[ovirt-users] AAA
Koen Vanoppen
vanoppen.koen at gmail.com
Thu Jan 29 13:54:56 UTC 2015
I just don't understand. Why did engine-manage-domains previously DID work,
no problems what so ever and now I have this...
2015-01-29 14:48 GMT+01:00 Ondra Machacek <omachace at redhat.com>:
> It's same situation as before, but now you are missing ldap SRV record.
>
> With same steps you used to add _gc SRV record add also _ldap SRV record.
> But it's strange that you don't already have them.
>
> On 01/29/2015 02:46 PM, Koen Vanoppen wrote:
>
>> I saw that when I pressed the send button. If I do that i again get the
>> following:
>>
>> 2015-01-29 14:28:35,891 WARN
>> [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread
>> 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot
>> initialize LDAP framework, deferring initialization. Error: An error
>> occurred while attempting to query DNS in order to retrieve SRV records
>> with name '_ldap._tcp.ldap.mydomain.com
>> <http://tcp.ldap.mydomain.com>': javax.naming.NameNotFoundException:
>> DNS name not found [response code 3]; remaining name
>> '_ldap._tcp.ldap.mydomain.com <http://tcp.ldap.mydomain.com>'
>> 2015-01-29 14:28:35,924 WARN
>> [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread
>> 1-1) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot
>> initialize LDAP framework, deferring initialization. Error: An error
>> occurred while attempting to query DNS in order to retrieve SRV records
>> with name '_ldap._tcp.ldap.mydomain.com
>> <http://tcp.ldap.mydomain.com>': javax.naming.NameNotFoundException:
>> DNS name not found [response code 3]; remaining name
>> '_ldap._tcp.ldap.mydomain.com <http://tcp.ldap.mydomain.com>'
>>
>> And yes I replayed mydomain with the correct one... :-)
>>
>> 2015-01-29 14:40 GMT+01:00 Ondra Machacek <omachace at redhat.com
>> <mailto:omachace at redhat.com>>:
>>
>>
>>
>> On 01/29/2015 02:18 PM, Koen Vanoppen wrote:
>>
>> OK... Now I have this one :-)
>> WARN [org.ovirt.engineextensions.__aaa.ldap.AuthnExtension]
>> (MSC service
>> thread 1-2) [ovirt-engine-extension-aaa-__
>> ldap.authn::BRU_AIR-authn]
>> Cannot initialize LDAP framework, deferring initialization. Error:
>> Invalid DNS pseudo-URL(s):
>>
>>
>> uncomment vars.dns
>>
>>
>> Changed the properties file to this:
>>
>> include = <ad.properties>
>>
>> #
>> # Active directory domain name.
>> #
>> vars.domain = ldap.mydomain.com <http://ldap.mydomain.com>
>> <http://ldap.mydomain.com> (this one
>> resolves to and gives ping back, front end of the pool)
>>
>> #
>> # Search user and its password.
>> #
>> vars.user = juniper-admin at mydomain.com
>> <mailto:juniper-admin at mydomain.com>
>> <mailto:juniper-admin at __mydomain.com
>> <mailto:juniper-admin at mydomain.com>>
>> vars.password = *****
>>
>> #
>> # Optional DNS servers, if enterprise
>> # DNS server cannot resolve the domain srvrecord.
>> #
>> #vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these
>> resolve and give a ping back)
>>
>> pool.default.serverset.type = srvrecord
>> #pool.default.serverset.__single.server = ${global:vars.server}
>> pool.default.serverset.__srvrecord.domain = ${global:vars.domain}
>> pool.default.auth.simple.__bindDN = ${global:vars.user}
>> pool.default.auth.simple.__password = ${global:vars.password}
>>
>> # Uncomment if using custom DNS
>> pool.default.serverset.__srvrecord.jndi-properties.__
>> java.naming.provider.url
>> =
>> ${global:vars.dns}
>> pool.default.socketfactory.__resolver.uRL = ${global:vars.dns}
>>
>>
>> Thanks for your effort!
