> Default password is 'changeit' (without quotes).
> Hmm, can you please try to use the .jks file generated by aaa-ldap-setup
> tool? Just to be sure.

I still have the same error with the default jks.

> Anyway, the strange thing is that aaa-ldap-setup tool passes, but
> extension doesn't work later.
> My guess is that it could be unsupported TLS version.
> Can you please try running:
>
>   LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H ldap://myserver.com -x -D 'CN=Something,DC=myserver,DC=come' -w 'mypaswd' -b 'CN=users,DC=something,DC=com'
>
> and
>
>   LDAPTLS_PROTOCOL_MIN=3.2 LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H ldap://myserver.com -x -D 'CN=Something,DC=myserver,DC=come' -w 'mypaswd' -b 'CN=users,DC=something,DC=com'
>
> Do both commands succeed?

Yes, they both succeed.

> If the latter one doesn't work then probably your AD doesn't accept TLSv1.
> You can change it by these configuration options:
>
>   pool.default.ssl.startTLSProtocol=TLSv1
>
> to secure:
>
>   pool.default.ssl.startTLSProtocol=TLSv1.2
>
> or:
>
>   pool.default.ssl.startTLSProtocol=SSLv3
>
> But, you should use TLSv1.2.
> If none of this is true, then I would try to enable insecure connection:
>
>   pool.default.ssl.insecure = true

I still get the same SSL error with all these options (even insecure).

> If it will work, then the problem is most probably with certificate.
> If it won't work, then the problem is most probably with startTLS
> configuration on AD side.

So, do you think it's startTLS on AD side?

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
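The thread leaves open whether the failure is the server refusing StartTLS, an untrusted CA, or a TLS version the AD will not negotiate. The following probe, an added example that is not from the thread or from the oVirt aaa-ldap extension, performs the LDAP StartTLS exchange by hand (RFC 4511 extended operation, BER-encoded) and then the TLS handshake with an explicit CA file and minimum version, so each of those three failures is reported separately; `host`, `cafile` and `min_version` are whatever you would pass to `ldapsearch` via `LDAPTLS_CACERT` and `LDAPTLS_PROTOCOL_MIN`.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def ber_tlv(tag, value):  # BER TLV; every length here is < 128, so short form suffices
    return bytes([tag, len(value)]) + value

def read_tlv(buf):  # decode one BER TLV (short or long-form length) -> (tag, value, rest)
    tag, first = buf[0], buf[1]
    if first < 0x80:
        n, start = first, 2
    else:
        k = first & 0x7F
        n, start = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[start:start + n], buf[start + n:]

def starttls_request(msg_id=1):
    # LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))  # 0x77 = APPLICATION 23, constructed
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext)

def parse_extended_response(resp):
    # ExtendedResponse [APPLICATION 24] { resultCode, matchedDN, diagnosticMessage, ... }
    _, msg, _ = read_tlv(resp)          # outer LDAPMessage SEQUENCE
    _, _, rest = read_tlv(msg)          # messageID INTEGER
    tag, op, _ = read_tlv(rest)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, code, rest = read_tlv(op)        # resultCode ENUMERATED
    _, _, rest = read_tlv(rest)         # matchedDN
    _, diag, _ = read_tlv(rest)         # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def probe_starttls(host, port=389, cafile=None, min_version=ssl.TLSVersion.TLSv1_2):
    # Tells 'server refuses StartTLS' apart from 'CA not trusted' and 'TLS version mismatch'.
    sock = socket.create_connection((host, port), timeout=10)
    sock.sendall(starttls_request())
    code, diag = parse_extended_response(sock.recv(4096))
    if code != 0:
        return "server refused StartTLS (resultCode %d: %s): check the AD side" % (code, diag)
    ctx = ssl.create_default_context(cafile=cafile)  # cafile plays the role of LDAPTLS_CACERT
    ctx.minimum_version = min_version                # plays the role of LDAPTLS_PROTOCOL_MIN
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except ssl.SSLCertVerificationError as e:
        return "certificate problem: %s" % e.verify_message
    except ssl.SSLError as e:
        return "TLS handshake failed (%s): likely protocol or cipher mismatch" % e.reason
    return "StartTLS OK, negotiated %s" % tls.version()
```

Run `probe_starttls("myserver.com", cafile="/somewhere/myca.pem")` once per candidate minimum version; a refusal before the handshake points at StartTLS on the directory side, a verification error at the trust store, and a bare handshake failure at the protocol version.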