Info about AD integration and Root CA

Hello, in docs for 4.2 RHV (I think it applies to oVirt 4.2 too) for attaching to AD there is the statement:

"To set up secure connection between the LDAP server and the Manager, ensure a PEM-encoded CA certificate has been prepared. See Section D.2, “Setting Up Encrypted Communication between the Manager and an LDAP Server” for more information."

and in Appendix:

"To set up encrypted communication between the Red Hat Virtualization Manager and an LDAP server, obtain the root CA certificate of the LDAP server. . ."

and in the readme file referred to in the Appendix (/usr/share/doc/ovirt-engine-extension-aaa-ldap-1.3.8/README) there is the command:

Active Directory
    Windows:
        > certutil -ca.cert myrootca.der
    Linux:
        $ openssl x509 -in myrootca.der -inform DER -out myrootca.pem

In my case on a Windows DC (that is a Windows 2012 R2 server with "Domain functional level: Windows Server 2003") I get this error:

C:\Users\Administrator.MYDOMAIN>certutil -ca.cert mydomain.der
CertUtil: The system cannot find the file specified.

C:\Users\Administrator.MYDOMAIN>

What does it mean exactly?

Thanks in advance,
Gianluca

Hi,

Sorry, but this seems to be an Active Directory specific issue. I would suggest to ask on some Microsoft AD specific forum for such an issue.

On 21/02/2019 16:41, Gianluca Cecchi wrote:
> Hello, in docs for 4.2 RHV (I think it applies to oVirt 4.2 too) for attaching to AD there is the statement:
>
> "To set up secure connection between the LDAP server and the Manager, ensure a PEM-encoded CA certificate has been prepared. See Section D.2, “Setting Up Encrypted Communication between the Manager and an LDAP Server” for more information."
>
> and in Appendix:
>
> "To set up encrypted communication between the Red Hat Virtualization Manager and an LDAP server, obtain the root CA certificate of the LDAP server. . ."
>
> and in the readme file referred to in the Appendix (/usr/share/doc/ovirt-engine-extension-aaa-ldap-1.3.8/README) there is the command:
>
> Active Directory
>     Windows:
>         > certutil -ca.cert myrootca.der
>     Linux:
>         $ openssl x509 -in myrootca.der -inform DER -out myrootca.pem
>
> In my case on a Windows DC (that is a Windows 2012 R2 server with "Domain functional level: Windows Server 2003") I get this error:
>
> C:\Users\Administrator.MYDOMAIN>certutil -ca.cert mydomain.der
> CertUtil: The system cannot find the file specified.
>
> C:\Users\Administrator.MYDOMAIN>
>
> What does it mean exactly?
>
> Thanks in advance,
> Gianluca

On Sat, Feb 23, 2019 at 5:33 PM Ondra Machacek <omachace@redhat.com> wrote:
> Hi,
> Sorry, but this seems to be an Active Directory specific issue. I would suggest to ask on some Microsoft AD specific forum for such an issue.

I'm far from being an AD expert, but digging a bit it seems that actually the question is wider. In the sense that deploying a certificate and opening LDAP services for bind and authentication is an optional thing on a Windows domain. And in my case the domain I have to join doesn't have them deployed.

I found an interesting blog here:
https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-s...

Some extract about LDAP activation notes:

"By default, LDAP communications between client and server applications are not encrypted. This means that it would be possible to use a network monitoring device or software and view the communications traveling between LDAP client and server computers. This is especially problematic when an LDAP simple bind is used because credentials (username and password) is passed over the network unencrypted. This could quickly lead to the compromise of credentials.
. . .
Note: Only LDAP data transfers are exposed. Other authentication or authorization data using Kerberos, SASL, and even NTLM have their own encryption systems. The Microsoft Management Console (mmc) snap-ins, since Windows 2000 SP4 have used LDAP sign and seal or Simple Authentication and Security Layer (SASL) and replication between domain controllers is encrypted using Kerberos."

So the situation is that oVirt/RHV can currently interact with AD only through LDAP bind, which travels in clear by default on AD, hence the need to enroll a certificate on AD and enable LDAPS or StartTLS.

It could be interesting to enable other means of AD integration, like vSphere already does, joining the AD domain and so using native encrypted SSO communications. An interesting article here from Nakivo:
https://www.nakivo.com/blog/vmware-vsphere-active-directory-integration/

Any ongoing effort to go in this direction? Samba could join a Windows domain with minimal effort, I think...

Thanks,
Gianluca
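The two messages above describe the same problem from two sides: obtaining the root CA in PEM form for the Manager, and finding out whether the DC actually offers LDAPS at all. The following Python 3 script is an added example that is not part of this thread, the oVirt README or the aaa-ldap extension; it uses only the standard library, assumes the DC hostname and port 636 (LDAPS) are reachable, and assumes the DER bytes or PEM text come from a file you exported (the certificate in the test is a constructed placeholder, not a real one).

```python
import socket
import ssl

LDAPS_PORT = 636  # AD only listens here once a server certificate is enrolled


def der_to_pem(der_bytes):
    """Same conversion as the README's 'openssl x509 -inform DER' step."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def pem_to_der(pem_text):
    """Reverse conversion, useful to check a PEM file was not mangled."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def describe_ca_pem(pem_text):
    """Return [(subject CN, issuer CN, notAfter)] for every CA certificate
    in the PEM text. Leaf (non-CA) certificates are skipped, so an empty
    list means the exported file is a server cert, not the root CA the
    Manager needs. Returns None when the text is not PEM at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with no trust store
    try:
        ctx.load_verify_locations(cadata=pem_text)
    except ssl.SSLError:
        return None
    found = []
    for cert in ctx.get_ca_certs():
        subject = dict(pair for rdn in cert["subject"] for pair in rdn)
        issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
        found.append((subject.get("commonName"), issuer.get("commonName"),
                      cert["notAfter"]))
    return found


def fetch_ldaps_server_cert(host, port=LDAPS_PORT):
    """Grab the certificate the DC presents on LDAPS without verifying it
    (you are obtaining it, not trusting it yet). Raises ConnectionRefusedError
    when the DC has no certificate enrolled and so does not listen on 636."""
    return ssl.get_server_certificate((host, port))


def verify_ldaps_with_ca(host, ca_pem_path, port=LDAPS_PORT):
    """Verified handshake using only the exported CA, as the Manager will do.
    Raises ssl.SSLCertVerificationError if the CA does not sign the DC cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # hostname check + CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_pem_path)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Typical use is `describe_ca_pem(open("myrootca.pem").read())` to confirm the file really holds a CA and has not expired, then `verify_ldaps_with_ca("dc1.mydomain.example", "myrootca.pem")` to prove the chain before configuring the Manager.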