So, it turns out that one of the domain controllers had a different certificate 
chain (outside of my team's control) which was inexplicably causing the whole 
thing to fail.

I would run "ovirt-engine-extensions-tool --log-level=FINEST 
--log-file=/tmp/aaa.log aaa login-user [email protected] 
--profile=liberty.edu" and everything would look fine up until the point that 
it needed to "doFetchPrincipalRecord", at which point it would fail to get the 
principal record for the account. The bind would succeed, but because "Creating 
LDAPConnectionPool" would fail on *just one* of the domain controllers, it for 
some reason seemed to invalidate all of the entries in that pool, thereby 
causing the fetching of principal records to fail even though the bind 
succeeded on one of the OK domain controllers.

Is this behavior intended? I really think this should be classified as a bug.

For what it's worth, this was resolved by getting the certificate chain from 
the problem DC and then adding it to the Java Keystore with the other 
certificate chain that all the other domain controllers use.
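
Added example, not part of the original post or of oVirt's code: a check that runs the same TLS validation against every domain controller with one CA bundle, so a DC serving a different certificate chain stands out before the AAA profile fails. It assumes LDAPS on port 636 and a PEM export of the CAs held in the Java keystore; the script name, bundle path and host arguments are placeholders.

```python
"""Validate each domain controller's LDAPS certificate against one CA bundle."""
import socket
import ssl
import sys


def check_dc(host, cafile=None, port=636, timeout=5.0):
    """Return (host, status, detail); status is trusted/untrusted/tls-error/unreachable."""
    # cafile=None uses the system trust store. Pass the PEM bundle that mirrors
    # the Java keystore (assumption) to see what the LDAP client would accept.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return host, "trusted", tls.version()
    except ssl.SSLCertVerificationError as exc:  # unknown issuer, expiry, name mismatch
        return host, "untrusted", exc.verify_message
    except ssl.SSLError as exc:                  # handshake failed for another reason
        return host, "tls-error", str(exc)
    except OSError as exc:                       # refused, timed out, DNS failure
        return host, "unreachable", str(exc)


def outliers(results):
    """Hosts that failed validation while at least one other DC passed."""
    trusted = [h for h, status, _ in results if status == "trusted"]
    bad = [h for h, status, _ in results if status == "untrusted"]
    return bad if trusted else []


def main(argv):
    if len(argv) < 3:
        print("usage: check_dcs.py CA_BUNDLE.pem DC_HOST [DC_HOST ...]")
        return 2
    results = [check_dc(h, cafile=argv[1]) for h in argv[2:]]
    for host, status, detail in results:
        print(f"{host:40} {status:12} {detail}")
    odd = outliers(results)
    if odd:
        print("chain not covered by the bundle on:", ", ".join(odd))
    return 1 if any(s != "trusted" for _, s, _ in results) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit code means at least one listed DC did not validate, which makes the script usable as a periodic check.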