[ovirt-users] Can't perform search after setting up an Active Directory

Ondra Machacek omachace at redhat.com
Thu May 26 17:58:20 UTC 2016 

On 05/26/2016 05:28 PM, Alexis HAUSER wrote:
> This is really weird : If I manually run : dig _ldap._tcp.my_forst_name.com SRV

^_ldap

> I can see the 4 AD servers in ANSWER, AUTHORITY and ADDITIONAL SECTION
>
> If I use : pool.default.serverset.srvrecord.service = ldaps
> In the logs I see this : "An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldaps._tcp.my_forest_name.com':"

^_ldaps

>
> The same happens with : dig @any_of_the_4_AD_server _ldap._tcp.my_forest_name.com SRV

^_ldap

>
> So why dig can resolve it but not ovirt ?

you use '_ldaps._tcp' in ovirt not '_ldap._tcp' as in dig.

And '_ldaps' is what's missing in your DNS.

>
>
>
>> If I understand correctly, you misunderstood meaning of 'vars.dns' variable.
>> This variables says what DNS server(s) should be used to send DNS
>> queries, instead of the
>> default one from /etc/resolv.conf.
>> So if you specify:
>>  vars.dns = dns://ad_server.mydomain.com
>> then aaa-ldap do following:
>>  $ dig @ad_server.mydomain.com
>> _ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV
>> if you remove 'vars.dns' varibale then aaa-ldap does following:
>>  $ dig _ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV
>> so default DNS servers are used.
>
>
> Interesting, now I understand better...
>
>
>> In config files no. The correct approach is configure DNS properly.
>> Because SRV record
>> provides you port on which that service operates. So I would suggest you
>> either create new SRV record named 'ldaps' with port 636(in your AD
>> DNS), or use startTLS with port 389.
>
>
> "ldaps" is also a kind of conventional "microsoft SRV record" like _ldaps_tcp ?
>

Unfortunatelly using '_ldaps._tcp' is not any standart. But that's what 
usually people do if they can't use startTLS.

>
> With startTLS I didn't have any success (and I don't really get why) :
>
> "2016-05-26 17:23:36,535 WARN  [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (ajp-/127.0.0.1:8702-6) [] [ovirt-engine-extension-aaa-ldap.authn::AD2-authn] Cannot initialize LDAP framework, deferring initialization. Error: 00000000: LdapErr: DSID-0C090CF0, comment: Error initializing SSL/TLS, data 0, vece"
>
> "{Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=00000000: LdapErr: DSID-0C090CF0, comment: Error initializing SSL/TLS, data 0, vece, Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2}"
>
>

This message doesn't say much. Can you please send full Java exception 
stack trace?
Don't forget to also remove lines:

  pool.default.ssl.enable = true
  pool.default.serverset.srvrecord.service = ldaps

More information about the Users mailing list