[ovirt-users] oVirt AD integration problems
Ondra Machacek
omachace at redhat.com
Wed Oct 12 06:22:34 UTC 2016
On 10/11/2016 05:32 PM, cmc wrote:
> Hi Ondra,
>
>
>
>
> Not really. aaa-ldap by default uses just simple bind, no gssapi.
> If you have any problems with certificate I would suggest you to
> check if you are using the correct one, correctly. More info for it
> can be
> found here:
>
>
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;h=1f4381e4f0d22acdda63c56a84863fcb0f72bc3a;hb=HEAD#l397
> <https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;h=1f4381e4f0d22acdda63c56a84863fcb0f72bc3a;hb=HEAD#l397>
>
>
>
> I've run the following tests in that README you posted above, and all
> worked fine:
>
> ovirt-engine-extensions-tool aaa login-user --profile=mydomain.com
> <http://mydomain.com> --user-name=myuser
> ovirt-engine-extensions-tool aaa search
> --extension-name=mydomain.com-authz --entity=principal --entity-name=myuser
> LDAPTLS_REQCERT=never ldapsearch -ZZ -H ldap://ad.mydomain.com
> <http://ad.mydomain.com> -x -D "CN=myuser,CN=Users,DC=mydomain,DC=com"
> -W -b "dc=mydomain,dc=com"
>
> I thought I wouldn't need to import any certificate from AD - is that a
> requirement?
It's not, but you need to use insecure connection then (you need to have
following line in /etc/ovirt-engine/aaa/domain.properties):
pool.default.ssl.insecure = true
So double check that, and if it still won't work, the logs from
ovirt-engine-extensions-tool would help, you can generate them as follows:
$ ovirt-engine-extensions-tool --log-level=FINEST
--log-file=/tmp/aaa.log aaa ....
>
> Do I need to set up Apache separately to use LDAP auth? The service
> principals exist in the krb5.keytab, but I don't if that is only if you
> are using SSO.
Yes, that's only if you use SSO. If you use plain LDAP simple bind, you
don't need anything related to kerberos.
>
> Thanks,
>
> Cam
>
> _______________________________________________
>
> Users mailing list
> Users at ovirt.org <mailto:Users at ovirt.org>
> http://lists.ovirt.org/mailman/listinfo/users
> <http://lists.ovirt.org/mailman/listinfo/users>
>
>
More information about the Users
mailing list