>>
>>
>> 2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alonbl at redhat.com
>> <mailto:alonbl at redhat.com>
>> <mailto:alonbl at redhat.com <mailto:alonbl at redhat.com>>>:
>>
>>
>>
>> ----- Original Message -----
>> > From: "Koen Vanoppen" <vanoppen.koen at gmail.com
>> <mailto:vanoppen.koen at gmail.com>
>> <mailto:vanoppen.koen at gmail.__com <mailto:vanoppen.koen at gmail.com
>> >>>
>> > To: "Alon Bar-Lev" <alonbl at redhat.com
>> <mailto:alonbl at redhat.com> <mailto:alonbl at redhat.com
>> <mailto:alonbl at redhat.com>>>
>> > Cc:users at ovirt.org <mailto:Cc%3Ausers at ovirt.org>
>> <mailto:users at ovirt.org <mailto:users at ovirt.org>>
>> > Sent: Thursday, January 29, 2015 2:41:52 PM
>> > Subject: Re: [ovirt-users] AAA
>> >
>> > Yes We have:
>> >
>> > [root at ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com
>> <http://srvdc03.mydomain.com> <http://srvdc03.mydomain.com> SRV
>> _gc._
>> >tcp.mydomain.com <http://tcp.mydomain.com>
>> <http://tcp.mydomain.com>
>> >
>> > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.__rc1.el6_5.1 <<>>
>> @srvdc03.mydomain.com <http://srvdc03.mydomain.com>
>>
>> <http://srvdc03.mydomain.com>
>> > SRV _gc._tcp.mydomain.com <http://tcp.mydomain.com>
>> <http://tcp.mydomain.com>
>> > ; (1 server found)
>> > ;; global options: +cmd
>> > ;; Got answer:
>> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
>> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1,
>> ADDITIONAL: 0
>> >
>> > ;; QUESTION SECTION:
>> > ;_gc._tcp.mydomain.com <http://tcp.mydomain.com>
>> <http://tcp.mydomain.com>. IN SRV
>>
>> this ^^^^^^^ means that you do not have srv record. are you
>> sure you
>> replace mydomain.com <http://mydomain.com>
>> <http://mydomain.com> with your actual active
>> directory domain name?
>> have you tried to look into your dns manager for this
>> information as
>> well?
>>
>> >
>> > ;; AUTHORITY SECTION:
>> > mydomain.com <http://mydomain.com>
>> <http://mydomain.com>. 3600 IN SOA
>> srvdc03.mydomain.com <http://srvdc03.mydomain.com>
>> <http://srvdc03.mydomain.com>.
>> > hostmaster.airport. 1398582 900 600 86400 3600
>> >
>> > ;; Query time: 12 msec
>> > ;; SERVER: 10.110.3.123#53(10.110.3.123)
>> > ;; WHEN: Thu Jan 29 13:40:41 2015
>> > ;; MSG SIZE rcvd: 98
>> >
>> >
>> >
>> > 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev
>> <alonbl at redhat.com <mailto:alonbl at redhat.com>
>> <mailto:alonbl at redhat.com <mailto:alonbl at redhat.com>>>:
>> >
>> > >
>> > >
>> > > ----- Original Message -----
>> > > > From: "Koen Vanoppen" <vanoppen.koen at gmail.com
>> <mailto:vanoppen.koen at gmail.com>
>> <mailto:vanoppen.koen at gmail.__com
>> <mailto:vanoppen.koen at gmail.com>>>
>> > > > To: "Alon Bar-Lev" <alonbl at redhat.com
>> <mailto:alonbl at redhat.com>
>> <mailto:alonbl at redhat.com <mailto:alonbl at redhat.com>>>,
>> users at ovirt.org <mailto:users at ovirt.org> <mailto:users at ovirt.org
>> <mailto:users at ovirt.org>>
>> > > > Sent: Thursday, January 29, 2015 2:19:32 PM
>> > > > Subject: Re: [ovirt-users] AAA
>> > > >
>> > > > Big thanks for your help, but still the same:
>> > > >
>> > > > #
>> > > > # Active directory domain name.
>> > > > #
>> > > > vars.domain = mydomain.com <http://mydomain.com>
>> <http://mydomain.com>
>> > > >
>> > > > #
>> > > > # Search user and its password.
>> > > > #
>> > > > vars.user = admin@${global:vars.domain}
>> > > > vars.password = *****
>> > > >
>> > > > #
>> > > > # Optional DNS servers, if enterprise
>> > > > # DNS server cannot resolve the domain srvrecord.
>> > > > #
>> > > > vars.dns = dns://srvdc03.${global:vars.__domain}
>> > > > dns://srvdc04.${global:vars.__domain}
>> > > >
>> > > > pool.default.serverset.type = srvrecord
>> > > > pool.default.serverset.__srvrecord.domain =
>> ${global:vars.domain}
>> > > > pool.default.auth.simple.__bindDN =
>> ${global:vars.user}
>> > > > pool.default.auth.simple.__password =
>> ${global:vars.password}
>> > > >
>> > > > # Uncomment if using custom DNS
>> > > >
>> > >
>>
>> pool.default.serverset.__srvrecord.jndi-properties.__
>> java.naming.provider.url
>> =
>> > > > ${global:vars.dns}
>> > > > pool.default.socketfactory.__resolver.uRL =
>> ${global:vars.dns}
>> > > >
>> > > >
>> > > >
>> > > >
>> [ovirt-engine-extension-aaa-__ldap.authz::BRU_AIR-authz]
>> Cannot initialize
>> > > > LDAP framework, deferring initialization. Error: No
>> DNS SRV
>> records were
>> > > > found with record name '_gc._tcp.brussels.airport'.
