On 11/13/18 10:09 PM, Will Hegedus wrote:
So, it turns out that one of the domain controllers had a different certificate
chain (outside of my team's control) which was inexplicably causing the whole
thing to fail.
I would run "ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --user-name=prea...@liberty.edu --profile=liberty.edu"
and everything would look fine up until the point
that it needed to "doFetchPrincipalRecord", at which point it would fail to get the principal
record for the account. The bind would succeed, but because "Creating LDAPConnectionPool" would
fail on *just one* of the domain controllers, it for some reason seemed to invalidate all of the entries in
that pool, thereby causing the fetching of principal records to fail even though the bind succeeded on one of
the OK domain controllers.
Is this behavior intended? I really think this should be classified as a bug.
For what it's worth, this was resolved by getting the certificate chain from
the problem DC and then adding it to the Java Keystore with the other
certificate chain that all the other domain controllers use.

Please open a bug with detailed information about the AD infrastructure, like
what the forest is, what the domains are, and which DCs are in the domain, and I
will try to take a look. Thanks a lot!
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZCQPBSP4HW35JNJDPJUULDQVAP7C5A43/
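The fix described in the thread (pull the chain from the odd domain controller and add it to the Java keystore) can be scripted as below. This is an added example, not code from the thread or from the oVirt project; LDAPS on port 636, the host names, the truststore path and the TRUSTSTORE_PASS environment variable are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: LDAPS on port 636; host names, truststore path
# and the TRUSTSTORE_PASS environment variable are placeholders.

# Read `openssl s_client -showcerts` output on stdin, write one PEM file per
# certificate into directory $1, print how many certificates were written.
split_chain() {
  mkdir -p "$1"
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); on = 1 }
    on { print > f }
    /-----END CERTIFICATE-----/ { on = 0; close(f) }
    END { print n + 0 }'
}

# Read "host<TAB>issuer" lines, print hosts whose issuer is not the common one.
minority_issuers() {
  awk -F'\t' '
    { host[NR] = $1; iss[NR] = $2; count[$2]++ }
    END {
      for (i in count) if (count[i] > max) { max = count[i]; common = i }
      for (n = 1; n <= NR; n++) if (iss[n] != common) print host[n]
    }'
}

# Fetch the chain a DC presents into $2/<host> and print "host<TAB>issuer"
# for the last certificate it sent.
dc_issuer() {
  openssl s_client -connect "$1:636" -servername "$1" -showcerts \
    </dev/null 2>/dev/null | split_chain "$2/$1" >/dev/null
  last=$(ls "$2/$1"/cert-*.pem 2>/dev/null | tail -n 1)
  [ -n "$last" ] || { printf '%s\tNO-CERTIFICATE\n' "$1"; return; }
  printf '%s\t%s\n' "$1" "$(openssl x509 -in "$last" -noout -issuer)"
}

# Import the CA certificates (everything after the leaf, cert-01) a DC sent.
import_chain() {  # $1 = chain dir, $2 = truststore, $3 = alias prefix
  for pem in "$1"/cert-*.pem; do
    case $pem in */cert-01.pem) continue ;; esac
    keytool -importcert -noprompt -keystore "$2" -storepass:env TRUSTSTORE_PASS \
      -alias "$3-$(basename "$pem" .pem)" -file "$pem"
  done
}

# Usage: script.sh dc1.example.com dc2.example.com ...
if [ "$#" -gt 0 ]; then
  work=$(mktemp -d)
  for dc in "$@"; do dc_issuer "$dc" "$work"; done | tee "$work/issuers.tsv"
  echo "DCs with a different issuer:"; minority_issuers <"$work/issuers.tsv"
fi
```

Servers often omit the root CA from the chain they send, so check the extracted files with `openssl x509 -noout -subject -issuer` before calling import_chain, and obtain the root from the issuing CA if it is missing.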