Can you connect to the Hosted Engine and run 'setenforce 0' to verify that it's SELinux?

Most probably the certificate(s) should be in '/etc/pki/ovirt-engine/certs/' .

Best Regards,
Strahil Nikolov 

On Fri, Jan 20, 2023 at 7:32, hemak88@gmail.com
<hemak88@gmail.com> wrote:
I am doing AD integration of the oVirt 4.4 manager. The Insecure method with the plain-text password saved in /etc/ovirt-engine/aaa/uat.xxxx.com.properties works fine. I am using the ovirt-engine-extension-aaa-ldap-setup utility.

However, this is a hard-coded and insecure method. Hence I wanted to use startTLS with a PEM-encoded certificate file. I obtained a root and intermediate CA from the AD server and used them with startTLS.
I used the inputs below for configuring AD auth with the tool "ovirt-engine-extension-aaa-ldap-setup":
Available LDAP implementations:
3 - Active Directory
Please select: 3
Please enter Active Directory Forest name: uat.xxxx.com
Please select protocol to use (startTLS, ldaps, plain) [startTLS]: startTLS
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): file
File path: /tmp/rootca.pem
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): myself@uat.xxxx.com
Enter search user password:
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: No
Please specify profile name that will be visible to users [uat.xxxx.com]:
Please provide credentials to test login flow:
Enter user name: myself@uat.xxxx.com
Enter user password:
But I am facing an error. What could be the resolution?
WARNING: Error while connecting to 'adserver.uat.xxxx.com': LDAPException(resultCode=82 (local error), errorMessage='The connection reader was unable to successfully complete TLS negotiation: SSLHandshakeException(No trusted certificate found), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb')

I did verify the root and intermediate certificate:
# openssl verify -verbose  -CAfile uatrootca.pem uatca.pem
uatca.pem: OK

1. What could be the reason for "No trusted certificate found" error?
2. Will this method also save the username and password of the AD user as plain text in the file /etc/ovirt-engine/aaa/uat.xxxx.com.properties?
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/CKMCIQV4FI74E26I2A64KVSDPYYQMMZK/
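The check quoted in the original message, `openssl verify -CAfile uatrootca.pem uatca.pem`, proves that the intermediate CA chains to the root; it says nothing about whether the AD server's own certificate chains to the file handed to the setup tool (here only /tmp/rootca.pem was supplied). The script below is an added example, not code from this thread or from oVirt: it builds a throw-away two-tier PKI (root CA, intermediate CA, server certificate for the constructed host name adserver.example.test) and shows how `openssl verify` behaves when the CA file holds the root alone versus root plus intermediate. File names, subjects and the host name are all constructed for the demo; only the `openssl` command line is real.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throw-away two-tier PKI
# (root CA -> intermediate CA -> LDAP server certificate) and shows how
# `openssl verify` behaves depending on what the CA file contains.
# All file names and the host name adserver.example.test are constructed.
set -eu

# build_demo_pki DIR: create root.pem, inter.pem, leaf.pem and bundle.pem in DIR.
build_demo_pki() {
    dir=$1
    # Extensions for the two CA certificates.
    cat > "$dir/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    # Extensions for the server (leaf) certificate.
    cat > "$dir/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:adserver.example.test
EOF
    # Root CA: self-signed.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
        -sha256 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA: signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/inter.key" \
        -out "$dir/inter.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
    # Server certificate: signed by the intermediate, as a domain controller's usually is.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" -subj "/CN=adserver.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
    # The bundle a client needs when the server does not send its intermediate.
    cat "$dir/root.pem" "$dir/inter.pem" > "$dir/bundle.pem"
}

# verify_leaf_with CAFILE LEAF: exit 0 if LEAF chains to a trust anchor in CAFILE
# using nothing else, which is all a client configured with only CAFILE can do.
verify_leaf_with() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_leaf_with_untrusted CAFILE UNTRUSTED LEAF: same, but with an extra
# intermediate supplied as untrusted (what a server sends in the TLS handshake).
verify_leaf_with_untrusted() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Demo: the same leaf, checked against a root-only file and against the bundle.
demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
for ca in root.pem bundle.pem; do
    if verify_leaf_with "$demo_dir/$ca" "$demo_dir/leaf.pem"; then
        echo "leaf.pem verifies with CAfile=$ca"
    else
        echo "leaf.pem does NOT verify with CAfile=$ca (chain incomplete)"
    fi
done
```

Against a live directory server the equivalent check is `openssl s_client -starttls ldap -connect <host>:389 -CAfile <pem-file>` (constructed placeholders; the `-starttls ldap` option needs OpenSSL 1.1.1 or later): a `Verify return code: 0 (ok)` with the exact file you intend to give the setup tool is the result to look for, and the `Certificate chain` section shows whether the server sends its intermediate or leaves the client to supply it.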