[ovirt-devel] oVirt AAA LDAP

Tang Jackson tangjack at square-enix.com
Wed Dec 17 02:37:15 UTC 2014 

Hello Alon,

Thanks I've figured it out yesterday, it was due to the global catalog pointer being wrong as you said.



-----Original Message-----
From: Alon Bar-Lev [mailto:alonbl at redhat.com] 
Sent: Wednesday, December 17, 2014 8:23 AM
To: Tang Jackson
Cc: devel at ovirt.org
Subject: Re: [ovirt-devel] oVirt AAA LDAP



----- Original Message -----
> From: "Tang Jackson" <tangjack at square-enix.com>
> To: devel at ovirt.org
> Sent: Monday, December 15, 2014 11:55:22 AM
> Subject: [ovirt-devel] oVirt AAA LDAP
> 
> 
> 
> Hello Alon,
> 
> 
> 
> I am having some trouble using the new aaa released in version 3.5 of oVirt.
> 
> 
> 
> include = <ad.properties>
> 
> 
> 
> #
> 
> # Active directory domain name.
> 
> #
> 
> vars.domain = jp.co.xxxxx.com
> 
> 
> 
> #
> 
> # Search user and its password.
> 
> #
> 
> #vars.user = CN=username,OU=UserAccounts,DC=jp,DC=co,DC=xxx,DC=com
> 
> vars.user = xxx

user should be username@${global:vars.domain}

> 
> vars.password = xxxxxx
> 
> 
> 
> #
> 
> # Optional DNS servers, if enterprise
> 
> # DNS server cannot resolve the domain srvrecord.
> 
> #
> 
> vars.dns = dns://xxx.jp.co.xxxx.com

this must point to active directory dns implementation, all srv records should be available, you can choose one or more domain controllers or remove this if your default dns is referring the microsoft dns.

<snip>

> 2014-12-15 13:39:28,265 ERROR
> [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service 
> thread
> 1-6) [ovirt-engine-extension-aaa-ldap.authz::sqex-authz] Cannot 
> initialize LDAP framework, deferring initialization. Error: An error 
> occurred while attempting to query DNS in order to retrieve SRV 
> records with name
> '_gc._tcp.jp.co.square-enix.com': javax.naming.NameNotFoundException: 
> DNS name not found [response code 3]; remaining name 
> '_gc._tcp.jp.co.square-enix.com'

this states that the jp.co.square-enix.com is either:
1. not active directory domain name, missing component or similar, or spelled incorrectly.
2. the ldap you refer to is missing active directory srv records.

Alon

More information about the Devel mailing list