[ovirt-users] Fwd: ovirt-engine-extension-aaa-ldap active directory

Ondra Machacek omachace at redhat.com
Wed Oct 11 13:23:53 UTC 2017


I don't know what you downloaded.
It should be the CA used to sign the LDAP services on AD.

If it's a CA created by AD SSL, you can get it for example as follows:

1. Press "Start" -> "Run" and write "cmd" and press "Enter".
2. Extract the CA certificate using the following command:

    ```
    > certutil -ca.cert ca.der
    ```
3. Copy ca.der to oVirt machine into /tmp.
4. Convert to PEM format using the following command:

    ```
    $ openssl x509 -in /tmp/ca.der -inform DER -out /tmp/ca.crt
    ```

On Wed, Oct 11, 2017 at 3:02 PM, nicola gentile
<nicola.gentile.to at gmail.com> wrote:
> I do this already.
> Is the CA certificate that I downloaded also fine for LDAP?
>
> Nick
>
> 2017-10-11 14:56 GMT+02:00 Ondra Machacek <omachace at redhat.com>:
>> You can download it just temporarily, for example to /tmp.
>> Then aaa-setup-tool will create a jks file in the /etc/ovirt-engine/aaa/ directory.
>> After that you can remove the CA file and keep just the jks file.
>>
>> On Wed, Oct 11, 2017 at 2:37 PM, nicola gentile
>> <nicola.gentile.to at gmail.com> wrote:
>>> Yes, I created it with the aaa-setup tool.
>>> I noticed that the CA certificate was expired, then I downloaded a new
>>> certificate and ran the aaa-setup tool.
>>>
>>> Is there a specific place to put the CA certificate file? I put it in root's home.
>>>
>>> Thanks a lot
>>>
>>> Nick
>>>
>>> 2017-10-11 14:18 GMT+02:00 Ondra Machacek <omachace at redhat.com>:
>>>> It fails on SSL handshake:
>>>>  sun.security.validator.ValidatorException: No trusted certificate found
>>>>
>>>> How did you create 'polito.it.jks' file? By aaa-setup tool?
>>>> Are you sure you've entered the correct CA certificate there?
>>>>
>>>> On Wed, Oct 11, 2017 at 1:30 PM, nicola gentile
>>>> <nicola.gentile.to at gmail.com> wrote:
>>>>> 2017-10-11 10:11 GMT+02:00 nicola gentile <nicola.gentile.to at gmail.com>:
>>>>>> Hi Martin,
>>>>>> I attach the aaa.log you suggested.
>>>>>>
>>>>>> Nick
>>>>>>
>>>>>> 2017-10-10 20:41 GMT+02:00 Martin Perina <mperina at redhat.com>:
>>>>>>> Hi,
>>>>>>>
>>>>>>> most probably you are affected by [1], so could you please check the
>>>>>>> certificates on all your AD servers?
>>>>>>> You can verify using the following command:
>>>>>>>
>>>>>>>   ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
>>>>>>> --user-name=<USERNAME> --profile=<PROFILE NAME>
>>>>>>>
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465463
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Oct 10, 2017 at 6:13 PM, Luca 'remix_tj' Lorenzetto
>>>>>>> <lorenzetto.luca at gmail.com> wrote:
>>>>>>>>
>>>>>>>> On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile
>>>>>>>> <nicola.gentile.to at gmail.com> wrote:
>>>>>>>> > I ran the command you suggested:
>>>>>>>> > ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D user at dom.it
>>>>>>>> > -W -x sAMAccountName=user_to_search userPrincipalName | grep
>>>>>>>> > userPrincipalName
>>>>>>>> >
>>>>>>>> > This is the result:
>>>>>>>> >
>>>>>>>> > Enter LDAP Password:
>>>>>>>> > # requesting: userPrincipalName
>>>>>>>> >
>>>>>>>>
>>>>>>>> Supposing you're using all the right parameters in the ldapsearch command,
>>>>>>>> it seems that the user you were looking up is not a valid user in that
>>>>>>>> directory server.
>>>>>>>>
>>>>>>>> Please check with someone who can access AD and verify the status
>>>>>>>> of the user with ADSI Edit.
>>>>>>>>
>>>>>>>> Luca
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> "It is absurd to employ men of excellent intelligence to do
>>>>>>>> calculations that could be entrusted to anyone if machines
>>>>>>>> were used"
>>>>>>>> Gottfried Wilhelm von Leibnitz, Philosopher and Mathematician (1646-1716)
>>>>>>>>
>>>>>>>> "The Internet is the largest library in the world.
>>>>>>>> But the problem is that the books are all scattered on the floor"
>>>>>>>> John Allen Paulos, Mathematician (1945-living)
>>>>>>>>
>>>>>>>> Luca 'remix_tj' Lorenzetto, http://www.remixtj.net ,
>>>>>>>> <lorenzetto.luca at gmail.com>
>>>>>>>> _______________________________________________
>>>>>>>> Users mailing list
>>>>>>>> Users at ovirt.org
>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
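As an added example, not code from the thread or from oVirt, here is a small POSIX shell helper that sanity-checks the certificate produced by the certutil/openssl steps above before it is handed to the aaa setup tool: that the file really is a CA certificate rather than the server's own leaf certificate, that it is not expired or about to expire (the failure in this thread), and, given network access to a domain controller, that the LDAPS chain the server presents verifies against it. The host name and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the AD CA certificate
# before running ovirt-engine-extension-aaa-ldap-setup against it.
set -eu

# Convert the DER file written by "certutil -ca.cert" to PEM.
# $1 = input ca.der, $2 = output ca.crt; returns openssl's exit status.
der_to_pem() {
    openssl x509 -in "$1" -inform DER -out "$2"
}

# Return 0 if the certificate stays valid for at least $2 more seconds
# (default 30 days). An expired CA produced the "No trusted certificate
# found" handshake error discussed above, so catch it before setup runs.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

# Return 0 if the PEM file carries basicConstraints CA:TRUE, i.e. it is the
# issuing CA and not the LDAP server's leaf certificate by mistake.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Return 0 if the chain presented on $1:636 (LDAPS) verifies against CA $2.
# Needs network access to the domain controller; the host is an assumption.
ldaps_chain_verifies() {
    openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Example flow with placeholder paths (uncomment to use):
# der_to_pem /tmp/ca.der /tmp/ca.crt
# is_ca_cert /tmp/ca.crt && cert_not_expiring /tmp/ca.crt \
#     && ldaps_chain_verifies dc1.example.test /tmp/ca.crt \
#     && echo "CA looks usable for aaa-ldap setup"
```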