Bug 1302313 - Active Directory forest configuration - bad DNS query
Product: ovirt-engine-extension-aaa-ldap
Classification: oVirt
Component: Profile.ad
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Assigned To: Itamar Heim
Ondra Machacek
Reported: 2016-01-27 08:15 EST by el_Lechu
Modified: 2016-01-27 08:46 EST

Doc Type: Bug Fix
Last Closed: 2016-01-27 08:40:11 EST
Type: Bug
oVirt Team: Infra

Attachments
bad/good query/response to/from DNS (8.51 KB, text/plain)
2016-01-27 08:15 EST, el_Lechu

Description el_Lechu 2016-01-27 08:15:48 EST
Created attachment 1118783
bad/good query/response to/from DNS

Description of problem:
After installing oVirt (and ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.centos.noarch) and copying and editing the example config:
include = <ad.properties>

vars.forest = win2k8.local

vars.user = ovirt-test@${global:vars.forest}
vars.password = password!

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.forest}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}


oVirt can't query DNS properly. It seems like oVirt wants to query "_ldap._tcp.<domain> " for the SRV record (with a space at the end), but it should be without the space at the end.

Log from ovirt-engine:
[ovirt-engine-extension-aaa-ldap.authz::profile1-authz] Creating LDAP pool 'authz'
2016-01-27 13:52:33 WARNING [ovirt-engine-extension-aaa-ldap.authz::profile1-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._tcp.win2k8.local ':  javax.naming.CommunicationException: DNS error [Root exception is java.net.SocketTimeoutException: Receive timed out]; remaining name '_ldap._tcp.win2k8.local ' caused by java.net.SocketTimeoutException: Receive timed out


Configuration with vars.domain works fine.
The attachment contains the log from the DNS server (first the bad query from oVirt - `host -t SRV "_ldap._tcp.win2k8.local "`, and at the end the good query from the shell, without the space - `host -t SRV "_ldap._tcp.win2k8.local"`).

Steps to Reproduce:
1. Configure ovirt with aaa-ldap and put "vars.forest" configuration like in example

Actual results:
Can't connect oVirt to LDAP with the "vars.forest" config

Expected results:
The DNS query from aaa-ldap works fine; the SRV record can be found like this (using dig or host):
# host -t SRV _ldap._tcp.win2k8.local
_ldap._tcp.win2k8.local has SRV record 0 100 389 win-nd8lecpmi69.win2k8.local.

Comment 1 Ondra Machacek 2016-01-27 08:30:38 EST
Please ensure that you don't have a trailing space on one of these lines:

vars.forest = win2k8.local
pool.default.serverset.srvrecord.domain = ${global:vars.forest}
Comment 2 el_Lechu 2016-01-27 08:40:11 EST
LOL, you're right. In "vars.forest = win2k8.local" I have a space. Thank you.
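A small check for this failure mode, added here as an illustration (it is not code from oVirt or the aaa-ldap extension): it reads a profile in the format shown above, expands ${global:...} references, builds the _ldap._tcp.<domain> SRV name and reports any value that would carry whitespace into the DNS query. The profile text is constructed from the report, and the parsing and expansion rules are simplified assumptions about how the extension handles its properties.

```python
import re

# Constructed from the report: the reporter's profile, reproduced with the
# trailing space on the vars.forest line that caused the failure.
BROKEN_PROFILE = (
    "include = <ad.properties>\n"
    "vars.forest = win2k8.local \n"
    "vars.user = ovirt-test@${global:vars.forest}\n"
    "pool.default.serverset.type = srvrecord\n"
    "pool.default.serverset.srvrecord.domain = ${global:vars.forest}\n"
)
FIXED_PROFILE = BROKEN_PROFILE.replace("win2k8.local \n", "win2k8.local\n")

REF = re.compile(r"\$\{global:([^}]+)\}")

def parse_profile(text):
    """Read 'key = value' lines. Leading whitespace before the value is dropped,
    trailing whitespace is kept (Java-style properties); nothing trims it."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.lstrip()
    return props

def expand(props, value, depth=0):
    """Resolve ${global:key} references recursively (assumed semantics)."""
    if depth > 10:
        raise ValueError("reference loop")
    return REF.sub(lambda m: expand(props, props.get(m.group(1), ""), depth + 1), value)

def srv_query_name(props):
    """The SRV name looked up when serverset.type = srvrecord."""
    domain = expand(props, props["pool.default.serverset.srvrecord.domain"])
    return "_ldap._tcp." + domain

def lint_profile(text):
    """Keys whose expanded value carries leading or trailing whitespace."""
    props = parse_profile(text)
    expanded = {k: expand(props, v) for k, v in props.items()}
    return sorted(k for k, v in expanded.items() if v != v.strip())

if __name__ == "__main__":
    # repr() makes the trailing space in the broken query name visible.
    for name, text in (("broken", BROKEN_PROFILE), ("fixed", FIXED_PROFILE)):
        print(name, repr(srv_query_name(parse_profile(text))), lint_profile(text))
```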
