[ovirt-users] Fwd: ovirt-engine-extension-aaa-ldap active directory

nicola gentile nicola.gentile.to at gmail.com
Wed Oct 11 13:02:47 UTC 2017


I do this already.
The CA certificate that I download is fine also for LDAP?

Nick

2017-10-11 14:56 GMT+02:00 Ondra Machacek <omachace at redhat.com>:
> You can download it just temporarily, for example to /tmp.
> Then aaa-setup-tool will create jks file in /etc/ovirt-engine/aaa/ directory.
> After that you can remove the CA file and keep just jks file.
>
> On Wed, Oct 11, 2017 at 2:37 PM, nicola gentile
> <nicola.gentile.to at gmail.com> wrote:
>> Yes I created by aaa-setup tool.
>> I noticed that the CA certificate was expired, then I download new
>> certificate and I run aaa-setup tool.
>>
>> is there a specific place to put the certificate file ca? I put in root home.
>>
>> Thanks a lot
>>
>> Nick
>>
>> 2017-10-11 14:18 GMT+02:00 Ondra Machacek <omachace at redhat.com>:
>>> It fails on SSL handshake:
>>>  sun.security.validator.ValidatorException: No trusted certificate found
>>>
>>> How did you create 'polito.it.jks' file? By aaa-setup tool?
>>> Are you sure you've entered correct CA certificate there?
>>>
>>> On Wed, Oct 11, 2017 at 1:30 PM, nicola gentile
>>> <nicola.gentile.to at gmail.com> wrote:
>>>> 2017-10-11 10:11 GMT+02:00 nicola gentile <nicola.gentile.to at gmail.com>:
>>>>> Hi Martin,
>>>>> I attach aaa.log you suggest
>>>>>
>>>>> Nick
>>>>>
>>>>> 2017-10-10 20:41 GMT+02:00 Martin Perina <mperina at redhat.com>:
>>>>>> Hi,
>>>>>>
>>>>>> most probably you are affected by [1], so could you please check
>>>>>> certificates on all your AD servers?
>>>>>> You can verify using following command:
>>>>>>
>>>>>>   ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --user-name=<USERNAME> --profile=<PROFILE NAME>
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465463
>>>>>>
>>>>>>
>>>>>> On Tue, Oct 10, 2017 at 6:13 PM, Luca 'remix_tj' Lorenzetto
>>>>>> <lorenzetto.luca at gmail.com> wrote:
>>>>>>>
>>>>>>> On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile
>>>>>>> <nicola.gentile.to at gmail.com> wrote:
>>>>>>> > I run the command you suggest
>>>>>>> > ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D user@dom.it -W -x sAMAccountName=user_to_search userPrincipalName | grep userPrincipalName
>>>>>>> >
>>>>>>> > This is the result:
>>>>>>> >
>>>>>>> > Enter LDAP Password:
>>>>>>> > # requesting: userPrincipalName
>>>>>>> >
>>>>>>>
>>>>>>> Supposing you're using all the right parameters in ldapsearch command,
>>>>>>> it seems that the user you were looking up is not a valid user in that
>>>>>>> directory server.
>>>>>>>
>>>>>>> Please check with someone who can access AD and verify the status
>>>>>>> of the user with ADSI Edit.
>>>>>>>
>>>>>>> Luca
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> "It is absurd to employ men of excellent intelligence to do
>>>>>>> calculations that could be entrusted to anyone if machines
>>>>>>> were used"
>>>>>>> Gottfried Wilhelm von Leibnitz, Philosopher and Mathematician (1646-1716)
>>>>>>>
>>>>>>> "The Internet is the largest library in the world.
>>>>>>> But the problem is that the books are all scattered on the floor"
>>>>>>> John Allen Paulos, Mathematician (1945-living)
>>>>>>>
>>>>>>> Luca 'remix_tj' Lorenzetto, http://www.remixtj.net ,
>>>>>>> <lorenzetto.luca at gmail.com>
>>>>>>
>>>>>>
>>>>
>>>>
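
The question raised in the thread (is the CA file given to the setup tool still valid, and is it the one that issued the directory server's certificate) can be checked with openssl before the jks file is rebuilt. This is an added example, not part of the original thread or of oVirt; the function names, the /tmp paths and port 636 (LDAPS) are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread: checks on the CA file before it is
# handed to the aaa setup tool. Requires the openssl command-line tool.

# True if PEM certificate $1 is still valid $2 seconds from now (default 0).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# True if certificate $2 chains to the CA in $1. The output is matched so
# the result does not depend on how a given OpenSSL version sets the exit
# status of "verify".
issued_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Save the certificate a TLS server presents, e.g. an LDAPS listener.
# usage: fetch_server_cert host:port out.pem   (port 636 is an assumption)
fetch_server_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2"
}

# usage: check_ca ca.pem server.pem
# returns 0 = usable, 1 = CA expired/unreadable, 2 = server certificate
# expired/unreadable, 3 = server certificate not issued by this CA
check_ca() {
    cert_valid_for "$1" || { echo "CA certificate expired or unreadable: $1"; return 1; }
    cert_valid_for "$2" || { echo "server certificate expired or unreadable: $2"; return 2; }
    issued_by "$1" "$2" || { echo "server certificate was not issued by $1"; return 3; }
    echo "OK: $1 validates $2"
}

# Example run against the host named in the thread (needs network access):
#   fetch_server_cert domaincontroller.dom.it:636 /tmp/dc.pem
#   check_ca /tmp/ca.pem /tmp/dc.pem
```

If the server certificate was issued by an intermediate CA, result 3 is also returned when the file holds only the root CA, so each AD server should be checked against the full set of CA certificates it chains to.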
