[ovirt-users] AAA

Koen Vanoppen vanoppen.koen at gmail.com
Thu Jan 29 13:54:56 UTC 2015


I just don't understand. Why did engine-manage-domains previously work,
no problems whatsoever, and now I have this...

2015-01-29 14:48 GMT+01:00 Ondra Machacek <omachace at redhat.com>:

> It's the same situation as before, but now you are missing the ldap SRV record.
>
> With the same steps you used to add the _gc SRV record, also add the _ldap SRV record.
> But it's strange that you don't already have them.
>
> On 01/29/2015 02:46 PM, Koen Vanoppen wrote:
>
>> I saw that when I pressed the send button. If I do that I again get the
>> following:
>>
>> 2015-01-29 14:28:35,891 WARN
>> [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread
>> 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot
>> initialize LDAP framework, deferring initialization. Error: An error
>> occurred while attempting to query DNS in order to retrieve SRV records
>> with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException:
>> DNS name not found [response code 3]; remaining name
>> '_ldap._tcp.ldap.mydomain.com'
>> 2015-01-29 14:28:35,924 WARN
>> [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread
>> 1-1) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot
>> initialize LDAP framework, deferring initialization. Error: An error
>> occurred while attempting to query DNS in order to retrieve SRV records
>> with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException:
>> DNS name not found [response code 3]; remaining name
>> '_ldap._tcp.ldap.mydomain.com'
>>
>> And yes, I replaced mydomain with the correct one... :-)
>>
>> 2015-01-29 14:40 GMT+01:00 Ondra Machacek <omachace at redhat.com>:
>>
>>
>>
>>     On 01/29/2015 02:18 PM, Koen Vanoppen wrote:
>>
>>         OK... Now I have this one :-)
>>         WARN  [org.ovirt.engineextensions.aaa.ldap.AuthnExtension]
>>         (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn]
>>         Cannot initialize LDAP framework, deferring initialization. Error:
>>         Invalid DNS pseudo-URL(s):
>>
>>
>>     uncomment vars.dns
>>
>>
>>         Changed the properties file to this:
>>
>>         include = <ad.properties>
>>
>>         #
>>         # Active directory domain name.
>>         #
>>         vars.domain = ldap.mydomain.com (this one
>>         resolves to and gives ping back, front end of the pool)
>>
>>         #
>>         # Search user and its password.
>>         #
>>         vars.user = juniper-admin@mydomain.com
>>         vars.password = *****
>>
>>         #
>>         # Optional DNS servers, if enterprise
>>         # DNS server cannot resolve the domain srvrecord.
>>         #
>>         #vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these
>>         resolve and give a ping back)
>>
>>         pool.default.serverset.type = srvrecord
>>         #pool.default.serverset.single.server = ${global:vars.server}
>>         pool.default.serverset.srvrecord.domain = ${global:vars.domain}
>>         pool.default.auth.simple.bindDN = ${global:vars.user}
>>         pool.default.auth.simple.password = ${global:vars.password}
>>
>>         # Uncomment if using custom DNS
>>         pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
>>         pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>>
>>
>>         Thanks for your effort!
>>
>>
>>         2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alonbl at redhat.com>:
>>
>>
>>
>>              ----- Original Message -----
>>              > From: "Koen Vanoppen" <vanoppen.koen at gmail.com>
>>              > To: "Alon Bar-Lev" <alonbl at redhat.com>
>>              > Cc: users at ovirt.org
>>              > Sent: Thursday, January 29, 2015 2:41:52 PM
>>              > Subject: Re: [ovirt-users] AAA
>>              >
>>              > Yes We have:
>>              >
>>              > [root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
>>              >
>>              > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
>>              > ; (1 server found)
>>              > ;; global options: +cmd
>>              > ;; Got answer:
>>              > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
>>              > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>              >
>>              > ;; QUESTION SECTION:
>>              > ;_gc._tcp.mydomain.com.          IN      SRV
>>
>>              this ^^^^^^^ means that you do not have the srv record. are you
>>              sure you replaced mydomain.com with your actual active
>>              directory domain name?
>>              have you tried to look into your dns manager for this
>>              information as well?
