Description of problem:
Instead of using the SRV record, customer wants a way to manually specify the list of LDAP servers which RHEVM can authenticate against. Current implementation of rhev looks up DNS SRV records based on the forest information provided through the ovirt-engine-extension-aaa-ldap utility. After further investigation I found out, if customer decides to use IPA LDAP implementation and if they select the option "Failover between multiple hosts", it allows user to manually specify the list of LDAP servers. Basically customer is looking to do the same with Active Directory.

Version-Release number of selected component (if applicable):
ovirt-engine-4.0.7.4-0.1.el7ev.noarch

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:
After running "ovirt-engine-extension-aaa-ldap" and selecting AD, customer is expecting to see the option "Failover between multiple hosts" like in the IPA LDAP implementation.

Additional info:
Assuming that both servers are GC, you can configure as follows:

  include = <ad.properties>
  vars.domain = ad.example.com
  vars.user = user1.com
  vars.password = password
  pool.default.auth.simple.bindDN = ${global:vars.user}
  pool.default.auth.simple.password = ${global:vars.password}
  pool.default.serverset.type = failover
  pool.default.serverset.failover.01.server = server1.ad.example.com
  pool.default.serverset.failover.02.server = server2.ad.example.com
  pool.gc.serverset.failover.port = 3269
  pool.authz.serverset.failover.port = 636
  pool.default.dc-resolve.default.serverset.type = failover
  pool.default.dc-resolve.serverset.failover.1.server = server1.ad.example.com
  pool.default.dc-resolve.serverset.failover.2.server = server2.ad.example.com
  pool.default.dc-resolve.serverset.failover.port = 636
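The hand-written failover configuration above is easy to get subtly wrong (a server key under the wrong pool, a port left at the plain-LDAP default while the bind DN and password sit in the same file). The following script is an added example, not part of this bug report or of ovirt-engine-extension-aaa-ldap itself: it parses a properties file in the extension's `key = value` format, expands `${global:...}` references, lists the failover servers each pool would use, and flags pools whose servers are not reached over an LDAPS port. It assumes that keys under `pool.default` apply to the other pools unless overridden, that a pool with no explicit port uses 389, and it does not read included files such as `ad.properties`; the sample configuration and its values are constructed for the example.

```python
import re

# Constructed sample in the same format as the configuration in the comment
# above (placeholder values; the real file holds a real bind password).
SAMPLE_CONFIG = """\
include = <ad.properties>
vars.domain = ad.example.com
vars.user = user1@ad.example.com
vars.password = CHANGE-ME
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = failover
pool.default.serverset.failover.01.server = server1.ad.example.com
pool.default.serverset.failover.02.server = server2.ad.example.com
pool.gc.serverset.failover.port = 3269
pool.authz.serverset.failover.port = 636
"""

VAR_REF = re.compile(r"\$\{global:([^}]+)\}")
LDAPS_PORTS = {636, 3269}          # LDAPS and GC-over-SSL
PLAIN_LDAP_PORT = 389              # assumption: fallback when no port is configured


def parse_properties(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def expand(props, value):
    """Resolve ${global:vars.x} references against the parsed properties."""
    return VAR_REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def failover_servers(props, pool):
    """Return [(server, port), ...] in failover order for the given pool.

    Assumption: a key missing under pool.<pool> falls back to pool.default,
    and pool-specific server entries override the default ones by index.
    """
    def get(suffix, default=None):
        return props.get(f"pool.{pool}.{suffix}",
                         props.get(f"pool.default.{suffix}", default))

    if get("serverset.type") != "failover":
        return []
    port = int(get("serverset.failover.port", PLAIN_LDAP_PORT))
    servers = {}
    for scope in ("default", pool):
        prefix = f"pool.{scope}.serverset.failover."
        for key, value in props.items():
            if key.startswith(prefix) and key.endswith(".server"):
                idx = key[len(prefix):-len(".server")]
                servers[int(idx)] = expand(props, value)   # "01" and "1" both map to 1
    return [(servers[i], port) for i in sorted(servers)]


def check_pool(props, pool):
    """Warnings a reviewer would raise for one pool of the configuration."""
    warnings = []
    servers = failover_servers(props, pool)
    if not servers:
        warnings.append(f"{pool}: no failover servers configured")
    for server, port in servers:
        if port not in LDAPS_PORTS:
            warnings.append(f"{pool}: {server}:{port} is not an LDAPS port; "
                            "simple-bind credentials would cross the network unprotected")
    return warnings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_CONFIG)
    print("bind as:", expand(props, props["pool.default.auth.simple.bindDN"]))
    for pool in ("gc", "authz", "default"):
        print(pool, failover_servers(props, pool))
        for warning in check_pool(props, pool):
            print("  WARNING:", warning)
```

Run against the real `/etc/ovirt-engine/aaa/<profile>.properties` the script only lists what the file itself declares; anything inherited from the included `ad.properties` is invisible to it, which is why the fallback port is an assumption rather than the extension's behaviour.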
Created attachment 1268546: AD ports
Martin, if it's a common case, please see it's added to documentation, not KCS.
(In reply to Yaniv Kaul from comment #15)
> Martin, if it's a common case, please see it's added to documentation, not
> KCS.

I don't think this is a common case, it's a very advanced case and AFAIK requested for the 1st time, so I think a KCS article is OK.
Closing as CURRENTRELEASE, solution verified with ovirt-engine-extension-aaa-ldap-1.2.3-1.el7ev provided by https://errata.devel.redhat.com/advisory/26573