Re: [ovirt-users] LDAP authentication with TLS
What are you using as the var.server parameter... does it match the cert...

On Wed, Oct 7, 2015 at 2:43 PM, Alon Bar-Lev wrote:
>
> Summary:
> Using legacy ldaps protocol the user's expected certificate was retrieved.
> Using startTLS a different and a self signed certificate was retrieved.
> Two different identities via the two interfaces which should have returned
> a single identity.
>
> ----- Original Message -----
> > From: "Alon Bar-Lev"
> > To: "Steve Dainard"
> > Cc: "users"
> > Sent: Wednesday, October 7, 2015 12:01:59 AM
> > Subject: Re: [ovirt-users] LDAP authentication with TLS
> >
> > Hi,
> >
> > Can you please send me the profile, the keystore you created and the output
> > of:
> >
> > openssl s_client -connect server:636 -showcerts < /dev/null
> >
> > Thanks!
> >
> > ----- Original Message -----
> > > From: "Steve Dainard"
> > > To: "users"
> > > Sent: Tuesday, October 6, 2015 11:50:41 PM
> > > Subject: [ovirt-users] LDAP authentication with TLS
> > >
> > > Hello,
> > >
> > > Trying to configure Ovirt 3.5.3.1-1.el7.centos for LDAP authentication.
> > >
> > > I've configured the appropriate aaa profile but I'm getting TLS errors
> > > when I search for users to add via ovirt:
> > >
> > > The connection reader was unable to successfully complete TLS
> > > negotiation: javax.net.ssl.SSLHandshakeException:
> > > sun.security.validator.ValidatorException: No trusted certificate
> > > found caused by sun.security.validator.ValidatorException: No trusted
> > > certificate found
> > >
> > > I added the external CA certificate using keytool as per
> > > https://github.com/oVirt/ovirt-engine-extension-aaa-ldap with
> > > appropriate adjustments of course:
> > >
> > > keytool -importcert -noprompt -trustcacerts -alias myrootca \
> > >     -file myrootca.pem -keystore myrootca.jks -storepass changeit
> > >
> > > I know this certificate works, and can connect to LDAP with TLS as I'm
> > > using the same LDAP configuration/certificate with SSSD.
> > >
> > > Can anyone clarify whether I should be adding the external CA
> > > certificate or the LDAP host certificate with keytool or any other
> > > suggestions?
> > >
> > > Thanks,
> > > Steve
> > > _______________________________________________
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users

--
Donny Davis
Re: [ovirt-users] LDAP authentication with TLS
Summary:
Using legacy ldaps protocol the user's expected certificate was retrieved.
Using startTLS a different and a self signed certificate was retrieved.
Two different identities via the two interfaces which should have returned
a single identity.

----- Original Message -----
> From: "Alon Bar-Lev"
> To: "Steve Dainard"
> Cc: "users"
> Sent: Wednesday, October 7, 2015 12:01:59 AM
> Subject: Re: [ovirt-users] LDAP authentication with TLS
>
> Hi,
>
> Can you please send me the profile, the keystore you created and the output
> of:
>
> openssl s_client -connect server:636 -showcerts < /dev/null
>
> Thanks!
>
> ----- Original Message -----
> > From: "Steve Dainard"
> > To: "users"
> > Sent: Tuesday, October 6, 2015 11:50:41 PM
> > Subject: [ovirt-users] LDAP authentication with TLS
> >
> > Hello,
> >
> > Trying to configure Ovirt 3.5.3.1-1.el7.centos for LDAP authentication.
> >
> > I've configured the appropriate aaa profile but I'm getting TLS errors
> > when I search for users to add via ovirt:
> >
> > The connection reader was unable to successfully complete TLS
> > negotiation: javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: No trusted certificate
> > found caused by sun.security.validator.ValidatorException: No trusted
> > certificate found
> >
> > I added the external CA certificate using keytool as per
> > https://github.com/oVirt/ovirt-engine-extension-aaa-ldap with
> > appropriate adjustments of course:
> >
> > keytool -importcert -noprompt -trustcacerts -alias myrootca \
> >     -file myrootca.pem -keystore myrootca.jks -storepass changeit
> >
> > I know this certificate works, and can connect to LDAP with TLS as I'm
> > using the same LDAP configuration/certificate with SSSD.
> >
> > Can anyone clarify whether I should be adding the external CA
> > certificate or the LDAP host certificate with keytool or any other
> > suggestions?
> >
> > Thanks,
> > Steve
Re: [ovirt-users] LDAP authentication with TLS
Hi,

Can you please send me the profile, the keystore you created and the output
of:

openssl s_client -connect server:636 -showcerts < /dev/null

Thanks!

----- Original Message -----
> From: "Steve Dainard"
> To: "users"
> Sent: Tuesday, October 6, 2015 11:50:41 PM
> Subject: [ovirt-users] LDAP authentication with TLS
>
> Hello,
>
> Trying to configure Ovirt 3.5.3.1-1.el7.centos for LDAP authentication.
>
> I've configured the appropriate aaa profile but I'm getting TLS errors
> when I search for users to add via ovirt:
>
> The connection reader was unable to successfully complete TLS
> negotiation: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: No trusted certificate
> found caused by sun.security.validator.ValidatorException: No trusted
> certificate found
>
> I added the external CA certificate using keytool as per
> https://github.com/oVirt/ovirt-engine-extension-aaa-ldap with
> appropriate adjustments of course:
>
> keytool -importcert -noprompt -trustcacerts -alias myrootca \
>     -file myrootca.pem -keystore myrootca.jks -storepass changeit
>
> I know this certificate works, and can connect to LDAP with TLS as I'm
> using the same LDAP configuration/certificate with SSSD.
>
> Can anyone clarify whether I should be adding the external CA
> certificate or the LDAP host certificate with keytool or any other
> suggestions?
>
> Thanks,
> Steve
[ovirt-users] LDAP authentication with TLS
Hello,

Trying to configure Ovirt 3.5.3.1-1.el7.centos for LDAP authentication.

I've configured the appropriate aaa profile but I'm getting TLS errors
when I search for users to add via ovirt:

The connection reader was unable to successfully complete TLS
negotiation: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate
found caused by sun.security.validator.ValidatorException: No trusted
certificate found

I added the external CA certificate using keytool as per
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap with
appropriate adjustments of course:

keytool -importcert -noprompt -trustcacerts -alias myrootca \
    -file myrootca.pem -keystore myrootca.jks -storepass changeit

I know this certificate works, and can connect to LDAP with TLS as I'm
using the same LDAP configuration/certificate with SSSD.

Can anyone clarify whether I should be adding the external CA
certificate or the LDAP host certificate with keytool or any other
suggestions?

Thanks,
Steve
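The check Alon asks for (what the server presents on port 636), the ldaps-versus-startTLS discrepancy he summarises later in the thread, and Steve's question about which certificate belongs in the keystore, as one added example that is not part of the thread and not code from ovirt-engine-extension-aaa-ldap: a Python script that fetches the server certificate over ldaps:// on 636 and again after an LDAP StartTLS on 389, verifies each against the CA file given on the command line (the same myrootca.pem that was imported with keytool), and reports whether the two listeners present the same certificate. The host name ldap.example.com, the ports and the CA path are assumptions; the StartTLS request is built by hand from RFC 4511 so that only the standard library is needed.

```python
"""Added example, not code from the thread or from oVirt.

Fetch the certificate an LDAP server presents on the ldaps:// port (636)
and again after an LDAP StartTLS on the plain port (389), verify each
against a CA file, and report whether the two listeners agree.
Host name, ports and CA path are assumptions.
"""
import hashlib
import socket
import ssl

# RFC 4511 StartTLS extended operation OID.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.

    message_id is assumed to fit in one byte (1..127) to keep the INTEGER trivial.
    """
    request_name = b"\x80" + ber_length(len(STARTTLS_OID)) + STARTTLS_OID
    extended_req = b"\x77" + ber_length(len(request_name)) + request_name
    body = b"\x02\x01" + bytes([message_id]) + extended_req
    return b"\x30" + ber_length(len(body)) + body


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the BER TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_result_code(response: bytes) -> int:
    """resultCode of an ExtendedResponse [APPLICATION 24]; 0 is success."""
    tag, message, _ = read_tlv(response)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(message)          # skip messageID
    op_tag, op, _ = read_tlv(message, pos)
    if op_tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % op_tag)
    rc_tag, rc, _ = read_tlv(op)           # resultCode is the first ENUMERATED
    if rc_tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(rc, "big")


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate (openssl x509 -fingerprint -sha256, colons removed)."""
    return hashlib.sha256(der).hexdigest()


def make_context(cafile):
    """Verify against cafile when given; otherwise only observe the certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_ldaps_cert(host, port=636, cafile=None, timeout=5.0) -> bytes:
    """TLS from the first byte, as ldaps:// does."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with make_context(cafile).wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fetch_starttls_cert(host, port=389, cafile=None, timeout=5.0) -> bytes:
    """Plain LDAP first, then the StartTLS extended operation, then the handshake."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        rc = parse_result_code(sock.recv(4096))   # the response is a few dozen bytes
        if rc != 0:
            raise RuntimeError("server refused StartTLS, resultCode=%d" % rc)
        with make_context(cafile).wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare_listeners(host, cafile=None):
    """Fingerprint both listeners; a verify failure is reported instead of a fingerprint."""
    results = {}
    for name, fetch in (("ldaps/636", fetch_ldaps_cert), ("starttls/389", fetch_starttls_cert)):
        try:
            results[name] = fingerprint(fetch(host, cafile=cafile))
        except (OSError, RuntimeError, ValueError) as exc:   # ssl.SSLError is an OSError
            results[name] = "ERROR: %s" % exc
    return results


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"   # assumed host
    cafile = sys.argv[2] if len(sys.argv) > 2 else None               # e.g. myrootca.pem
    results = compare_listeners(host, cafile)
    for name, value in results.items():
        print("%-13s %s" % (name, value))
    prints = [v for v in results.values() if not v.startswith("ERROR")]
    if len(set(prints)) > 1:
        print("MISMATCH: the two listeners present different certificates")
```

Run it as `python3 ldap_tls_check.py ldap.example.com myrootca.pem`. With the CA file given, a listener whose certificate does not chain to that CA is reported as a verify error rather than a fingerprint, which is the same decision the Java trust store makes: importing the issuing CA is enough when the host certificate chains to it, while a self-signed listener certificate, as Alon found on the STARTTLS port, will never validate against that CA no matter which keystore it sits in. Two different fingerprints with no errors mean the two listeners are serving different identities and the server side needs fixing before the engine's profile will work on both.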