dns > > > Changed the properties file to this: > > include = <ad.properties> > > # > # Active directory domain name. > # > vars.domain = ldap.mydomain.com <http://ldap.mydomain.com> > <http://ldap.mydomain.com> (this one > resolves to and gives ping back, front end of the pool) > > # > # Search user and its password. > # > vars.user = juniper-admin(a)mydomain.com > <mailto:juniper-admin@mydomain.com> > <mailto:juniper-admin@__mydomain.com > <mailto:juniper-admin@mydomain.com>> > vars.password = ***** > > # > # Optional DNS servers, if enterprise > # DNS server cannot resolve the domain srvrecord. > # > #vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these > resolve and give a ping back) > > pool.default.serverset.type = srvrecord > #pool.default.serverset.__single.server = ${global:vars.server} > pool.default.serverset.__srvrecord.domain = ${global:vars.domain} > pool.default.auth.simple.__bindDN = ${global:vars.user} > pool.default.auth.simple.__password = ${global:vars.password} > > # Uncomment if using custom DNS > pool.default.serverset.__srvrecord.jndi-properties.__ > java.naming.provider.url > = > ${global:vars.dns} > pool.default.socketfactory.__resolver.uRL = ${global:vars.dns} > > > Thanks for your effort! > > > 2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alonbl(a)redhat.com > <mailto:alonbl@redhat.com> > <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>>>: > > > > ----- Original Message ----- > > From: "Koen Vanoppen" <vanoppen.koen(a)gmail.com > <mailto:vanoppen.koen@gmail.com> > <mailto:vanoppen.koen@gmail.__com <mailto:vanoppen.koen@gmail.com > >>> > > To: "Alon Bar-Lev" <alonbl(a)redhat.com > <mailto:alonbl@redhat.com> <mailto:alonbl@redhat.com > <mailto:alonbl@redhat.com>>> > > Cc:users@ovirt.org <mailto:Cc%3Ausers@ovirt.org> > <mailto:users@ovirt.org <mailto:users@ovirt.org>> > > Sent: Thursday, January 29, 2015 2:41:52 PM > > Subject: Re: [ovirt-users] AAA > > > > Yes We have: > > > > [root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com > <http://srvdc03.mydomain.com> <http://srvdc03.mydomain.com> SRV > _gc._ > >tcp.mydomain.com <http://tcp.mydomain.com> > <http://tcp.mydomain.com> > > > > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.__rc1.el6_5.1 <<>> > @srvdc03.mydomain.com <http://srvdc03.mydomain.com> > > <http://srvdc03.mydomain.com> > > SRV _gc._tcp.mydomain.com <http://tcp.mydomain.com> > <http://tcp.mydomain.com> > > ; (1 server found) > > ;; global options: +cmd > > ;; Got answer: > > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340 > > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, > ADDITIONAL: 0 > > > > ;; QUESTION SECTION: > > ;_gc._tcp.mydomain.com <http://tcp.mydomain.com> > <http://tcp.mydomain.com>;. IN SRV > > this ^^^^^^^ means that you do not have srv record. are you > sure you > replace mydomain.com <http://mydomain.com> > <http://mydomain.com> with your actual active > directory domain name? > have you tried to look into your dns manager for this > information as > well? > > > > > ;; AUTHORITY SECTION: > > mydomain.com <http://mydomain.com> > <http://mydomain.com>;. 3600 IN SOA > srvdc03.mydomain.com <http://srvdc03.mydomain.com> > <http://srvdc03.mydomain.com>;. > > hostmaster.airport. 1398582 900 600 86400 3600 > > > > ;; Query time: 12 msec > > ;; SERVER: 10.110.3.123#53(10.110.3.123) > > ;; WHEN: Thu Jan 29 13:40:41 2015 > > ;; MSG SIZE rcvd: 98 > > > > > > > > 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev > <alonbl(a)redhat.com <mailto:alonbl@redhat.com> > <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>>>: > > > > > > > > > > > ----- Original Message ----- > > > > From: "Koen Vanoppen" <vanoppen.koen(a)gmail.com > <mailto:vanoppen.koen@gmail.com> > <mailto:vanoppen.koen@gmail.__com > <mailto:vanoppen.koen@gmail.com>>> > > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com > <mailto:alonbl@redhat.com> > <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>>>, > users(a)ovirt.org <mailto:users@ovirt.org> <mailto:users@ovirt.org > <mailto:users@ovirt.org>> > > > > Sent: Thursday, January 29, 2015 2:19:32 PM > > > > Subject: Re: [ovirt-users] AAA > > > > > > > > Big thanks for your help, but still the same: > > > > > > > > # > > > > # Active directory domain name. > > > > # > > > > vars.domain = mydomain.com <http://mydomain.com> > <http://mydomain.com> > > > > > > > > # > > > > # Search user and its password. > > > > # > > > > vars.user = admin@${global:vars.domain} > > > > vars.password = ***** > > > > > > > > # > > > > # Optional DNS servers, if enterprise > > > > # DNS server cannot resolve the domain srvrecord. > > > > # > > > > vars.dns = dns://srvdc03.${global:vars.__domain} > > > > dns://srvdc04.${global:vars.__domain} > > > > > > > > pool.default.serverset.type = srvrecord > > > > pool.default.serverset.__srvrecord.domain = > ${global:vars.domain} > > > > pool.default.auth.simple.__bindDN = > ${global:vars.user} > > > > pool.default.auth.simple.__password = > ${global:vars.password} > > > > > > > > # Uncomment if using custom DNS > > > > > > > > > pool.default.serverset.__srvrecord.jndi-properties.__ > java.naming.provider.url > = > > > > ${global:vars.dns} > > > > pool.default.socketfactory.__resolver.uRL = > ${global:vars.dns} > > > > > > > > > > > > > > > > > [ovirt-engine-extension-aaa-__ldap.authz::BRU_AIR-authz] > Cannot initialize > > > > LDAP framework, deferring initialization. Error: No > DNS SRV > records were > > > > found with record name '_gc._tcp.brussels.airport'. > > > > > > > > And I can't put '_gc._tcp.mydomain.com > <http://tcp.mydomain.com> > <http://tcp.mydomain.com> in the dns... Isn't there another > > > > way it just resolves the dns servers I gave him? > > > > > > > > > > Microsoft Domain controller must have gc service entry > within > DNS to work > > > properly. > > > 1. Are you sure you have Microsoft DNS installed on > srvdc03.mydomain.com <http://srvdc03.mydomain.com> > <http://srvdc03.mydomain.com> ? > > > 2. Can you please execute: > > > $ dig @srvdc03.mydomain.com > <http://srvdc03.mydomain.com> <http://srvdc03.mydomain.com> SRV > _gc._tcp.mydomain.com <http://tcp.mydomain.com> > <http://tcp.mydomain.com> > > > 3. Can you please open the DNS manager within your > domain and > search for > > > srv records? Maybe you have DNS installed only on few > servers, > using the > > > DNS manager you can also see which. > > > > > > > > > > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev > <alonbl(a)redhat.com <mailto:alonbl@redhat.com> > <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>>>: > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Ondra Machacek" <omachace(a)redhat.com > <mailto:omachace@redhat.com> > <mailto:omachace@redhat.com <mailto:omachace@redhat.com>>> > > > > > > To: "Koen Vanoppen" <vanoppen.koen(a)gmail.com > <mailto:vanoppen.koen@gmail.com> > <mailto:vanoppen.koen@gmail.