Bug 894681 (ldap_server_per_dom)
Summary: | RFE: Engine should support having configurable entries for ldap servers per domain | |
---|---|---|---
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Yair Zaslavsky <yzaslavs>
Component: | ovirt-engine | Assignee: | Yair Zaslavsky <yzaslavs>
Status: | CLOSED ERRATA | QA Contact: | Martin Pavlik <mpavlik>
Severity: | high | Docs Contact: |
Priority: | unspecified | |
Version: | unspecified | CC: | batkisso, byount, dyasny, iheim, lpeer, oourfali, parsonsa, pstehlik, Rhev-m-bugs, sgrinber, tvvcox, wduffee, yeylon, ykaul
Target Milestone: | --- | Keywords: | FutureFeature, Improvement
Target Release: | 3.2.0 | Flags: | dyasny: Triaged+
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | infra | |
Fixed In Version: | sf13 | Doc Type: | Enhancement
Doc Text: | The -ldapServers option has been added to the rhevm-manage-domains tool. It lets users set fixed LDAP server values for a domain which will not be overwritten by DNS SRV queries. This option can be used when the LDAP servers returned by DNS are down or suffering from connectivity issues. The accepted value for this option is a comma-delimited list of FQDNs of the LDAP servers in the given domain. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2013-06-10 21:43:00 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 966046 | |
Bug Blocks: | 915537 | |
Attachments: | | |
Description
Yair Zaslavsky
2013-01-13 06:36:35 UTC
Suggested upstream patch - http://gerrit.ovirt.org/#/c/11065/

(In reply to comment #11)
> (In reply to comment #9)
> > QE: Also please verify that if we add servers A,B,C (from a domain that has
> > servers A,B,C,D for example) that the order of the *Kerberos* servers in
> > krb5.conf is A,B,C,D.
>
> Yaniv,
> In order to test what you said (and actually, this is a very important note
> regarding the RFE)
>
> I don't think we will be able to use the
>
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> with values of true (we will not have control on how the KDCs are ordered).
>
> This is currently controlled by a boolean flag at
> /etc/ovirt-engine/manage-domains/manage-domains.conf -
>
> useDnsLookup=false
>
> I guess this should be moved as an optional flag to manage-domains (and not
> be contained in the configuration) and if -ldapServers is used, the values
> of dns_lookup_realm and of dns_lookup_kdc should be set to false.
>
> Thoughts about this?

If you are using specific LDAP servers, it only makes sense to use specific Kerberos servers. In fact, it makes sense to use the same server for both LDAP and Kerberos.

(In reply to comment #12)
> If you are using specific LDAP servers, it only makes sense to use specific
> Kerberos servers. In fact, it makes sense to use the same server for both
> LDAP and Kerberos.

Due to krb5LoginModule limitation, this is currently not possible.

Putting to ASSIGNED because an attempt to add domain rhev.example.cz with use of IPs (parameter -ldapServers=10.34.63.50,10.34.63.51) fails.

10.34.63.50 (ps-ad1.rhev.example.cz), 10.34.63.51 (ps-ad2.rhev.example.cz) are working LDAP servers. PTR records are correct and are returned to rhevm (see attached tcpdump file). User in AD exists and can be used (see host name variant on bottom).

[root@mp-rhevm32 ~]# rhevm-manage-domains -action=add -domain=rhev.example.cz -user=ppepa -provider=ActiveDirectory -passwordFile=$pwdFile -addPermissions -ldapServers=10.34.63.50,10.34.63.51
Error: LDAP query Failed. Error in DNS configuration. Please verify the Engine host has a valid reverse DNS (PTR) record.
Error: LDAP query Failed. Error in DNS configuration. Please verify the Engine host has a valid reverse DNS (PTR) record.
Failure while testing domain rhev.example.cz.
Details: No user information was found for user

[root@mp-rhevm32 ~]# tail -6 /var/log/ovirt-engine/engine-manage-domains.log
2013-05-22 09:22:53,657 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): rhev.example.cz
2013-05-22 09:22:53,689 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): rhev.example.cz
2013-05-22 09:22:53,689 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: rhev.example.cz
2013-05-22 09:22:53,831 ERROR [org.ovirt.engine.core.utils.kerberos.JndiAction] Error during login to kerberos. Detailed information is: GSS initiate failed
2013-05-22 09:22:53,845 ERROR [org.ovirt.engine.core.utils.kerberos.JndiAction] Error during login to kerberos. Detailed information is: GSS initiate failed
2013-05-22 09:22:53,848 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain rhev.example.cz. Details: No user information was found for user

######################################
Variant with host names works fine:

rhevm-manage-domains -action=add -domain=rhev.example.cz -user=ppepa -provider=ActiveDirectory -passwordFile=$pwdFile -addPermissions -ldapServers=ps-ad1.rhev.example.cz,ps-ad2.rhev.example.cz

user ppepa can log into rhevm and records for domain rhev.example.cz are in vdc_options:
LdapServers rhev.example.cz:ps-ad1.rhev.example.cz;ps-ad2.rhev.example.cz
######################################

Yair Zaslavsky managed to reproduce the issue on his upstream environment

Created attachment 751644 [details]
dns_PTR_tcpdump

Red Hat IT very much requires this feature. In our case, we need RHEV to use different servers from those specified in the SRV records.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0888.html