[ovirt-devel] oVirt AAA LDAP

Tang Jackson tangjack at square-enix.com
Mon Dec 15 09:55:22 UTC 2014


Hello Alon,

I am having some trouble using the new AAA released in version 3.5 of oVirt.

include = <ad.properties>

#
# Active directory domain name.
#
vars.domain = jp.co.xxxxx.com

#
# Search user and its password.
#
#vars.user = CN=username,OU=UserAccounts,DC=jp,DC=co,DC=xxx,DC=com
vars.user = xxx
vars.password = xxxxxx

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
vars.dns = dns://xxx.jp.co.xxxx.com

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
#pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
#pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
#pool.default.ssl.truststore.password = changeit

ovirt.engine.extension.name = sqex-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = sqex
ovirt.engine.aaa.authn.authz.plugin = sqex-authz
config.profile.file.1 = /etc/ovirt-engine/aaa/sqex.properties

ovirt.engine.extension.name = sqex-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/sqex.properties


The error in the engine log is as follows:

2014-12-15 13:39:12,828 INFO  [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-4) Loaded file "/etc/ovirt-engine/engine.conf.d/50-ovirt-engine-extension-aaa-ldap.conf".
2014-12-15 13:39:12,855 INFO  [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-4) Value of property "ENGINE_JAVA_MODULEPATH" is "/usr/share/ovirt-engine/modules:/usr/share/ovirt-engine-extension-aaa-ldap/modules".
2014-12-15 13:39:14,053 INFO  [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-6) [ovirt-engine-extension-aaa-ldap.authz::sqex-authz] Creating LDAP pool 'authz'
2014-12-15 13:39:27,259 INFO  [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-6) [ovirt-engine-extension-aaa-ldap.authz::sqex-authz] Creating LDAP pool 'gc'
2014-12-15 13:39:28,265 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-6) [ovirt-engine-extension-aaa-ldap.authz::sqex-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc._tcp.jp.co.square-enix.com':  javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc._tcp.jp.co.square-enix.com'
2014-12-15 13:39:28,271 INFO  [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-6) [ovirt-engine-extension-aaa-ldap.authn::sqex-authn] Creating LDAP pool 'authz'
2014-12-15 13:39:36,316 INFO  [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-6) [ovirt-engine-extension-aaa-ldap.authn::sqex-authn] Creating LDAP pool 'authn'
2014-12-15 13:39:39,384 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-6) Instance name: 'sqex-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.0', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/etc/ovirt-engine/extensions.d/sqex-authz.properties', Initialized: 'true'
2014-12-15 13:39:39,388 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-6) Instance name: 'sqex-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.0', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/etc/ovirt-engine/extensions.d/sqex-authn.properties', Initialized: 'true'

The oVirt server can find the DNS name from the CLI.

Regards,

J Tang
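As an added diagnostic example (not part of the original post or of the oVirt project's code), the script below parses a profile like the one above, resolves the ${global:...} references, and reports which SRV names the srvrecord serverset will look up for each pool and whether the custom DNS override line is active. The sample profile, the mapping of the 'gc' pool to _gc._tcp and of the other pools to _ldap._tcp, and the domain/hostnames are constructed assumptions based on the log line in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample profile mirroring the posted one; the custom-DNS
# override line is still commented out, exactly as in the original post.
SAMPLE_PROFILE = """
include = <ad.properties>
vars.domain = jp.co.example.com
#vars.user = CN=username,OU=UserAccounts,DC=jp,DC=co,DC=example,DC=com
vars.user = xxx
vars.password = xxxxxx
vars.dns = dns://dns01.jp.co.example.com
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
#pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
"""

DNS_OVERRIDE_KEY = "pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url"
REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_profile(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (active key/value pairs, keys that are commented out)."""
    active: Dict[str, str] = {}
    commented: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue  # blank line or pure comment
        key, _, value = line.partition("=")  # split at the first '=' only
        key, value = key.strip(), value.strip()
        if key.startswith("#"):
            commented.append(key.lstrip("#").strip())
        else:
            active[key] = value
    # Resolve ${global:vars.x} references; unknown references are left as-is.
    for key in list(active):
        active[key] = REF.sub(lambda m: active.get(m.group(1), m.group(0)), active[key])
    return active, commented


def srv_names(active: Dict[str, str], pools=("authn", "authz", "gc")) -> Dict[str, str]:
    """SRV names the srvrecord serverset queries per pool (assumed: gc -> _gc, others -> _ldap)."""
    domain = active.get("pool.default.serverset.srvrecord.domain", "")
    return {p: f"_{'gc' if p == 'gc' else 'ldap'}._tcp.{domain}" for p in pools}


def dns_override(active: Dict[str, str], commented: List[str]) -> str:
    """Which resolver the SRV lookup will use: the explicit dns:// URL or the JVM's system resolver."""
    if DNS_OVERRIDE_KEY in active:
        return active[DNS_OVERRIDE_KEY]
    return "system resolver" + (" (override line is commented out)" if DNS_OVERRIDE_KEY in commented else "")
```

Running it against the real /etc/ovirt-engine/aaa/<profile>.properties shows at a glance that the engine queries _gc._tcp.<domain> in addition to _ldap._tcp.<domain>, and that with the override line commented out the lookup goes through the JVM's resolver rather than the dns:// server named in vars.dns.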