[ovirt-users] ldap servers configuration can be misleading with AD

Fabrice Bacchella fabrice.bacchella at orange.fr
Tue Apr 19 17:46:20 UTC 2016


> Le 19 avr. 2016 à 17:35, Ondra Machacek <omachace at redhat.com> a écrit :
> 
> On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:
>> I tried to plug ovirt using my company AD.
>> 
>> But I have a problem, the DNS srv records are not well managed and I can't use them so I changed pool.default.serverset.type from srvrecord to failover.
> 
> With AD you should use srvrecord, unless you have somehow miscofigured AD.
> Can you please elaborate more what does it mean 'DNS srv records are not well managed'?

The command
dig +short  _ldap._tcp.dsone.3ds.com any | wc -l
return 122 lines. Out of that, I can only use less than 10, all other generates timeout. I don't know if it's firewall or forgotten DC that generate that. There is no way I can use srvrecord.
This domain is totally out of my reach, I have to take it as is.

> 
> Can you please send engine log or if you are on 3.6, then use this command to test and provide log:
> $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=ad-search.log aaa search --entity-name=userX --extension-name=ad-authz

I kill it after 1h of execution, and a 1.6MB log file, when I have
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}

With pool.default.serverset.type = failover and pool.default.connection-options.connectTimeoutMillis = 500, I got:
time ovirt-engine-extensions-tool  bla
real	1m29.264s
user	0m6.837s
sys	0m0.291s
and a 278KB log file.


And with my setup (pool.default.serverset.type and pool.default.dc-resolve.default.serverset.type set to failover, pool.default.connection-options.connectTimeoutMillis = 500), I got
real	0m5.084s
user	0m6.343s
sys	0m0.164s
and a 199KB log file.


With pool.default.dc-resolve.enable = false, the results is the same than with failover for every one.

> 
> Btw: Do you use mutli domain AD setup? Or only single domain?

I think it's a single domain, but I'm not a Microsoft expert at all.





More information about the Users mailing list