__com > <mailto:vanoppen.koen@gmail.com>>>, users(a)ovirt.org > <mailto:users@ovirt.org> > <mailto:users@ovirt.org <mailto:users@ovirt.org>> > > > > > > Sent: Thursday, January 29, 2015 1:49:00 PM > > > > > > Subject: Re: [ovirt-users] AAA > > > > > > > > > > > > > > > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote: > > > > > > > No, I don't. and I wouldn't know how he got to > this name... > > > > > > > > > > > > Well, then you have to, if you want to use > > > 'pool.default.serverset.type > > > > > > = srvrecord'. > > > > > > > > > > > > It just need to know where your global catalog is > running, since it's > > > > > > needed for new provider. > > > > > > > > > > > > It searches for global catalog like this: > > > > > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain} > > > > > > > > > > > > So you need to have this SRV record in DNS, if > you want > to use > > > srvrecord > > > > > > serverset type. Or you don't have to if you use > single > server type. > > > > > > > > > > active directory will not work without access to > global > catalog. > > > > > please set one or more of the domain controllers > as dns > server, for > > > > > example: > > > > > > > > > > vars.dns = dns://dc1.${global:vars.__domain} > > > dns://dc2.${global:vars.__domain} > > > > > > > > > > please also uncomment/add these lines to make > vars.dns > effective. > > > > > > > > > > > > > > > pool.default.serverset.__srvrecord.jndi-properties.__ > java.naming.provider.url > > > > > = ${global:vars.dns} > > > > > pool.default.socketfactory.__resolver.uRL = > ${global:vars.dns} > > > > > > > > > > Thanks! > > > > > > > > > > > > > > > > > > > > > > > > > Thanks for the reply! > > > > > > > > > > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek > <omachace(a)redhat.com <mailto:omachace@redhat.com> > <mailto:omachace@redhat.com <mailto:omachace@redhat.com>> > > > > > > > <mailto:omachace@redhat.com > <mailto:omachace@redhat.com> <mailto:omachace@redhat.com > <mailto:omachace@redhat.com>>>>__: > > > > > > > > > > > > > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote: > > > > > > > > > > > > > > Can somebody help me setting up AAA > for ovirt > 3.5.1? > > > > > > > > > > > > > > I'm getting this now: > > > > > > > > > > > > > > 2015-01-29 11:35:36,889 WARN > > > > > > > > [org.ovirt.engineextensions.____aaa.ldap.AuthzExtension] > (MSC > > > > > > > service thread > > > > > > > 1-1) > > > [ovirt-engine-extension-aaa-__ > __ldap.authz::BRU_AIR-authz] > > > > > > > Cannot > > > > > > > initialize LDAP framework, deferring > initialization. > > > Error: An > > > > > > > error > > > > > > > occurred while attempting to query DNS > in order to > > > retrieve SRV > > > > > > > records > > > > > > > with name '_gc._tcp.brussels.airport': > > > > > > > > javax.naming.____NameNotFoundException: DNS name > not found > > > > > > > [response code > > > > > > > 3]; remaining name > '_gc._tcp.brussels.airport' > > > > > > > > > > > > > > > > > > > > > Do you have this > '_gc._tcp.brussels.airport' SRV > record in DNS > > > ? > > > > > > > > > > > > > > > > > > > > > my 3 configs: > > > > > > > _*BRU_AIR-authn.properties*_ > > > > > > > ovirt.engine.extension.name > <http://ovirt.engine.extension.name> > <http://ovirt.engine.__extension.name > <http://ovirt.engine.extension.name>> < > > > > > http://ovirt.engine.extension.__name > <http://ovirt.engine.extension.name>> > > > > > > > > <http://ovirt.engine.__extensi__on.name <http://extension.name> > <http://extension.name> > > > > > > > <http://ovirt.engine.__extension.name > <http://ovirt.engine.extension.name>>> = > > > > > > > BRU_AIR-authn > > > > > > > > ovirt.engine.extension.____bindings.method = > jbossmodule > > > > > > > > ovirt.engine.extension.____binding.jbossmodule.module = > > > > > > > org.ovirt.engine-extensions.__ > __aaa.ldap > > > > > > > > ovirt.engine.extension.____binding.jbossmodule.class = > > > > > > > > org.ovirt.engineextensions.____aaa.ldap.AuthnExtension > > > > > > > ovirt.engine.extension.____provides = > > > > > > > > org.ovirt.engine.api.____extensions.aaa.Authn > > > > > > > > ovirt.engine.aaa.authn.__profi__le.name <http://profile.name> > <http://profile.name> > > > > > > > > <http://ovirt.engine.aaa.__authn.profile.name > <http://ovirt.engine.aaa.authn.profile.name>> > > > > > > > > <http://ovirt.engine.aaa.__aut__hn.profile.name > <http://authn.profile.name> > <http://authn.profile.name> > > > > > > > > <http://ovirt.engine.aaa.__authn.profile.name > <http://ovirt.engine.aaa.authn.profile.name>>> = > BRU-AIR > > > > > > > ovirt.engine.aaa.authn.authz.____plugin > = > BRU_AIR-authz > > > > > > > config.profile.file.1 = > > > > > /etc/ovirt-engine/aaa/BRU_AIR.____properties > > > > > > > > > > > > > > _*BRU_AIR-authz.properties*_ > > > > > > > ovirt.engine.extension.name > <http://ovirt.engine.extension.name> > <http://ovirt.engine.__extension.name > <http://ovirt.engine.extension.name>> < > > > > > http://ovirt.engine.extension.__name > <http://ovirt.engine.extension.name>> > > > > > > > > <http://ovirt.engine.__extensi__on.name <http://extension.name> > <http://extension.name> > > > > > > > > <http://ovirt.engine.__extension.name > <http://ovirt.engine.extension.name>>> = > > > > > > > BRU_AIR-authz > > > > > > > > ovirt.engine.extension.____bindings.method = > jbossmodule > > > > > > > > ovirt.engine.extension.____binding.jbossmodule.module = > > > > > > > org.ovirt.engine-extensions.__ > __aaa.ldap > > > > > > > > ovirt.engine.extension.____binding.jbossmodule.class = > > > > > > > > org.ovirt.engineextensions.____aaa.ldap.AuthzExtension > > > > > > > ovirt.engine.extension.____provides = > > > > > > > > org.ovirt.engine.api.____extensions.aaa.Authz > > > > > > > config.profile.file.1 = > > > > > /etc/ovirt-engine/aaa/BRU_AIR.