Re: [ovirt-users] Fwd: ovirt-engine-extension-aaa-ldap active directory
I don't know what you downloaded. It should be the CA used to sign the LDAP services on AD. If it is a CA created by AD SSL, you can get it for example as follows:

1. Press "Start" -> "Run", write "cmd" and press "Enter".
2. Extract the CA certificate using the following command:

```
> certutil -ca.cert ca.der
```

3. Copy ca.der to the oVirt machine into /tmp.
4. Convert it to PEM format using the following command:

```
$ openssl x509 -in /tmp/ca.der -inform DER -out /tmp/ca.crt
```

On Wed, Oct 11, 2017 at 3:02 PM, nicola gentile wrote:
> I did this already.
> The CA certificate that I downloaded is fine also for ldap?
>
> Nick
>
> 2017-10-11 14:56 GMT+02:00 Ondra Machacek:
>> You can download it just temporarily, for example to /tmp.
>> Then aaa-setup-tool will create the jks file in the /etc/ovirt-engine/aaa/ directory.
>> After that you can remove the CA file and keep just the jks file.
>>
>> On Wed, Oct 11, 2017 at 2:37 PM, nicola gentile wrote:
>>> Yes, I created it by aaa-setup tool.
>>> I noticed that the CA certificate was expired, then I downloaded the new
>>> certificate and I ran aaa-setup tool.
>>>
>>> Is there a specific place to put the CA certificate file? I put it in root's home.
>>>
>>> Thanks a lot
>>>
>>> Nick
>>>
>>> 2017-10-11 14:18 GMT+02:00 Ondra Machacek:
>>>> It fails on SSL handshake:
>>>> sun.security.validator.ValidatorException: No trusted certificate found
>>>>
>>>> How did you create the 'polito.it.jks' file? By aaa-setup tool?
>>>> Are you sure you've entered the correct CA certificate there?
>>>>
>>>> On Wed, Oct 11, 2017 at 1:30 PM, nicola gentile wrote:
>>>>> 2017-10-11 10:11 GMT+02:00 nicola gentile:
>>>>>> Hi Martin,
>>>>>> I attach the aaa.log you suggested
>>>>>>
>>>>>> Nick
>>>>>>
>>>>>> 2017-10-10 20:41 GMT+02:00 Martin Perina:
>>>>>>> Hi,
>>>>>>>
>>>>>>> most probably you are affected by [1], so could you please check
>>>>>>> certificates on all your AD servers?
>>>>>>> You can verify using the following command:
>>>>>>>
>>>>>>> ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --user-name= --profile=
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465463
>>>>>>>
>>>>>>> On Tue, Oct 10, 2017 at 6:13 PM, Luca 'remix_tj' Lorenzetto wrote:
>>>>>>>> On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile wrote:
>>>>>>>>> I ran the command you suggested
>>>>>>>>> ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it -W -x sAMAccountName=user_to_search userPrincipalName | grep userPrincipalName
>>>>>>>>>
>>>>>>>>> This is the result:
>>>>>>>>>
>>>>>>>>> Enter LDAP Password:
>>>>>>>>> # requesting: userPrincipalName
>>>>>>>>>
>>>>>>>> Supposing you're using all the right parameters in the ldapsearch command,
>>>>>>>> it seems that the user you were looking up is not a valid user in that
>>>>>>>> directory server.
>>>>>>>>
>>>>>>>> Please check with someone that can access AD and verify the status
>>>>>>>> of the user with ADSI Edit.
>>>>>>>>
>>>>>>>> Luca
>>>>>>>>
>>>>>>>> --
>>>>>>>> "It is absurd to employ men of excellent intelligence to do calculations that could be entrusted to anyone if machines were used"
>>>>>>>> Gottfried Wilhelm von Leibniz, Philosopher and Mathematician (1646-1716)
>>>>>>>>
>>>>>>>> "The Internet is the biggest library in the world. But the problem is that the books are all scattered on the floor"
>>>>>>>> John Allen Paulos, Mathematician (1945-living)
>>>>>>>>
>>>>>>>> Luca 'remix_tj' Lorenzetto, http://www.remixtj.net

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Fwd: ovirt-engine-extension-aaa-ldap active directory
I did this already. The CA certificate that I downloaded is fine also for ldap?

Nick

2017-10-11 14:56 GMT+02:00 Ondra Machacek:
> You can download it just temporarily, for example to /tmp.
> Then aaa-setup-tool will create the jks file in the /etc/ovirt-engine/aaa/ directory.
> After that you can remove the CA file and keep just the jks file.
Re: [ovirt-users] Fwd: ovirt-engine-extension-aaa-ldap active directory
You can download it just temporarily, for example to /tmp. Then aaa-setup-tool will create the jks file in the /etc/ovirt-engine/aaa/ directory. After that you can remove the CA file and keep just the jks file.

On Wed, Oct 11, 2017 at 2:37 PM, nicola gentile wrote:
> Yes, I created it by aaa-setup tool.
> I noticed that the CA certificate was expired, then I downloaded the new
> certificate and I ran aaa-setup tool.
>
> Is there a specific place to put the CA certificate file? I put it in root's home.
>
> Thanks a lot
>
> Nick
Re: [ovirt-users] Fwd: ovirt-engine-extension-aaa-ldap active directory
Yes, I created it by aaa-setup tool.
I noticed that the CA certificate was expired, then I downloaded the new certificate and I ran aaa-setup tool.

Is there a specific place to put the CA certificate file? I put it in root's home.

Thanks a lot

Nick

2017-10-11 14:18 GMT+02:00 Ondra Machacek:
> It fails on SSL handshake:
> sun.security.validator.ValidatorException: No trusted certificate found
>
> How did you create the 'polito.it.jks' file? By aaa-setup tool?
> Are you sure you've entered the correct CA certificate there?
Re: [ovirt-users] Fwd: ovirt-engine-extension-aaa-ldap active directory
It fails on SSL handshake:
sun.security.validator.ValidatorException: No trusted certificate found

How did you create the 'polito.it.jks' file? By aaa-setup tool?
Are you sure you've entered the correct CA certificate there?

On Wed, Oct 11, 2017 at 1:30 PM, nicola gentile wrote:
> 2017-10-11 10:11 GMT+02:00 nicola gentile:
>> Hi Martin,
>> I attach the aaa.log you suggested
>>
>> Nick
>>
>> 2017-10-10 20:41 GMT+02:00 Martin Perina:
>>> Hi,
>>>
>>> most probably you are affected by [1], so could you please check
>>> certificates on all your AD servers?
>>> You can verify using the following command:
>>>
>>> ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --user-name= --profile=
>>>
>>> Thanks
>>>
>>> Martin
>>>
>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465463
>>>
>>> On Tue, Oct 10, 2017 at 6:13 PM, Luca 'remix_tj' Lorenzetto wrote:
>>>> On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile wrote:
>>>>> I ran the command you suggested
>>>>> ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it -W -x sAMAccountName=user_to_search userPrincipalName | grep userPrincipalName
>>>>>
>>>>> This is the result:
>>>>>
>>>>> Enter LDAP Password:
>>>>> # requesting: userPrincipalName
>>>>>
>>>> Supposing you're using all the right parameters in the ldapsearch command,
>>>> it seems that the user you were looking up is not a valid user in that
>>>> directory server.
>>>>
>>>> Please check with someone that can access AD and verify the status
>>>> of the user with ADSI Edit.
>>>>
>>>> Luca
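Added example, not part of this thread and not code from oVirt or its aaa-ldap setup tool: a POSIX shell script that does the checks the thread circles around before the CA file is handed to the setup tool. It converts the DER export from `certutil -ca.cert` to PEM (Ondra's steps 2 to 4), confirms the file really is a CA certificate and is not about to expire (an expired CA is exactly what produces "No trusted certificate found" at the SSL handshake), and optionally confirms that each domain controller's LDAPS certificate chains to that CA (Martin's "check certificates on all your AD servers"). It assumes the OpenSSL command-line tool is installed; the file paths, the 30-day margin and the host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from oVirt: pre-flight checks for the
# CA file before running the aaa-ldap setup tool. Assumes the OpenSSL CLI.
# Paths, hosts and the 30-day margin below are placeholders.
set -eu

# Convert a certificate file to PEM. Accepts the DER file written by
# "certutil -ca.cert ca.der" on the DC, or an already-PEM file (passed through).
to_pem() {
    in="$1"; out="$2"
    if ! openssl x509 -in "$in" -inform DER -out "$out" 2>/dev/null; then
        openssl x509 -in "$in" -inform PEM -out "$out"
    fi
}

# Check that a PEM file is a CA certificate and stays valid for at least
# $2 seconds (default 30 days). Returns 1 and says why on failure; on success
# prints subject, issuer and expiry so the operator can compare them with
# what the domain controllers actually present.
check_ca() {
    pem="$1"; min_secs="${2:-2592000}"
    if ! openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE'; then
        echo "REJECT: $pem is not a CA certificate (no basicConstraints CA:TRUE)" >&2
        return 1
    fi
    # -checkend exits 1 when the certificate expires within the given window.
    if ! openssl x509 -in "$pem" -noout -checkend "$min_secs" >/dev/null; then
        echo "REJECT: $pem expires within $min_secs seconds; an expired CA gives 'No trusted certificate found'" >&2
        return 1
    fi
    openssl x509 -in "$pem" -noout -subject -issuer -enddate
}

# Verify that the LDAPS certificate presented by one AD server chains to the CA.
# Run it once per domain controller. Needs network access to port 636.
verify_ldaps() {
    host="$1"; ca="$2"
    openssl s_client -connect "$host:636" -servername "$host" -CAfile "$ca" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage: sh ca_preflight.sh /tmp/ca.der [dc1.example.test dc2.example.test ...]
if [ $# -ge 1 ]; then
    to_pem "$1" /tmp/ca.crt
    check_ca /tmp/ca.crt
    shift
    for dc in "$@"; do
        if verify_ldaps "$dc" /tmp/ca.crt; then
            echo "OK: $dc chains to /tmp/ca.crt"
        else
            echo "FAIL: $dc does not verify against /tmp/ca.crt" >&2
        fi
    done
fi
```

If `check_ca` rejects the file, re-export the CA from the domain controller rather than re-running the setup tool: the jks file it writes into /etc/ovirt-engine/aaa/ only ever contains the trust anchor you gave it, so a wrong or expired anchor fails at the handshake exactly as in the log above. If `check_ca` passes but `verify_ldaps` fails for one controller, that controller is serving a certificate issued by a different CA, which is the per-server check Martin asked for.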