>> > > >
>> > > > And I can't put '_gc._tcp.mydomain.com
>> <http://tcp.mydomain.com>
>> <http://tcp.mydomain.com> in the dns... Isn't there another
>> > > > way it just resolves the dns servers I gave him?
>> > > >
>> > >
>> > > Microsoft Domain controller must have gc service entry
>> within
>> DNS to work
>> > > properly.
>> > > 1. Are you sure you have Microsoft DNS installed on
>> srvdc03.mydomain.com <http://srvdc03.mydomain.com>
>> <http://srvdc03.mydomain.com> ?
>> > > 2. Can you please execute:
>> > > $ dig @srvdc03.mydomain.com
>> <http://srvdc03.mydomain.com> <http://srvdc03.mydomain.com> SRV
>> _gc._tcp.mydomain.com <http://tcp.mydomain.com>
>> <http://tcp.mydomain.com>
>> > > 3. Can you please open the DNS manager within your
>> domain and
>> search for
>> > > srv records? Maybe you have DNS installed only on few
>> servers,
>> using the
>> > > DNS manager you can also see which.
>> > >
>> > > >
>> > > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev
>> <alonbl at redhat.com <mailto:alonbl at redhat.com>
>> <mailto:alonbl at redhat.com <mailto:alonbl at redhat.com>>>:
>> > > >
>> > > > >
>> > > > >
>> > > > > ----- Original Message -----
>> > > > > > From: "Ondra Machacek" <omachace at redhat.com
>> <mailto:omachace at redhat.com>
>> <mailto:omachace at redhat.com <mailto:omachace at redhat.com>>>
>> > > > > > To: "Koen Vanoppen" <vanoppen.koen at gmail.com
>> <mailto:vanoppen.koen at gmail.com>
>> <mailto:vanoppen.koen at gmail.__com
>> <mailto:vanoppen.koen at gmail.com>>>, users at ovirt.org
>> <mailto:users at ovirt.org>
>> <mailto:users at ovirt.org <mailto:users at ovirt.org>>
>> > > > > > Sent: Thursday, January 29, 2015 1:49:00 PM
>> > > > > > Subject: Re: [ovirt-users] AAA
>> > > > > >
>> > > > > >
>> > > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
>> > > > > > > No, I don't. and I wouldn't know how he got to
>> this name...
>> > > > > >
>> > > > > > Well, then you have to, if you want to use
>> > > 'pool.default.serverset.type
>> > > > > > = srvrecord'.
>> > > > > >
>> > > > > > It just need to know where your global catalog is
>> running, since it's
>> > > > > > needed for new provider.
>> > > > > >
>> > > > > > It searches for global catalog like this:
>> > > > > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}
>> > > > > >
>> > > > > > So you need to have this SRV record in DNS, if
>> you want
>> to use
>> > > srvrecord
>> > > > > > serverset type. Or you don't have to if you use
>> single
>> server type.
>> > > > >
>> > > > > active directory will not work without access to
>> global
>> catalog.
>> > > > > please set one or more of the domain controllers
>> as dns
>> server, for
>> > > > > example:
>> > > > >
>> > > > > vars.dns = dns://dc1.${global:vars.__domain}
>> > > dns://dc2.${global:vars.__domain}
>> > > > >
>> > > > > please also uncomment/add these lines to make
>> vars.dns
>> effective.
>> > > > >
>> > > > >
>> > >
>>
>> pool.default.serverset.__srvrecord.jndi-properties.__
>> java.naming.provider.url
>> > > > > = ${global:vars.dns}
>> > > > > pool.default.socketfactory.__resolver.uRL =
>> ${global:vars.dns}
>> > > > >
>> > > > > Thanks!
>> > > > >
>> > > > > >
>> > > > > > >
>> > > > > > > Thanks for the reply!
