9:41 a.m.
Hello,
in docs for 4.2 RHV (I think it applies to oVirt 4.2 too) for attaching to
AD there is the statement
"
To set up secure connection between the LDAP server and the Manager, ensure
a PEM-
encoded CA certificate has been prepared. See Section D.2, “Setting Up
Encrypted
Communication between the Manager and an LDAP Server” for more information.
"
and in Appendix
"
To set up encrypted communication between the Red Hat Virtualization
Manager and an LDAP server, obtain the root CA certificate of the LDAP
server. . .
"
and in readme file referred in the Appendix
(/usr/share/doc/ovirt-engine-extension-aaa-ldap-1.3.8/README) there is the
command:
"
Active Directory
Windows: > certutil -ca.cert myrootca.der
Linux: $ openssl -in myrootca.der -inform DER -out myrootca.pem
"
In my case on Windows DC (that is a Windows 2012 R2 server with "Domain
functional level: Windows Server 2003") I get this error:
C:\Users\Administrator.MYDOMAIN>certutil -ca.cert mydomain.der
CertUtil: The system cannot find the file specified.
C:\Users\Administrator.MYDOMAIN>
What does it mean exactly?
Thanks in advance,
Gianluca
10:33 a.m.
Hi,
Sorry, but this seems to be Active directory specific issue. I would
suggest to ask on some Microsoft AD specific forum for such issue.
On 21/02/2019 16:41, Gianluca Cecchi wrote:
> Hello,
> in docs for 4.2 RHV (I think it applies to oVirt 4.2 too) for attaching
> to AD there is the statement
> "
> To set up secure connection between the LDAP server and the Manager,
> ensure a PEM-
> encoded CA certificate has been prepared. See Section D.2, “Setting Up
> Encrypted
> Communication between the Manager and an LDAP Server” for more information.
> "
> and in Appendix
> "
> To set up encrypted communication between the Red Hat Virtualization
> Manager and an LDAP server, obtain the root CA certificate of the LDAP
> server. . .
> "
> and in readme file referred in the Appendix
> (/usr/share/doc/ovirt-engine-extension-aaa-ldap-1.3.8/README) there is
> the command:
>
> "
> Active Directory
>
> Windows: > certutil -ca.cert myrootca.der
> Linux: $ openssl -in myrootca.der -inform DER -out myrootca.pem
> "
>
> In my case on Windows DC (that is a Windows 2012 R2 server with "Domain
> functional level: Windows Server 2003") I get this error:
>
> C:\Users\Administrator.MYDOMAIN>certutil -ca.cert mydomain.der
> CertUtil: The system cannot find the file specified.
>
> C:\Users\Administrator.MYDOMAIN>
>
> What does it mean exactly?
>
> Thanks in advance,
> Gianluca
>
>
>
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/D5FYNS2LTBI...
>
3:54 a.m.
On Sat, Feb 23, 2019 at 5:33 PM Ondra Machacek <omachace(a)redhat.com> wrote:
Hi,
Sorry, but this seems to be Active directory specific issue. I would
suggest to ask on some Microsoft AD specific forum for such issue.
I'm far from being an AD expert, but digging a bit it seems that actually
the question seems more wider.
In the sense that deploying certificate and opening ldap services for bind
and authenticate is an optional thing on Windows domain.
And in my case the domain where I have to join doesn't have them deployed.
I found an interesting blog here:
https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-ove...
Some extract about LDAP activation notes:
"
By default, LDAP communications between client and server applications are
not encrypted. This means that it would be possible to use a network
monitoring  device or software and view the communications traveling
between LDAP client and server computers. This is especially problematic
when an LDAP simple bind is used because credentials (username and
password) is passed over the network unencrypted. This could quickly lead
to the compromise of credentials.
. . .
Note:
Only LDAP data transfers are exposed. Other authentication or authorization
data using Kerberos, SASL, and even NTLM have their own encryption systems.
The Microsoft Management Console (mmc) snap-ins, since Windows 2000 SP4
have used LDAP sign and seal  or Simple Authentication and Security Layer
(SASL)  and replication between domain controllers is encrypted using
Kerberos  .
"
So the situation is that oVirt/RHV can currently interact with AD only
through LDAP bind that travels in clear by default on AD, from which the
need to enroll certificate on AD and enabling ldaps or StartTLS
It could be interesting to enable other means of AD integration, like
vSphere already does, joining the AD domain and so using native encrypted
SSO communications.
An interesting article here from Nakivo:
https://www.nakivo.com/blog/vmware-vsphere-active-directory-integration/
Any ongoing effort to go in this direction? Samba could join with minimal
effort a Windows domain, I think...
Thanks,
Gianluca
2092
days inactive
2096
days old
2 comments
2 participants
participants (2)
-
Gianluca Cecchi -
Ondra Machacek