>>
>>               >
>>               > ;; AUTHORITY SECTION:
>>               > mydomain.com.   3600    IN      SOA     srvdc03.mydomain.com. hostmaster.airport. 1398582 900 600 86400 3600
>>               >
>>               > ;; Query time: 12 msec
>>               > ;; SERVER: 10.110.3.123#53(10.110.3.123)
>>               > ;; WHEN: Thu Jan 29 13:40:41 2015
>>               > ;; MSG SIZE  rcvd: 98
>>               >
>>               >
>>               >
>>               > 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <alonbl at redhat.com>:
>>               >
>>               > >
>>               > >
>>               > > ----- Original Message -----
>>               > > > From: "Koen Vanoppen" <vanoppen.koen at gmail.com>
>>               > > > To: "Alon Bar-Lev" <alonbl at redhat.com>, users at ovirt.org
>>               > > > Sent: Thursday, January 29, 2015 2:19:32 PM
>>               > > > Subject: Re: [ovirt-users] AAA
>>               > > >
>>               > > > Big thanks for your help, but still the same:
>>               > > >
>>               > > > #
>>               > > > # Active directory domain name.
>>               > > > #
>>               > > > vars.domain = mydomain.com
>>               > > >
>>               > > > #
>>               > > > # Search user and its password.
>>               > > > #
>>               > > > vars.user = admin@${global:vars.domain}
>>               > > > vars.password = *****
>>               > > >
>>               > > > #
>>               > > > # Optional DNS servers, if enterprise
>>               > > > # DNS server cannot resolve the domain srvrecord.
>>               > > > #
>>               > > > vars.dns = dns://srvdc03.${global:vars.domain} dns://srvdc04.${global:vars.domain}
>>               > > >
>>               > > > pool.default.serverset.type = srvrecord
>>               > > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
>>               > > > pool.default.auth.simple.bindDN = ${global:vars.user}
>>               > > > pool.default.auth.simple.password = ${global:vars.password}
>>               > > >
>>               > > > # Uncomment if using custom DNS
>>               > > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
>>               > > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>>               > > >
>>               > > >
>>               > > >
>>               > > > [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize
>>               > > > LDAP framework, deferring initialization. Error: No DNS SRV records were
>>               > > > found with record name '_gc._tcp.brussels.airport'.
>>               > > >
>>               > > > And I can't put '_gc._tcp.mydomain.com' in the dns... Isn't there another
>>               > > > way it just resolves the dns servers I gave him?
>>               > > >
>>               > >
>>               > > A Microsoft Domain controller must have a gc service entry within DNS to work
>>               > > properly.
>>               > > 1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com ?
>>               > > 2. Can you please execute:
>>               > > $ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
>>               > > 3. Can you please open the DNS manager within your domain and search for
>>               > > srv records? Maybe you have DNS installed only on a few servers; using the
>>               > > DNS manager you can also see which.
>>               > >
>>               > > >
>>               > > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl at redhat.com>:
>>               > > >
>>               > > > >
>>               > > > >
>>               > > > > ----- Original Message -----
>>               > > > > > From: "Ondra Machacek" <omachace at redhat.com>
>>               > > > > > To: "Koen Vanoppen" <vanoppen.koen at gmail.com>, users at ovirt.org
>>               > > > > > Sent: Thursday, January 29, 2015 1:49:00 PM
>>               > > > > > Subject: Re: [ovirt-users] AAA
>>               > > > > >
>>               > > > > >
>>               > > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
>>               > > > > > > No, I don't. and I wouldn't know how he got to this name...
>>               > > > > >
>>               > > > > > Well, then you have to, if you want to use 'pool.default.serverset.type
>>               > > > > > = srvrecord'.
>>               > > > > >
>>               > > > > > It just needs to know where your global catalog is running, since it's
>>               > > > > > needed for the new provider.
>>               > > > > >
>>               > > > > > It searches for the global catalog like this:
>>               > > > > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}
>>               > > > > >
>>               > > > > > So you need to have this SRV record in DNS, if you want to use the srvrecord
>>               > > > > > serverset type. Or you don't have to if you use the single server type.
>>               > > > >
>>               > > > > active directory will not work without access to the global catalog.
>>               > > > > please set one or more of the domain controllers as dns server, for
>>               > > > > example:
>>               > > > >
>>               > > > > vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
>>               > > > >
>>               > > > > please also uncomment/add these lines to make vars.dns effective.
>>               > > > >
>>               > > > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
>>               > > > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>>               > > > >
>>               > > > > Thanks!
>>               > > > >
>>               > > > > >
>>               > > > > > >
>>               > > > > > > Thanks for the reply!