>> > > > > > >
>> > > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek
>> <omachace at redhat.com <mailto:omachace at redhat.com>
>> <mailto:omachace at redhat.com <mailto:omachace at redhat.com>>
>> > > > > > > <mailto:omachace at redhat.com
>> <mailto:omachace at redhat.com> <mailto:omachace at redhat.com
>> <mailto:omachace at redhat.com>>>>__:
>>
>> > > > > > >
>> > > > > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
>> > > > > > >
>> > > > > > > Can somebody help me setting up AAA
>> for ovirt
>> 3.5.1?
>> > > > > > >
>> > > > > > > I'm getting this now:
>> > > > > > >
>> > > > > > > 2015-01-29 11:35:36,889 WARN
>> > > > > > >
>> [org.ovirt.engineextensions.____aaa.ldap.AuthzExtension]
>> (MSC
>> > > > > > > service thread
>> > > > > > > 1-1)
>> > > [ovirt-engine-extension-aaa-__
>> __ldap.authz::BRU_AIR-authz]
>> > > > > > > Cannot
>> > > > > > > initialize LDAP framework, deferring
>> initialization.
>> > > Error: An
>> > > > > > > error
>> > > > > > > occurred while attempting to query DNS
>> in order to
>> > > retrieve SRV
>> > > > > > > records
>> > > > > > > with name '_gc._tcp.brussels.airport':
>> > > > > > >
>> javax.naming.____NameNotFoundException: DNS name
>> not found
>> > > > > > > [response code
>> > > > > > > 3]; remaining name
>> '_gc._tcp.brussels.airport'
>> > > > > > >
>> > > > > > >
>> > > > > > > Do you have this
>> '_gc._tcp.brussels.airport' SRV
>> record in DNS
>> > > ?
>> > > > > > >
>> > > > > > >
>> > > > > > > my 3 configs:
>> > > > > > > _*BRU_AIR-authn.properties*_
>> > > > > > > ovirt.engine.extension.name
>> <http://ovirt.engine.extension.name>
>> <http://ovirt.engine.__extension.name
>> <http://ovirt.engine.extension.name>> <
>> > > > > http://ovirt.engine.extension.__name
>> <http://ovirt.engine.extension.name>>
>> > > > > > >
>> <http://ovirt.engine.__extensi__on.name <http://extension.name>
>> <http://extension.name>
>> > > > > > > <http://ovirt.engine.__extension.name
>> <http://ovirt.engine.extension.name>>> =
>> > > > > > > BRU_AIR-authn
>> > > > > > >
>> ovirt.engine.extension.____bindings.method =
>> jbossmodule
>> > > > > > >
>> ovirt.engine.extension.____binding.jbossmodule.module =
>> > > > > > > org.ovirt.engine-extensions.__
>> __aaa.ldap
>> > > > > > >
>> ovirt.engine.extension.____binding.jbossmodule.class =
>> > > > > > >
>> org.ovirt.engineextensions.____aaa.ldap.AuthnExtension
>> > > > > > > ovirt.engine.extension.____provides =
>> > > > > > >
>> org.ovirt.engine.api.____extensions.aaa.Authn
>> > > > > > >
>> ovirt.engine.aaa.authn.__profi__le.name <http://profile.name>
>> <http://profile.name>
>> > > > > > >
>> <http://ovirt.engine.aaa.__authn.profile.name
>> <http://ovirt.engine.aaa.authn.profile.name>>
>> > > > > > >
>> <http://ovirt.engine.aaa.__aut__hn.profile.name
>> <http://authn.profile.name>
>> <http://authn.profile.name>
>> > > > > > >
>> <http://ovirt.engine.aaa.__authn.profile.name
>> <http://ovirt.engine.aaa.authn.profile.name>>> =
>> BRU-AIR
>> > > > > > > ovirt.engine.aaa.authn.authz.____plugin
>> =
>> BRU_AIR-authz
>> > > > > > > config.profile.file.1 =
>> > > > > /etc/ovirt-engine/aaa/BRU_AIR.____properties
>> > > > > > >
>> > > > > > > _*BRU_AIR-authz.properties*_
>> > > > > > > ovirt.engine.extension.name
>> <http://ovirt.engine.extension.name>
>> <http://ovirt.engine.__extension.name
>> <http://ovirt.engine.extension.name>> <
>> > > > > http://ovirt.engine.extension.__name
>> <http://ovirt.engine.extension.name>>
>> > > > > > >
>> <http://ovirt.engine.__extensi__on.name <http://extension.name>
>> <http://extension.name>
>>
>> > > > > > > <http://ovirt.engine.__extension.name
>> <http://ovirt.engine.extension.name>>> =
>> > > > > > > BRU_AIR-authz
>> > > > > > >
>> ovirt.engine.extension.____bindings.method =
>> jbossmodule
>> > > > > > >
>> ovirt.engine.extension.____binding.jbossmodule.module =
>> > > > > > > org.ovirt.engine-extensions.__
>> __aaa.ldap
>> > > > > > >
>> ovirt.engine.extension.____binding.jbossmodule.class =
>> > > > > > >
>> org.ovirt.engineextensions.____aaa.ldap.AuthzExtension
>> > > > > > > ovirt.engine.extension.____provides =
>> > > > > > >
>> org.ovirt.engine.api.____extensions.aaa.Authz
>> > > > > > > config.profile.file.1 =
>> > > > > /etc/ovirt-engine/aaa/BRU_AIR.____properties
>>
>> > > > > > >
>> > > > > > > _*BRU_AIR.properties*_
>> > > > > > > include = <ad.properties>
>> > > > > > >
>> > > > > > > #
>> > > > > > > # Active directory domain name.
