[ovirt-users] AAA

Koen Vanoppen vanoppen.koen at gmail.com
Thu Jan 29 13:32:55 UTC 2015


Can't I use domain service? I'm getting a bit grrrrr... :-). We already
used LDAP login for ovirt before the AAA with the engine-manage-domains.
And this worked.
[root at ovirtmgmt01prod aaa]# engine-manage-domains validateDomain my.domain
is valid.
The configured user for domain my.domain is juniper-admin at BRUSSELS.AIRPORT

Manage Domains completed successfully


2015-01-29 14:18 GMT+01:00 Koen Vanoppen <vanoppen.koen at gmail.com>:

> OK... Now I have this one :-)
> WARN  [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: Invalid DNS pseudo-URL(s):
>
> Changed the properties file to this:
>
> include = <ad.properties>
>
> #
> # Active directory domain name.
> #
> vars.domain = ldap.mydomain.com (this one resolves to and gives ping
> back, front end of the pool)
>
> #
> # Search user and its password.
> #
> vars.user = juniper-admin at mydomain.com
> vars.password = *****
>
> #
> # Optional DNS servers, if enterprise
> # DNS server cannot resolve the domain srvrecord.
> #
> #vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these resolve
> and give a ping back)
>
> pool.default.serverset.type = srvrecord
> #pool.default.serverset.single.server = ${global:vars.server}
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> # Uncomment if using custom DNS
> pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>
>
> Thanks for your effort!
>
>
> 2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alonbl at redhat.com>:
>
>>
>>
>> ----- Original Message -----
>> > From: "Koen Vanoppen" <vanoppen.koen at gmail.com>
>> > To: "Alon Bar-Lev" <alonbl at redhat.com>
>> > Cc: users at ovirt.org
>> > Sent: Thursday, January 29, 2015 2:41:52 PM
>> > Subject: Re: [ovirt-users] AAA
>> >
>> > Yes We have:
>> >
>> > [root at ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
>> >
>> > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
>> > ; (1 server found)
>> > ;; global options: +cmd
>> > ;; Got answer:
>> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
>> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> >
>> > ;; QUESTION SECTION:
>> > ;_gc._tcp.mydomain.com. IN      SRV
>>
>> This ^^^^^^^ means that you do not have an SRV record. Are you sure you
>> replaced mydomain.com with your actual Active Directory domain name?
>> Have you tried to look into your DNS manager for this information as well?
>>
>> >
>> > ;; AUTHORITY SECTION:
>> > mydomain.com.   3600    IN      SOA     srvdc03.mydomain.com.
>> > hostmaster.airport. 1398582 900 600 86400 3600
>> >
>> > ;; Query time: 12 msec
>> > ;; SERVER: 10.110.3.123#53(10.110.3.123)
>> > ;; WHEN: Thu Jan 29 13:40:41 2015
>> > ;; MSG SIZE  rcvd: 98
>> >
>> >
>> >
>> > 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <alonbl at redhat.com>:
>> >
>> > >
>> > >
>> > > ----- Original Message -----
>> > > > From: "Koen Vanoppen" <vanoppen.koen at gmail.com>
>> > > > To: "Alon Bar-Lev" <alonbl at redhat.com>, users at ovirt.org
>> > > > Sent: Thursday, January 29, 2015 2:19:32 PM
>> > > > Subject: Re: [ovirt-users] AAA
>> > > >
>> > > > Big thanks for your help, but still the same:
>> > > >
>> > > > #
>> > > > # Active directory domain name.
>> > > > #
>> > > > vars.domain = mydomain.com
>> > > >
>> > > > #
>> > > > # Search user and its password.
>> > > > #
>> > > > vars.user = admin@${global:vars.domain}
>> > > > vars.password = *****
>> > > >
>> > > > #
>> > > > # Optional DNS servers, if enterprise
>> > > > # DNS server cannot resolve the domain srvrecord.
>> > > > #
>> > > > vars.dns = dns://srvdc03.${global:vars.domain} dns://srvdc04.${global:vars.domain}
>> > > >
>> > > > pool.default.serverset.type = srvrecord
>> > > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
>> > > > pool.default.auth.simple.bindDN = ${global:vars.user}
>> > > > pool.default.auth.simple.password = ${global:vars.password}
>> > > >
>> > > > # Uncomment if using custom DNS
>> > > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
>> > > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>> > > >
>> > > >
>> > > >
>> > > > [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: No DNS SRV records were found with record name '_gc._tcp.brussels.airport'.
>> > > >
>> > > > And I can't put '_gc._tcp.mydomain.com' in the DNS... Isn't there another way it just resolves the DNS servers I gave him?
>> > > >
>> > >
>> > > A Microsoft domain controller must have a GC service entry within DNS to work properly.
>> > > 1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com?
>> > > 2. Can you please execute:
>> > > $ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
>> > > 3. Can you please open the DNS manager within your domain and search for SRV records? Maybe you have DNS installed only on a few servers; using the DNS manager you can also see which.
>> > >
>> > > >
>> > > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl at redhat.com>:
>> > > >
>> > > > >
>> > > > >
>> > > > > ----- Original Message -----
>> > > > > > From: "Ondra Machacek" <omachace at redhat.com>
>> > > > > > To: "Koen Vanoppen" <vanoppen.koen at gmail.com>, users at ovirt.org
>> > > > > > Sent: Thursday, January 29, 2015 1:49:00 PM
>> > > > > > Subject: Re: [ovirt-users] AAA
>> > > > > >
>> > > > > >
>> > > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
>> > > > > > > No, I don't. and I wouldn't know how he got to this name...
>> > > > > >
>> > > > > > Well, then you have to, if you want to use 'pool.default.serverset.type = srvrecord'.
>> > > > > >
>> > > > > > It just needs to know where your global catalog is running, since it's needed for the new provider.
>> > > > > >
>> > > > > > It searches for the global catalog like this:
>> > > > > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}
>> > > > > >
>> > > > > > So you need to have this SRV record in DNS if you want to use the srvrecord serverset type. Or you don't have to if you use the single server type.
>> > > > >
>> > > > > Active Directory will not work without access to the global catalog.
>> > > > > Please set one or more of the domain controllers as DNS server, for example:
>> > > > >
>> > > > > vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
>> > > > >
>> > > > > Please also uncomment/add these lines to make vars.dns effective.
>> > > > >
>> > > > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
>> > > > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>> > > > >
>> > > > > Thanks!
>> > > > >
>> > > > > >
>> > > > > > >
>> > > > > > > Thanks for the reply!
>> > > > > > >
>> > > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek <omachace at redhat.com>:
>> > > > > > >
>> > > > > > >     On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
>> > > > > > >
>> > > > > > >         Can somebody help me setting up AAA for ovirt 3.5.1?
>> > > > > > >
>> > > > > > >         I'm getting this now:
>> > > > > > >
>> > > > > > >         2015-01-29 11:35:36,889 WARN  [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc._tcp.brussels.airport': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc._tcp.brussels.airport'
>> > > > > > >
>> > > > > > >
>> > > > > > >     Do you have this '_gc._tcp.brussels.airport' SRV record in DNS?
>> > > > > > >
>> > > > > > >
>> > > > > > >         my 3 configs:
>> > > > > > >         BRU_AIR-authn.properties
>> > > > > > >         ovirt.engine.extension.name = BRU_AIR-authn
>> > > > > > >         ovirt.engine.extension.bindings.method = jbossmodule
>> > > > > > >         ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>> > > > > > >         ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>> > > > > > >         ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>> > > > > > >         ovirt.engine.aaa.authn.profile.name = BRU-AIR
>> > > > > > >         ovirt.engine.aaa.authn.authz.plugin = BRU_AIR-authz
>> > > > > > >         config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
>> > > > > > >
>> > > > > > >         BRU_AIR-authz.properties
>> > > > > > >         ovirt.engine.extension.name = BRU_AIR-authz
>> > > > > > >         ovirt.engine.extension.bindings.method = jbossmodule
>> > > > > > >         ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>> > > > > > >         ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>> > > > > > >         ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>> > > > > > >         config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
>> > > > > > >
>> > > > > > >         BRU_AIR.properties
>> > > > > > >         include = <ad.properties>
>> > > > > > >
>> > > > > > >         #
>> > > > > > >         # Active directory domain name.
>> > > > > > >         #
>> > > > > > >         vars.domain = mydomain.com
>> > > > > > >
>> > > > > > >         #
>> > > > > > >         # Search user and its password.
>> > > > > > >         #
>> > > > > > >         vars.user = admin@${global:vars.domain}
>> > > > > > >         vars.password = ***********
>> > > > > > >
>> > > > > > >         #
>> > > > > > >         # Optional DNS servers, if enterprise
>> > > > > > >         # DNS server cannot resolve the domain srvrecord.
>> > > > > > >         #
>> > > > > > >         vars.dns = dns://dc01.mydomain.com
>> > > > > > >
>> > > > > > >         pool.default.serverset.type = srvrecord
>> > > > > > >         pool.default.serverset.srvrecord.domain = ${global:vars.domain}
>> > > > > > >         pool.default.auth.simple.bindDN = ${global:vars.user}
>> > > > > > >         pool.default.auth.simple.password = ${global:vars.password}
>> > > > > > >         In the GUI for adding user I get this:
>> > > > > > >
>> > > > > > >         An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc__tcp_brussels_airport': javax_naming_NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc__tcp_brussels_airport'
>> > > > > > >
>> > > > > > >         Any ideas? I ran out...
>> > > > > > >
>> > > > > > >         Kind regards,
>> > > > > > >
>> > > > > > >         Koen
>> > > > > > >
>> > > > > > >
>> > > > > > >         _______________________________________________
>> > > > > > >         Users mailing list
>> > > > > > >         Users at ovirt.org
>> > > > > > >         http://lists.ovirt.org/mailman/listinfo/users
>> > > > > > >
>> > > > > > >
>> > > > > >
>> > > > >
>> > > >
>> > >
>> >
>>
>
>
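The two failure modes in this thread are a missing `_gc._tcp.<domain>` SRV record and, in the last message, `vars.dns` commented out while the JNDI provider URL still expands `${global:vars.dns}`. As an added example (not oVirt's code and not from any poster), here is a small Python preflight that parses a BRU_AIR.properties-style file, expands `${global:...}` references, reports the SRV name a srvrecord serverset will query, and flags empty or malformed `dns://` pseudo-URLs. It assumes an unset `${global:...}` reference expands to an empty string, which fits the empty list in the "Invalid DNS pseudo-URL(s):" message but is not confirmed by the thread.

```python
import re

# Constructed sample modelled on the thread's last BRU_AIR.properties: vars.dns is
# commented out while the JNDI provider URL still references ${global:vars.dns}.
SAMPLE = """\
include = <ad.properties>
vars.domain = mydomain.com
vars.user = admin@${global:vars.domain}
vars.password = secret
#vars.dns = dns://srvdc03.mydomain.com dns://srvdc04.mydomain.com
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
"""

VAR_REF = re.compile(r"\$\{global:([^}]+)\}")
DNS_URL = re.compile(r"^dns://[A-Za-z0-9.-]+(?::\d{1,5})?$")
DNS_KEYS = ("pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url",
            "pool.default.socketfactory.resolver.uRL")

def load_properties(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def expand(props, value):
    """Resolve ${global:key} recursively; assumption: an unset key expands to ''."""
    return VAR_REF.sub(lambda m: expand(props, props.get(m.group(1), "")), value)

def check(text):
    """Return the SRV name a srvrecord serverset will query plus any config errors."""
    props, errors, srv_name = load_properties(text), [], None
    if props.get("pool.default.serverset.type") == "srvrecord":
        domain = expand(props, props.get("pool.default.serverset.srvrecord.domain", ""))
        srv_name = "_gc._tcp." + domain if domain else None  # global catalog record
        errors += [] if domain else ["srvrecord serverset but srvrecord.domain is empty"]
    for key in (k for k in DNS_KEYS if k in props):  # keys that carry vars.dns
        urls = expand(props, props[key]).split()
        errors += [key + " expands to an empty DNS pseudo-URL list"] if not urls else []
        errors += [key + ": invalid DNS pseudo-URL " + u for u in urls if not DNS_URL.match(u)]
    return {"srv_name": srv_name, "errors": errors}
```

Run `check()` over the real properties file before restarting the engine; the reported `srv_name` is exactly what to hand to `dig -t SRV` against each `vars.dns` server.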