Bug 1438319 - [RFE] Adding "Failover between multiple hosts" feature on ovirt-engine-extension-aaa-ldap for RHEV+AD Integration
Summary: [RFE] Adding "Failover between multiple hosts" feature on ovirt-engine-exten...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap
Version: 4.0.7
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Ondra Machacek
QA Contact: Gonza
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-04-03 03:31 UTC by fjayalat
Modified: 2020-05-14 15:52 UTC
CC: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-01 15:41:34 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:


Attachments
AD ports (48.92 KB, image/png), 2017-04-04 01:14 UTC, fjayalat


Links
Red Hat Knowledge Base (Solution) 2994131, last updated 2017-05-01 15:36:23 UTC

Description fjayalat 2017-04-03 03:31:23 UTC
Description of problem:

Instead of using the SRV record, the customer wants a way to manually specify the list of LDAP servers which RHEVM can authenticate against. The current implementation of RHEV looks up DNS SRV records based on the forest information provided through the ovirt-engine-extension-aaa-ldap utility.

After further investigation I found out that if the customer decides to use the IPA LDAP implementation and selects the option "Failover between multiple hosts", it allows the user to manually specify the list of LDAP servers.

Basically, the customer is looking to do the same with Active Directory.

Version-Release number of selected component (if applicable):
ovirt-engine-4.0.7.4-0.1.el7ev.noarch
Expected results:
After running "ovirt-engine-extension-aaa-ldap" and selecting AD, the customer expects to see the option "Failover between multiple hosts" as in the IPA LDAP implementation.

Comment 1 Ondra Machacek 2017-04-03 12:46:35 UTC
Assuming that both servers are GC, you can configure as follows:

include = <ad.properties>

vars.domain = ad.example.com
vars.user = user1.com
vars.password = password

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.serverset.type = failover
pool.default.serverset.failover.01.server = server1.ad.example.com
pool.default.serverset.failover.02.server = server2.ad.example.com
pool.gc.serverset.failover.port = 3269
pool.authz.serverset.failover.port = 636

pool.default.dc-resolve.default.serverset.type = failover
pool.default.dc-resolve.serverset.failover.1.server = server1.ad.example.com
pool.default.dc-resolve.serverset.failover.2.server = server2.ad.example.com
pool.default.dc-resolve.serverset.failover.port = 636
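The configuration above hard-codes the server order, so the engine will silently shift all traffic to the second server if the first stops answering. The following script is an added example, not part of this bug and not code from ovirt-engine-extension-aaa-ldap: it parses a properties fragment shaped like the one in the comment (a constructed copy of the gc/authz part), resolves the ordered (host, port) list each pool would use, and probes each server in that order. It assumes two things the comment does not state: that pool-specific keys such as pool.gc.serverset.failover.port override pool.default, and that a failover serverset uses the first server that answers, in index order. parse_properties handles only the simple "key = value" form with ${global:...} expansion, and tcp_reachable is a hypothetical helper that only opens a TCP connection (no TLS or bind); the sample hostnames are placeholders.

```python
"""Added example (not from the bug or from ovirt-engine-extension-aaa-ldap):
resolve the failover server order of an aaa-ldap properties fragment and
check each server is reachable on the port its pool will use.

Assumptions (not stated in the comment): pool-specific keys override
pool.default.*, and a failover serverset picks the first server that answers.
"""
import re
import socket

# Constructed sample mirroring the gc/authz part of the config in comment 1.
SAMPLE_CONFIG = """\
include = <ad.properties>

vars.domain = ad.example.com
vars.user = user1.com
vars.password = password

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.serverset.type = failover
pool.default.serverset.failover.01.server = server1.ad.example.com
pool.default.serverset.failover.02.server = server2.ad.example.com
pool.gc.serverset.failover.port = 3269
pool.authz.serverset.failover.port = 636
"""

VAR_RE = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text):
    """Parse 'key = value' lines (blank and '#' lines skipped); expand ${global:key}."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    # One pass is enough for plain vars.* values; unknown references are left as-is.
    for key, value in props.items():
        props[key] = VAR_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return props


def failover_servers(props, pool, default_port=636):
    """Ordered (host, port) list for a pool whose serverset.type is 'failover'.

    Servers come from the pool's own failover.N.server keys, else pool.default's;
    the port from the pool's failover.port, else pool.default's, else default_port.
    Order is by the numeric index N (so 01/02 and 1/2 sort the same way).
    """
    def lookup(suffix):
        return props.get(f"pool.{pool}.{suffix}", props.get(f"pool.default.{suffix}"))

    if lookup("serverset.type") != "failover":
        raise ValueError(f"pool {pool}: serverset.type is not 'failover'")
    port = int(lookup("serverset.failover.port") or default_port)

    servers = []
    for scope in (pool, "default"):
        prefix = re.escape(f"pool.{scope}.serverset.failover.")
        found = []
        for key, value in props.items():
            m = re.fullmatch(prefix + r"(\d+)\.server", key)
            if m:
                found.append((int(m.group(1)), value))
        if found:
            servers = [host for _, host in sorted(found)]
            break
    return [(host, port) for host in servers]


def tcp_reachable(host, port, timeout=3.0):
    """Hypothetical probe: plain TCP connect only, no TLS handshake or LDAP bind."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_failover(props, pool, probe=tcp_reachable):
    """Probe servers in failover order; return (server the pool would land on, details).

    details is [(host, port, reachable), ...] for every configured server, so an
    unreachable first server is visible even though the pool still "works".
    """
    results = []
    selected = None
    for host, port in failover_servers(props, pool):
        ok = probe(host, port)
        results.append((host, port, ok))
        if ok and selected is None:
            selected = (host, port)
    return selected, results


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_CONFIG)
    for pool in ("gc", "authz"):
        chosen, detail = check_failover(cfg, pool)
        print(pool, "->", chosen, detail)
```

Run it against the real properties file to confirm that the GC pool resolves to port 3269 and the authz pool to 636 on every listed server; a pool whose first server is reported unreachable is still functional but has already lost its redundancy.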

Comment 4 fjayalat 2017-04-04 01:14:28 UTC
Created attachment 1268546 [details]
AD ports

Comment 15 Yaniv Kaul 2017-04-27 05:11:05 UTC
Martin, if it's a common case, please see it's added to documentation, not KCS.

Comment 16 Martin Perina 2017-05-01 15:33:26 UTC
(In reply to Yaniv Kaul from comment #15)
> Martin, if it's a common case, please see it's added to documentation, not
> KCS.

I don't think this is a common case, it's a very advanced case and AFAIK requested for the 1st time, so I think a KCS article is OK.

Comment 17 Martin Perina 2017-05-01 15:41:34 UTC
Closing as CURRENTRELEASE, solution verified with ovirt-engine-extension-aaa-ldap-1.2.3-1.el7ev provided by https://errata.devel.redhat.com/advisory/26573