[ovirt-users] oVirt AD integration problems

Ondra Machacek omachace at redhat.com
Wed Oct 12 06:22:34 UTC 2016

On 10/11/2016 05:32 PM, cmc wrote:
> Hi Ondra,
>     Not really. aaa-ldap by default uses just simple bind, no gssapi.
>     If you have any problems with the certificate, I would suggest you
>     check that you are using the correct one, correctly. More info on it
>     can be found here:
>     https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;h=1f4381e4f0d22acdda63c56a84863fcb0f72bc3a;hb=HEAD#l397
> I've run the following tests in that README you posted above, and all
> worked fine:
> ovirt-engine-extensions-tool aaa login-user --profile=mydomain.com --user-name=myuser
> ovirt-engine-extensions-tool aaa search --extension-name=mydomain.com-authz --entity=principal --entity-name=myuser
> LDAPTLS_REQCERT=never ldapsearch -ZZ -H ldap://ad.mydomain.com -x -D "CN=myuser,CN=Users,DC=mydomain,DC=com" -W -b "dc=mydomain,dc=com"
> I thought I wouldn't need to import any certificate from AD - is that a
> requirement?

It's not, but you need to use an insecure connection then (you need to have
the following line in /etc/ovirt-engine/aaa/domain.properties):

  pool.default.ssl.insecure = true

So double check that, and if it still won't work, the logs from 
ovirt-engine-extensions-tool would help, you can generate them as follows:

  $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa ....

> Do I need to set up Apache separately to use LDAP auth? The service
> principals exist in the krb5.keytab, but I don't know if that is only if you
> are using SSO.

Yes, that's only if you use SSO. If you use plain LDAP simple bind, you
don't need anything related to kerberos.

> Thanks,
> Cam

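An added example, not part of the original post or of the aaa-ldap project: a small Python check that reports which pools in an aaa profile have `pool.<name>.ssl.insecure = true` in effect, the setting the reply gives for connecting without importing the AD certificate. The sample profile is constructed, `pool.default.ssl.truststore.file` is the truststore key from the aaa-ldap README, and applying the same layout to pools other than `default` is an assumption.

```python
import re

# Constructed sample profile, not taken from the thread.
SAMPLE_PROFILE = """\
# constructed example of /etc/ovirt-engine/aaa/mydomain.com.properties
vars.server = ad.mydomain.com
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = false
! a later assignment overrides the earlier one
pool.default.ssl.insecure = true
"""

# Assumption: pools other than "default" use the same pool.<name>.ssl.* layout.
INSECURE_KEY = re.compile(r"^pool\.([^.]+)\.ssl\.insecure$")


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators,
    last assignment wins. Backslash line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_profile(text):
    """Report every pool whose effective setting skips server certificate checks."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        m = INSECURE_KEY.match(key)
        if m and value.lower() == "true":
            pool = m.group(1)
            findings.append({
                "pool": pool,
                "key": key,
                # Whether a truststore is at least configured for this pool.
                "truststore_set": f"pool.{pool}.ssl.truststore.file" in props,
            })
    return findings


if __name__ == "__main__":
    for f in audit_profile(SAMPLE_PROFILE):
        print(f"{f['key']} = true (truststore configured: {f['truststore_set']})")
```

A successful `ldapsearch -ZZ` run with `LDAPTLS_REQCERT=never`, as in the quoted test, likewise performs no certificate validation, so it does not show that the AD certificate is trusted.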