[ovirt-users] Can't perform search after setting up an Active Directory

Alexis HAUSER alexis.hauser at telecom-bretagne.eu
Mon May 30 16:17:01 UTC 2016


>Default password is 'changeit' (without quotes).
>Hmm, can you please try using the .jks file generated by the aaa-ldap-setup
>tool? Just to be sure.


I still have the same error with the default jks.


>Anyway, the strange thing is that the aaa-ldap-setup tool passes, but the
>extension doesn't work later.
>My guess is that it could be an unsupported TLS version.
>Can you please try running:
>  LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H 
>ldap://myserver.com -x -D 'CN=Something,DC=myserver,DC=come' -w 
>'mypaswd' -b 'CN=users,DC=something,DC=com'
>and
>   LDAPTLS_PROTOCOL_MIN=3.2 LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H 
>ldap://myserver.com -x -D 'CN=Something,DC=myserver,DC=come' -w 
>'mypaswd' -b 'CN=users,DC=something,DC=com'

>Do both commands succeed?


Yes, they both succeed.


>If the latter one doesn't work then probably your AD doesn't accept TLSv1.
>You can change it by these configuration options:
> pool.default.ssl.startTLSProtocol=TLSv1
>to secure:
> pool.default.ssl.startTLSProtocol=TLSv1.2
>or:
>  pool.default.ssl.startTLSProtocol=SSLv3
>But, you should use TLSv1.2.
>If none of this is true, then I would try to enable an insecure connection:
>  pool.default.ssl.insecure = true


I still get the same SSL error with all these options (even insecure).


>If it will work, then the problem is most probably with certificate.
>If it won't work, then the problem is most probably with startTLS 
>configuration on AD side.



So, do you think it's startTLS on the AD side?
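The two-way split suggested in the quoted reply (certificate problem vs. StartTLS/protocol problem on the AD side) can be checked directly from the engine host. The script below is an added example, not part of the thread or of ovirt-engine-extension-aaa-ldap; it sends the LDAP StartTLS extended operation by hand, then attempts the TLS handshake pinned to one protocol version at a time, once with certificate verification and once without (the equivalent of pool.default.ssl.insecure=true). The AD host and the optional CA PEM path are assumed command-line arguments.

```python
import socket, ssl, sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)

def starttls_request(msg_id=1):
    """Encode LDAPMessage{messageID, ExtendedRequest{requestName=StartTLS OID}} in BER."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID   # [0] LDAPOID
    ext = b"\x77" + bytes([len(name)]) + name                    # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext                   # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                   # SEQUENCE

def starttls_result_code(resp):
    """Return resultCode of an ExtendedResponse; short-form lengths only (enough for StartTLS)."""
    if resp[:1] != b"\x30" or resp[2] != 0x02:
        raise ValueError("not an LDAPMessage")
    i = 4 + resp[3]                     # skip SEQUENCE header and messageID
    if resp[i] != 0x78:                 # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    if resp[i + 2] != 0x0A:             # ENUMERATED resultCode
        raise ValueError("resultCode missing")
    return resp[i + 4]

def probe(host, port, version, cafile=None, verify=True, timeout=5):
    """Try StartTLS pinned to one TLS version; return (ok, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = version
    if verify:
        ctx.load_verify_locations(cafile) if cafile else ctx.load_default_certs()
    else:                               # same effect as pool.default.ssl.insecure=true
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(starttls_request())
            code = starttls_result_code(sock.recv(4096))
            if code != 0:
                return False, f"server refused StartTLS (resultCode {code})"
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except (OSError, ValueError, IndexError) as exc:   # ssl.SSLError is an OSError
        return False, str(exc)

if __name__ == "__main__":
    host = sys.argv[1]                                   # assumed: AD host
    cafile = sys.argv[2] if len(sys.argv) > 2 else None  # assumed: optional CA PEM
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        for verify in (True, False):
            ok, detail = probe(host, 389, ver, cafile, verify)
            print(f"{ver.name:<7} verify={verify!s:<5} {'OK' if ok else 'FAIL'}: {detail}")
```

If a version succeeds only with verify=False, the CA file or the certificate chain is the problem; if every version fails even without verification, the StartTLS or protocol configuration on the AD side is.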


