[ovirt-users] ldap servers configuration can be misleading with AD

Ondra Machacek omachace at redhat.com
Wed Apr 20 09:14:19 UTC 2016


On 04/20/2016 10:33 AM, Fabrice Bacchella wrote:
>
>> On 20 Apr 2016 at 10:16, Ondra Machacek <omachace at redhat.com> wrote:
>>
>> On 04/19/2016 07:46 PM, Fabrice Bacchella wrote:
>>>
>>>> On 19 Apr 2016 at 17:35, Ondra Machacek <omachace at redhat.com> wrote:
>>>>
>>>> On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:
>>>>> I tried to plug ovirt using my company AD.
>>>>>
>>>>> But I have a problem, the DNS srv records are not well managed and I can't use them so I changed pool.default.serverset.type from srvrecord to failover.
>>>>
>>>> With AD you should use srvrecord, unless you have somehow misconfigured AD.
>>>> Can you please elaborate more on what 'DNS srv records are not well managed' means?
>>>
>>> The command
>>> dig +short  _ldap._tcp.dsone.3ds.com any | wc -l
>>> returns 122 lines. Out of those, I can only use fewer than 10; all the others generate timeouts. I don't know if it's a firewall or a forgotten DC that generates that. There is no way I can use srvrecord.
>>> This domain is totally out of my reach, I have to take it as is.
>>
>> OK, that's not good, but if some of the domains which are working are in the same site, you can use 'domain-conversion' (works only with srvrecord):
>> pool.default.serverset.srvrecord.domain-conversion.type = regex
>> pool.default.serverset.srvrecord.domain-conversion.regex.pattern = ^(?<domain>.*)$
>> pool.default.serverset.srvrecord.domain-conversion.regex.replacement = WORKING-SITE._sites.${domain}
>
> What is that supposed to do? All my DCs are in the form xx-xxx-dcs99.${domain} and I have to pick one in this list. dig _sites.${domain} returns nothing for me
>
> What will a regex do?

Well, AD has something called sites[1].
With this regex, you can specify that only those computers will be used.

[1] https://technet.microsoft.com/en-us/library/cc782048%28v=ws.10%29.aspx

>
>
>> Is that your case? Can you please share log of extensions-tool, so we can better understand
>> your problem and provide better help.
>
> I have no knowledge about AD; I'm a 100% Linux sysadmin and just use AD as an LDAP server, so all those forest/GC things are unknown to me.
>
> I will send that in a private mail.
>

OK, will take a look.
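Worked example of what the domain-conversion properties quoted above produce, and of a quick check for which SRV targets actually answer (the "122 records, fewer than 10 usable" situation). This is an added illustration, not code from the thread or from ovirt-engine-extension-aaa-ldap; it assumes the properties use Java regex syntax (as the `(?<domain>` / `${domain}` forms suggest), WORKING-SITE is a placeholder site name, and any SRV records fed to it are constructed.

```python
import re
import socket
from typing import Callable, Iterable, List, Tuple

# Property values as quoted in the thread; WORKING-SITE is a placeholder site name.
DOMAIN_CONVERSION_PATTERN = r"^(?<domain>.*)$"
DOMAIN_CONVERSION_REPLACEMENT = "WORKING-SITE._sites.${domain}"

# (priority, weight, port, target), the fields dig prints for an SRV answer
SrvRecord = Tuple[int, int, int, str]


def convert_domain(domain: str, pattern: str, replacement: str) -> str:
    """Apply a Java-style domain-conversion regex (named group `(?<name>..)`,
    replacement token `${name}`) to a domain, mirroring the quoted properties."""
    py_pattern = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)  # Java -> Python group syntax

    def expand(match: "re.Match[str]") -> str:
        # Substitute each ${name} token with the matching named group.
        return re.sub(r"\$\{(\w+)\}", lambda tok: match.group(tok.group(1)), replacement)

    return re.sub(py_pattern, expand, domain, count=1)


def srv_name(domain: str) -> str:
    """The SRV name an srvrecord serverset resolves for LDAP over TCP."""
    return f"_ldap._tcp.{domain}"


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Cheap connectivity probe: can a TCP connection be opened before the timeout?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes TimeoutError, refused and unreachable
        return False


def reachable_servers(records: Iterable[SrvRecord],
                      probe: Callable[[str, int], bool] = tcp_reachable) -> List[SrvRecord]:
    """Keep only the SRV targets that answer, ordered by priority then highest weight,
    so silent entries (firewalled or decommissioned DCs) become visible at a glance."""
    ordered = sorted(records, key=lambda r: (r[0], -r[1]))
    return [r for r in ordered if probe(r[3], r[2])]


if __name__ == "__main__":
    site_domain = convert_domain("dsone.3ds.com", DOMAIN_CONVERSION_PATTERN,
                                 DOMAIN_CONVERSION_REPLACEMENT)
    print(srv_name(site_domain))  # _ldap._tcp.WORKING-SITE._sites.dsone.3ds.com
```

Feeding the output of `dig +short _ldap._tcp.<site-domain> SRV` (split into the four fields) to reachable_servers shows whether the site-scoped name has trimmed the list down to the controllers that actually respond.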