[ovirt-users] Can't perform search after setting up an Active Directory

Alexis HAUSER alexis.hauser at telecom-bretagne.eu
Thu May 26 13:35:15 UTC 2016


>So it means that aaa-ldap then tries to do following:
>LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -H 
>ldaps://mydomain.com:389 -x -D 'CN=Something,DC=myserver,DC=come' -w 
>'mypaswd' -b 'CN=users,DC=something,DC=com'
>Which won't work, because you do ldaps on 389 port. (I guess it doesn't 
>work, unless you changed default AD configuration)
>What you need to do is to specify a port for ldaps service. It's 
>usually done as I said before. 

Yes that's true, it would work only with 636, not 389.


Yes, I understood that, and as I said before, when I set "pool.default.serverset.srvrecord.service = ldaps", the parameter "vars.dns" is ignored by ovirt...
When I use "vars.dns = dns://ad_server.mydomain.com", restart ovirt-engine, attempt to login and then check the logs, I see in the logs it is still trying to use "_ldaps._tcp.university.mydomain.com" instead... It really totally ignores the vars.dns parameter!

Now if I use only "vars.dns = dns://ad_server.mydomain.com", and disable (comment out) "pool.default.serverset.srvrecord.service = ldaps", in the logs I see the right DNS used (ad_server.mydomain.com), but as you said, on the wrong port.

If I specify the port with "vars.dns = dns://ad_server.mydomain.com:636", I still see in the log that it's trying to use port 389. Which means the port number is totally ignored in the "vars.dns" parameter.
 

>To get more info how the 
>DNSSRVRecordServerSet works you can read this:
>https://docs.ldap.com/ldap-sdk/docs/javadoc/com/unboundid/ldap/sdk/DNSSRVRecordServerSet.html

Interesting, but here _ldap._tcp is not used. And I'm not a Java developer, I wouldn't know what to do with these classes etc...


>> It seems to confirm what I said: this DNS entry doesn't seem to exist.

>Yes, and it should, or you need to change 
>_ldap._tcp.university.mydomain.com SRV record to point on 636, or 
>configure 389 port to accept ldaps. That's just my guess.

So does it mean there is no way to specify in the ovirt config files that I want to use another DNS on port 636?


>Configuration looks OK, so you hit some bug, can you please open a bz 
>for it? Thanks.

Ok, no problem, I'll do that.
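To make the SRV-based server selection discussed in this thread concrete, here is an added example (not oVirt or aaa-ldap code) that builds the `_<service>._tcp.<domain>` owner name, picks a target by RFC 2782 priority and weight, and flags an ldaps target that is not on port 636. The SRV records are constructed, and the assumption that the URL scheme follows the configured service name is mine.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

# Constructed SRV answers standing in for what the resolver would return;
# not real DNS data. The _ldaps._tcp name for the university zone is
# deliberately absent, matching what the thread reports.
SAMPLE_ZONE: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.university.mydomain.com": [
        SrvRecord(priority=0, weight=100, port=389, target="ad_server.mydomain.com"),
    ],
    "_ldaps._tcp.fixed.example": [
        SrvRecord(priority=10, weight=50, port=389, target="old.fixed.example"),
        SrvRecord(priority=0, weight=50, port=636, target="ad.fixed.example"),
    ],
}

def srv_name(service: str, domain: str, protocol: str = "tcp") -> str:
    """Owner name the serverset queries, e.g. _ldaps._tcp.<domain>."""
    return f"_{service}._{protocol}.{domain}"

def pick_server(records: List[SrvRecord]) -> Optional[SrvRecord]:
    """RFC 2782 ordering: lowest priority first, then highest weight.
    Real resolvers pick among equal-priority targets randomly by weight;
    a plain sort keeps this example deterministic."""
    if not records:
        return None
    return sorted(records, key=lambda r: (r.priority, -r.weight))[0]

def resolve_ldap_url(service: str, domain: str, zone: Dict[str, List[SrvRecord]]) -> dict:
    """Work out which URL the serverset would use and flag known problems."""
    name = srv_name(service, domain)
    result = {"query": name, "url": None, "warnings": []}
    chosen = pick_server(zone.get(name, []))
    if chosen is None:
        result["warnings"].append(f"no SRV record for {name}")
        return result
    result["url"] = f"{service}://{chosen.target}:{chosen.port}"
    # ldaps against the plain-LDAP port fails the TLS handshake on a default AD
    if service == "ldaps" and chosen.port != 636:
        result["warnings"].append(f"{name} points at port {chosen.port}, not 636")
    return result
```

Running it against the constructed zone reproduces the thread's situation: the `ldaps` lookup finds no record, while the `ldap` lookup resolves to ad_server.mydomain.com on 389.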


