<div dir="ltr">What are you using as the var.server parameter... does it match the cert... </div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 7, 2015 at 2:43 PM, Alon Bar-Lev <span dir="ltr"><<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Summary:<br>
Using the legacy ldaps protocol, the user's expected certificate was retrieved.<br>
Using startTLS, a different, self-signed certificate was retrieved.<br>
Two different identities via the two interfaces, which should have returned a single identity.<br>
<div class="HOEnZb"><div class="h5"><br>
----- Original Message -----<br>
> From: "Alon Bar-Lev" <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>><br>
> To: "Steve Dainard" <<a href="mailto:sdainard@spd1.com">sdainard@spd1.com</a>><br>
> Cc: "users" <<a href="mailto:users@ovirt.org">users@ovirt.org</a>><br>
> Sent: Wednesday, October 7, 2015 12:01:59 AM<br>
> Subject: Re: [ovirt-users] LDAP authentication with TLS<br>
><br>
> Hi,<br>
><br>
> Can you please send me the profile, the keystore you created and the output<br>
> of:<br>
><br>
> openssl s_client -connect server:636 -showcerts < /dev/null<br>
><br>
> Thanks!<br>
><br>
> ----- Original Message -----<br>
> > From: "Steve Dainard" <<a href="mailto:sdainard@spd1.com">sdainard@spd1.com</a>><br>
> > To: "users" <<a href="mailto:users@ovirt.org">users@ovirt.org</a>><br>
> > Sent: Tuesday, October 6, 2015 11:50:41 PM<br>
> > Subject: [ovirt-users] LDAP authentication with TLS<br>
> ><br>
> > Hello,<br>
> ><br>
> > Trying to configure Ovirt 3.5.3.1-1.el7.centos for LDAP authentication.<br>
> ><br>
> > I've configured the appropriate aaa profile but I'm getting TLS errors<br>
> > when I search for users to add via ovirt:<br>
> ><br>
> > The connection reader was unable to successfully complete TLS<br>
> > negotiation: javax.net.ssl.SSLHandshakeException:<br>
> > sun.security.validator.ValidatorException: No trusted certificate<br>
> > found caused by sun.security.validator.ValidatorException: No trusted<br>
> > certificate found<br>
> ><br>
> > I added the external CA certificate using keytool as per<br>
> > <a href="https://github.com/oVirt/ovirt-engine-extension-aaa-ldap" rel="noreferrer" target="_blank">https://github.com/oVirt/ovirt-engine-extension-aaa-ldap</a> with<br>
> > appropriate adjustments of course:<br>
> ><br>
> > keytool -importcert -noprompt -trustcacerts -alias myrootca \<br>
> > -file myrootca.pem -keystore myrootca.jks -storepass changeit<br>
> ><br>
> > I know this certificate works, and can connect to LDAP with TLS as I'm<br>
> > using the same LDAP configuration/certificate with SSSD.<br>
> ><br>
> > Can anyone clarify whether I should be adding the external CA<br>
> > certificate or the LDAP host certificate with keytool or any other<br>
> > suggestions?<br>
> ><br>
> > Thanks,<br>
> > Steve<br>
> > _______________________________________________<br>
> > Users mailing list<br>
> > <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
> > <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
> ><br>
><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Donny Davis<br><br></div></div>
</div>
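<p>The thread turns on two separate questions: whether the certificate the server presents chains to the CA that was imported with keytool, and whether it is the same certificate on the ldaps port as after a StartTLS upgrade on the plain LDAP port. The script below is an added example, not oVirt or ovirt-engine-extension-aaa-ldap code, and uses only the Python standard library. It builds the LDAP StartTLS extended request by hand (the OID 1.3.6.1.4.1.1466.20037 and the BER framing are from RFC 4511), fetches the leaf certificate over both paths, tries to validate it against a CA PEM and the server name you configured in the profile, and reports the SHA-256 fingerprint seen on each path so a mismatch like the one Alon describes shows up immediately. The host, CA file and server name are command-line arguments, not values from the thread.</p>

```python
"""Compare the certificate an LDAP server presents on ldaps (636) with the
one it presents after StartTLS on 389, and validate each against a CA file
and the configured server name.  Added example, not oVirt project code."""
import hashlib
import socket
import ssl
import sys

# OID of the LDAP StartTLS extended operation (RFC 4511 / RFC 4513).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    if not 0 <= msg_id < 0x80:
        raise ValueError("single-byte messageID only in this example")
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID   # [0] requestName
    ext = b"\x77" + ber_len(len(name)) + name                    # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext                   # INTEGER messageID
    return b"\x30" + ber_len(len(body)) + body                   # SEQUENCE


def _tlv(buf: bytes, pos: int):
    """Read one BER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_extended_response(data: bytes):
    """Return (messageID, resultCode) from an ExtendedResponse [APPLICATION 24]."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse, tag 0x%02x" % tag)
    tag, code, _ = _tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def _recv_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage (short or long-form length)."""
    head = _recv_exact(sock, 2)
    ln = head[1]
    if ln & 0x80:
        extra = _recv_exact(sock, ln & 0x7F)
        head, ln = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, ln)


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, comparable with openssl x509 -fingerprint -sha256."""
    return hashlib.sha256(der).hexdigest()


def _open_tls(host, port, starttls, ctx, server_name):
    sock = socket.create_connection((host, port), timeout=10)
    if starttls:  # plain LDAP first, then upgrade; ldaps is TLS from byte one
        sock.sendall(starttls_request(1))
        _, code = parse_extended_response(_recv_message(sock))
        if code != 0:
            sock.close()
            raise ConnectionError("StartTLS refused, LDAP resultCode %d" % code)
    return ctx.wrap_socket(sock, server_hostname=server_name)


def probe(host, port, starttls, cafile, server_name) -> dict:
    """Validate against cafile + server_name; on failure still report what was offered."""
    path = "starttls" if starttls else "ldaps"
    verify = ssl.create_default_context(cafile=cafile)  # chain and hostname checks on
    try:
        with _open_tls(host, port, starttls, verify, server_name) as tls:
            return {"path": path, "fingerprint": fingerprint(tls.getpeercert(True)),
                    "verified": True, "error": None}
    except ssl.SSLError as exc:  # includes SSLCertVerificationError / hostname mismatch
        error = str(exc)
    peek = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # second connection, no verification,
    peek.check_hostname, peek.verify_mode = False, ssl.CERT_NONE  # only to see the cert
    with _open_tls(host, port, starttls, peek, server_name) as tls:
        return {"path": path, "fingerprint": fingerprint(tls.getpeercert(True)),
                "verified": False, "error": error}


if __name__ == "__main__":
    host, cafile, server_name = sys.argv[1:4]  # e.g. ldap.example.org ca.pem ldap.example.org
    results = [probe(host, 636, False, cafile, server_name),
               probe(host, 389, True, cafile, server_name)]
    for r in results:
        print(r)
    print("same certificate on both paths:",
          results[0]["fingerprint"] == results[1]["fingerprint"])
```

<p>Run it with the LDAP host, the CA PEM you fed to keytool, and the exact server name from the profile. A <code>verified: False</code> with a hostname error on a fingerprint that does validate when the name is changed is Donny's question (does the configured name match the cert); two different fingerprints with the StartTLS one failing chain validation is Alon's finding (a self-signed certificate on the StartTLS path). The ldaps fingerprint should match the leaf shown by <code>openssl s_client -connect server:636 -showcerts</code>, and with OpenSSL 1.1.0 or later the StartTLS one can be cross-checked with <code>openssl s_client -starttls ldap -connect server:389 -showcerts</code>.</p>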