
Summary: Using the legacy ldaps protocol, the user's expected certificate was retrieved. Using StartTLS, a different, self-signed certificate was retrieved. Two different identities via the two interfaces, which should have returned a single identity.

----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com>
To: "Steve Dainard" <sdainard@spd1.com>
Cc: "users" <users@ovirt.org>
Sent: Wednesday, October 7, 2015 12:01:59 AM
Subject: Re: [ovirt-users] LDAP authentication with TLS
Hi,
Can you please send me the profile, the keystore you created and the output of:
openssl s_client -connect server:636 -showcerts < /dev/null
Thanks!
----- Original Message -----
From: "Steve Dainard" <sdainard@spd1.com>
To: "users" <users@ovirt.org>
Sent: Tuesday, October 6, 2015 11:50:41 PM
Subject: [ovirt-users] LDAP authentication with TLS
Hello,
Trying to configure Ovirt 3.5.3.1-1.el7.centos for LDAP authentication.
I've configured the appropriate aaa profile but I'm getting TLS errors when I search for users to add via ovirt:
The connection reader was unable to successfully complete TLS negotiation: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found caused by sun.security.validator.ValidatorException: No trusted certificate found
I added the external CA certificate using keytool as per https://github.com/oVirt/ovirt-engine-extension-aaa-ldap with appropriate adjustments of course:
keytool -importcert -noprompt -trustcacerts -alias myrootca \
    -file myrootca.pem -keystore myrootca.jks -storepass changeit
I know this certificate works, and can connect to LDAP with TLS as I'm using the same LDAP configuration/certificate with SSSD.
Can anyone clarify whether I should be adding the external CA certificate or the LDAP host certificate with keytool or any other suggestions?
Thanks,
Steve

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
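The summary at the top of the thread is the kind of thing that is easy to miss when you only check port 636 with `openssl s_client`: an LDAP server can present one certificate on ldaps (TLS from the first byte) and a different one after a StartTLS upgrade on port 389, because the two paths are often configured separately. The script below is an added example written for this page; it is not code from the thread, from oVirt, or from ovirt-engine-extension-aaa-ldap. It hand-encodes the LDAP StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511), upgrades the socket, and compares the SHA-256 fingerprint of the leaf certificate on each path. The host name `ldap.example.com` and the function names are placeholders; certificate verification is deliberately disabled so that a self-signed certificate is reported rather than rejected, which is the whole point of the check.

```python
"""Compare the certificate an LDAP server presents on ldaps:// (port 636)
with the one it presents after StartTLS on ldap:// (port 389).

Editor-added example, not part of the original thread or of oVirt.
Host/port values are placeholders; the encoders/parsers run offline,
the fetch_* functions need a reachable server.
"""
import hashlib
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, else 0x80|k followed by k bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value with a single-byte tag."""
    return bytes([tag]) + ber_len(len(content)) + content


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID INTEGER, extendedReq [APPLICATION 23] { requestName [0] OID } }.

    message_id is kept below 128 so a one-byte INTEGER body is a valid encoding.
    """
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))      # 0x77 = APPLICATION 23, constructed
    msg_id = tlv(0x02, message_id.to_bytes(1, "big"))  # INTEGER
    return tlv(0x30, msg_id + ext_req)                 # SEQUENCE


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        k = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def parse_extended_response(msg: bytes) -> int:
    """Return the resultCode of an LDAP ExtendedResponse (0 means success)."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body, 0)                   # skip messageID
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:                                 # 0x78 = APPLICATION 24, ExtendedResponse
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    tag, code, _ = read_tlv(op, 0)                  # resultCode ENUMERATED comes first
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as openssl x509 -fingerprint -sha256 would print it."""
    return hashlib.sha256(der).hexdigest()


def same_identity(der_a: bytes, der_b: bytes) -> bool:
    return fingerprint(der_a) == fingerprint(der_b)


def _observe_only_context() -> ssl.SSLContext:
    # Verification is intentionally off: the goal is to see what the server
    # sends, including a self-signed certificate that a verifying client rejects.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_ldaps_cert(host: str, port: int = 636) -> bytes:
    """Leaf certificate (DER) presented on a plain ldaps connection."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with _observe_only_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fetch_starttls_cert(host: str, port: int = 389) -> bytes:
    """Leaf certificate (DER) presented after an LDAP StartTLS upgrade."""
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(build_starttls_request(1))
        code = parse_extended_response(raw.recv(4096))  # response is a few dozen bytes
        if code != 0:
            raise RuntimeError("StartTLS refused, resultCode=%d" % code)
        with _observe_only_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"  # placeholder host
    a, b = fetch_ldaps_cert(host), fetch_starttls_cert(host)
    print("ldaps   :", fingerprint(a))
    print("starttls:", fingerprint(b))
    print("same identity" if same_identity(a, b) else "DIFFERENT certificates on the two interfaces")
```

Run it as `python3 ldapcert.py ldap.example.com` against the real server. If the two fingerprints differ, the CA you imported with keytool may be correct and still not cover the interface the aaa profile is actually using; fix the server-side certificate configuration for that interface rather than adding the stray self-signed certificate to the keystore. The same comparison can be done from the shell with `openssl s_client -connect server:636 -showcerts </dev/null` and, on OpenSSL 1.1.1 or newer, `openssl s_client -connect server:389 -starttls ldap -showcerts </dev/null`.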