Bug 1053030

Summary: [RFE][AAA] Mechanism for determining which Domain Controller is 'active' for authentication
Product: Red Hat Enterprise Virtualization Manager Reporter: Clifton Coursey <ccoursey>
Component: RFEs Assignee: Scott Herold <sherold>
Status: CLOSED CURRENTRELEASE QA Contact: Shai Revivo <srevivo>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.2.0 CC: alonbl, bazulay, byount, ccoursey, gklein, iheim, lpeer, oourfali, rbalakri, ssekidde, yeylon, ylavi
Target Milestone: --- Keywords: FutureFeature
Target Release: 3.5.0 Flags: sherold: Triaged+
Hardware: x86_64   
OS: Linux   
Whiteboard: infra
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-21 12:07:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1063095    

Description Clifton Coursey 2014-01-14 15:37:28 UTC
Description of problem:
How can we determine what domain controller is currently being used for Active Directory Authentication and other AD requests?

We will be implementing the multiple Domain Controller
This capability will be required in order to troubleshoot possible future AD authentication issues.
Additionally, we would like to know what the failover mechanism is.

For example:
If we have 3 domain controllers listed, how does rhevm determine which AD controller is used to service requests, and what are the criteria that are used to fail over to the next one?


Version-Release number of selected component (if applicable):
N/A

How reproducible:
N/A


Additional info:
The only way to get an idea of this information is the following:
Do a service record lookup...

# dig -t SRV _ldap._tcp.yourdomain.com

Comment 6 Alon Bar-Lev 2015-02-03 11:28:32 UTC
In 3.5, using the new LDAP provider ovirt-engine-extension-aaa-ldap[1][2], there are several policies (serverset) to access the domain.

The recommendation for Active Directory is to use DNS SRVRecord, which will select the server with the higher priority and refresh every interval.

You can select other policies if you like.

Enabling debug at level ALL will also enable you to see what IP address is being accessed.

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
[2] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
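
Added example (not part of the bug report or of ovirt-engine-extension-aaa-ldap): a shell helper that takes the answer from the SRV lookup in the description and orders it the way RFC 2782 defines, where the lowest priority number is the most preferred target, so you can see which domain controllers are first in line before checking the debug log. The host names are constructed sample data, and whether the extension orders records exactly this way is an assumption.

```shell
#!/bin/sh
# Rank SRV answers in RFC 2782 order.
# Input: lines in `dig +short -t SRV` format: "priority weight port target."

rank_srv() {
    # Skip anything that is not a 4-field numeric SRV line, strip the
    # trailing root dot, then sort by priority ascending (lowest number is
    # tried first) and weight descending (higher weight is more likely to
    # be picked among records of equal priority).
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             sub(/\.$/, "", $4); print $1, $2, $4 ":" $3
         }' | sort -k1,1n -k2,2nr
}

# First-choice targets: every record sharing the lowest priority number.
preferred_dcs() {
    rank_srv | awk 'NR == 1 { p = $1 } $1 == p { print $3 }'
}

# Constructed sample answer (hypothetical hosts), including one noise line
# of the kind dig emits on a resolver timeout.
sample_srv() {
    cat <<'EOF'
10 100 389 dc3.example.com.
0 50 389 dc2.example.com.
0 100 389 dc1.example.com.
;; connection timed out
EOF
}

# Live use: dig +short -t SRV _ldap._tcp.yourdomain.com | rank_srv
sample_srv | rank_srv
```

Records that share the lowest priority number are all first-choice candidates; the IP address shown in the debug log then tells you which of them the engine actually contacted.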