On Wed, Dec 10, 2014 at 10:30 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:



Better to use startTLS over ldaps.
So yes, the above is the right setting.
You should import the CA certificate, see instructions here [1].

Alon

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l141


I've done it this way:

Copied /etc/ipa/ca.crt to the engine server, renaming it ipa_ca.crt:

keytool -importcert -noprompt -trustcacerts -alias iparootca -file /root/ipa_ca.crt -keystore ipaca.jks -storepass mysecret

Put ipaca.jks in /etc/ovirt-engine/aaa/.

ldap1.properties now has:

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
pool.default.ssl.truststore.file = /etc/ovirt-engine/aaa/ipaca.jks
pool.default.ssl.truststore.password = mysecret

and restarted ovirt-engine, but it seems all connections are still through port 389...

java    1586 ovirt  300u  IPv4             395136      0t0     TCP ovirtmgr.localdomain.local:34263->c7server.localdomain.local:389 (ESTABLISHED)
java    1586 ovirt  301u  IPv4             395137      0t0     TCP ovirtmgr.localdomain.local:34264->c7server.localdomain.local:389 (ESTABLISHED)
java    1586 ovirt  302u  IPv4             395138      0t0     TCP ovirtmgr.localdomain.local:34265->c7server.localdomain.local:389 (ESTABLISHED)
java    1586 ovirt  303u  IPv4             395139      0t0     TCP ovirtmgr.localdomain.local:34266->c7server.localdomain.local:389 (ESTABLISHED)
java    1586 ovirt  304u  IPv4             395140      0t0     UDP *:55673
java    1586 ovirt  305u  IPv4             395141      0t0     TCP ovirtmgr.localdomain.local:34267->c7server.localdomain.local:389 (ESTABLISHED)
java    1586 ovirt  306u  IPv4             395142      0t0     TCP ovirtmgr.localdomain.local:34268->c7server.localdomain.local:389 (ESTABLISHED)
java    1586 ovirt  307u  IPv4             395143      0t0     TCP ovirtmgr.localdomain.local:34269->c7server.localdomain.local:389 (ESTABLISHED)
java    1586 ovirt  308u  IPv4             395144      0t0     TCP ovirtmgr.localdomain.local:34270->c7server.localdomain.local:389 (ESTABLISHED)
java    1586 ovirt  309u  IPv4             395145      0t0     UDP *:49690
java    1586 ovirt  310u  IPv4             395146      0t0     TCP ovirtmgr.localdomain.local:34271->c7server.localdomain.local:389 (ESTABLISHED)
java    1586 ovirt  311u  IPv4             395147      0t0     TCP ovirtmgr.localdomain.local:34272->c7server.localdomain.local:389 (ESTABLISHED)
java    1586 ovirt  312u  IPv4             395148      0t0     TCP ovirtmgr.localdomain.local:34273->c7server.localdomain.local:389 (ESTABLISHED)
java    1586 ovirt  313u  IPv4             395149      0t0     TCP ovirtmgr.localdomain.local:34274->c7server.localdomain.local:389 (ESTABLISHED)
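An added check, not part of this thread or of the ovirt-engine-extension-aaa-ldap project: a Python script that sends the LDAP StartTLS extended operation (RFC 4511, OID 1.3.6.1.4.1.1466.20037) on port 389 and then completes a TLS handshake validated against the IPA CA in PEM form. StartTLS upgrades the existing port-389 connection in-band, so a port-389 socket in lsof does not by itself show whether TLS was negotiated; this script returns the negotiated TLS version, or None if the server refused StartTLS. The host, port and CA path are assumptions, and the JKS truststore is not used here (Python's ssl module reads PEM).

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def starttls_request(msg_id=1):
    # LDAPMessage { messageID INTEGER,
    #               ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID } }
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)


def parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def starttls_result_code(resp):
    """LDAP resultCode of an ExtendedResponse (0 == success), None if malformed."""
    tag, body, _ = parse_tlv(resp)
    if tag != 0x30:
        return None
    _, _, p = parse_tlv(body)               # skip messageID
    op_tag, op_body, _ = parse_tlv(body, p)
    if op_tag != 0x78:                      # ExtendedResponse [APPLICATION 24]
        return None
    rc_tag, rc, _ = parse_tlv(op_body)      # resultCode ENUMERATED
    return int.from_bytes(rc, "big") if rc_tag == 0x0A else None


def verify_starttls(host, cafile, port=389, timeout=5):
    """Assumed host/cafile: upgrade a plain port-389 connection and verify the chain."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies cert and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        if starttls_result_code(sock.recv(4096)) != 0:
            return None                     # server refused StartTLS
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()            # e.g. "TLSv1.2"
```

Example call: `verify_starttls("c7server.localdomain.local", "/root/ipa_ca.crt")`; a None result or an ssl.SSLError means the upgrade or chain validation failed.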