[ovirt-users] ldap servers configuration can be misleading with AD

Ondra Machacek omachace at redhat.com
Tue Apr 19 15:35:44 UTC 2016


On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:
> I tried to plug ovirt using my company AD.
>
> But I have a problem, the DNS srv records are not well managed and I can't use them so I changed pool.default.serverset.type from srvrecord to failover.

With AD you should use srvrecord, unless you have somehow misconfigured AD.
Can you please elaborate on what 'DNS srv records are not well managed' 
means?

Can you please send engine log or if you are on 3.6, then use this 
command to test and provide log:
$ ovirt-engine-extensions-tool --log-level=FINEST \
    --log-file=ad-search.log aaa search --entity-name=userX \
    --extension-name=ad-authz

Btw: Do you use a multi domain AD setup? Or only a single domain?

>
> But it was not enough, it was still using those invalid records. It was used by pool.default.dc-resolve.default.serverset.type too. I found that after digging in the source. I wonder why it should be specified twice. Why are pool.default.dc-resolve.default.serverset and pool.default.serverset different?

You can disable 'dc-resolve' by 'pool.default.dc-resolve.enable = false',
but first you should find the issue.

>
> I also need to specify search.ad-resolve-upn.search-request.baseDN because it didn't find it any more. I wonder if it's related.
>
> My aaa property file:
>
> include = <ad.properties>
>
> vars.domain = MYDOME
> vars.user = A_DN
> vars.password = the_password
> vars.forest = my_forest
>
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> pool.default.serverset.type = failover
> pool.default.serverset.failover.1.server = server1
> pool.default.serverset.failover.2.server = server2
> pool.default.ssl.startTLS = true
> pool.default.ssl.truststore.file = trust.jks
> pool.default.ssl.truststore.password =
> pool.default.ssl.startTLSProtocol = TLSv1.2
>
> pool.default.connection-options.connectTimeoutMillis = 500
> pool.default.dc-resolve.enable = true
> pool.default.dc-resolve.default.serverset.type = failover
> pool.default.dc-resolve.serverset.failover.1.server = server1
> pool.default.dc-resolve.serverset.failover.2.server = server2
>
> search.ad-resolve-upn.search-request.baseDN = BASE_DN
>
>
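A small consistency check for this kind of aaa-ldap properties file, added here as an example; it is not code from this thread or from the oVirt project. It assumes Java-style `key = value` lines, that `${global:vars.x}` resolves to the `vars.x` key of the same file, and that a `failover` serverset under prefix P lists its servers as `P.failover.N.server`. Whether the engine expects the dc-resolve servers under `pool.default.dc-resolve.default.serverset` or `pool.default.dc-resolve.serverset` is not settled by the thread, so the linter only reports the mismatch between the two prefixes in the quoted config for a human to verify, and separately reminds that an enabled dc-resolve has its own serverset when the pool is not using srvrecord.

```python
"""Lint an oVirt aaa-ldap properties file for inconsistent serverset settings.

Added example; not code from this thread or from the oVirt project.
Assumptions (not established by the thread):
  * lines are Java-style `key = value`; `include` lines are ignored;
  * `${global:vars.x}` resolves to the `vars.x` key of the same file;
  * a serverset of type `failover` under prefix P is expected to list its
    servers as `P.failover.N.server`.
"""
import re

# Constructed sample modelled on the config quoted in the thread.
SAMPLE = """\
include = <ad.properties>

vars.user = A_DN
vars.password = the_password

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = failover
pool.default.serverset.failover.1.server = server1
pool.default.serverset.failover.2.server = server2
pool.default.ssl.startTLS = true
pool.default.dc-resolve.enable = true
pool.default.dc-resolve.default.serverset.type = failover
pool.default.dc-resolve.serverset.failover.1.server = server1
pool.default.dc-resolve.serverset.failover.2.server = server2
"""

GLOBAL_REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text):
    """Parse key = value lines and resolve ${global:key} references."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("include"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a property line; skip it
        props[key.strip()] = value.strip()
    for key, value in list(props.items()):
        # unresolved references are left as written so lint() can report them
        props[key] = GLOBAL_REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return props


def serversets(props):
    """Map each '<prefix>.serverset' to its configured type."""
    suffix = ".type"
    return {k[:-len(suffix)]: v for k, v in props.items()
            if k.endswith(".serverset" + suffix)}


def lint(props):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for prefix, stype in serversets(props).items():
        if stype == "failover":
            servers = [k for k in props
                       if k.startswith(prefix + ".failover.") and k.endswith(".server")]
            if not servers:
                findings.append(
                    f"{prefix}.type = failover but no {prefix}.failover.N.server keys "
                    f"(servers may be under a different prefix)")
        elif stype != "srvrecord":
            findings.append(f"{prefix}.type = {stype!r} is neither srvrecord nor failover")
    # dc-resolve has its own serverset: when it is enabled and the pool is not
    # using srvrecord, the dc-resolve serverset must be configured separately.
    for key, value in props.items():
        m = re.fullmatch(r"pool\.([^.]+)\.dc-resolve\.enable", key)
        if m and value.lower() == "true":
            pool = m.group(1)
            if props.get(f"pool.{pool}.serverset.type") != "srvrecord":
                findings.append(
                    f"pool.{pool}.dc-resolve is enabled with a non-srvrecord pool serverset; "
                    f"pool.{pool}.dc-resolve.default.serverset.* is resolved independently")
    for key, value in props.items():
        if GLOBAL_REF.search(value):
            findings.append(f"{key} references an undefined global: {value}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_properties(SAMPLE)):
        print("-", finding)
```

Run against the constructed sample it reports two things: the dc-resolve serverset declares `failover` but has no server keys under its own prefix, and dc-resolve is enabled while the pool serverset is not `srvrecord`. Moving the two dc-resolve server lines under the `dc-resolve.default.serverset` prefix clears the first finding; the second is informational and matches the advice in the reply to look for the root cause before disabling dc-resolve.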