[ovirt-users] oVirt AD integration problems
omachace at redhat.com
Wed Oct 12 06:22:34 UTC 2016
On 10/11/2016 05:32 PM, cmc wrote:
> Hi Ondra,
> Not really. aaa-ldap by default uses just simple bind, no gssapi.
> If you have any problems with the certificate, I would suggest you
> check whether you are using the correct one, correctly. More info on it
> can be found here:
> I've run the following tests in that README you posted above, and all
> worked fine:
> ovirt-engine-extensions-tool aaa login-user --profile=mydomain.com --user-name=myuser
> ovirt-engine-extensions-tool aaa search --extension-name=mydomain.com-authz --entity=principal --entity-name=myuser
> LDAPTLS_REQCERT=never ldapsearch -ZZ -H ldap://ad.mydomain.com -x -D "CN=myuser,CN=Users,DC=mydomain,DC=com" -W -b "dc=mydomain,dc=com"
> I thought I wouldn't need to import any certificate from AD - is that a
It's not, but you need to use an insecure connection then (you need to have
the following line in /etc/ovirt-engine/aaa/domain.properties):
pool.default.ssl.insecure = true
So double check that, and if it still won't work, the logs from
ovirt-engine-extensions-tool would help; you can generate them as follows:
$ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa ....
> Do I need to set up Apache separately to use LDAP auth? The service
> principals exist in the krb5.keytab, but I don't know if that is only if you
> are using SSO.
Yes, that's only if you use SSO. If you use plain LDAP simple bind, you
don't need anything related to Kerberos.
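
Added example, not part of the original thread and not oVirt project code: a small Python audit that flags aaa profile files in which certificate verification has been switched off with the pool.default.ssl.insecure = true line mentioned above, so the setting is not left in place unnoticed after troubleshooting. The /etc/ovirt-engine/aaa directory and the key come from the thread; matching pool names other than "default" and the sample text are assumptions.

```python
import re
from pathlib import Path

# Key named in the thread; accepting pool names other than "default" is an assumption.
INSECURE_KEY = re.compile(r"^pool\.[^.]+\.ssl\.insecure$")

# Constructed sample text, not a real profile.
SAMPLE = """\
# example.placeholder is a made-up key
example.placeholder = ad.mydomain.com
#pool.default.ssl.insecure = false
pool.default.ssl.insecure = \\
    TRUE
"""

def parse_properties(text):
    """Minimal Java .properties reader: comments, '=' or ':' separators, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def find_insecure_tls(text):
    """Return the keys that switch certificate verification off."""
    return sorted(k for k, v in parse_properties(text).items()
                  if INSECURE_KEY.match(k) and v.lower() == "true")

def audit_dir(directory):
    """Map each *.properties file under directory to its insecure keys."""
    findings = {}
    for path in sorted(Path(directory).glob("*.properties")):
        hits = find_insecure_tls(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings

if __name__ == "__main__":
    print("sample:", find_insecure_tls(SAMPLE))
    for name, keys in audit_dir("/etc/ovirt-engine/aaa").items():
        print(f"{name}: certificate verification disabled by {', '.join(keys)}")
```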