[ovirt-users] Can't perform search after setting up an Active Directory

Ondra Machacek omachace at redhat.com
Thu May 26 09:26:17 UTC 2016

On 05/26/2016 10:11 AM, Alexis HAUSER wrote:
>> You use 389 with SSL? I guess you wrongly specified it.
>> But, if you want to use SSL and you have it on 636, then you should
>> create new SRV dns
>> records for example: _ldaps._tcp.university.mydomain.com ... 636
> Where should I add this ? in /etc/hosts ? Somewhere in the ovirt config ? On the DNS server I'm using ?

On the DNS you are using, usually the AD DNS.

>> and then change:
>>  pool.default.serverset.srvrecord.service=ldaps
>> But I guess you wanted to use startTLS with 389, which you can enable by
>> adding:
>>  pool.default.ssl.startTLS=true
>> and remove line:
>>  pool.default.ssl.enable=true
>> Does it solve your issue?
> Actually, it's using ldaps yes. It doesn't solve my issue but I don't know where this DNS server comes from, I think it doesn't exist...

In AD, startTLS usually works by default, strange. Why did you disable it?

> I tried to configure it by adding vars.dns = dns://one_of_the_adservers.com and the same with ":636" at the end, but none of them works, it's still trying to reach this weird address with underlines : _ldaps._tcp.university.mydomain.com
> "2016-05-26 09:54:52,872 WARN  [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (ajp-/ [] [ovirt-engine-extension-aaa-ldap.authn::AD-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldaps._tcp.university.mydomain.com':  javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldaps._tcp.campus.enst-bretagne.fr'"

This error means that you don't have an SRV record for 
'_ldaps._tcp.university.mydomain.com'. You need to create it first, before 
changing the aaa-ldap configuration.

You can check if it's resolvable by running the following command:

  $ dig @one_of_the_adservers.com _ldaps._tcp.university.mydomain.com SRV

>>> I meant I had to disable the LDAP (openLDAP) profile, renaming the file with .save so ovirt doesn't detect them. If both profiles are activated, ovirt-web interface propose me the DN of the LDAP into AD (in namespace field)... Is that a bug or normal behavior ?
>> Hmm, that's strange, because only files with *.properties suffix should
>> be detected and used. So yes, please open a BZ that other suffixes are
>> also loaded.
> Actually that's what I said: only .properties files are detected. The problem is about the namespaces: when the LDAP.properties file and the AD.properties file are activated, the namespace suggested in the web interface in the user tab, when choosing AD, is the DN of the LDAP... Which seems to be a bug... Namespaces of everything are mixed... And if I select internal and then select again AD, a new namespace appears: * (from internal).
> This is a weird behavior, right?

Yes, that's weird, but I guess it's misconfigured. Don't the names of your 
extensions conflict?
I think that you use the same value (name) of 'ovirt.engine.extension.name' for 
both AD and OpenLDAP. It should differ. Can you post those configurations?
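As an added check that is not part of this thread nor oVirt's own tooling, the following Python script parses an aaa-ldap profile and the ANSWER SECTION lines of the `dig ... SRV` command above, then reports a missing SRV record, a port that does not fit the configured service (636 for ldaps, 389 for ldap), or the startTLS/ssl.enable conflict mentioned earlier; the profile text, the dig output and the "ldap" fallback service name are constructed assumptions.

```python
import re
# Matches one line of the ANSWER SECTION of `dig <name> SRV` (run without +short).
SRV_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$")
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

# Constructed sample profile (only the keys discussed in the thread).
PROFILE = """
pool.default.serverset.srvrecord.service = ldaps
pool.default.ssl.enable = true
"""
# Constructed sample dig answer: dc2 wrongly advertises the plain-LDAP port under _ldaps.
DIG_ANSWER = """
_ldaps._tcp.university.mydomain.com. 600 IN SRV 0 100 636 dc1.university.mydomain.com.
_ldaps._tcp.university.mydomain.com. 600 IN SRV 0 100 389 dc2.university.mydomain.com.
"""

def parse_profile(text):
    """Parse 'key = value' lines of an aaa-ldap .properties file into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def parse_dig_answer(text):
    """Return (srv_name, port, target) tuples with trailing dots removed."""
    recs = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            recs.append((m["name"].rstrip("."), int(m["port"]), m["target"].rstrip(".")))
    return recs

def check(profile_text, domain, dig_output):
    """Return a list of findings; an empty list means profile and DNS agree."""
    props = parse_profile(profile_text)
    service = props.get("pool.default.serverset.srvrecord.service", "ldap")  # "ldap" fallback is assumed
    name = f"_{service}._tcp.{domain}"  # the SRV name the engine will query
    findings = []
    if props.get("pool.default.ssl.startTLS") == "true" and props.get("pool.default.ssl.enable") == "true":
        findings.append("startTLS and ssl.enable are both set; remove pool.default.ssl.enable")
    recs = [r for r in parse_dig_answer(dig_output) if r[0] == name]
    if not recs:
        findings.append(f"no SRV record for {name}; create it on the AD DNS first")
    for _, port, target in recs:
        if port != DEFAULT_PORT.get(service):
            findings.append(f"{target}:{port} does not match service '{service}' (expected {DEFAULT_PORT.get(service)})")
    return findings
```

Feed it the real profile and the output of `dig @<ad-server> _ldaps._tcp.<domain> SRV` (without `+short`, so the owner name stays on each line) to see which of the three conditions applies.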
