I am doing AD integration of the oVirt 4.4 manager. The Insecure method with the plain text
password saved in /etc/ovirt-engine/aaa/uat.xxxx.com.properties works fine. I am using the
ovirt-engine-extension-aaa-ldap-setup utility.
However, this is a hard-coded and insecure method. Hence I wanted to use startTLS with a
PEM-encoded certificate file. I obtained a root and intermediate CA from the AD server and
used them with startTLS.
I used the inputs below for configuring AD auth with the tool
"ovirt-engine-extension-aaa-ldap-setup":
Available LDAP implementations:
3 - Active Directory
Please select: 3
Please enter Active Directory Forest name:
uat.xxxx.com
Please select protocol to use (startTLS, ldaps, plain) [startTLS]: startTLS
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System,
Insecure): file
File path: /tmp/rootca.pem
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for
anonymous): myself(a)uat.xxxx.com
Enter search user password:
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: No
Please specify profile name that will be visible to users [uat.xxxx.com]:
Please provide credentials to test login flow:
Enter user name: myself(a)uat.xxxx.com
Enter user password:
But I am facing an error. What could be the resolution?
WARNING: Error while connecting to 'adserver.uat.xxxx.com':
LDAPException(resultCode=82 (local error), errorMessage='The connection reader was
unable to successfully complete TLS negotiation: SSLHandshakeException(No trusted
certificate found), ldapSDKVersion=4.0.14,
revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb')
I did verify the root and intermediate certificate:
# openssl verify -verbose -CAfile uatrootca.pem uatca.pem
uatca.pem: OK
1. What could be the reason for "No trusted certificate found" error?
2. Will this method also save the username and password of the AD user as plain text in the
file /etc/ovirt-engine/aaa/uat.xxxx.com.properties?
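Added example, not part of the post above: a throw-away root -> intermediate -> server chain built with openssl, showing that the "openssl verify" check in the post only proves the intermediate chains to the root, and that a PEM file holding the root alone leaves the server certificate untrusted whenever the domain controller does not send its intermediate in the handshake (one possible cause of "No trusted certificate found"). File names follow the post; every key and certificate here is constructed locally.

```bash
#!/usr/bin/env bash
# Added example (not from the post): build a throw-away root -> intermediate ->
# server chain and test which PEM bundle lets the server certificate verify.
# Names follow the post; every key and certificate is constructed here.
set -u
WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Self-signed root CA with explicit CA extensions (constructed).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=UAT Root CA" \
  -keyout root.key -out root.csr >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out uatrootca.pem >/dev/null 2>&1

# Intermediate (issuing) CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=UAT Issuing CA" \
  -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -in int.csr -CA uatrootca.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out uatca.pem >/dev/null 2>&1

# Domain controller certificate issued by the intermediate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:adserver.uat.xxxx.com\n' > srv.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=adserver.uat.xxxx.com" \
  -keyout srv.key -out srv.csr >/dev/null 2>&1
openssl x509 -req -in srv.csr -CA uatca.pem -CAkey int.key -CAcreateserial \
  -days 2 -extfile srv.ext -out adserver.pem >/dev/null 2>&1

# verify_against BUNDLE CERT: prints "trusted" or "untrusted" using only BUNDLE
# as the trust store, which is what the setup tool's "File" option amounts to.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Same check as in the post: the intermediate chains to the root -> trusted.
verify_against uatrootca.pem uatca.pem
# Server certificate against the root alone, i.e. what the client sees if the
# DC does not send its intermediate during the TLS handshake -> untrusted.
verify_against uatrootca.pem adserver.pem
# Root and intermediate concatenated into one PEM bundle -> trusted.
cat uatrootca.pem uatca.pem > uat-chain.pem
verify_against uat-chain.pem adserver.pem
```

Against the real domain controller the equivalent live check is `openssl s_client -starttls ldap -connect adserver.uat.xxxx.com:389 -CAfile <bundle>`, whose "Verify return code" and the "Certificate chain" section show whether the DC sends its intermediate and whether the bundle given to the setup tool is enough.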