Bug 1438319

Summary: [RFE] Adding "Failover between multiple hosts" feature on ovirt-engine-extension-aaa-ldap for RHEV+AD Integration
Product: Red Hat Enterprise Virtualization Manager
Reporter: fjayalat
Component: ovirt-engine-extension-aaa-ldap
Assignee: Ondra Machacek <omachace>
Status: CLOSED CURRENTRELEASE
QA Contact: Gonza <grafuls>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.0.7
CC: bazulay, fjayalat, gveitmic, lsurette, mgoldboi, mperina, oourfali, Rhev-m-bugs, ykaul
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-01 15:41:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: AD ports (flags: none)

Description fjayalat 2017-04-03 03:31:23 UTC
Description of problem:

Instead of using the SRV record, the customer wants a way to manually specify the list of LDAP servers which RHEVM can authenticate against. The current implementation of RHEV looks up DNS SRV records based on the forest information provided through the ovirt-engine-extension-aaa-ldap utility.

After further investigation I found out that if the customer decides to use the IPA LDAP implementation and selects the option "Failover between multiple hosts", it allows the user to manually specify the list of LDAP servers.

Basically the customer is looking to do the same with Active Directory.

Version-Release number of selected component (if applicable):
ovirt-engine-4.0.7.4-0.1.el7ev.noarch

Expected results:
After running "ovirt-engine-extension-aaa-ldap" and selecting AD, the customer expects to see the option "Failover between multiple hosts" like in the IPA LDAP implementation.

Comment 1 Ondra Machacek 2017-04-03 12:46:35 UTC
Assuming that both servers are GC, you can configure as follows:

include = <ad.properties>

vars.domain = ad.example.com
vars.user = user1.com
vars.password = password

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Static failover list instead of the SRV record lookup; servers are tried in key order.
pool.default.serverset.type = failover
pool.default.serverset.failover.01.server = server1.ad.example.com
pool.default.serverset.failover.02.server = server2.ad.example.com
# 3269 is the Global Catalog SSL port, 636 is LDAPS.
pool.gc.serverset.failover.port = 3269
pool.authz.serverset.failover.port = 636

# The same static list for the dc-resolve template pool (keys live under dc-resolve.default).
pool.default.dc-resolve.default.serverset.type = failover
pool.default.dc-resolve.default.serverset.failover.01.server = server1.ad.example.com
pool.default.dc-resolve.default.serverset.failover.02.server = server2.ad.example.com
pool.default.dc-resolve.default.serverset.failover.port = 636
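
Added example (not part of the bug report and not aaa-ldap project code): a small Python checker for a config in the key layout above. It parses the properties, expands `${global:...}` references, lists the host/port pairs each pool ends up with, and flags a failover serverset whose server entries sit under a different key prefix than its type. It assumes that pool-specific keys fall back to pool.default; the sample config is constructed.

```python
import re
REF = re.compile(r"\$\{global:([^}]+)\}")
# Constructed sample (not a real engine config) in the aaa-ldap failover key layout; the
# last two lines deliberately split a serverset's type and server keys across two prefixes.
SAMPLE = """
vars.user = user1.com
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.serverset.type = failover
pool.default.serverset.failover.01.server = server1.ad.example.com
pool.default.serverset.failover.02.server = server2.ad.example.com
pool.gc.serverset.failover.port = 3269
pool.authz.serverset.failover.port = 636
pool.default.dc-resolve.default.serverset.type = failover
pool.default.dc-resolve.serverset.failover.01.server = server1.ad.example.com
"""

def parse_properties(text):
    """Parse 'key = value' lines, then expand ${global:key} references."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return {k: REF.sub(lambda m: props.get(m.group(1), m.group(0)), v)
            for k, v in props.items()}

def servers_under(props, prefix):
    """Hosts from <prefix>.failover.NN.server keys, in NN order."""
    return [v for k, v in sorted(props.items())
            if k.startswith(prefix + ".failover.") and k.endswith(".server")]

def failover_targets(props):
    """{pool: [(host, port), ...]}; pool keys fall back to pool.default (assumed)."""
    def get(pool, suffix):
        return props.get(f"pool.{pool}.{suffix}", props.get(f"pool.default.{suffix}"))
    out = {}
    for pool in sorted({k.split(".")[1] for k in props if k.startswith("pool.")}):
        if get(pool, "serverset.type") != "failover":
            continue
        port = get(pool, "serverset.failover.port")
        hosts = (servers_under(props, f"pool.{pool}.serverset")
                 or servers_under(props, "pool.default.serverset"))
        out[pool] = [(h, int(port) if port else None) for h in hosts]
    return out

def empty_failover_sets(props):
    """Serversets typed 'failover' with no NN.server keys under the same prefix."""
    return [k[:-5] for k, v in props.items()
            if k.endswith(".serverset.type") and v == "failover"
            and not servers_under(props, k[:-5])]
```

A pool reported with port None has no explicit failover port on either its own prefix or pool.default, which is worth settling before deployment.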

Comment 4 fjayalat 2017-04-04 01:14:28 UTC
Created attachment 1268546 [details]
AD ports

Comment 15 Yaniv Kaul 2017-04-27 05:11:05 UTC
Martin, if it's a common case, please see it's added to documentation, not KCS.

Comment 16 Martin Perina 2017-05-01 15:33:26 UTC
(In reply to Yaniv Kaul from comment #15)
> Martin, if it's a common case, please see it's added to documentation, not
> KCS.

I don't think this is a common case; it's a very advanced case and AFAIK requested for the 1st time, so I think a KCS article is OK.

Comment 17 Martin Perina 2017-05-01 15:41:34 UTC
Closing as CURRENTRELEASE, solution verified with ovirt-engine-extension-aaa-ldap-1.2.3-1.el7ev provided by https://errata.devel.redhat.com/advisory/26573