Bug 894681 - (ldap_server_per_dom) RFE: Engine should support having configurable entries for ldap servers per domain
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine (Show other bugs)
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 3.2.0
Assigned To: Yair Zaslavsky
QA Contact: Martin Pavlik
infra
Keywords: FutureFeature, Improvement
Depends On: 966046
Blocks: 915537
Reported: 2013-01-13 01:36 EST by Yair Zaslavsky
Modified: 2016-02-10 14:32 EST (History)

See Also:
Fixed In Version: sf13
Doc Type: Enhancement
Doc Text:
The -ldapServers option has been added to the rhevm-manage-domains tool. It lets users set a fixed list of LDAP servers for a domain; these values are not overwritten by the results of DNS SRV queries. The option is useful when the LDAP servers returned by DNS are down or unreachable. The accepted value is a comma-delimited string of FQDNs of the LDAP servers for the given domain.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-10 17:43:00 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
dyasny: Triaged+


Attachments
dns_PTR_tcpdump (10.24 KB, application/vnd.tcpdump.pcap)
2013-05-22 06:04 EDT, Martin Pavlik


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 70533 None None None Never
oVirt gerrit 11065 None None None Never

Description Yair Zaslavsky 2013-01-13 01:36:35 EST
Description of problem:

Ldap server information can be retrieved via:
1. ldapServers configuration value - but it holds only one ldap server per domain
2. If 1 does not exist per domain - using DNS SRV query

We should extend 1 to support multiple servers per domain.

Comment 1 Yair Zaslavsky 2013-01-15 15:06:21 EST
Suggested upstream patch -

http://gerrit.ovirt.org/#/c/11065/
Comment 12 Yaniv Kaul 2013-01-29 04:11:01 EST
(In reply to comment #11)
> (In reply to comment #9)
> > QE: Also please verify that if we add servers A,B,C (from a domain that has
> > servers A,B,C,D for example) that the order of the *Kerberos* servers in
> > krb5.conf is A,B,C,D.
> 
> Yaniv,
> In order to test what you said (and actually, this is a very important note
> regarding the RFE) 
> 
> I don't think we will be able to use the 
> 
> dns_lookup_realm = false
> dns_lookup_kdc = false
> 
> with values of true (we will not have control on how the KDCs are ordered).
> 
> This is currently controlled by a boolean flag at
> /etc/ovirt-engine/manage-domains/manage-domains.conf -
> 
> useDnsLookup=false 
> 
> I guess this should be moved as an optional flag to manage-domains (and not
> be contained in the configuration) and if -ldapServers is used, the values
> of dns_lookup_realm and of dns_lookup_kdc should be set to false.
> 
> Thoughts about this?

If you are using specific LDAP servers, it only makes sense to use specific Kerberos servers. In fact, it makes sense to use the same server for both LDAP and Kerberos.
Comment 13 Yair Zaslavsky 2013-01-29 05:40:53 EST
(In reply to comment #12)
> (In reply to comment #11)
> > (In reply to comment #9)
> > > QE: Also please verify that if we add servers A,B,C (from a domain that has
> > > servers A,B,C,D for example) that the order of the *Kerberos* servers in
> > > krb5.conf is A,B,C,D.
> > 
> > Yaniv,
> > In order to test what you said (and actually, this is a very important note
> > regarding the RFE) 
> > 
> > I don't think we will be able to use the 
> > 
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> > 
> > with values of true (we will not have control on how the KDCs are ordered).
> > 
> > This is currently controlled by a boolean flag at
> > /etc/ovirt-engine/manage-domains/manage-domains.conf -
> > 
> > useDnsLookup=false 
> > 
> > I guess this should be moved as an optional flag to manage-domains (and not
> > be contained in the configuration) and if -ldapServers is used, the values
> > of dns_lookup_realm and of dns_lookup_kdc should be set to false.
> > 
> > Thoughts about this?
> 
> If you are using specific LDAP servers, it only makes sense to use specific
> Kerberos servers. In fact, it makes sense to use the same server for both
> LDAP and Kerberos.

Due to krb5LoginModule limitation, this is currently not possible.
Comment 22 Martin Pavlik 2013-05-22 06:03:25 EDT
Putting to ASSIGNED because an attempt to add domain rhev.example.cz using IPs (parameter -ldapServers=10.34.63.50,10.34.63.51) fails.

10.34.63.50 (ps-ad1.rhev.example.cz) and 10.34.63.51 (ps-ad2.rhev.example.cz) are working LDAP servers.

PTR records are correct and are returned to rhevm (see the attached tcpdump file).
The user in AD exists and can be used (see the host name variant at the bottom).

[root@mp-rhevm32 ~]# rhevm-manage-domains -action=add -domain=rhev.example.cz -user=ppepa -provider=ActiveDirectory -passwordFile=$pwdFile -addPermissions -ldapServers=10.34.63.50,10.34.63.51
Error: LDAP query Failed. Error in DNS configuration. Please verify the Engine host has a valid reverse DNS (PTR) record.
Error: LDAP query Failed. Error in DNS configuration. Please verify the Engine host has a valid reverse DNS (PTR) record.
Failure while testing domain rhev.example.cz. Details: No user information was found for user

[root@mp-rhevm32 ~]# tail -6 /var/log/ovirt-engine/engine-manage-domains.log
2013-05-22 09:22:53,657 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): rhev.example.cz
2013-05-22 09:22:53,689 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): rhev.example.cz
2013-05-22 09:22:53,689 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: rhev.example.cz
2013-05-22 09:22:53,831 ERROR [org.ovirt.engine.core.utils.kerberos.JndiAction] Error during login to kerberos. Detailed information is: GSS initiate failed
2013-05-22 09:22:53,845 ERROR [org.ovirt.engine.core.utils.kerberos.JndiAction] Error during login to kerberos. Detailed information is: GSS initiate failed
2013-05-22 09:22:53,848 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain rhev.example.cz. Details: No user information was found for user

######################################
Variant with host names works fine:
rhevm-manage-domains -action=add -domain=rhev.example.cz -user=ppepa -provider=ActiveDirectory -passwordFile=$pwdFile -addPermissions -ldapServers=ps-ad1.rhev.example.cz,ps-ad2.rhev.example.cz

user ppepa can log into rhevm and records for domain rhev.example.cz are in vdc_options: LdapServers rhev.example.cz:ps-ad1.rhev.example.cz;ps-ad2.rhev.example.cz

######################################

Yair Zaslavsky managed to reproduce the issue in his upstream environment.
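The following is an added example, not code from ovirt-engine or from anyone in this bug, that models the pieces discussed above in one place: the per-domain server list from the description, the requirement from comments 11 to 13 that a pinned server list also pins the KDCs (dns_lookup_realm and dns_lookup_kdc set to false, kdc lines in the configured order), and the two findings in comment 22 (IP literals fail where FQDNs work, and the "domain:host1;host2" encoding stored in vdc_options). Function names, the rejection of IP literals at parse time, and the comma separating multiple domains in the stored value are assumptions of this example; the engine's real behaviour is only what the comments above report.

```python
"""Illustrative model of the per-domain LDAP server list this RFE adds.
Added example, not ovirt-engine's own code: function names and the comma
between domains in the stored value are assumptions; the "domain:h1;h2"
vdc_options encoding is the one quoted in comment 22."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# RFC 1123 label: letters, digits, hyphens, no leading/trailing hyphen.
# At least two labels are required, so a bare short name is rejected.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$", re.IGNORECASE)


def parse_ldap_servers_option(value: str) -> List[str]:
    """Split a comma-delimited -ldapServers value into an ordered FQDN list.
    IP literals are refused (assumption of this example): a Kerberos client
    builds the service principal ldap/<name-as-given>@REALM, and an IP does
    not match the server's principal, which fits the "GSS initiate failed"
    result when IPs were passed in comment 22."""
    servers: List[str] = []
    for raw in value.split(","):
        host = raw.strip().lower().rstrip(".")
        if not host:
            raise ValueError("empty entry in -ldapServers")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            pass  # not an IP literal, as required
        else:
            raise ValueError(f"{host}: IP literal not allowed, use the FQDN")
        if not FQDN_RE.match(host):
            raise ValueError(f"{host}: not a valid FQDN")
        if host in servers:
            raise ValueError(f"{host}: listed twice")
        servers.append(host)
    return servers


def ldap_servers_option_error(value: str) -> Optional[str]:
    """Validation error for a -ldapServers value, or None if it is valid."""
    try:
        parse_ldap_servers_option(value)
    except ValueError as exc:
        return str(exc)
    return None


def encode_vdc_option(domains: Dict[str, List[str]]) -> str:
    """Encode {domain: [hosts]} as 'domain:h1;h2,other:h3' (LdapServers value)."""
    return ",".join(f"{d}:{';'.join(hosts)}" for d, hosts in domains.items())


def decode_vdc_option(value: str) -> Dict[str, List[str]]:
    """Inverse of encode_vdc_option; server order within a domain is kept."""
    domains: Dict[str, List[str]] = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        domain, sep, hosts = entry.partition(":")
        if not sep or not hosts:
            raise ValueError(f"malformed LdapServers entry: {entry!r}")
        domains[domain.lower()] = [h for h in hosts.split(";") if h]
    return domains


def ldap_servers_for(domain: str, configured: Dict[str, List[str]],
                     srv_lookup: Callable[[str], List[str]]) -> List[str]:
    """Configured servers win; DNS SRV is consulted only when none are set."""
    hosts = configured.get(domain.lower())
    if hosts:
        return list(hosts)
    return srv_lookup(f"_ldap._tcp.{domain.lower()}")


def render_krb5_conf(domains: Dict[str, List[str]]) -> str:
    """Emit a krb5.conf that pins the KDCs in configured order and disables
    the DNS lookups that would otherwise let the library reorder them."""
    default = next(iter(domains)).upper()
    out = ["[libdefaults]", f"    default_realm = {default}",
           "    dns_lookup_realm = false", "    dns_lookup_kdc = false",
           "", "[realms]"]
    for d, hosts in domains.items():
        out.append(f"    {d.upper()} = {{")
        out.extend(f"        kdc = {h}" for h in hosts)
        out.append("    }")
    out.extend(["", "[domain_realm]"])
    for d in domains:
        out.extend([f"    .{d} = {d.upper()}", f"    {d} = {d.upper()}"])
    return "\n".join(out) + "\n"


def kdcs_in_conf(conf: str, realm: str) -> List[str]:
    """Read back one realm's kdc lines in file order (the ordering check
    QE is asked to perform in comment 9)."""
    kdcs: List[str] = []
    in_realm = False
    for line in conf.splitlines():
        s = line.strip()
        if s == f"{realm.upper()} = {{":
            in_realm = True
        elif in_realm and s == "}":
            break
        elif in_realm and s.startswith("kdc = "):
            kdcs.append(s[len("kdc = "):])
    return kdcs
```

Running `parse_ldap_servers_option("10.34.63.50,10.34.63.51")` raises on the first IP, while the hostname variant from comment 22 parses, encodes to `rhev.example.cz:ps-ad1.rhev.example.cz;ps-ad2.rhev.example.cz`, and renders a realm stanza whose kdc lines come back from `kdcs_in_conf` in exactly the configured order.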
Comment 23 Martin Pavlik 2013-05-22 06:04:38 EDT
Created attachment 751644 [details]
dns_PTR_tcpdump
Comment 27 Brian J. Atkisson 2013-05-24 11:26:35 EDT
Red Hat IT very much requires this feature.  In our case, we need RHEV to use different servers from those specified in the SRV records.
Comment 28 errata-xmlrpc 2013-06-10 17:43:00 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0888.html
