[ovirt-users] Can't perform search after setting up an Active Directory

Alexis HAUSER alexis.hauser at telecom-bretagne.eu
Thu May 26 15:28:41 UTC 2016

This is really weird : If I manually run : dig _ldap._tcp.my_forst_name.com SRV
I can see the 4 AD servers in ANSWER, AUTHORITY and ADDITIONAL SECTION

If I use : pool.default.serverset.srvrecord.service = ldaps
In the logs I see this : "An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldaps._tcp.my_forest_name.com':"

The same happens with : dig @any_of_the_4_AD_server _ldap._tcp.my_forest_name.com SRV

So why dig can resolve it but not ovirt ?

>If I understand correctly, you misunderstood meaning of 'vars.dns' variable.
>This variables says what DNS server(s) should be used to send DNS 
>queries, instead of the
>default one from /etc/resolv.conf.
>So if you specify:
>  vars.dns = dns://ad_server.mydomain.com
>then aaa-ldap do following:
>  $ dig @ad_server.mydomain.com 
>_ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV
>if you remove 'vars.dns' varibale then aaa-ldap does following:
>  $ dig _ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV
>so default DNS servers are used.

Interesting, now I understand better...

>In config files no. The correct approach is configure DNS properly. 
>Because SRV record
>provides you port on which that service operates. So I would suggest you 
>either create new SRV record named 'ldaps' with port 636(in your AD 
>DNS), or use startTLS with port 389.

"ldaps" is also a kind of conventional "microsoft SRV record" like _ldaps_tcp ?

With startTLS I didn't have any success (and I don't really get why) :

"2016-05-26 17:23:36,535 WARN  [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (ajp-/ [] [ovirt-engine-extension-aaa-ldap.authn::AD2-authn] Cannot initialize LDAP framework, deferring initialization. Error: 00000000: LdapErr: DSID-0C090CF0, comment: Error initializing SSL/TLS, data 0, vece"

"{Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=00000000: LdapErr: DSID-0C090CF0, comment: Error initializing SSL/TLS, data 0, vece, Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2}"

More information about the Users mailing list