Re: [ovirt-users] oVirt AD integration problems
On 10/11/2016 05:32 PM, cmc wrote:
Hi Ondra,
Not really. aaa-ldap by default uses just simple bind, no gssapi.
If you have any problems with certificate I would suggest you to
check if you are using the correct one, correctly. More info for it
can be
found here:
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b...
<https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b...
I've run the following tests in that README you posted above, and all
worked fine:
ovirt-engine-extensions-tool aaa login-user --profile=mydomain.com
<http://mydomain.com> --user-name=myuser
ovirt-engine-extensions-tool aaa search
--extension-name=mydomain.com-authz --entity=principal --entity-name=myuser
LDAPTLS_REQCERT=never ldapsearch -ZZ -H ldap://ad.mydomain.com
<http://ad.mydomain.com> -x -D "CN=myuser,CN=Users,DC=mydomain,DC=com"
-W -b "dc=mydomain,dc=com"
I thought I wouldn't need to import any certificate from AD - is that a
requirement?
It's not, but you need to use insecure connection then (you need to have
following line in /etc/ovirt-engine/aaa/domain.properties):
pool.default.ssl.insecure = true
So double check that, and if it still won't work, the logs from
ovirt-engine-extensions-tool would help, you can generate them as follows:
$ ovirt-engine-extensions-tool --log-level=FINEST
--log-file=/tmp/aaa.log aaa ....
Do I need to set up Apache separately to use LDAP auth? The service
principals exist in the krb5.keytab, but I don't if that is only if you
are using SSO.
Yes, that's only if you use SSO. If you use plain LDAP simple bind, you
don't need anything related to kerberos.
Thanks,
Cam
_______________________________________________
Users mailing list
Users(a)ovirt.org <mailto:Users@ovirt.org>
http://lists.ovirt.org/mailman/listinfo/users
<http://lists.ovirt.org/mailman/listinfo/users>