I don't know what you downloaded.
It should be the CA used to sign the LDAP services on AD.
If it's a CA created by AD SSL, you can get it for example as follows:
1. Press "Start" -> "Run" and write "cmd" and press "Enter".
2. Extract the CA certificate using the following command:
```
```
3. Copy ca.der to oVirt machine into /tmp.
4. Convert to PEM format using the following command:
```
$ openssl x509 -in /tmp/ca.der -inform DER -out /tmp/ca.crt
```
On Wed, Oct 11, 2017 at 3:02 PM, nicola gentile
<nicola.gentile.to(a)gmail.com> wrote:
I do this already.
The CA certificate that I download is fine also for ldap?
Nick
2017-10-11 14:56 GMT+02:00 Ondra Machacek <omachace(a)redhat.com>:
> You can download it just temporarily, for example to /tmp.
> Then aaa-setup-tool will create jks file in /etc/ovirt-engine/aaa/ directory.
> After that you can remove the CA file and keep just jks file.
>
> On Wed, Oct 11, 2017 at 2:37 PM, nicola gentile
> <nicola.gentile.to(a)gmail.com> wrote:
>> Yes I created by aaa-setup tool.
>> I noticed that the CA certificate was expired, then I download new
>> certificate and I run aaa-setup tool.
>>
>> is there a specific place to put the certificate file ca? I put in root home.
>>
>> Thanks a lot
>>
>> Nick
>>
>> 2017-10-11 14:18 GMT+02:00 Ondra Machacek <omachace(a)redhat.com>:
>>> It fails on SSL handshake:
>>> sun.security.validator.ValidatorException: No trusted certificate found
>>>
>>> How did you create 'polito.it.jks' file? By aaa-setup tool?
>>> Are you sure you've entered correct CA certificate there?
>>>
>>> On Wed, Oct 11, 2017 at 1:30 PM, nicola gentile
>>> <nicola.gentile.to(a)gmail.com> wrote:
>>>> 2017-10-11 10:11 GMT+02:00 nicola gentile <nicola.gentile.to(a)gmail.com>:
>>>>> Hi Martin,
>>>>> I attach aaa.log you suggest
>>>>>
>>>>> Nick
>>>>>
>>>>> 2017-10-10 20:41 GMT+02:00 Martin Perina <mperina(a)redhat.com>:
>>>>>> Hi,
>>>>>>
>>>>>> most probably you are affected by [1], so could you please check
>>>>>> certificates on all your AD servers?
>>>>>> You can verify using following command:
>>>>>>
>>>>>> ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
>>>>>> --user-name=<USERNAME> --profile=<PROFILE NAME>
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465463
>>>>>>
>>>>>>
>>>>>> On Tue, Oct 10, 2017 at 6:13 PM, Luca 'remix_tj' Lorenzetto
>>>>>> <lorenzetto.luca(a)gmail.com> wrote:
>>>>>>>
>>>>>>> On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile
>>>>>>> <nicola.gentile.to(a)gmail.com> wrote:
>>>>>>> > I run the command you suggest
>>>>>>> > ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D user(a)dom.it
>>>>>>> > -W -x sAMAccountName=user_to_search userPrincipalName | grep
>>>>>>> > userPrincipalName
>>>>>>> >
>>>>>>> > This is the result:
>>>>>>> >
>>>>>>> > Enter LDAP Password:
>>>>>>> > # requesting: userPrincipalName
>>>>>>> >
>>>>>>>
>>>>>>> Supposing you're using all the right parameters in ldapsearch command,
>>>>>>> it seems that the user you were looking up is not a valid user in that
>>>>>>> directory server.
>>>>>>>
>>>>>>> Please check with someone that can access AD and verify the status
>>>>>>> of the user with ADSI Edit.
>>>>>>>
>>>>>>> Luca
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> "It is absurd to employ men of excellent intelligence to perform
>>>>>>> calculations that could be entrusted to anyone if machines were used"
>>>>>>> Gottfried Wilhelm von Leibnitz, Philosopher and Mathematician (1646-1716)
>>>>>>>
>>>>>>> "The Internet is the largest library in the world.
>>>>>>> But the problem is that the books are all scattered on the floor"
>>>>>>> John Allen Paulos, Mathematician (1945-living)
>>>>>>>
>>>>>>> Luca 'remix_tj' Lorenzetto, http://www.remixtj.net ,
>>>>>>> <lorenzetto.luca(a)gmail.com>
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> Users(a)ovirt.org
>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>
>>>>>>
>>>>
>>>>
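
For the question at the top of this thread (is the downloaded CA the right one for LDAP), one way to check before re-running the setup tool is to verify the directory server's certificate against the CA file. This is an added example, not part of the original messages or of oVirt; the `check_ca` helper, the file names and the LDAPS port in the comment are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): check that a downloaded CA certificate
# can validate the LDAP server certificate.
#
# The server certificate can be saved first, assuming LDAPS on port 636
# (<AD_HOST> is a placeholder):
#   openssl s_client -connect <AD_HOST>:636 </dev/null | openssl x509 > /tmp/server.pem

# check_ca CA_DER SERVER_PEM   (hypothetical helper)
# Returns 0 if the CA is usable for that server, 1 if it is not,
# 2 if the CA file cannot be read as a certificate.
check_ca() {
    local ca_der=$1 server_pem=$2 ca_pem
    ca_pem=$(mktemp) || return 2

    # Same DER -> PEM conversion as step 4 in the message above.
    if ! openssl x509 -in "$ca_der" -inform DER -out "$ca_pem" 2>/dev/null; then
        echo "cannot read CA certificate: $ca_der"
        rm -f "$ca_pem"; return 2
    fi

    # An expired CA fails validation no matter which certificates it signed.
    if ! openssl x509 -in "$ca_pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "CA certificate is expired"
        rm -f "$ca_pem"; return 1
    fi

    # The server certificate has to verify with this CA as trust anchor;
    # a mismatch is what surfaces in the engine log as
    # "No trusted certificate found" during the SSL handshake.
    if ! openssl verify -CAfile "$ca_pem" "$server_pem" >/dev/null 2>&1; then
        echo "server certificate does not verify against this CA"
        rm -f "$ca_pem"; return 1
    fi

    echo "CA validates the server certificate"
    rm -f "$ca_pem"
    return 0
}
```

If the domain has several AD servers, run the check against the certificate of each one, since a single controller with a different or expired chain is enough to break logins.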