____properties > > > > > > > > > > > > > > > _*BRU_AIR.properties*_ > > > > > > > include = <ad.properties> > > > > > > > > > > > > > > # > > > > > > > # Active directory domain name. > > > > > > > # > > > > > > > vars.domain = mydomain.com > <http://mydomain.com> > <http://mydomain.com> <http://mydomain.com> > > > > > > > <http://mydomain.com> > > > > > > > > > > > > > > # > > > > > > > # Search user and its password. > > > > > > > # > > > > > > > vars.user = admin@${global:vars.domain} > > > > > > > vars.password = *********** > > > > > > > > > > > > > > # > > > > > > > # Optional DNS servers, if enterprise > > > > > > > # DNS server cannot resolve the domain > srvrecord. > > > > > > > # > > > > > > > vars.dns = dns://dc01.mydomain.com > <http://dc01.mydomain.com> > <http://dc01.mydomain.com> < > > > http://dc01.mydomain.com> > > > > > > > <http://dc01.mydomain.com> > > > > > > > > > > > > > > pool.default.serverset.type = srvrecord > > > > > > > > pool.default.serverset.____srvrecord.domain = > > > > > ${global:vars.domain} > > > > > > > pool.default.auth.simple.____bindDN = > ${global:vars.user} > > > > > > > pool.default.auth.simple.____password = > > > ${global:vars.password > > > > > > > > > > > > > > In the GUI for adding user I get this: > > > > > > > > > > > > > > An error occurred while attempting to > query DNS > in order to > > > > > > > retrieve SRV > > > > > > > records with name > '_gc__tcp_brussels_airport': > > > > > > > > javax_naming_____NameNotFoundException: DNS name > not found > > > > > > > [response code > > > > > > > 3]; remaining name > '_gc__tcp_brussels_airport' > > > > > > > > > > > > > > Any ideas? I ran out... > > > > > > > > > > > > > > Kind regards, > > > > > > > > > > > > > > Koen > > > > > > > > > > > > > > > > > > > > > > ___________________________________________________ > > > > > > > Users mailing list > > > > > > > Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> > > > > > > > > http://lists.ovirt.org/____mailman/listinfo/users > <http://lists.ovirt.org/__mailman/listinfo/users> > > > > > > > > <http://lists.ovirt.org/__mailman/listinfo/users > <http://lists.ovirt.org/mailman/listinfo/users>> > > > > > > > > > > > > > > > > > > > > _________________________________________________ > > > > > > Users mailing list > > > > > > Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> > > > > > > http://lists.ovirt.org/__mailman/listinfo/users > <http://lists.ovirt.org/mailman/listinfo/users> > > > > > > > > > > > > > > > > > > > > > > > > > _________________________________________________ > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> > http://lists.ovirt.org/__mailman/listinfo/users > <http://lists.ovirt.org/mailman/listinfo/users> > > >

On 01/29/2015 02:54 PM, Koen Vanoppen wrote: > I just don't understand. Why did engine-manage-domains previously DID > work, no problems what so ever and now I have this... > Because manage-domains didn't use global catalog. And probabaly the reason you don't have _ldap SRV record is that you didn't have them never and you just used '--ldapServers' parameter, that's why manage-domains worked with your domain. Now you are using DNS, not static configuration of ldap servers. > 2015-01-29 14:48 GMT+01:00 Ondra Machacek <omachace(a)redhat.com > <mailto:omachace@redhat.com>>: > > It's same situation as before, but now you are missing ldap SRV > record. > > With same steps you used to add _gc SRV record add also _ldap SRV > record. But it's strange that you don't already have them. > > On 01/29/2015 02:46 PM, Koen Vanoppen wrote: > > I saw that when I pressed the send button. If I do that i again > get the > following: > > 2015-01-29 14:28:35,891 WARN > [org.ovirt.engineextensions.__aaa.ldap.AuthzExtension] (MSC > service thread > 1-1) [ovirt-engine-extension-aaa-__ldap.authz::BRU_AIR-authz] > Cannot > initialize LDAP framework, deferring initialization. Error: An > error > occurred while attempting to query DNS in order to retrieve SRV > records > with name '_ldap._tcp.ldap.mydomain.com > <http://tcp.ldap.mydomain.com> > <http://tcp.ldap.mydomain.com>__';: > javax.naming.__NameNotFoundException: > DNS name not found [response code 3]; remaining name > '_ldap._tcp.ldap.mydomain.com <http://tcp.ldap.mydomain.com> > <http://tcp.ldap.mydomain.com>__' > 2015-01-29 14:28:35,924 WARN > [org.ovirt.engineextensions.__aaa.ldap.AuthnExtension] (MSC > service thread > 1-1) [ovirt-engine-extension-aaa-__ldap.authn::BRU_AIR-authn] > Cannot > initialize LDAP framework, deferring initialization. Error: An > error > occurred while attempting to query DNS in order to retrieve SRV > records > with name '_ldap._tcp.ldap.mydomain.com > <http://tcp.ldap.mydomain.com> > <http://tcp.ldap.mydomain.com>__';: > javax.naming.__NameNotFoundException: > DNS name not found [response code 3]; remaining name > '_ldap._tcp.ldap.mydomain.com <http://tcp.ldap.mydomain.com> > <http://tcp.ldap.mydomain.com>__' > > And yes I replayed mydomain with the correct one... :-) > > 2015-01-29 14:40 GMT+01:00 Ondra Machacek <omachace(a)redhat.com > <mailto:omachace@redhat.com> > <mailto:omachace@redhat.com <mailto:omachace@redhat.com>>>: > > > > On 01/29/2015 02:18 PM, Koen Vanoppen wrote: > > OK... Now I have this one :-) > WARN > [org.ovirt.engineextensions.____aaa.ldap.AuthnExtension] > (MSC service > thread 1-2) > [ovirt-engine-extension-aaa-____ldap.authn::BRU_AIR-authn] > Cannot initialize LDAP framework, deferring > initialization. Error: > Invalid DNS pseudo-URL(s): > > > uncomment vars.dns > > > Changed the properties file to this: > > include = <ad.properties> > > # > # Active directory domain name. > # > vars.domain = ldap.mydomain.com > <http://ldap.mydomain.com> <http://ldap.mydomain.com> > <http://ldap.mydomain.com> (this one > resolves to and gives ping back, front end of the pool) > > # > # Search user and its password. > # > vars.user = juniper-admin(a)mydomain.com > <mailto:juniper-admin@mydomain.com> > <mailto:juniper-admin@__mydomain.com > <mailto:juniper-admin@mydomain.com>> > <mailto:juniper-admin@ > <mailto:juniper-admin@>__mydoma__in.com <http://mydomain.com> > <mailto:juniper-admin@__mydomain.com > <mailto:juniper-admin@mydomain.com>>> > vars.password = ***** > > # > # Optional DNS servers, if enterprise > # DNS server cannot resolve the domain srvrecord. > # > #vars.dns = dns://srvdc03.my.domain > dns://srvdc04.my.domain (these > resolve and give a ping back) > > pool.default.serverset.type = srvrecord > #pool.default.serverset.