Default password is 'changeit' (without quotes).
Hmm, can you please try using the .jks file generated by the aaa-ldap-setup
tool? Just to be sure.
I still have the same error with the default jks
Anyway, the strange thing is that the aaa-ldap-setup tool passes, but the
extension doesn't work later.
My guess is that it could be an unsupported TLS version.
Can you please try running:
LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H
ldap://myserver.com -x -D 'CN=Something,DC=myserver,DC=com' -w
'mypaswd' -b 'CN=users,DC=something,DC=com'
and
LDAPTLS_PROTOCOL_MIN=3.2 LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H
ldap://myserver.com -x -D 'CN=Something,DC=myserver,DC=com' -w
'mypaswd' -b 'CN=users,DC=something,DC=com'
Do both commands succeed?
Yes, they both succeed.
If the latter one doesn't work, then probably your AD doesn't accept
TLSv1.
You can change it by these configuration options:
pool.default.ssl.startTLSProtocol=TLSv1
to secure:
pool.default.ssl.startTLSProtocol=TLSv1.2
or:
pool.default.ssl.startTLSProtocol=SSLv3
But you should use TLSv1.2.
If none of this is true, then I would try to enable an insecure connection:
pool.default.ssl.insecure = true
I still get the same SSL error with all these options (even insecure)
If it works, then the problem is most probably with the certificate.
If it doesn't work, then the problem is most probably with the startTLS
configuration on the AD side.
So, do you think it's startTLS on the AD side?
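The probe the thread walks through (send StartTLS over a plain LDAP connection, then attempt the handshake with a chosen minimum TLS version and CA file, which is what LDAPTLS_PROTOCOL_MIN and LDAPTLS_CACERT do for ldapsearch), as an added Python example that is not part of the thread and not code from the aaa-ldap extension. It separates the two failure modes discussed above: the server refusing the StartTLS extended operation (a directory-side configuration problem) from the TLS handshake failing after StartTLS was accepted (a protocol-version or certificate problem). The host, CA path and sample responses are constructed placeholders; the probe stops after the handshake and never binds, so no credentials are needed.

```python
import socket
import ssl

# StartTLS extended operation OID (RFC 4511, section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

# Python names for the minima the thread tries with LDAPTLS_PROTOCOL_MIN
# (OpenLDAP spells them 3.1 = TLSv1.0, 3.2 = TLSv1.1, 3.3 = TLSv1.2).
PROTOCOL_MIN = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def _read_tlv(buf, pos=0):
    """Decode one BER TLV at buf[pos:]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }.
    message_id is encoded as one byte, so keep it below 128."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)


def parse_extended_response(msg):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, body, _ = _read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(body)          # messageID, not checked here
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, rc, pos = _read_tlv(op)           # resultCode ENUMERATED
    _, _, pos = _read_tlv(op, pos)       # matchedDN
    _, diag, _ = _read_tlv(op, pos)      # diagnosticMessage
    return int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")


def _constructed_extended_response(message_id, result_code, diag=b""):
    """Encoder used only to build the constructed sample responses below."""
    op = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diag)
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x78, op))


# Constructed sample responses, not captured from a real directory server.
SAMPLE_SUCCESS = _constructed_extended_response(1, 0)
SAMPLE_REFUSAL = _constructed_extended_response(1, 1, b"TLS not available")  # 1 = operationsError


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        data += chunk
    return data


def _recv_ldap_message(sock):
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        head += _recv_exact(sock, length & 0x7F)
        length = int.from_bytes(head[2:], "big")
    return head + _recv_exact(sock, length)


def probe_starttls(host, port=389, cafile=None, min_version=ssl.TLSVersion.TLSv1_2, timeout=5.0):
    """Send StartTLS on a plain LDAP socket, then handshake with the given minimum version.
    Returns (ok, detail): negotiated version and cipher on success, the reason otherwise."""
    ctx = ssl.create_default_context(cafile=cafile)   # chain verified against cafile
    ctx.minimum_version = min_version
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(starttls_request(1))
        rc, diag = parse_extended_response(_recv_ldap_message(raw))
        if rc != 0:   # directory refused the operation: look at the AD/startTLS side
            return False, "StartTLS refused by server: resultCode=%d %s" % (rc, diag)
        try:          # operation accepted: any failure now is version or certificate
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, "%s %s" % (tls.version(), tls.cipher()[0])
        except (ssl.SSLError, ValueError) as exc:
            return False, "handshake failed: %s" % exc


if __name__ == "__main__":
    # Hypothetical host and CA path, standing in for the thread's myserver.com / myca.pem.
    for name, version in PROTOCOL_MIN.items():
        ok, detail = probe_starttls("myserver.com", cafile="/somewhere/myca.pem", min_version=version)
        print("min %-8s %s %s" % (name, "OK  " if ok else "FAIL", detail))
```

Run it once per minimum version against the real host. A resultCode other than 0 means the directory is not offering StartTLS at all; a refusal only after StartTLS was accepted, with TLSv1.2 succeeding and TLSv1 failing, means the server is the side rejecting the older protocol, which is the distinction the thread is trying to draw.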