[ovirt-users] ldap servers configuration can be misleading with AD
Fabrice Bacchella
fabrice.bacchella at orange.fr
Tue Apr 19 17:46:20 UTC 2016
> Le 19 avr. 2016 à 17:35, Ondra Machacek <omachace at redhat.com> a écrit :
>
> On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:
>> I tried to plug ovirt using my company AD.
>>
>> But I have a problem, the DNS srv records are not well managed and I can't use them so I changed pool.default.serverset.type from srvrecord to failover.
>
> With AD you should use srvrecord, unless you have somehow miscofigured AD.
> Can you please elaborate more what does it mean 'DNS srv records are not well managed'?
The command
dig +short _ldap._tcp.dsone.3ds.com any | wc -l
return 122 lines. Out of that, I can only use less than 10, all other generates timeout. I don't know if it's firewall or forgotten DC that generate that. There is no way I can use srvrecord.
This domain is totally out of my reach, I have to take it as is.
>
> Can you please send engine log or if you are on 3.6, then use this command to test and provide log:
> $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=ad-search.log aaa search --entity-name=userX --extension-name=ad-authz
I kill it after 1h of execution, and a 1.6MB log file, when I have
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
With pool.default.serverset.type = failover and pool.default.connection-options.connectTimeoutMillis = 500, I got:
time ovirt-engine-extensions-tool bla
real 1m29.264s
user 0m6.837s
sys 0m0.291s
and a 278KB log file.
And with my setup (pool.default.serverset.type and pool.default.dc-resolve.default.serverset.type set to failover, pool.default.connection-options.connectTimeoutMillis = 500), I got
real 0m5.084s
user 0m6.343s
sys 0m0.164s
and a 199KB log file.
With pool.default.dc-resolve.enable = false, the results is the same than with failover for every one.
>
> Btw: Do you use mutli domain AD setup? Or only single domain?
I think it's a single domain, but I'm not a Microsoft expert at all.
More information about the Users
mailing list