____single.server = > ${global:vars.server} > pool.default.serverset.____srvrecord.domain = > ${global:vars.domain} > pool.default.auth.simple.____bindDN = > ${global:vars.user} > pool.default.auth.simple.____password = > ${global:vars.password} > > # Uncomment if using custom DNS > > pool.default.serverset.____srvrecord.jndi-properties.____ > java.naming.provider.url > = > ${global:vars.dns} > pool.default.socketfactory.____resolver.uRL = > ${global:vars.dns} > > > Thanks for your effort! > > > 2015-01-29 13:50 GMT+01:00 Alon Bar-Lev > <alonbl(a)redhat.com <mailto:alonbl@redhat.com> > <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>> > <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com> > <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>>>>: > > > > ----- Original Message ----- > > From: "Koen Vanoppen" <vanoppen.koen(a)gmail.com > <mailto:vanoppen.koen@gmail.com> > <mailto:vanoppen.koen@gmail.__com > <mailto:vanoppen.koen@gmail.com>> > <mailto:vanoppen.koen@gmail. > <mailto:vanoppen.koen@gmail.>____com > <mailto:vanoppen.koen@gmail.__com > <mailto:vanoppen.koen@gmail.com>>>> > > To: "Alon Bar-Lev" <alonbl(a)redhat.com > <mailto:alonbl@redhat.com> > <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>> > <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com> > <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>>>> > > Cc:users@ovirt.org <mailto:Cc%3Ausers@ovirt.org> > <mailto:Cc%3Ausers@ovirt.org <mailto:Cc%253Ausers@ovirt.org>> > <mailto:users@ovirt.org <mailto:users@ovirt.org> > <mailto:users@ovirt.org <mailto:users@ovirt.org>>> > > Sent: Thursday, January 29, 2015 2:41:52 PM > > Subject: Re: [ovirt-users] AAA > > > > Yes We have: > > > > [root@ovirtmgmt01prod ~]# dig > @srvdc03.mydomain.com <http://srvdc03.mydomain.com> > <http://srvdc03.mydomain.com> > <http://srvdc03.mydomain.com> SRV > _gc._ > >tcp.mydomain.com <http://tcp.mydomain.com> > <http://tcp.mydomain.com> > <http://tcp.mydomain.com> > > > > ; <<>> DiG > 9.8.2rc1-RedHat-9.8.2-0.23.____rc1.el6_5.1 <<>> > @srvdc03.mydomain.com <http://srvdc03.mydomain.com> > <http://srvdc03.mydomain.com> > > <http://srvdc03.mydomain.com> > > SRV _gc._tcp.mydomain.com > <http://tcp.mydomain.com> <http://tcp.mydomain.com> > <http://tcp.mydomain.com> > > ; (1 server found) > > ;; global options: +cmd > > ;; Got answer: > > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, > id: 33340 > > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, > AUTHORITY: 1, > ADDITIONAL: 0 > > > > ;; QUESTION SECTION: > > ;_gc._tcp.mydomain.com <http://tcp.mydomain.com> > <http://tcp.mydomain.com> > <http://tcp.mydomain.com>;. IN SRV > > this ^^^^^^^ means that you do not have srv > record. are you > sure you > replace mydomain.com <http://mydomain.com> > <http://mydomain.com> > <http://mydomain.com> with your actual active > directory domain name? > have you tried to look into your dns manager for > this > information as > well? > > > > > ;; AUTHORITY SECTION: > > mydomain.com <http://mydomain.com> > <http://mydomain.com> > <http://mydomain.com>;. 3600 IN SOA > srvdc03.mydomain.com <http://srvdc03.mydomain.com> > <http://srvdc03.mydomain.com> > <http://srvdc03.mydomain.com>;. > > hostmaster.airport. 1398582 900 600 86400 3600 > > > > ;; Query time: 12 msec > > ;; SERVER: 10.110.3.123#53(10.110.3.123) > > ;; WHEN: Thu Jan 29 13:40:41 2015 > > ;; MSG SIZE rcvd: 98 > > > > > > > > 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev > <alonbl(a)redhat.com <mailto:alonbl@redhat.com> > <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>> > <mailto:alonbl@redhat.com > <mailto:alonbl@redhat.com> <mailto:alonbl@redhat.com > <mailto:alonbl@redhat.com>>>>: > > > > > > > > > > > ----- Original Message ----- > > > > From: "Koen Vanoppen" > <vanoppen.koen(a)gmail.com <mailto:vanoppen.koen@gmail.com> > <mailto:vanoppen.koen@gmail.__com > <mailto:vanoppen.koen@gmail.com>> > <mailto:vanoppen.koen@gmail. > <mailto:vanoppen.koen@gmail.>____com > <mailto:vanoppen.koen@gmail.__com > <mailto:vanoppen.koen@gmail.com>>>> > > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com > <mailto:alonbl@redhat.com> > <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>> > <mailto:alonbl@redhat.com > <mailto:alonbl@redhat.com> <mailto:alonbl@redhat.com > <mailto:alonbl@redhat.com>>>>, > users(a)ovirt.org <mailto:users@ovirt.org> <mailto:users@ovirt.org > <mailto:users@ovirt.org>> <mailto:users@ovirt.org > <mailto:users@ovirt.org> > <mailto:users@ovirt.org <mailto:users@ovirt.org>>> > > > > Sent: Thursday, January 29, 2015 2:19:32 PM > > > > Subject: Re: [ovirt-users] AAA > > > > > > > > Big thanks for your help, but still the same: > > > > > > > > # > > > > # Active directory domain name. > > > > # > > > > vars.domain = mydomain.com > <http://mydomain.com> <http://mydomain.com> > <http://mydomain.com> > > > > > > > > # > > > > # Search user and its password. > > > > # > > > > vars.user = admin@${global:vars.domain} > > > > vars.password = ***** > > > > > > > > # > > > > # Optional DNS servers, if enterprise > > > > # DNS server cannot resolve the domain > srvrecord. > > > > # > > > > vars.dns = > dns://srvdc03.${global:vars.____domain} > > > > dns://srvdc04.${global:vars.____domain} > > > > > > > > pool.default.serverset.type = srvrecord > > > > pool.default.serverset.____srvrecord.domain > = > ${global:vars.domain} > > > > pool.default.auth.simple.____bindDN = > ${global:vars.user} > > > > pool.default.auth.simple.____password = > ${global:vars.password} > > > > > > > > # Uncomment if using custom DNS > > > > > > > > > > pool.default.serverset.____srvrecord.jndi-properties.____ > java.naming.provider.url > = > > > > ${global:vars.dns} > > > > pool.default.socketfactory.