[ovirt-users] LDAP authentication with TLS

Donny Davis donny at cloudspin.me
Wed Oct 7 22:10:57 UTC 2015 

What are you using as the var.server parameter... does it match the cert...

On Wed, Oct 7, 2015 at 2:43 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:

>
> Summary:
> Using legacy ldaps protocol the user's expected certificate was retrieved.
> Using startTLS a different and a self signed certificate was retrieved.
> Two different identities via the two interfaces which should have returned
> a single identity.
>
> ----- Original Message -----
> > From: "Alon Bar-Lev" <alonbl at redhat.com>
> > To: "Steve Dainard" <sdainard at spd1.com>
> > Cc: "users" <users at ovirt.org>
> > Sent: Wednesday, October 7, 2015 12:01:59 AM
> > Subject: Re: [ovirt-users] LDAP authentication with TLS
> >
> > Hi,
> >
> > Can you please send me the profile, the keystore you created and the
> output
> > of:
> >
> > openssl s_client -connect server:636 -showcerts < /dev/null
> >
> > Thanks!
> >
> > ----- Original Message -----
> > > From: "Steve Dainard" <sdainard at spd1.com>
> > > To: "users" <users at ovirt.org>
> > > Sent: Tuesday, October 6, 2015 11:50:41 PM
> > > Subject: [ovirt-users] LDAP authentication with TLS
> > >
> > > Hello,
> > >
> > > Trying to configure Ovirt 3.5.3.1-1.el7.centos for LDAP authentication.
> > >
> > > I've configured the appropriate aaa profile but I'm getting TLS errors
> > >  when I search for users to add via ovirt:
> > >
> > > The connection reader was unable to successfully complete TLS
> > > negotiation: javax_net_ssl_SSLHandshakeException:
> > > sun_security_validator_ValidatorException: No trusted certificate
> > > found caused by sun_security_validator_ValidatorException: No trusted
> > > certificate found
> > >
> > > I added the external CA certificate using keytool as per
> > > https://github.com/oVirt/ovirt-engine-extension-aaa-ldap with
> > > appropriate adjustments of course:
> > >
> > > keytool -importcert -noprompt -trustcacerts -alias myrootca \
> > >        -file myrootca.pem -keystore myrootca.jks -storepass changeit
> > >
> > > I know this certificate works, and can connect to LDAP with TLS as I'm
> > > using the same LDAP configuration/certificate with SSSD.
> > >
> > > Can anyone clarify whether I should be adding the external CA
> > > certificate or the LDAP host certificate with keytool or any other
> > > suggestions?
> > >
> > > Thanks,
> > > Steve
> > > _______________________________________________
> > > Users mailing list
> > > Users at ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > >
> >
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>



-- 
Donny Davis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20151007/6e540132/attachment-0001.html>

More information about the Users mailing list