
On 10/11/2016 05:32 PM, cmc wrote:
Hi Ondra,
Not really. aaa-ldap by default uses just simple bind, no gssapi. If you have any problems with certificate I would suggest you check if you are using the correct one, correctly. More info for it can be found here:
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;h=1f4381e4f0d22acdda63c56a84863fcb0f72bc3a;hb=HEAD#l397
I've run the following tests in that README you posted above, and all worked fine:
ovirt-engine-extensions-tool aaa login-user --profile=mydomain.com --user-name=myuser
ovirt-engine-extensions-tool aaa search --extension-name=mydomain.com-authz --entity=principal --entity-name=myuser
LDAPTLS_REQCERT=never ldapsearch -ZZ -H ldap://ad.mydomain.com -x -D "CN=myuser,CN=Users,DC=mydomain,DC=com" -W -b "dc=mydomain,dc=com"
I thought I wouldn't need to import any certificate from AD - is that a requirement?
It's not, but you need to use an insecure connection then (you need to have the following line in /etc/ovirt-engine/aaa/domain.properties):

pool.default.ssl.insecure = true

So double check that, and if it still won't work, the logs from ovirt-engine-extensions-tool would help. You can generate them as follows:

$ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa ....
Do I need to set up Apache separately to use LDAP auth? The service principals exist in the krb5.keytab, but I don't know if that is only if you are using SSO.
Yes, that's only if you use SSO. If you use plain LDAP simple bind, you don't need anything related to kerberos.
Thanks,
Cam
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
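The thread's answer to "do I need to import the AD certificate?" is "no, if you set pool.default.ssl.insecure = true", which turns off verification of the domain controller's certificate and leaves the simple-bind password exposed to anyone who can sit between the engine and AD. The script below is an added example written for this thread, not code from the oVirt project: it reads an aaa-ldap profile file and reports whether the simple bind is sent in plaintext, sent over unverified TLS, or sent over TLS with a truststore configured. Only pool.default.ssl.insecure is named in the thread; the other property names (pool.default.ssl.enable, pool.default.ssl.startTLS, pool.default.ssl.truststore.file) are assumed from the aaa-ldap README and should be checked against the README link above before relying on them. The three sample profiles are constructed for the example.

```python
"""Lint an aaa-ldap profile (/etc/ovirt-engine/aaa/<profile>.properties) for TLS settings.

Added example written for this thread; it is not code from the oVirt
project. `pool.default.ssl.insecure` is the property named in the thread;
the other property names below are assumed from the aaa-ldap README and
should be checked against it before relying on them.
"""
import re

INSECURE = "pool.default.ssl.insecure"             # named in the thread
LDAPS = "pool.default.ssl.enable"                  # assumed name (LDAPS on 636)
STARTTLS = "pool.default.ssl.startTLS"             # assumed name (StartTLS on 389)
TRUSTSTORE = "pool.default.ssl.truststore.file"    # assumed name

# Constructed sample profiles, modelled on the thread's ad.mydomain.com example.
PROFILE_INSECURE = """\
include = <ad.properties>
vars.server = ad.mydomain.com
vars.user = CN=myuser,CN=Users,DC=mydomain,DC=com
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.ssl.startTLS = true
# the shortcut from the thread: no certificate import, no verification
pool.default.ssl.insecure = true
"""

PROFILE_VERIFIED = """\
include = <ad.properties>
vars.server = ad.mydomain.com
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = false
# truststore holding the AD CA certificate
pool.default.ssl.truststore.file = ${local:_basedir}/ad-ca.jks
pool.default.ssl.truststore.password = changeit
"""

PROFILE_PLAINTEXT = """\
include = <ad.properties>
vars.server = ad.mydomain.com
pool.default.serverset.single.server = ${global:vars.server}
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash line continuation; later keys override earlier ones. ${...}
    references are kept verbatim rather than expanded."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def truthy(value):
    return value.strip().lower() == "true"


def lint_profile(text):
    """Return a list of findings; an empty list means TLS is on and verified."""
    props = parse_properties(text)
    findings = []
    encrypted = truthy(props.get(LDAPS, "false")) or truthy(props.get(STARTTLS, "false"))
    if not encrypted:
        findings.append("plaintext: neither %s nor %s is true, so the simple-bind "
                        "password crosses the network unencrypted" % (LDAPS, STARTTLS))
    if truthy(props.get(INSECURE, "false")):
        findings.append("%s = true: the server certificate is not verified, so anyone "
                        "on the path can present their own certificate and read the "
                        "bind password" % INSECURE)
    elif encrypted and not props.get(TRUSTSTORE):
        findings.append("%s is unset: if AD uses a private CA, import that CA into a "
                        "truststore and point this property at it, otherwise the "
                        "certificate check fails" % TRUSTSTORE)
    return findings


if __name__ == "__main__":
    for name, profile in (("insecure", PROFILE_INSECURE),
                          ("verified", PROFILE_VERIFIED),
                          ("plaintext", PROFILE_PLAINTEXT)):
        print(name, lint_profile(profile) or ["ok"])
```

Run it against your own profile with `lint_profile(open("/etc/ovirt-engine/aaa/domain.properties").read())`. The insecure profile is the configuration the thread settles on; the verified profile is what it should become once the AD CA certificate is imported, and it is the one the ldapsearch test above should be repeated against without LDAPTLS_REQCERT=never.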