[ovirt-users] Can't perform search after setting up an Active Directory

Ondra Machacek omachace at redhat.com
Mon May 30 20:44:31 UTC 2016



On 05/30/2016 06:17 PM, Alexis HAUSER wrote:
>> Default password is 'changeit' (without quotes).
>> Hmm, can you please try using the .jks file generated by the aaa-ldap-setup
>> tool? Just to be sure.
>
>
> I still have the same error with the default jks
>
>
>> Anyway, the strange thing is that the aaa-ldap-setup tool passes, but the
>> extension doesn't work later.
>> My guess is that it could be an unsupported TLS version.
>> Can you please try running:
>>  LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H
>> ldap://myserver.com -x -D 'CN=Something,DC=myserver,DC=come' -w
>> 'mypaswd' -b 'CN=users,DC=something,DC=com'
>> and
>>   LDAPTLS_PROTOCOL_MIN=3.2 LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H
>> ldap://myserver.com -x -D 'CN=Something,DC=myserver,DC=come' -w
>> 'mypaswd' -b 'CN=users,DC=something,DC=com'
>
>> Do both commands succeed?
>
>
> Yes, they both succeed.
>
>
>> If the latter one doesn't work then probably your AD doesn't accept TLSv1.
>> You can change it by these configuration options:
>> pool.default.ssl.startTLSProtocol=TLSv1
>> to secure:
>> pool.default.ssl.startTLSProtocol=TLSv1.2
>> or:
>>  pool.default.ssl.startTLSProtocol=SSLv3
>> But, you should use TLSv1.2.
>> If none of this is true, then I would try to enable an insecure connection:
>>  pool.default.ssl.insecure = true
>
>
> I still get the same SSL error with all these options (even insecure)
>
>
>> If it will work, then the problem is most probably with certificate.
>> If it won't work, then the problem is most probably with startTLS
>> configuration on AD side.
>
>
>
> So, do you think it's startTLS on AD side ?
>

Oh, I see it, we were blind all the time. The problem is in AD2 and AD3.
AD1 and AD4 are fine.
So yes, the problem is on the AD side but only for AD2 and AD3; that's why it
worked for aaa-ldap-setup :)

So actually this command shouldn't work for you:

  LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H 
ldap://AD2.mydomain.com -x -D 'CN=Something,DC=myserver,DC=come' -w 
'mypaswd' -b 'CN=users,DC=something,DC=com'

but this should:

  LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H 
ldap://AD4.mydomain.com -x -D 'CN=Something,DC=myserver,DC=come' -w 
'mypaswd' -b 'CN=users,DC=something,DC=com'
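The diagnosis above hinges on checking each domain controller separately, since the setup tool and the extension may land on different DCs. As an added example (not code from the thread or from ovirt-engine-extension-aaa-ldap), this Python script does the LDAP StartTLS extended operation by hand against each host and then attempts a TLS handshake with a given minimum version, so a DC that refuses StartTLS or only speaks old TLS shows up by name; the AD1..AD4.mydomain.com hostnames are placeholders taken from the thread, and `cafile` is the same CA file you would pass as LDAPTLS_CACERT.

```python
import socket
import ssl
import sys

# StartTLS extended operation OID (RFC 4511 section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def starttls_request(msg_id=1):
    """BER-encode LDAPMessage{messageID, ExtendedRequest{requestName=StartTLS}}."""
    name = bytes([0x80, len(STARTTLS_OID)]) + STARTTLS_OID  # requestName [0]
    ext = bytes([0x77, len(name)]) + name                   # [APPLICATION 23]
    body = bytes([0x02, 0x01, msg_id]) + ext                # INTEGER messageID
    return bytes([0x30, len(body)]) + body                  # SEQUENCE


def starttls_result_code(resp):
    """Return the resultCode of an ExtendedResponse (tag 0x78), else None.
    Short-form BER lengths only, which is all a StartTLS reply needs."""
    if len(resp) < 9 or resp[0] != 0x30 or resp[2] != 0x02:
        return None
    pos = 4 + resp[3]                                # skip messageID
    if resp[pos] != 0x78 or resp[pos + 2] != 0x0A:   # ENUMERATED resultCode
        return None
    return resp[pos + 4]


def probe(host, min_version, port=389, cafile=None, timeout=5):
    """StartTLS on host, then handshake refusing anything below min_version.
    Handshake and StartTLS failures are returned as a verdict, not raised."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname checks
    ctx.minimum_version = min_version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        code = starttls_result_code(sock.recv(4096))
        if code != 0:
            return f"starttls-refused (resultCode={code})"
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"ok ({tls.version()})"
        except ssl.SSLError as exc:
            return f"handshake-failed ({exc.reason})"


if __name__ == "__main__":
    # Placeholder hostnames from the thread; pass your real DCs as arguments.
    hosts = sys.argv[1:] or [f"AD{i}.mydomain.com" for i in range(1, 5)]
    for host in hosts:
        for label, ver in (("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1", ssl.TLSVersion.TLSv1)):
            print(f"{host:<22} min={label:<8} {probe(host, ver)}")
```

A DC that answers "ok" only with the TLSv1 minimum is the one to fix on the AD side before relaxing pool.default.ssl.startTLSProtocol in the extension.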


