[ovirt-users] Can't perform search after setting up an Active Directory
Alexis HAUSER
alexis.hauser at telecom-bretagne.eu
Mon May 30 16:17:01 UTC 2016
>Default password is 'changeit' (without quotes).
>Hmm, can you please try to use the .jks file generated by the aaa-ldap-setup
>tool? Just to be sure.
I still have the same error with the default jks
>Anyway, the strange thing is that the aaa-ldap-setup tool passes, but the
>extension doesn't work later.
>My guess is that it could be unsupported TLS version.
>Can you please try running:
> LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H
>ldap://myserver.com -x -D 'CN=Something,DC=myserver,DC=com' -w
>'mypaswd' -b 'CN=users,DC=something,DC=com'
>and
> LDAPTLS_PROTOCOL_MIN=3.2 LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H
>ldap://myserver.com -x -D 'CN=Something,DC=myserver,DC=com' -w
>'mypaswd' -b 'CN=users,DC=something,DC=com'
>Do both commands succeed?
Yes, they both succeed.
>If the latter one doesn't work then probably your AD doesn't accept TLSv1.
>You can change it by these configuration options:
> pool.default.ssl.startTLSProtocol=TLSv1
>to secure:
> pool.default.ssl.startTLSProtocol=TLSv1.2
>or:
> pool.default.ssl.startTLSProtocol=SSLv3
>But, you should use TLSv1.2.
>If none of this is true, then I would try to enable insecure connection:
> pool.default.ssl.insecure = true
I still get the same SSL error with all these options (even insecure)
>If it will work, then the problem is most probably with certificate.
>If it won't work, then the problem is most probably with startTLS
>configuration on AD side.
So, do you think it's startTLS on the AD side?