____resolver.uRL > = > ${global:vars.dns} > > > > > > > > > > > > > > > > > [ovirt-engine-extension-aaa-__ > __ldap.authz::BRU_AIR-authz] > Cannot initialize > > > > LDAP framework, deferring initialization. > Error: No > DNS SRV > records were > > > > found with record name > '_gc._tcp.brussels.airport'. > > > > > > > > And I can't put '_gc._tcp.mydomain.com > <http://tcp.mydomain.com> > <http://tcp.mydomain.com> > <http://tcp.mydomain.com> in the dns... Isn't > there another > > > > way it just resolves the dns servers I gave > him? > > > > > > > > > > Microsoft Domain controller must have gc > service entry > within > DNS to work > > > properly. > > > 1. Are you sure you have Microsoft DNS > installed on > srvdc03.mydomain.com <http://srvdc03.mydomain.com> > <http://srvdc03.mydomain.com> > <http://srvdc03.mydomain.com> ? > > > 2. Can you please execute: > > > $ dig @srvdc03.mydomain.com > <http://srvdc03.mydomain.com> > <http://srvdc03.mydomain.com> > <http://srvdc03.mydomain.com> SRV > _gc._tcp.mydomain.com <http://tcp.mydomain.com> > <http://tcp.mydomain.com> > <http://tcp.mydomain.com> > > > 3. Can you please open the DNS manager within > your > domain and > search for > > > srv records? Maybe you have DNS installed > only on few > servers, > using the > > > DNS manager you can also see which. > > > > > > > > > > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev > <alonbl(a)redhat.com <mailto:alonbl@redhat.com> > <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>> > <mailto:alonbl@redhat.com > <mailto:alonbl@redhat.com> <mailto:alonbl@redhat.com > <mailto:alonbl@redhat.com>>>>: > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Ondra Machacek" > <omachace(a)redhat.com <mailto:omachace@redhat.com> > <mailto:omachace@redhat.com <mailto:omachace@redhat.com > >> > <mailto:omachace@redhat.com > <mailto:omachace@redhat.com> <mailto:omachace@redhat.com > <mailto:omachace@redhat.com>>>> > > > > > > To: "Koen Vanoppen" > <vanoppen.koen(a)gmail.com <mailto:vanoppen.koen@gmail.com> > <mailto:vanoppen.koen@gmail.__com > <mailto:vanoppen.koen@gmail.com>> > <mailto:vanoppen.koen@gmail. > <mailto:vanoppen.koen@gmail.>____com > <mailto:vanoppen.koen@gmail.__com > <mailto:vanoppen.koen@gmail.com>>>>, users(a)ovirt.org > <mailto:users@ovirt.org> > <mailto:users@ovirt.org <mailto:users@ovirt.org>> > <mailto:users@ovirt.org <mailto:users@ovirt.org> > > <mailto:users@ovirt.org <mailto:users@ovirt.org>>> > > > > > > Sent: Thursday, January 29, 2015 1:49:00 > PM > > > > > > Subject: Re: [ovirt-users] AAA > > > > > > > > > > > > > > > > > > On 01/29/2015 12:30 PM, Koen Vanoppen > wrote: > > > > > > > No, I don't. and I wouldn't know how > he got to > this name... > > > > > > > > > > > > Well, then you have to, if you want to > use > > > 'pool.default.serverset.type > > > > > > = srvrecord'. > > > > > > > > > > > > It just need to know where your global > catalog is > running, since it's > > > > > > needed for new provider. > > > > > > > > > > > > It searches for global catalog like this: > > > > > > dig @${vars.dns} -t SRV > _gc._tcp.${vars.domain} > > > > > > > > > > > > So you need to have this SRV record in > DNS, if > you want > to use > > > srvrecord > > > > > > serverset type. Or you don't have to if > you use > single > server type. > > > > > > > > > > active directory will not work without > access to > global > catalog. > > > > > please set one or more of the domain > controllers > as dns > server, for > > > > > example: > > > > > > > > > > vars.dns = > dns://dc1.${global:vars.____domain} > > > dns://dc2.${global:vars.____domain} > > > > > > > > > > please also uncomment/add these lines to > make vars.dns > effective. > > > > > > > > > > > > > > > > pool.default.serverset.____srvrecord.jndi-properties.____ > java.naming.provider.url > > > > > = ${global:vars.dns} > > > > > pool.default.socketfactory.____resolver.uRL > = > ${global:vars.dns} > > > > > > > > > > Thanks! > > > > > > > > > > > > > > > > > > > > > > > > > Thanks for the reply! > > > > > > > > > > > > > > 2015-01-29 11:53 GMT+01:00 Ondra > Machacek > <omachace(a)redhat.com <mailto:omachace@redhat.com> > <mailto:omachace@redhat.com <mailto:omachace@redhat.com>> > <mailto:omachace@redhat.com > <mailto:omachace@redhat.com> <mailto:omachace@redhat.com > <mailto:omachace@redhat.com>>> > > > > > > > <mailto:omachace@redhat.com > <mailto:omachace@redhat.com> > <mailto:omachace@redhat.com > <mailto:omachace@redhat.com>> <mailto:omachace@redhat.com > <mailto:omachace@redhat.com> > <mailto:omachace@redhat.com > <mailto:omachace@redhat.com>>>>__>__: > > > > > > > > > > > > > > > On 01/29/2015 11:41 AM, Koen > Vanoppen wrote: > > > > > > > > > > > > > > Can somebody help me setting > up AAA > for ovirt > 3.5.1? > > > > > > > > > > > > > > I'm getting this now: > > > > > > > > > > > > > > 2015-01-29 11:35:36,889 WARN > > > > > > > > > [org.ovirt.engineextensions.______aaa.ldap.AuthzExtension] (MSC > > > > > > > service thread > > > > > > > 1-1) > > > > [ovirt-engine-extension-aaa-______ldap.authz::BRU_AIR-authz] > > > > > > > Cannot > > > > > > > initialize LDAP framework, > deferring > initialization. > > > Error: An > > > > > > > error > > > > > > > occurred while attempting to > query DNS > in order to > > > retrieve SRV > > > > > > > records > > > > > > > with name > '_gc._tcp.brussels.airport': > > > > > > > > javax.naming.______NameNotFoundException: DNS name > not found > > > > > > > [response code > > > > > > > 3]; remaining name > '_gc._tcp.brussels.airport' > > > > > > > > > > > > > > > > > > > > > Do you have this > '_gc._tcp.brussels.airport' SRV > record in DNS > > > ? > > > > > > > > > > > > > > > > > > > > > my 3 configs: > > > > > > > _*BRU_AIR-authn.properties*_ > > > > > > > ovirt.engine.extension.name > <http://ovirt.engine.extension.name> > <http://ovirt.engine.__extension.name > <http://ovirt.engine.extension.name>> > <http://ovirt.engine.__extensi__on.name > <http://extension.name> > <http://ovirt.engine.__extension.name > <http://ovirt.engine.extension.name>>> < > > > > > http://ovirt.engine.extension.____name > <http://ovirt.engine.__extension.name > <http://ovirt.engine.extension.name>>> > > > > > > > > <http://ovirt.engine.__extensi____on.name > <http://extensi__on.name> <http://extension.name> > <http://extension.name> > > > > > > > > <http://ovirt.engine.__extensi__on.name <http://extension.name> > <http://ovirt.engine.__extension.name > <http://ovirt.engine.extension.name>>>> = > > > > > > > BRU_AIR-authn > > > > > > > > ovirt.engine.extension.______bindings.method = > jbossmodule > > > > > > > > > ovirt.engine.extension.______binding.jbossmodule.module = > > > > > > > > org.ovirt.engine-extensions.______aaa.ldap > > > > > > > > > ovirt.engine.extension.______binding.jbossmodule.class = > > > > > > > > > org.ovirt.engineextensions.______aaa.ldap.AuthnExtension > > > > > > > > ovirt.engine.extension.______provides = > > > > > > > > org.ovirt.engine.api.______extensions.aaa.Authn > > > > > > > > ovirt.engine.aaa.authn.