[ovirt-users] AAA

Alon Bar-Lev alonbl at redhat.com
Thu Jan 29 15:20:06 UTC 2015



----- Original Message -----
> From: "Koen Vanoppen" <vanoppen.koen at gmail.com>
> To: "Ondra Machacek" <omachace at redhat.com>, users at ovirt.org
> Sent: Thursday, January 29, 2015 3:46:09 PM
> Subject: Re: [ovirt-users] AAA
> 
> I saw that when I pressed the send button. If I do that i again get the
> following:
> 
> 2015-01-29 14:28:35,891 WARN
> [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread
> 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot
> initialize LDAP framework, deferring initialization. Error: An error
> occurred while attempting to query DNS in order to retrieve SRV records with
> name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException:
> DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'
> 2015-01-29 14:28:35,924 WARN
> [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread
> 1-1) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot
> initialize LDAP framework, deferring initialization. Error: An error
> occurred while attempting to query DNS in order to retrieve SRV records with
> name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException:
> DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'
> 
> And yes I replayed mydomain with the correct one... :-)

Hi Koen,

I keep asking you... please provide the following so we can help:

1. your real domain name that you are using. I guess mydomain.com is not the correct one, and ldap.mydomain.com is also not the Active Directory domain name. Please determine what the Active Directory domain name is; you can do this via the domains and site manager.

2. the command and full output of dig using:

$ dig @srvdc03.<domain> SRV _ldap._tcp.<domain>
$ dig @srvdc03.<domain> SRV _gc._tcp.<domain>

These SRV records MUST exist within Active Directory DNS, otherwise Active Directory itself will not work. Your task is to find what <domain> is in your environment and which server runs valid DNS.

3. open the DNS manager within Active Directory, expand the _tcp branch, and attach a screenshot of what you see.

Thanks,
Alon.

> 
> 2015-01-29 14:40 GMT+01:00 Ondra Machacek <omachace at redhat.com>:
> 
> On 01/29/2015 02:18 PM, Koen Vanoppen wrote:
> 
> 
> OK... Now I have this one :-)
> WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service
> thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn]
> Cannot initialize LDAP framework, deferring initialization. Error:
> Invalid DNS pseudo-URL(s):
> 
> uncomment vars.dns
> 
> 
> 
> 
> Changed the properties file to this:
> 
> include = <ad.properties>
> 
> #
> # Active directory domain name.
> #
> vars.domain = ldap.mydomain.com (this one
> resolves to and gives ping back, front end of the pool)
> 
> #
> # Search user and its password.
> #
> vars.user = juniper-admin@mydomain.com
> vars.password = *****
> 
> #
> # Optional DNS servers, if enterprise
> # DNS server cannot resolve the domain srvrecord.
> #
> #vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these
> resolve and give a ping back)
> 
> pool.default.serverset.type = srvrecord
> #pool.default.serverset.single.server = ${global:vars.server}
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> 
> # Uncomment if using custom DNS
> pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> 
> 
> Thanks for your effort!
> 
> 
> 2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alonbl at redhat.com>:
> 
> 
> 
> ----- Original Message -----
> > From: "Koen Vanoppen" <vanoppen.koen at gmail.com>
> > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > Cc: users at ovirt.org
> > Sent: Thursday, January 29, 2015 2:41:52 PM
> > Subject: Re: [ovirt-users] AAA
> > 
> > Yes we have:
> > 
> > [root at ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> > 
> > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > 
> > ;; QUESTION SECTION:
> > ;_gc._tcp.mydomain.com. IN SRV
> 
> this ^^^^^^^ means that you do not have an SRV record. Are you sure you
> replaced mydomain.com with your actual Active Directory domain name?
> Have you tried to look into your DNS manager for this information as
> well?
> 
> > 
> > ;; AUTHORITY SECTION:
> > mydomain.com. 3600 IN SOA srvdc03.mydomain.com. hostmaster.airport. 1398582 900 600 86400 3600
> > 
> > ;; Query time: 12 msec
> > ;; SERVER: 10.110.3.123#53(10.110.3.123)
> > ;; WHEN: Thu Jan 29 13:40:41 2015
> > ;; MSG SIZE rcvd: 98
> > 
> > 
> > 
> > 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <alonbl at redhat.com>:
> > 
> > > 
> > > 
> > > ----- Original Message -----
> > > > From: "Koen Vanoppen" <vanoppen.koen at gmail.com>
> > > > To: "Alon Bar-Lev" <alonbl at redhat.com>, users at ovirt.org
> > > > Sent: Thursday, January 29, 2015 2:19:32 PM
> > > > Subject: Re: [ovirt-users] AAA
> > > > 
> > > > Big thanks for your help, but still the same:
> > > > 
> > > > #
> > > > # Active directory domain name.
> > > > #
> > > > vars.domain = mydomain.com
> > > > 
> > > > #
> > > > # Search user and its password.
> > > > #
> > > > vars.user = admin@${global:vars.domain}
> > > > vars.password = *****
> > > > 
> > > > #
> > > > # Optional DNS servers, if enterprise
> > > > # DNS server cannot resolve the domain srvrecord.
> > > > #
> > > > vars.dns = dns://srvdc03.${global:vars.domain}
> > > > dns://srvdc04.${global:vars.domain}
> > > > 
> > > > pool.default.serverset.type = srvrecord
> > > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > pool.default.auth.simple.password = ${global:vars.password}
> > > > 
> > > > # Uncomment if using custom DNS
> > > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> > > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> > > > 
> > > > 
> > > > 
> > > > [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize
> > > > LDAP framework, deferring initialization. Error: No DNS SRV records were
> > > > found with record name '_gc._tcp.brussels.airport'.
> > > > 
> > > > And I can't put '_gc._tcp.mydomain.com' in the dns... Isn't there another
> > > > way it just resolves the dns servers I gave him?
> > > > 
> > > 
> > > A Microsoft domain controller must have a gc service entry within DNS to work
> > > properly.
> > > 1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com?
> > > 2. Can you please execute:
> > > $ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> > > 3. Can you please open the DNS manager within your domain and search for
> > > SRV records? Maybe you have DNS installed only on a few servers; using the
> > > DNS manager you can also see which.
> > > 
> > > > 
> > > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alonbl at redhat.com>:
> > > > 
> > > > > 
> > > > > 
> > > > > ----- Original Message -----
> > > > > > From: "Ondra Machacek" <omachace at redhat.com>
> > > > > > To: "Koen Vanoppen" <vanoppen.koen at gmail.com>, users at ovirt.org
> > > > > > Sent: Thursday, January 29, 2015 1:49:00 PM
> > > > > > Subject: Re: [ovirt-users] AAA
> > > > > > 
> > > > > > 
> > > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
> > > > > > > No, I don't. and I wouldn't know how he got to this name...
> > > > > > 
> > > > > > Well, then you have to, if you want to use 'pool.default.serverset.type
> > > > > > = srvrecord'.
> > > > > > 
> > > > > > It just needs to know where your global catalog is running, since it's
> > > > > > needed for the new provider.
> > > > > > 
> > > > > > It searches for the global catalog like this:
> > > > > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}
> > > > > > 
> > > > > > So you need to have this SRV record in DNS if you want to use the
> > > > > > srvrecord serverset type. Or you don't have to if you use the single
> > > > > > server type.
> > > > > 
> > > > > Active Directory will not work without access to the global catalog.
> > > > > Please set one or more of the domain controllers as DNS servers, for
> > > > > example:
> > > > > 
> > > > > vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
> > > > > 
> > > > > Please also uncomment/add these lines to make vars.dns effective.
> > > > > 
> > > > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> > > > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> > > > > 
> > > > > Thanks!
> > > > > 
> > > > > > 
> > > > > > > 
> > > > > > > Thanks for the reply!
> > > > > > > 
> > > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek <omachace at redhat.com>:
> 
> > > > > > > 
> > > > > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
> > > > > > > 
> > > > > > > Can somebody help me setting up AAA for ovirt 3.5.1?
> > > > > > > 
> > > > > > > I'm getting this now:
> > > > > > > 
> > > > > > > 2015-01-29 11:35:36,889 WARN
> > > > > > > [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread
> > > > > > > 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot
> > > > > > > initialize LDAP framework, deferring initialization. Error: An error
> > > > > > > occurred while attempting to query DNS in order to retrieve SRV records
> > > > > > > with name '_gc._tcp.brussels.airport':
> > > > > > > javax.naming.NameNotFoundException: DNS name not found [response code
> > > > > > > 3]; remaining name '_gc._tcp.brussels.airport'
> > > > > > > 
> > > > > > > 
> > > > > > > Do you have this '_gc._tcp.brussels.airport' SRV record in DNS?
> > > > > > > 
> > > > > > > 
> > > > > > > my 3 configs:
> > > > > > > _*BRU_AIR-authn.properties*_
> > > > > > > ovirt.engine.extension.name = BRU_AIR-authn
> > > > > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > > > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > > > > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> > > > > > > ovirt.engine.aaa.authn.profile.name = BRU-AIR
> > > > > > > ovirt.engine.aaa.authn.authz.plugin = BRU_AIR-authz
> > > > > > > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
> > > > > > > 
> > > > > > > _*BRU_AIR-authz.properties*_
> > > > > > > ovirt.engine.extension.name = BRU_AIR-authz
> > > > > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > > > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > > > > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > > > > > > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
> > > > > > > 
> > > > > > > _*BRU_AIR.properties*_
> > > > > > > include = <ad.properties>
> > > > > > > 
> > > > > > > #
> > > > > > > # Active directory domain name.
> > > > > > > #
> > > > > > > vars.domain = mydomain.com
> > > > > > > 
> > > > > > > #
> > > > > > > # Search user and its password.
> > > > > > > #
> > > > > > > vars.user = admin@${global:vars.domain}
> > > > > > > vars.password = ***********
> > > > > > > 
> > > > > > > #
> > > > > > > # Optional DNS servers, if enterprise
> > > > > > > # DNS server cannot resolve the domain srvrecord.
> > > > > > > #
> > > > > > > vars.dns = dns://dc01.mydomain.com
> > > > > > > 
> > > > > > > pool.default.serverset.type = srvrecord
> > > > > > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > > > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > > > > pool.default.auth.simple.password = ${global:vars.password}
> > > > > > > 
> > > > > > > In the GUI for adding user I get this:
> > > > > > > 
> > > > > > > An error occurred while attempting to query DNS in order to retrieve SRV
> > > > > > > records with name '_gc__tcp_brussels_airport':
> > > > > > > javax_naming___NameNotFoundException: DNS name not found [response code
> > > > > > > 3]; remaining name '_gc__tcp_brussels_airport'
> > > > > > > 
> > > > > > > Any ideas? I ran out...
> > > > > > > 
> > > > > > > Kind regards,
> > > > > > > 
> > > > > > > Koen
> > > > > > > 
> > > > > > > 
> > > > > > > _______________________________________________
> > > > > > > Users mailing list
> > > > > > > Users at ovirt.org
> > > > > > > http://lists.ovirt.org/mailman/listinfo/users
> > > > > > > 
> > > > > > > 
> 
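The whole thread turns on one check: whether the Active Directory DNS actually publishes the _ldap._tcp.<domain> and _gc._tcp.<domain> SRV records that the ovirt-engine-extension-aaa-ldap "srvrecord" serverset resolves. The script below is an added example written for this page, not code from the thread or from the oVirt project. It reproduces that check offline by parsing the output of the dig commands Alon asks for, classifying NXDOMAIN versus a real answer, and ordering the answered targets the way an SRV client would. The two dig outputs embedded in it are constructed; example.com, srvdc03 and the dc01/dc02/dc03 host names are placeholders, and the expected ports (389 for LDAP, 3268 for the global catalog) are the standard Active Directory ones.

```python
# Added example (not from the thread or the oVirt project): offline check of the
# AD SRV records the aaa-ldap 'srvrecord' serverset resolves, by parsing dig output.
# Assumptions: the sample dig outputs are constructed; example.com and the dc*/srvdc03
# names are placeholders; expected ports are the standard AD ones (389 LDAP, 3268 GC).
import re
from dataclasses import dataclass

SRV_SERVICES = ("_ldap._tcp", "_gc._tcp")           # records the extension looks up
EXPECTED_PORT = {"_ldap._tcp": 389, "_gc._tcp": 3268}


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def dig_commands(domain, dns_server):
    """The two queries to run against a domain controller's DNS, as in the thread."""
    return [f"dig @{dns_server} SRV {svc}.{domain}" for svc in SRV_SERVICES]


_STATUS_RE = re.compile(r";; ->>HEADER<<- opcode: \w+, status: (\w+)")
_SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_dig_srv(text):
    """Return (status, [SrvRecord, ...]) from dig output.

    Only the ANSWER section is parsed: an SOA in the AUTHORITY section, as in the
    NXDOMAIN reply quoted in the thread, is not a usable server."""
    m = _STATUS_RE.search(text)
    status = m.group(1) if m else "UNKNOWN"
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip():            # blank line closes the section
            break
        m = _SRV_RE.match(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return status, records


def order_targets(records):
    """Lowest priority first, then higher weight first.

    RFC 2782 picks among equal priorities by weighted random choice; a fixed
    descending-weight order is used here so the result is deterministic."""
    return [r.target for r in sorted(records, key=lambda r: (r.priority, -r.weight))]


def check_srv(service, dig_output):
    """Classify one dig result the way the extension's 'deferring initialization' warnings do."""
    status, records = parse_dig_srv(dig_output)
    if status == "NXDOMAIN":
        return f"{service}: NXDOMAIN - no SRV record; wrong domain name or not the AD DNS"
    if status != "NOERROR":
        return f"{service}: unexpected status {status}"
    if not records:
        return f"{service}: NOERROR but no SRV answers"
    odd = [f"{r.target}:{r.port}" for r in records if r.port != EXPECTED_PORT[service]]
    note = f" (non-standard port: {', '.join(odd)})" if odd else ""
    return f"{service}: OK -> {', '.join(order_targets(records))}{note}"


# Constructed sample 1: the NXDOMAIN shape quoted in the thread, with placeholders.
NXDOMAIN_SAMPLE = """\
; <<>> DiG 9.8.2 <<>> @srvdc03.example.com SRV _gc._tcp.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_gc._tcp.example.com.\t\tIN\tSRV

;; AUTHORITY SECTION:
example.com.\t3600\tIN\tSOA\tsrvdc03.example.com. hostmaster.example.com. 1 900 600 86400 3600
"""

# Constructed sample 2: what a working AD DNS answers for the global catalog.
GC_OK_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_gc._tcp.example.com.\t\tIN\tSRV

;; ANSWER SECTION:
_gc._tcp.example.com.\t600\tIN\tSRV\t0 100 3268 dc01.example.com.
_gc._tcp.example.com.\t600\tIN\tSRV\t10 100 3268 dc03.example.com.
_gc._tcp.example.com.\t600\tIN\tSRV\t0 50 3268 dc02.example.com.
"""

if __name__ == "__main__":
    for cmd in dig_commands("example.com", "srvdc03.example.com"):
        print(cmd)
    print(check_srv("_gc._tcp", NXDOMAIN_SAMPLE))
    print(check_srv("_gc._tcp", GC_OK_SAMPLE))
```

On a real engine host, feed check_srv() the captured output of each command from dig_commands(), run against the domain controllers named in vars.dns rather than the enterprise resolver: an NXDOMAIN from the DC itself means the name in vars.domain is not the AD domain (or that server is not running AD DNS), which is exactly the distinction the thread is chasing.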


