Can you connect to the Hosted Engine and run 'setenforce 0' to verify that
it's SELinux?
Most probably the certificate(s) should be in '/etc/pki/ovirt-engine/certs/'.
Best Regards,
Strahil Nikolov
On Fri, Jan 20, 2023 at 7:32, hemak88@gmail.com<hemak88(a)gmail.com> wrote:
I am doing AD integration of the oVirt 4.4 manager. The 'Insecure' method, with the plain text password
saved in /etc/ovirt-engine/aaa/uat.xxxx.com.properties, works fine. I am using the
ovirt-engine-extension-aaa-ldap-setup utility.
However, this is a hard-coded and insecure way. Hence I wanted to use startTLS with a
PEM encoded certificate file. I obtained the root and intermediate CA from the AD server and
used them with startTLS.
I used the below inputs for configuring AD auth with the tool
"ovirt-engine-extension-aaa-ldap-setup":
Available LDAP implementations:
3 - Active Directory
Please select: 3
Please enter Active Directory Forest name:
uat.xxxx.com
Please select protocol to use (startTLS, ldaps, plain) [startTLS]: startTLS
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System,
Insecure): file
File path: /tmp/rootca.pem
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for
anonymous): myself(a)uat.xxxx.com
Enter search user password:
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: No
Please specify profile name that will be visible to users [uat.xxxx.com]:
Please provide credentials to test login flow:
Enter user name: myself(a)uat.xxxx.com
Enter user password:
But I am facing an error. What could be the resolution?
WARNING: Error while connecting to 'adserver.uat.xxxx.com':
LDAPException(resultCode=82 (local error), errorMessage='The connection reader was
unable to successfully complete TLS negotiation: SSLHandshakeException(No trusted
certificate found), ldapSDKVersion=4.0.14,
revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb')
I did verify the root and intermediate certificate:
# openssl verify -verbose -CAfile uatrootca.pem uatca.pem
uatca.pem: OK
1. What could be the reason for the "No trusted certificate found" error?
2. Will this method also save the username and password of the AD user as plain text in the
file /etc/ovirt-engine/aaa/uat.xxxx.com.properties?
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement:
https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CKMCIQV4FI7...