__profi____le.name > <http://profi__le.name> <http://profile.name> > <http://profile.name> > > > > > > > > <http://ovirt.engine.aaa.__aut__hn.profile.name > <http://authn.profile.name> > <http://ovirt.engine.aaa.__authn.profile.name > <http://ovirt.engine.aaa.authn.profile.name>>> > > > > > > > > <http://ovirt.engine.aaa.__aut____hn.profile.name > <http://aut__hn.profile.name> > <http://authn.profile.name> > <http://authn.profile.name> > > > > > > > > <http://ovirt.engine.aaa.__aut__hn.profile.name > <http://authn.profile.name> > <http://ovirt.engine.aaa.__authn.profile.name > <http://ovirt.engine.aaa.authn.profile.name>>>> = > BRU-AIR > > > > > > > > ovirt.engine.aaa.authn.authz.______plugin = > BRU_AIR-authz > > > > > > > config.profile.file.1 = > > > > > > /etc/ovirt-engine/aaa/BRU_AIR.______properties > > > > > > > > > > > > > > _*BRU_AIR-authz.properties*_ > > > > > > > ovirt.engine.extension.name > <http://ovirt.engine.extension.name> > <http://ovirt.engine.__extension.name > <http://ovirt.engine.extension.name>> > <http://ovirt.engine.__extensi__on.name > <http://extension.name> > <http://ovirt.engine.__extension.name > <http://ovirt.engine.extension.name>>> < > > > > > http://ovirt.engine.extension.____name > <http://ovirt.engine.__extension.name > <http://ovirt.engine.extension.name>>> > > > > > > > > <http://ovirt.engine.__extensi____on.name > <http://extensi__on.name> <http://extension.name> > <http://extension.name> > > > > > > > > > <http://ovirt.engine.__extensi__on.name <http://extension.name> > <http://ovirt.engine.__extension.name > <http://ovirt.engine.extension.name>>>> = > > > > > > > BRU_AIR-authz > > > > > > > > ovirt.engine.extension.______bindings.method = > jbossmodule > > > > > > > > > ovirt.engine.extension.______binding.jbossmodule.module = > > > > > > > > org.ovirt.engine-extensions.______aaa.ldap > > > > > > > > > ovirt.engine.extension.______binding.jbossmodule.class = > > > > > > > > > org.ovirt.engineextensions.______aaa.ldap.AuthzExtension > > > > > > > > ovirt.engine.extension.______provides = > > > > > > > > org.ovirt.engine.api.______extensions.aaa.Authz > > > > > > > config.profile.file.1 = > > > > > > /etc/ovirt-engine/aaa/BRU_AIR.______properties > > > > > > > > > > > > > > > > _*BRU_AIR.properties*_ > > > > > > > include = <ad.properties> > > > > > > > > > > > > > > # > > > > > > > # Active directory domain name. > > > > > > > # > > > > > > > vars.domain = mydomain.com > <http://mydomain.com> > <http://mydomain.com> > <http://mydomain.com> <http://mydomain.com> > > > > > > > <http://mydomain.com> > > > > > > > > > > > > > > # > > > > > > > # Search user and its password. > > > > > > > # > > > > > > > vars.user = > admin@${global:vars.domain} > > > > > > > vars.password = *********** > > > > > > > > > > > > > > # > > > > > > > # Optional DNS servers, if > enterprise > > > > > > > # DNS server cannot resolve > the domain > srvrecord. > > > > > > > # > > > > > > > vars.dns = > dns://dc01.mydomain.com <http://dc01.mydomain.com> > <http://dc01.mydomain.com> > <http://dc01.mydomain.com> < > > > http://dc01.mydomain.com> > > > > > > > <http://dc01.mydomain.com> > > > > > > > > > > > > > > pool.default.serverset.type = > srvrecord > > > > > > > > pool.default.serverset.______srvrecord.domain = > > > > > ${global:vars.domain} > > > > > > > > pool.default.auth.simple.______bindDN = > ${global:vars.user} > > > > > > > > pool.default.auth.simple.______password = > > > ${global:vars.password > > > > > > > > > > > > > > In the GUI for adding user I > get this: > > > > > > > > > > > > > > An error occurred while > attempting to > query DNS > in order to > > > > > > > retrieve SRV > > > > > > > records with name > '_gc__tcp_brussels_airport': > > > > > > > > javax_naming_______NameNotFoundException: DNS name > not found > > > > > > > [response code > > > > > > > 3]; remaining name > '_gc__tcp_brussels_airport' > > > > > > > > > > > > > > Any ideas? I ran out... > > > > > > > > > > > > > > Kind regards, > > > > > > > > > > > > > > Koen > > > > > > > > > > > > > > > > > > > > > > _____________________________________________________ > > > > > > > Users mailing list > > > > > > > Users(a)ovirt.org > <mailto:Users@ovirt.org> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org>> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>>> > > > > > > > > http://lists.ovirt.org/______mailman/listinfo/users > <http://lists.ovirt.org/____mailman/listinfo/users> > <http://lists.ovirt.org/____mailman/listinfo/users > <http://lists.ovirt.org/__mailman/listinfo/users>> > > > > > > > > <http://lists.ovirt.org/____mailman/listinfo/users > <http://lists.ovirt.org/__mailman/listinfo/users> > <http://lists.ovirt.org/__mailman/listinfo/users > <http://lists.ovirt.org/mailman/listinfo/users>>> > > > > > > > > > > > > > > > > > > > > > ___________________________________________________ > > > > > > Users mailing list > > > > > > Users(a)ovirt.org > <mailto:Users@ovirt.org> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org>> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> > > > > > > > http://lists.ovirt.org/____mailman/listinfo/users > <http://lists.ovirt.org/__mailman/listinfo/users> > <http://lists.ovirt.org/__mailman/listinfo/users > <http://lists.ovirt.org/mailman/listinfo/users>> > > > > > > > > > > > > > > > > > > > > > > > > > ___________________________________________________ > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org>> > http://lists.ovirt.org/____mailman/listinfo/users > <http://lists.ovirt.org/__mailman/listinfo/users> > <http://lists.ovirt.org/__mailman/listinfo/users > <http://lists.ovirt.org/mailman/listinfo/users>> > > > >

From: "Koen Vanoppen" <vanoppen.koen(a)gmail.com&gt; To: "Ondra Machacek" <omachace(a)redhat.com&gt;, users(a)ovirt.org Sent: Thursday, January 29, 2015 3:46:09 PM Subject: Re: [ovirt-users] AAA I saw that when I pressed the send button. If I do that i again get the following: 2015-01-29 14:28:35,891 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._ tcp.ldap.mydomain.com ': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._ tcp.ldap.mydomain.com ' 2015-01-29 14:28:35,924 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._ tcp.ldap.mydomain.com ': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._ tcp.ldap.mydomain.com ' And yes I replayed mydomain with the correct one... :-)

