Re: [ovirt-users] Fwd: ovirt-engine-extension-aaa-ldap active directory

2017-10-11 Thread Ondra Machacek
I don't know what you downloaded.
It should be the CA used to sign the LDAP services on AD.

If it's a CA created by AD SSL, you can get it for example as follows:

1. Press "Start" -> "Run" and write "cmd" and press "Enter".
2. Extract the CA certificate using the following command:

```
> certutil -ca.cert ca.der
```
3. Copy ca.der to the oVirt machine into /tmp.
4. Convert to PEM format using the following command:

```
$ openssl x509 -in /tmp/ca.der -inform DER -out /tmp/ca.crt
```

On Wed, Oct 11, 2017 at 3:02 PM, nicola gentile
 wrote:
> I already did this.
> Is the CA certificate that I downloaded also fine for LDAP?
>
> Nick
>
> 2017-10-11 14:56 GMT+02:00 Ondra Machacek :
>> You can download it just temporarily, for example to /tmp.
>> Then aaa-setup-tool will create a jks file in the /etc/ovirt-engine/aaa/ directory.
>> After that you can remove the CA file and keep just the jks file.
>>
>> On Wed, Oct 11, 2017 at 2:37 PM, nicola gentile
>>  wrote:
>>> Yes, I created it with the aaa-setup tool.
>>> I noticed that the CA certificate had expired, then I downloaded a new
>>> certificate and ran the aaa-setup tool.
>>>
>>> Is there a specific place to put the CA certificate file? I put it in root's
>>> home.
>>>
>>> Thanks a lot
>>>
>>> Nick
>>>
>>> 2017-10-11 14:18 GMT+02:00 Ondra Machacek :
>>>> It fails on the SSL handshake:
>>>>  sun.security.validator.ValidatorException: No trusted certificate found
>>>>
>>>> How did you create the 'polito.it.jks' file? With the aaa-setup tool?
>>>> Are you sure you've entered the correct CA certificate there?
>>>>
>>>> On Wed, Oct 11, 2017 at 1:30 PM, nicola gentile
>>>>  wrote:
>>>>> 2017-10-11 10:11 GMT+02:00 nicola gentile :
>>>>>> Hi Martin,
>>>>>> I attach the aaa.log you suggested.
>>>>>>
>>>>>> Nick
>>>>>>
>>>>>> 2017-10-10 20:41 GMT+02:00 Martin Perina :
>>>>>>> Hi,
>>>>>>>
>>>>>>> most probably you are affected by [1], so could you please check the
>>>>>>> certificates on all your AD servers?
>>>>>>> You can verify using the following command:
>>>>>>>
>>>>>>>   ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
>>>>>>> --user-name= --profile=
>>>>>>>
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465463
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Oct 10, 2017 at 6:13 PM, Luca 'remix_tj' Lorenzetto
>>>>>>>  wrote:
>>>>>>>>
>>>>>>>> On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile
>>>>>>>>  wrote:
>>>>>>>> > I ran the command you suggested
>>>>>>>> > ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D
>>>>>>>> > u...@dom.it
>>>>>>>> > -W -x sAMAccountName=user_to_search userPrincipalName | grep
>>>>>>>> > userPrincipalName
>>>>>>>> >
>>>>>>>> > This is the result:
>>>>>>>> >
>>>>>>>> > Enter LDAP Password:
>>>>>>>> > # requesting: userPrincipalName
>>>>>>>> >
>>>>>>>>
>>>>>>>> Supposing you're using all the right parameters in the ldapsearch command,
>>>>>>>> it seems that the user you were looking up is not a valid user in that
>>>>>>>> directory server.
>>>>>>>>
>>>>>>>> Please check with someone who can access AD and verify the status
>>>>>>>> of the user with ADSI Edit.
>>>>>>>>
>>>>>>>> Luca
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> "It is absurd to employ men of excellent intelligence to do
>>>>>>>> calculations that could be entrusted to anyone if machines
>>>>>>>> were used"
>>>>>>>> Gottfried Wilhelm von Leibnitz, Philosopher and Mathematician (1646-1716)
>>>>>>>>
>>>>>>>> "The Internet is the largest library in the world.
>>>>>>>> But the problem is that the books are all scattered on the floor"
>>>>>>>> John Allen Paulos, Mathematician (1945-living)
>>>>>>>>
>>>>>>>> Luca 'remix_tj' Lorenzetto, http://www.remixtj.net ,
>>>>>>>>
>>>>>>>> ___
>>>>>>>> Users mailing list
>>>>>>>> Users@ovirt.org
>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Fwd: ovirt-engine-extension-aaa-ldap active directory

2017-10-11 Thread nicola gentile
I already did this.
Is the CA certificate that I downloaded also fine for LDAP?

