
Hello,

Trying to configure Ovirt 3.5.3.1-1.el7.centos for LDAP authentication. I've configured the appropriate aaa profile but I'm getting TLS errors when I search for users to add via ovirt:

The connection reader was unable to successfully complete TLS negotiation: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found caused by sun.security.validator.ValidatorException: No trusted certificate found

I added the external CA certificate using keytool as per https://github.com/oVirt/ovirt-engine-extension-aaa-ldap with appropriate adjustments of course:

keytool -importcert -noprompt -trustcacerts -alias myrootca \
    -file myrootca.pem -keystore myrootca.jks -storepass changeit

I know this certificate works, and can connect to LDAP with TLS as I'm using the same LDAP configuration/certificate with SSSD.

Can anyone clarify whether I should be adding the external CA certificate or the LDAP host certificate with keytool or any other suggestions?

Thanks,
Steve

Hi,

Can you please send me the profile, the keystore you created and the output of:

openssl s_client -connect server:636 -showcerts < /dev/null

Thanks!

----- Original Message -----
From: "Steve Dainard" <sdainard@spd1.com> To: "users" <users@ovirt.org> Sent: Tuesday, October 6, 2015 11:50:41 PM Subject: [ovirt-users] LDAP authentication with TLS
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Summary: Using legacy ldaps protocol the user's expected certificate was retrieved. Using startTLS a different and a self-signed certificate was retrieved. Two different identities via the two interfaces which should have returned a single identity.

----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com> To: "Steve Dainard" <sdainard@spd1.com> Cc: "users" <users@ovirt.org> Sent: Wednesday, October 7, 2015 12:01:59 AM Subject: Re: [ovirt-users] LDAP authentication with TLS

What are you using as the var.server parameter... does it match the cert...

On Wed, Oct 7, 2015 at 2:43 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--
Donny Davis
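Added example (not from this thread or from the oVirt project) that checks the two points raised above: Alon's finding that port 636 and StartTLS can present different certificates, and Donny's question of whether var.server matches the certificate. It fetches the server certificate both ways, compares SHA-256 fingerprints, and then repeats the engine's own verification (chain to the imported CA plus hostname match); the hostname, CA file path and ports are assumptions.

```python
import hashlib
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # LDAP StartTLS extended operation

def build_starttls_request(msg_id: int = 1) -> bytes:
    """BER-encode LDAPMessage { messageID, ExtendedRequest { requestName } }."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # [0] requestName
    op = b"\x77" + bytes([len(name)]) + name                     # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + op                    # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                   # outer SEQUENCE

def extended_response_code(data: bytes) -> int:
    """resultCode of an ExtendedResponse ([APPLICATION 24] = 0x78, short lengths)."""
    i = data.index(b"\x78")
    assert data[i + 2:i + 4] == b"\x0a\x01", "unexpected ExtendedResponse layout"
    return data[i + 4]                                           # ENUMERATED value

def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def fetch_cert(host: str, port: int, starttls: bool) -> bytes:
    """DER cert presented on this port. Verification is off: diagnostic only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        if starttls:                                             # plain LDAP first
            sock.sendall(build_starttls_request())
            code = extended_response_code(sock.recv(1024))
            if code != 0:
                raise RuntimeError(f"StartTLS refused, resultCode={code}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def verify_against_ca(host: str, port: int, cafile: str) -> str:
    """Same check the engine makes: chain to the imported CA and name == host."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock, ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except ssl.SSLCertVerificationError as e:
        return f"verify failed: {e.verify_message}"

if __name__ == "__main__":
    host, cafile = "ldap.example.com", "myrootca.pem"            # assumed values
    fp_ldaps = sha256_fingerprint(fetch_cert(host, 636, starttls=False))
    fp_start = sha256_fingerprint(fetch_cert(host, 389, starttls=True))
    print("ldaps   :", fp_ldaps, "\nstarttls:", fp_start)
    print("one identity" if fp_ldaps == fp_start else "DIFFERENT certs on 636 vs StartTLS")
    print("ldaps verify against CA:", verify_against_ca(host, 636, cafile))
```

A "verify failed" line naming a hostname mismatch means var.server does not match the certificate's subject or SAN; differing fingerprints mean the two listeners are configured with different certificates and the keystore must trust whichever one the profile actually uses.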