2015-01-29 14:40 GMT+01:00 Ondra Machacek < omachace(a)redhat.com > : On 01/29/2015 02:18 PM, Koen Vanoppen wrote: OK... Now I have this one :-) WARN [org.ovirt.engineextensions. aaa.ldap.AuthnExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa- ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: Invalid DNS pseudo-URL(s): uncomment vars.dns Changed the properties file to this: include = <ad.properties> # # Active directory domain name. # vars.domain = ldap.mydomain.com < http://ldap.mydomain.com > (this one resolves to and gives ping back, front end of the pool) # # Search user and its password. # vars.user = juniper-admin(a)mydomain.com <mailto: juniper-admin@ mydomain.com > vars.password = ***** # # Optional DNS servers, if enterprise # DNS server cannot resolve the domain srvrecord. # #vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these resolve and give a ping back) pool.default.serverset.type = srvrecord #pool.default.serverset. single.server = ${global:vars.server} pool.default.serverset. srvrecord.domain = ${global:vars.domain} pool.default.auth.simple. bindDN = ${global:vars.user} pool.default.auth.simple. password = ${global:vars.password} # Uncomment if using custom DNS pool.default.serverset. srvrecord.jndi-properties. java.naming.provider.url = ${global:vars.dns} pool.default.socketfactory. resolver.uRL = ${global:vars.dns} Thanks for your effort! 2015-01-29 13:50 GMT+01:00 Alon Bar-Lev < alonbl(a)redhat.com <mailto: alonbl(a)redhat.com >>: ----- Original Message ----- > From: "Koen Vanoppen" < vanoppen.koen(a)gmail.com <mailto: > vanoppen.koen@gmail. com >> > To: "Alon Bar-Lev" < alonbl(a)redhat.com <mailto: alonbl(a)redhat.com >> > Cc:users@ovirt.org <mailto: users(a)ovirt.org > > Sent: Thursday, January 29, 2015 2:41:52 PM > Subject: Re: [ovirt-users] AAA > > Yes We have: > > [root@ovirtmgmt01prod ~]# dig @ srvdc03.mydomain.com < > http://srvdc03.mydomain.com > SRV _gc._ > tcp.mydomain.com < http://tcp.mydomain.com > > > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23. rc1.el6_5.1 <<>> @ > srvdc03.mydomain.com < http://srvdc03.mydomain.com > > SRV _gc._ tcp.mydomain.com < http://tcp.mydomain.com > > ; (1 server found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340 > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;_gc._ tcp.mydomain.com < http://tcp.mydomain.com >. IN SRV this ^^^^^^^ means that you do not have srv record. are you sure you replace mydomain.com < http://mydomain.com > with your actual active directory domain name? have you tried to look into your dns manager for this information as well? > > ;; AUTHORITY SECTION: > mydomain.com < http://mydomain.com >. 3600 IN SOA srvdc03.mydomain.com < http://srvdc03.mydomain.com >. > hostmaster.airport. 1398582 900 600 86400 3600 > > ;; Query time: 12 msec > ;; SERVER: 10.110.3.123#53(10.110.3.123) > ;; WHEN: Thu Jan 29 13:40:41 2015 > ;; MSG SIZE rcvd: 98 > > > > 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev < alonbl(a)redhat.com <mailto: alonbl(a)redhat.com >>: > > > > > > > ----- Original Message ----- > > > From: "Koen Vanoppen" < vanoppen.koen(a)gmail.com <mailto: vanoppen.koen@gmail. com >> > > > To: "Alon Bar-Lev" < alonbl(a)redhat.com <mailto: alonbl(a)redhat.com >>, users(a)ovirt.org <mailto: users(a)ovirt.org > > > > Sent: Thursday, January 29, 2015 2:19:32 PM > > > Subject: Re: [ovirt-users] AAA > > > > > > Big thanks for your help, but still the same: > > > > > > # > > > # Active directory domain name. > > > # > > > vars.domain = mydomain.com < http://mydomain.com > > > > > > > # > > > # Search user and its password. > > > # > > > vars.user = admin@${global:vars.domain} > > > vars.password = ***** > > > > > > # > > > # Optional DNS servers, if enterprise > > > # DNS server cannot resolve the domain srvrecord. > > > # > > > vars.dns = dns://srvdc03.${global:vars. domain} > > > dns://srvdc04.${global:vars. domain} > > > > > > pool.default.serverset.type = srvrecord > > > pool.default.serverset. srvrecord.domain = ${global:vars.domain} > > > pool.default.auth.simple. bindDN = ${global:vars.user} > > > pool.default.auth.simple. password = ${global:vars.password} > > > > > > # Uncomment if using custom DNS > > > > > pool.default.serverset. srvrecord.jndi-properties. java.naming.provider.url = > > > ${global:vars.dns} > > > pool.default.socketfactory. resolver.uRL = ${global:vars.dns} > > > > > > > > > > > > [ovirt-engine-extension-aaa- ldap.authz::BRU_AIR-authz] Cannot initialize > > > LDAP framework, deferring initialization. Error: No DNS SRV records were > > > found with record name '_gc._tcp.brussels.airport'. > > > > > > And I can't put '_gc._ tcp.mydomain.com < http://tcp.mydomain.com > in the dns... Isn't there another > > > way it just resolves the dns servers I gave him? > > > > > > > Microsoft Domain controller must have gc service entry within DNS to work > > properly. > > 1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com < http://srvdc03.mydomain.com > ? > > 2. Can you please execute: > > $ dig @ srvdc03.mydomain.com < http://srvdc03.mydomain.com > SRV _gc._ tcp.mydomain.com < http://tcp.mydomain.com > > > 3. Can you please open the DNS manager within your domain and search for > > srv records? Maybe you have DNS installed only on few servers, using the > > DNS manager you can also see which. > > > > > > > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev < alonbl(a)redhat.com <mailto: alonbl(a)redhat.com >>: > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > From: "Ondra Machacek" < omachace(a)redhat.com <mailto: omachace(a)redhat.com >> > > > > > To: "Koen Vanoppen" < vanoppen.koen(a)gmail.com <mailto: vanoppen.koen@gmail. com >>, users(a)ovirt.org <mailto: users(a)ovirt.org > > > > > > Sent: Thursday, January 29, 2015 1:49:00 PM > > > > > Subject: Re: [ovirt-users] AAA > > > > > > > > > > > > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote: > > > > > > No, I don't. and I wouldn't know how he got to this name... > > > > > > > > > > Well, then you have to, if you want to use > > 'pool.default.serverset.type > > > > > = srvrecord'. > > > > > > > > > > It just need to know where your global catalog is running, since it's > > > > > needed for new provider. > > > > > > > > > > It searches for global catalog like this: > > > > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain} > > > > > > > > > > So you need to have this SRV record in DNS, if you want to use > > srvrecord > > > > > serverset type. Or you don't have to if you use single server type. > > > > > > > > active directory will not work without access to global catalog. > > > > please set one or more of the domain controllers as dns server, for > > > > example: > > > > > > > > vars.dns = dns://dc1.