<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Dec 10, 2014 at 10:30 PM, Alon Bar-Lev <span dir="ltr"><<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class=""><br></span><span class=""><br>
<br>
</span>better to use startTLS over ldaps.<br>
so yes, the above is the right setting.<br>
you should import the ca certificate, see instructions here[1]<br>
<br>
Alon<br>
<br>
[1] <a href="http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l141" target="_blank">http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l141</a></blockquote><div><br></div><div><br></div><div>I've done it this way:</div><div><br></div><div>copied /etc/ipa/ca.crt on engine server renaming it ipa_ca.crt</div><div><br></div><div>keytool -importcert -noprompt -trustcacerts -alias iparootca -file /root/ipa_ca.crt -keystore ipaca.jks -storepass mysecret<br></div><div><br></div><div>put ipaca.jks in /etc/ovirt-engine/aaa/</div><div><br></div><div>ldap1.properties now has</div><div><br></div><div><div># Create keystore, import certificate chain and uncomment</div><div># if using ssl/tls.</div><div>pool.default.ssl.startTLS = true</div><div>#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks</div><div>pool.default.ssl.truststore.file = /etc/ovirt-engine/aaa/ipaca.jks</div><div>pool.default.ssl.truststore.password = mysecret</div></div><div><br></div><div>and restarted ovirt engine but it seems all conenctions are still through 389 port....</div><div><br></div><div>java 1586 ovirt 300u IPv4 395136 0t0 TCP ovirtmgr.localdomain.local:34263->c7serv</div><div>er.localdomain.local:389 (ESTABLISHED)</div><div>java 1586 ovirt 301u IPv4 395137 0t0 TCP ovirtmgr.localdomain.local:34264->c7server.localdomain.local:389 (ESTABLISHED)</div><div>java 1586 ovirt 302u IPv4 395138 0t0 TCP ovirtmgr.localdomain.local:34265->c7server.localdomain.local:389 (ESTABLISHED)</div><div>java 1586 ovirt 303u IPv4 395139 0t0 TCP ovirtmgr.localdomain.local:34266->c7server.localdomain.local:389 (ESTABLISHED)</div><div>java 1586 ovirt 304u IPv4 395140 0t0 UDP *:55673</div><div>java 1586 ovirt 305u IPv4 395141 0t0 TCP ovirtmgr.localdomain.local:34267->c7server.localdomain.local:389 (ESTABLISHED)</div><div>java 1586 ovirt 306u IPv4 395142 0t0 TCP ovirtmgr.localdomain.local:34268->c7server.localdomain.local:389 (ESTABLISHED)</div><div>java 1586 ovirt 307u IPv4 395143 0t0 TCP ovirtmgr.localdomain.local:34269->c7server.localdomain.local:389 (ESTABLISHED)</div><div>java 1586 ovirt 308u IPv4 395144 0t0 TCP ovirtmgr.localdomain.local:34270->c7server.localdomain.local:389 (ESTABLISHED)</div><div>java 1586 ovirt 309u IPv4 395145 0t0 UDP *:49690</div><div>java 1586 ovirt 310u IPv4 395146 0t0 TCP ovirtmgr.localdomain.local:34271->c7server.localdomain.local:389 (ESTABLISHED)</div><div>java 1586 ovirt 311u IPv4 395147 0t0 TCP ovirtmgr.localdomain.local:34272->c7server.localdomain.local:389 (ESTABLISHED)</div><div>java 1586 ovirt 312u IPv4 395148 0t0 TCP ovirtmgr.localdomain.local:34273->c7server.localdomain.local:389 (ESTABLISHED)</div><div>java 1586 ovirt 313u IPv4 395149 0t0 TCP ovirtmgr.localdomain.local:34274->c7server.localdomain.local:389 (ESTABLISHED)</div><div> </div></div><br></div></div>