>>               > > > > > >
>>               > > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek <omachace at redhat.com>:
>>
>>               > > > > > >
>>               > > > > > >     On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
>>               > > > > > >
>>               > > > > > >         Can somebody help me setting up AAA for ovirt 3.5.1?
>>               > > > > > >
>>               > > > > > >         I'm getting this now:
>>               > > > > > >
>>               > > > > > >         2015-01-29 11:35:36,889 WARN
>>               > > > > > >         [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC
>>               > > > > > >         service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz]
>>               > > > > > >         Cannot initialize LDAP framework, deferring initialization. Error: An
>>               > > > > > >         error occurred while attempting to query DNS in order to retrieve SRV
>>               > > > > > >         records with name '_gc._tcp.brussels.airport':
>>               > > > > > >         javax.naming.NameNotFoundException: DNS name not found [response code
>>               > > > > > >         3]; remaining name '_gc._tcp.brussels.airport'
>>               > > > > > >
>>               > > > > > >
>>               > > > > > >     Do you have this '_gc._tcp.brussels.airport' SRV record in DNS?
>>               > > > > > >
>>               > > > > > >
>>               > > > > > >         my 3 configs:
>>               > > > > > >         _*BRU_AIR-authn.properties*_
>>               > > > > > >         ovirt.engine.extension.name = BRU_AIR-authn
>>               > > > > > >         ovirt.engine.extension.bindings.method = jbossmodule
>>               > > > > > >         ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>               > > > > > >         ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>               > > > > > >         ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>               > > > > > >         ovirt.engine.aaa.authn.profile.name = BRU-AIR
>>               > > > > > >         ovirt.engine.aaa.authn.authz.plugin = BRU_AIR-authz
>>               > > > > > >         config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
>>               > > > > > >
>>               > > > > > >         _*BRU_AIR-authz.properties*_
>>               > > > > > >         ovirt.engine.extension.name = BRU_AIR-authz
>>               > > > > > >         ovirt.engine.extension.bindings.method = jbossmodule
>>               > > > > > >         ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>               > > > > > >         ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>               > > > > > >         ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>               > > > > > >         config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
>>               > > > > > >
>>               > > > > > >         _*BRU_AIR.properties*_
>>               > > > > > >         include = <ad.properties>
>>               > > > > > >
>>               > > > > > >         #
>>               > > > > > >         # Active directory domain name.
>>               > > > > > >         #
>>               > > > > > >         vars.domain = mydomain.com
>>               > > > > > >
>>               > > > > > >         #
>>               > > > > > >         # Search user and its password.
>>               > > > > > >         #
>>               > > > > > >         vars.user = admin@${global:vars.domain}
>>               > > > > > >         vars.password = ***********
>>               > > > > > >
>>               > > > > > >         #
>>               > > > > > >         # Optional DNS servers, if enterprise
>>               > > > > > >         # DNS server cannot resolve the domain srvrecord.
>>               > > > > > >         #
>>               > > > > > >         vars.dns = dns://dc01.mydomain.com
>>               > > > > > >
>>               > > > > > >         pool.default.serverset.type = srvrecord
>>               > > > > > >         pool.default.serverset.srvrecord.domain = ${global:vars.domain}
>>               > > > > > >         pool.default.auth.simple.bindDN = ${global:vars.user}
>>               > > > > > >         pool.default.auth.simple.password = ${global:vars.password}
>>               > > > > > >
>>               > > > > > >         In the GUI for adding user I get this:
>>               > > > > > >
>>               > > > > > >         An error occurred while attempting to query DNS in order to
>>               > > > > > >         retrieve SRV records with name '_gc__tcp_brussels_airport':
>>               > > > > > >         javax_naming_NameNotFoundException: DNS name not found [response code
>>               > > > > > >         3]; remaining name '_gc__tcp_brussels_airport'
>>               > > > > > >
>>               > > > > > >         Any ideas? I ran out...
>>               > > > > > >
>>               > > > > > >         Kind regards,
>>               > > > > > >
>>               > > > > > >         Koen
>>               > > > > > >
>>               > > > > > >
>>               > > > > > >
>>               > > > > > >         _______________________________________________
>>               > > > > > >         Users mailing list
>>               > > > > > >         Users at ovirt.org
>>               > > > > > >         http://lists.ovirt.org/mailman/listinfo/users
>>               > > > > > >
>>               > > > > > >
>>               > > > > >
>>               > > > >
>>               > > >
>>               > >
>>               >
>>
>>
>>
>>
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20150129/96cada30/attachment-0001.html>