${global:vars. domain} > > dns://dc2.${global:vars. domain} > > > > > > > > please also uncomment/add these lines to make vars.dns effective. > > > > > > > > > > pool.default.serverset. srvrecord.jndi-properties. java.naming.provider.url > > > > = ${global:vars.dns} > > > > pool.default.socketfactory. resolver.uRL = ${global:vars.dns} > > > > > > > > Thanks! > > > > > > > > > > > > > > > > > > > > > Thanks for the reply! > > > > > > > > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek < omachace(a)redhat.com <mailto: omachace(a)redhat.com > > > > > > > <mailto: omachace(a)redhat.com <mailto: omachace(a)redhat.com >>> : > > > > > > > > > > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote: > > > > > > > > > > > > Can somebody help me setting up AAA for ovirt 3.5.1? > > > > > > > > > > > > I'm getting this now: > > > > > > > > > > > > 2015-01-29 11:35:36,889 WARN > > > > > > [org.ovirt.engineextensions.__ aaa.ldap.AuthzExtension] (MSC > > > > > > service thread > > > > > > 1-1) > > [ovirt-engine-extension-aaa-__ ldap.authz::BRU_AIR-authz] > > > > > > Cannot > > > > > > initialize LDAP framework, deferring initialization. > > Error: An > > > > > > error > > > > > > occurred while attempting to query DNS in order to > > retrieve SRV > > > > > > records > > > > > > with name '_gc._tcp.brussels.airport': > > > > > > javax.naming.__ NameNotFoundException: DNS name not found > > > > > > [response code > > > > > > 3]; remaining name '_gc._tcp.brussels.airport' > > > > > > > > > > > > > > > > > > Do you have this '_gc._tcp.brussels.airport' SRV record in DNS > > ? > > > > > > > > > > > > > > > > > > my 3 configs: > > > > > > _*BRU_AIR-authn.properties*_ > > > > > > ovirt.engine.extension.name < http://ovirt.engine. extension.name > < > > > > http://ovirt.engine.extension. name > > > > > > > < http://ovirt.engine. __ extensi on.name < http://extension.name > > > > > > > < http://ovirt.engine. extension.name >> = > > > > > > BRU_AIR-authn > > > > > > ovirt.engine.extension.__ bindings.method = jbossmodule > > > > > > ovirt.engine.extension.__ binding.jbossmodule.module = > > > > > > org.ovirt.engine-extensions.__ aaa.ldap > > > > > > ovirt.engine.extension.__ binding.jbossmodule.class = > > > > > > org.ovirt.engineextensions.__ aaa.ldap.AuthnExtension > > > > > > ovirt.engine.extension.__ provides = > > > > > > org.ovirt.engine.api.__ extensions.aaa.Authn > > > > > > ovirt.engine.aaa.authn.__ profi le.name < http://profile.name > > > > > > > < http://ovirt.engine.aaa. authn.profile.name > > > > > > > < http://ovirt.engine.aaa. __ aut hn.profile.name < http://authn.profile.name > > > > > > > < http://ovirt.engine.aaa. authn.profile.name >> = BRU-AIR > > > > > > ovirt.engine.aaa.authn.authz._ _plugin = BRU_AIR-authz > > > > > > config.profile.file.1 = > > > > /etc/ovirt-engine/aaa/BRU_AIR. __properties > > > > > > > > > > > > _*BRU_AIR-authz.properties*_ > > > > > > ovirt.engine.extension.name < http://ovirt.engine. extension.name > < > > > > http://ovirt.engine.extension. name > > > > > > > < http://ovirt.engine. __ extensi on.name < http://extension.name > > > > > > > < http://ovirt.engine. extension.name >> = > > > > > > BRU_AIR-authz > > > > > > ovirt.engine.extension.__ bindings.method = jbossmodule > > > > > > ovirt.engine.extension.__ binding.jbossmodule.module = > > > > > > org.ovirt.engine-extensions.__ aaa.ldap > > > > > > ovirt.engine.extension.__ binding.jbossmodule.class = > > > > > > org.ovirt.engineextensions.__ aaa.ldap.AuthzExtension > > > > > > ovirt.engine.extension.__ provides = > > > > > > org.ovirt.engine.api.__ extensions.aaa.Authz > > > > > > config.profile.file.1 = > > > > /etc/ovirt-engine/aaa/BRU_AIR. __properties > > > > > > > > > > > > _*BRU_AIR.properties*_ > > > > > > include = <ad.properties> > > > > > > > > > > > > # > > > > > > # Active directory domain name. > > > > > > # > > > > > > vars.domain = mydomain.com < http://mydomain.com > < http://mydomain.com > > > > > > > < http://mydomain.com > > > > > > > > > > > > > # > > > > > > # Search user and its password. > > > > > > # > > > > > > vars.user = admin@${global:vars.domain} > > > > > > vars.password = *********** > > > > > > > > > > > > # > > > > > > # Optional DNS servers, if enterprise > > > > > > # DNS server cannot resolve the domain srvrecord. > > > > > > # > > > > > > vars.dns = dns:// dc01.mydomain.com < http://dc01.mydomain.com > < > > http://dc01.mydomain.com > > > > > > > < http://dc01.mydomain.com > > > > > > > > > > > > > pool.default.serverset.type = srvrecord > > > > > > pool.default.serverset.__ srvrecord.domain = > > > > ${global:vars.domain} > > > > > > pool.default.auth.simple.__ bindDN = ${global:vars.user} > > > > > > pool.default.auth.simple.__ password = > > ${global:vars.password > > > > > > > > > > > > In the GUI for adding user I get this: > > > > > > > > > > > > An error occurred while attempting to query DNS in order to > > > > > > retrieve SRV > > > > > > records with name '_gc__tcp_brussels_airport': > > > > > > javax_naming___ NameNotFoundException: DNS name not found > > > > > > [response code > > > > > > 3]; remaining name '_gc__tcp_brussels_airport' > > > > > > > > > > > > Any ideas? I ran out... > > > > > > > > > > > > Kind regards, > > > > > > > > > > > > Koen > > > > > > > > > > > > > > > > > > ______________________________ ___________________ > > > > > > Users mailing list > > > > > > Users(a)ovirt.org <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> > > > > > > http://lists.ovirt.org/__ mailman/listinfo/users > > > > > > < http://lists.ovirt.org/ mailman/listinfo/users > > > > > > > > > > > > > > > > > > ______________________________ _________________ > > > > > Users mailing list > > > > > Users(a)ovirt.org <mailto: Users(a)ovirt.org > > > > > > http://lists.ovirt.org/ mailman/listinfo/users > > > > > > > > > > > > > > > ______________________________ _________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/ mailman/listinfo/users _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users