<div dir="ltr"><br><div class="gmail_extra">Hi Ondra,<br></div><div class="gmail_extra"><div class="gmail_quote"><br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">
It's not, but you need to use an insecure connection then (you need to have the following line in /etc/ovirt-engine/aaa/domain.properties):<br>
<br>
pool.default.ssl.insecure = true<br></blockquote><div><br></div><div>I ended up generating a cert on one of the AD machines, copying it to the host, and then specified it in the setup process via ovirt-engine-extension-aaa-ldap-setup.<br></div><div>It seems to create a .jks file. It still gave me the same 'peer not authenticated' so I checked the krb5.keytab and saw that there was no SPN for http, so I rejoined the domain and specified http as a service name via adcli, and then things worked.<br></div><div> </div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">
<br>
So double check that, and if it still won't work, the logs from ovirt-engine-extensions-tool would help, you can generate them as follows:<br>
<br>
$ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa ....<span class="gmail-"><br>
<br>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">
<br>
Do I need to set up Apache separately to use LDAP auth? The service<br>
principals exist in the krb5.keytab, but I don't know if that is only if you<br>
are using SSO.<br>
</blockquote>
<br></span>
Yes, that's only if you use SSO. If you use plain LDAP simple bind, you<br>
don't need anything related to Kerberos.<br></blockquote><div><br></div><div>I think I was under the impression that you needed to join the domain in order to auth via AD. However, I've now seen one HOWTO that says that you just need the cert from AD to be able to auth securely, though I'm not entirely clear whether that works for Apache. Is that correct: Kerberos, binding, etc. are not needed for the oVirt web interface to auth securely?<br><br></div><div>Thanks,<br><br></div><div>Cam<br></div><div> </div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">
<br>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><span class="gmail-">
<br>
Thanks,<br>
<br>
Cam<br>
<br>
_______________________________________________<br>
<br>
Users mailing list<br></span>
<a target="_blank" href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
<a target="_blank" rel="noreferrer" href="http://lists.ovirt.org/mailman/listinfo/users">http://lists.ovirt.org/mailman/listinfo/users</a><br>
<br>
<br>
</blockquote>
</blockquote></div><br></div></div>
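<div>The thread turns on two settings: <code>pool.default.ssl.insecure = true</code> makes the aaa-ldap extension skip verification of the LDAP server certificate (Ondra's "insecure connection"), and SSO through Apache only works once the keytab carries an <code>HTTP/</code> service principal, which is what the <code>adcli</code> rejoin fixed. The script below is an added example written for this page; it is not code from the thread or from the oVirt project. It lints a <code>domain.properties</code> profile for the insecure setting and for TLS enabled without a truststore, and checks a saved <code>klist -kt</code> listing for the <code>HTTP/</code> SPN. Property names follow the ovirt-engine-extension-aaa-ldap README; the hostnames, realm, paths and file contents are constructed sample data.</div>

```shell
#!/bin/sh
# Added example, not code from the thread or the oVirt project.
# Two defender-side checks for the situation discussed above:
#   1. lint an ovirt-engine-extension-aaa-ldap profile (domain.properties) for
#      TLS settings that skip server certificate verification;
#   2. confirm that a keytab listing (saved `klist -kt` output) carries the
#      HTTP/ service principal that SSO through Apache needs.
# Property names follow the aaa-ldap README; hostnames, realm and file
# contents below are constructed sample data.

# check_ldap_profile FILE
# Returns 0 when the profile enables TLS, names a truststore and does not set
# pool.default.ssl.insecure; otherwise prints a WARN line per problem and returns 1.
check_ldap_profile() {
    f="$1"
    rc=0
    if grep -Eq '^[[:space:]]*pool\.default\.ssl\.insecure[[:space:]]*=[[:space:]]*true' "$f"; then
        echo "WARN: $f: pool.default.ssl.insecure = true disables server certificate checks"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*pool\.default\.ssl\.(enable|startTLS)[[:space:]]*=[[:space:]]*true' "$f"; then
        if ! grep -Eq '^[[:space:]]*pool\.default\.ssl\.truststore\.file[[:space:]]*=' "$f"; then
            echo "WARN: $f: TLS is enabled but no truststore file is configured"
            rc=1
        fi
    else
        echo "WARN: $f: TLS is not enabled; simple-bind passwords would cross the wire in clear"
        rc=1
    fi
    return $rc
}

# has_http_spn LISTING HOST
# Returns 0 when LISTING (saved output of `klist -kt`) contains HTTP/HOST@REALM.
has_http_spn() {
    grep -Eq "[[:space:]]HTTP/$2@" "$1"
}

# --- constructed sample inputs ---------------------------------------------
work=$(mktemp -d)

# Profile with verification switched off, as suggested in the thread.
cat > "$work/insecure.properties" <<'EOF'
vars.server = dc1.example.test
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true
pool.default.auth.simple.bindDN = CN=ovirt-bind,CN=Users,DC=example,DC=test
pool.default.auth.simple.password = bind-password-placeholder
EOF

# Profile the way the setup tool leaves it: AD certificate imported into a JKS truststore.
cat > "$work/secure.properties" <<'EOF'
vars.server = dc1.example.test
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/aaa/example.test.jks
pool.default.ssl.truststore.password = changeit
pool.default.auth.simple.bindDN = CN=ovirt-bind,CN=Users,DC=example,DC=test
pool.default.auth.simple.password = bind-password-placeholder
EOF

# Keytab listings before and after rejoining with "adcli join --service-name=http".
cat > "$work/keytab-before.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2017 00:00:00 host/engine.example.test@EXAMPLE.TEST
   2 01/01/2017 00:00:00 RestrictedKrbHost/engine.example.test@EXAMPLE.TEST
EOF
cat > "$work/keytab-after.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2017 00:00:00 host/engine.example.test@EXAMPLE.TEST
   2 01/01/2017 00:00:00 HTTP/engine.example.test@EXAMPLE.TEST
EOF

# --- run the checks ----------------------------------------------------------
for p in "$work/insecure.properties" "$work/secure.properties"; do
    if check_ldap_profile "$p"; then echo "OK:   $p verifies the LDAP server certificate"; fi
done
for k in "$work/keytab-before.txt" "$work/keytab-after.txt"; do
    if has_http_spn "$k" engine.example.test; then
        echo "OK:   $k has an HTTP/ SPN"
    else
        echo "WARN: $k lacks HTTP/engine.example.test; SSO through Apache cannot obtain a service ticket"
    fi
done
```

<div>On a real engine host, point <code>check_ldap_profile</code> at <code>/etc/ovirt-engine/aaa/*.properties</code> and feed <code>has_http_spn</code> the output of <code>klist -kt /etc/krb5.keytab</code> saved to a file. The keytab check only matters for the SSO path; for plain LDAP simple bind the profile check is the one that counts, since with <code>ssl.insecure</code> set the bind password is sent to whichever host answers on the LDAP port.</div>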