[ovirt-users] Can't perform search after setting up an Active Directory

Alexis HAUSER alexis.hauser at telecom-bretagne.eu
Tue May 31 10:03:47 UTC 2016

>Oh, I see it, we were blind all the time. The problem is in AD2 and AD3.
>AD1 and AD4 are fine.
>So yes, the problem is on the AD side, but only for AD2 and AD3; that's why it
>worked for aaa-ldap-setup :)
>So actually this command shouldn't work for you:
>  LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H ldap://AD2.mydomain.com -x -D 'CN=Something,DC=myserver,DC=come' -w 'mypaswd' -b 'CN=users,DC=something,DC=com'
>but this should:
>  LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H ldap://AD4.mydomain.com -x -D 'CN=Something,DC=myserver,DC=come' -w 'mypaswd' -b 'CN=users,DC=something,DC=com'

Nice catch! I ran tests on the 4 servers with ldapsearch:

 OK: ldaps://AD1:636
 Not working: ldaps://AD2:636
 Not working: ldaps://AD3:636
 OK: ldaps://AD4:636

So, half of the ADs don't like ldaps...

Without ldaps, it was working for the first 3 of them, but not AD3... (the search user was disabled on this one; I asked for it to be enabled, and now ldapsearch works on it too, but only with ldap, not ldaps), so now:

ldapsearch works using ldap on AD1, 2, 3 and 4, even with LDAPTLS_PROTOCOL_MIN=3.2

In the SRV records returned by dig _ldap._tcp.mydomain.com, there are 5 ADs... One of them has been disabled but not removed from the SRV records (but when using dig @AD1,2,3,4 _ldap_tcp.mydomain, I can see this 5th AD has been removed).

Now the thing is: I don't have access to the SRV records, and I don't have access to the AD configuration.

For some strange reason it now works with "insecure", but not with pool.default.ssl.enable or StartTLS.
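The per-server checks above, as an added example that is not part of this thread or of oVirt's own code: a Python script that reads `dig` SRV output for `_ldap._tcp.<domain>` and, for every controller listed, reports whether plain LDAP, StartTLS (the same extended operation `ldapsearch -Z` sends) and LDAPS on 636 work against the CA bundle, so the OK / Not working table can be produced in one run and repeated after the AD side changes. The host names in the embedded dig sample are constructed, and the CA path is a placeholder passed as the first argument.

```python
"""Probe AD domain controllers for plain LDAP, LDAPS and StartTLS reachability.

Added example, not from the thread. Assumes dig SRV output on stdin and the CA
bundle path as argv[1]; the host names in SAMPLE_DIG are constructed.
"""
import re
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

# Constructed sample of `dig SRV _ldap._tcp.mydomain.com` answer lines; both the
# full layout and the `dig +short` layout are accepted by parse_srv().
SAMPLE_DIG = """\
;; ANSWER SECTION:
_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 ad2.mydomain.com.
_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 ad1.mydomain.com.
0 100 389 ad4.mydomain.com.
"""

SRV_RE = re.compile(r"^(?:\S+\s+\d+\s+IN\s+SRV\s+)?(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?\s*$")


def parse_srv(dig_output):
    """Return sorted (priority, weight, port, target) tuples from dig SRV output."""
    recs = []
    for line in dig_output.splitlines():
        m = SRV_RE.match(line)
        if m:
            recs.append((int(m[1]), int(m[2]), int(m[3]), m[4].lower()))
    return sorted(recs)


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(buf, i=0):
    """Decode one BER TLV at offset i; returns (tag, value, offset after it)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                           # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext = b"\x77" + ber_len(len(name)) + name
    mid = b"\x02\x01" + bytes([message_id])
    return b"\x30" + ber_len(len(mid) + len(ext)) + mid + ext


def starttls_result_code(resp):
    """resultCode of an ExtendedResponse [APPLICATION 24]; 0 means StartTLS accepted."""
    tag, msg, _ = ber_tlv(resp)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, i = ber_tlv(msg)                 # skip messageID
    tag, ext, _ = ber_tlv(msg, i)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = ber_tlv(ext)            # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def probe(host, port, cafile, mode, timeout=5.0):
    """mode is 'ldap' (TCP only), 'ldaps' (TLS on connect) or 'starttls'.

    Returns (ok, detail). TLS is verified against cafile, like LDAPTLS_CACERT.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if mode == "ldap":
                return True, "tcp connect ok"
            if mode == "starttls":
                sock.sendall(starttls_request())
                code = starttls_result_code(sock.recv(4096))
                if code != 0:
                    return False, f"StartTLS refused, resultCode={code}"
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, f"{tls.version()} ok, subject={tls.getpeercert()['subject']}"
    except (OSError, ValueError, IndexError) as exc:   # ssl.SSLError is an OSError
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    cafile = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. /somewhere/myca.pem
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIG
    for _, _, port, host in parse_srv(text):
        for mode, p in (("ldap", port), ("starttls", port), ("ldaps", 636)):
            ok, detail = probe(host, p, cafile, mode)
            print(f"{'OK' if ok else 'Not working':11} {mode}://{host}:{p}  {detail}")
```

Run it as `dig SRV _ldap._tcp.mydomain.com | python3 ldapprobe.py /somewhere/myca.pem`. The detail column separates the failure causes that look identical from oVirt's side: a certificate verification error means the DC presented a certificate the CA bundle does not chain to, a handshake reset or timeout means the DC is not offering TLS on that port at all, and a non-zero StartTLS resultCode means the server answered LDAP but declined the extended operation. `ssl.create_default_context` enforces certificate and hostname checks and, on current Python versions, TLS 1.2 or newer, so a controller that only speaks older versions shows as a handshake failure rather than a silent downgrade.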