>> > > > > > > #
>> > > > > > > vars.domain = mydomain.com
>> <http://mydomain.com>
>> <http://mydomain.com> <http://mydomain.com>
>> > > > > > > <http://mydomain.com>
>> > > > > > >
>> > > > > > > #
>> > > > > > > # Search user and its password.
>> > > > > > > #
>> > > > > > > vars.user = admin@${global:vars.domain}
>> > > > > > > vars.password = ***********
>> > > > > > >
>> > > > > > > #
>> > > > > > > # Optional DNS servers, if enterprise
>> > > > > > > # DNS server cannot resolve the domain
>> srvrecord.
>> > > > > > > #
>> > > > > > > vars.dns = dns://dc01.mydomain.com
>> <http://dc01.mydomain.com>
>> <http://dc01.mydomain.com> <
>> > > http://dc01.mydomain.com>
>> > > > > > > <http://dc01.mydomain.com>
>> > > > > > >
>> > > > > > > pool.default.serverset.type = srvrecord
>> > > > > > >
>> pool.default.serverset.____srvrecord.domain =
>> > > > > ${global:vars.domain}
>> > > > > > > pool.default.auth.simple.____bindDN =
>> ${global:vars.user}
>> > > > > > > pool.default.auth.simple.____password =
>> > > ${global:vars.password
>> > > > > > >
>> > > > > > > In the GUI for adding user I get this:
>> > > > > > >
>> > > > > > > An error occurred while attempting to
>> query DNS
>> in order to
>> > > > > > > retrieve SRV
>> > > > > > > records with name
>> '_gc__tcp_brussels_airport':
>> > > > > > >
>> javax_naming_____NameNotFoundException: DNS name
>> not found
>> > > > > > > [response code
>> > > > > > > 3]; remaining name
>> '_gc__tcp_brussels_airport'
>> > > > > > >
>> > > > > > > Any ideas? I ran out...
>> > > > > > >
>> > > > > > > Kind regards,
>> > > > > > >
>> > > > > > > Koen
>> > > > > > >
>> > > > > > >
>> > > > > > >
>> ___________________________________________________
>> > > > > > > Users mailing list
>> > > > > > > Users at ovirt.org <mailto:Users at ovirt.org>
>> <mailto:Users at ovirt.org <mailto:Users at ovirt.org>>
>> <mailto:Users at ovirt.org <mailto:Users at ovirt.org>
>> <mailto:Users at ovirt.org <mailto:Users at ovirt.org>>>
>> > > > > > >
>> http://lists.ovirt.org/____mailman/listinfo/users
>> <http://lists.ovirt.org/__mailman/listinfo/users>
>> > > > > > >
>> <http://lists.ovirt.org/__mailman/listinfo/users
>> <http://lists.ovirt.org/mailman/listinfo/users>>
>> > > > > > >
>> > > > > > >
>> > > > > > _________________________________________________
>> > > > > > Users mailing list
>> > > > > > Users at ovirt.org <mailto:Users at ovirt.org>
>> <mailto:Users at ovirt.org <mailto:Users at ovirt.org>>
>> > > > > > http://lists.ovirt.org/__mailman/listinfo/users
>> <http://lists.ovirt.org/mailman/listinfo/users>
>> > > > > >
>> > > > >
>> > > >
>> > >
>> >
>>
>>
>>
>>
>> _________________________________________________
>> Users mailing list
>> Users at ovirt.org <mailto:Users at ovirt.org>
>> http://lists.ovirt.org/__mailman/listinfo/users
>> <http://lists.ovirt.org/mailman/listinfo/users>
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20150129/96cada30/attachment-0001.html>
More information about the Users
mailing list