Nick

2017-10-11 14:56 GMT+02:00 Ondra Machacek :
> You can download it just temporarily, for example to /tmp.
> Then aaa-setup-tool will create a jks file in the /etc/ovirt-engine/aaa/ directory.
> After that you can remove the CA file and keep just the jks file.
>
> On Wed, Oct 11, 2017 at 2:37 PM, nicola gentile
>  wrote:
>> Yes, I created it with the aaa-setup tool.
>> I noticed that the CA certificate had expired, then I downloaded a new
>> certificate and ran the aaa-setup tool.
>>
>> Is there a specific place to put the CA certificate file? I put it in root's home.
>>
>> Thanks a lot
>>
>> Nick
>>
>> 2017-10-11 14:18 GMT+02:00 Ondra Machacek :
>>> It fails on the SSL handshake:
>>>  sun.security.validator.ValidatorException: No trusted certificate found
>>>
>>> How did you create the 'polito.it.jks' file? With the aaa-setup tool?
>>> Are you sure you've entered the correct CA certificate there?
>>>
>>> On Wed, Oct 11, 2017 at 1:30 PM, nicola gentile
>>>  wrote:
>>>> 2017-10-11 10:11 GMT+02:00 nicola gentile :
>>>>> Hi Martin,
>>>>> I attach the aaa.log you suggested.
>>>>>
>>>>> Nick
>>>>>
>>>>> 2017-10-10 20:41 GMT+02:00 Martin Perina :
>>>>>> Hi,
>>>>>>
>>>>>> most probably you are affected by [1], so could you please check the
>>>>>> certificates on all your AD servers?
>>>>>> You can verify using the following command:
>>>>>>
>>>>>>   ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
>>>>>> --user-name= --profile=
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465463
>>>>>>
>>>>>>
>>>>>> On Tue, Oct 10, 2017 at 6:13 PM, Luca 'remix_tj' Lorenzetto
>>>>>>  wrote:
>>>>>>>
>>>>>>> On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile
>>>>>>>  wrote:
>>>>>>> > I ran the command you suggested
>>>>>>> > ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it
>>>>>>> > -W -x sAMAccountName=user_to_search userPrincipalName | grep
>>>>>>> > userPrincipalName
>>>>>>> >
>>>>>>> > This is the result:
>>>>>>> >
>>>>>>> > Enter LDAP Password:
>>>>>>> > # requesting: userPrincipalName
>>>>>>> >
>>>>>>>
>>>>>>> Supposing you're using all the right parameters in the ldapsearch command,
>>>>>>> it seems that the user you were looking up is not a valid user in that
>>>>>>> directory server.
>>>>>>>
>>>>>>> Please check with someone who can access AD and verify the status
>>>>>>> of the user with ADSI Edit.
>>>>>>>
>>>>>>> Luca
>>>>>>>
>>>>>>>


Re: [ovirt-users] Fwd: ovirt-engine-extension-aaa-ldap active directory

2017-10-11 Thread Ondra Machacek
You can download it just temporarily, for example to /tmp.
Then aaa-setup-tool will create a jks file in the /etc/ovirt-engine/aaa/ directory.
After that you can remove the CA file and keep just the jks file.

On Wed, Oct 11, 2017 at 2:37 PM, nicola gentile
 wrote:
> Yes, I created it with the aaa-setup tool.
> I noticed that the CA certificate had expired, then I downloaded a new
> certificate and ran the aaa-setup tool.
>
> Is there a specific place to put the CA certificate file? I put it in root's home.
>
> Thanks a lot
>
> Nick
>
> 2017-10-11 14:18 GMT+02:00 Ondra Machacek :
>> It fails on the SSL handshake:
>>  sun.security.validator.ValidatorException: No trusted certificate found
>>
>> How did you create the 'polito.it.jks' file? With the aaa-setup tool?
>> Are you sure you've entered the correct CA certificate there?
>>
>> On Wed, Oct 11, 2017 at 1:30 PM, nicola gentile
>>  wrote:
>>> 2017-10-11 10:11 GMT+02:00 nicola gentile :
>>>> Hi Martin,
>>>> I attach the aaa.log you suggested.
>>>>
>>>> Nick
>>>>
>>>> 2017-10-10 20:41 GMT+02:00 Martin Perina :
>>>>> Hi,
>>>>>
>>>>> most probably you are affected by [1], so could you please check the
>>>>> certificates on all your AD servers?
>>>>> You can verify using the following command:
>>>>>
>>>>>   ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
>>>>> --user-name= --profile=
>>>>>
>>>>>
>>>>> Thanks
>>>>>
>>>>> Martin
>>>>>
>>>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465463
>>>>>
>>>>>
>>>>> On Tue, Oct 10, 2017 at 6:13 PM, Luca 'remix_tj' Lorenzetto
>>>>>  wrote:
>>>>>>
>>>>>> On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile
>>>>>>  wrote:
>>>>>> > I ran the command you suggested
>>>>>> > ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it
>>>>>> > -W -x sAMAccountName=user_to_search userPrincipalName | grep
>>>>>> > userPrincipalName
>>>>>> >
>>>>>> > This is the result:
>>>>>> >
>>>>>> > Enter LDAP Password:
>>>>>> > # requesting: userPrincipalName
>>>>>> >
>>>>>>
>>>>>> Supposing you're using all the right parameters in the ldapsearch command,
>>>>>> it seems that the user you were looking up is not a valid user in that
>>>>>> directory server.
>>>>>>
>>>>>> Please check with someone who can access AD and verify the status
>>>>>> of the user with ADSI Edit.
>>>>>>
>>>>>> Luca
>>>>>>
>>>>>>


Re: [ovirt-users] Fwd: ovirt-engine-extension-aaa-ldap active directory

2017-10-11 Thread nicola gentile
Yes, I created it with the aaa-setup tool.
I noticed that the CA certificate had expired, then I downloaded a new
certificate and ran the aaa-setup tool.

Is there a specific place to put the CA certificate file? I put it in root's home.

Thanks a lot

Nick

2017-10-11 14:18 GMT+02:00 Ondra Machacek :
> It fails on the SSL handshake:
>  sun.security.validator.ValidatorException: No trusted certificate found
>
> How did you create the 'polito.it.jks' file? With the aaa-setup tool?
> Are you sure you've entered the correct CA certificate there?
>
> On Wed, Oct 11, 2017 at 1:30 PM, nicola gentile
>  wrote:
>> 2017-10-11 10:11 GMT+02:00 nicola gentile :
>>> Hi Martin,
>>> I attach the aaa.log you suggested.
>>>
>>> Nick
>>>
>>> 2017-10-10 20:41 GMT+02:00 Martin Perina :
>>>> Hi,
>>>>
>>>> most probably you are affected by [1], so could you please check the
>>>> certificates on all your AD servers?
>>>> You can verify using the following command:
>>>>
>>>>   ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
>>>> --user-name= --profile=
>>>>
>>>>
>>>> Thanks
>>>>
>>>> Martin
>>>>
>>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465463
>>>>
>>>>
>>>> On Tue, Oct 10, 2017 at 6:13 PM, Luca 'remix_tj' Lorenzetto
>>>>  wrote:
>>>>>
>>>>> On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile
>>>>>  wrote:
>>>>> > I ran the command you suggested
>>>>> > ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it
>>>>> > -W -x sAMAccountName=user_to_search userPrincipalName | grep
>>>>> > userPrincipalName
>>>>> >
>>>>> > This is the result:
>>>>> >
>>>>> > Enter LDAP Password:
>>>>> > # requesting: userPrincipalName
>>>>> >
>>>>>
>>>>> Supposing you're using all the right parameters in the ldapsearch command,
>>>>> it seems that the user you were looking up is not a valid user in that
>>>>> directory server.
>>>>>
>>>>> Please check with someone who can access AD and verify the status
>>>>> of the user with ADSI Edit.
>>>>>
>>>>> Luca
>>>>>
>>>>>


Re: [ovirt-users] Fwd: ovirt-engine-extension-aaa-ldap active directory

2017-10-11 Thread Ondra Machacek
It fails on the SSL handshake:
 sun.security.validator.ValidatorException: No trusted certificate found

How did you create the 'polito.it.jks' file? With the aaa-setup tool?
Are you sure you've entered the correct CA certificate there?

On Wed, Oct 11, 2017 at 1:30 PM, nicola gentile
 wrote:
> 2017-10-11 10:11 GMT+02:00 nicola gentile :
>> Hi Martin,
>> I attach the aaa.log you suggested.
>>
>> Nick
>>
>> 2017-10-10 20:41 GMT+02:00 Martin Perina :
>>> Hi,
>>>
>>> most probably you are affected by [1], so could you please check the
>>> certificates on all your AD servers?
>>> You can verify using the following command:
>>>
>>>   ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
>>> --user-name= --profile=
>>>
>>>
>>> Thanks
>>>
>>> Martin
>>>
>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465463
>>>
>>>
>>> On Tue, Oct 10, 2017 at 6:13 PM, Luca 'remix_tj' Lorenzetto
>>>  wrote:
>>>>
>>>> On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile
>>>>  wrote:
>>>> > I ran the command you suggested
>>>> > ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it
>>>> > -W -x sAMAccountName=user_to_search userPrincipalName | grep
>>>> > userPrincipalName
>>>> >
>>>> > This is the result:
>>>> >
>>>> > Enter LDAP Password:
>>>> > # requesting: userPrincipalName
>>>> >
>>>>
>>>> Supposing you're using all the right parameters in the ldapsearch command,
>>>> it seems that the user you were looking up is not a valid user in that
>>>> directory server.
>>>>
>>>> Please check with someone who can access AD and verify the status
>>>> of the user with ADSI Edit.
>>>>
>>>> Luca
>>>>
>>>>