Hi Ondra,

It's not, but you need to use insecure connection then (you need to have
> following line in /etc/ovirt-engine/aaa/domain.properties):
>
>  pool.default.ssl.insecure = true
>

I ended up generating a cert on one of the AD machines, copying it to the
host, and then specified it in the setup process via
ovirt-engine-extension-aaa-ldap-setup.
It seems to create a .jks file. It still gave me the same 'peer not
authenticated' so I checked the krb5.keytab and saw that there was no SPN
for http, so I rejoined the domain and specified http as a service name via
adcli, and then things worked.


>
> So double check that, and if it still won't work, the logs from
> ovirt-engine-extensions-tool would help, you can generate them as follows:
>
>  $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log
> aaa ....
>
>
>> Do I need to set up Apache separately to use LDAP auth? The service
>> principals exist in the krb5.keytab, but I don't if that is only if you
>> are using SSO.
>>
>
> Yes, that's only if you use SSO. If you use plain LDAP simple bind, you
> don't need anything related to kerberos.
>

I think I was under the impression that you needed to join the domain in
order to auth via AD. However, I've now seen one HOWTO that says that you
just need the cert from AD to be able to auth securely though I'm not
entirely clear whether that works for Apache. Is that correct - Kerberos,
binding etc is not needed for the oVirt web interface to auth securely?

Thanks,

Cam


>
>
>> Thanks,
>>
>> Cam
>>
>> _______________________________________________
>>
>>         Users mailing list
>>         Users@ovirt.org <mailto:Users@ovirt.org>
>>         http://lists.ovirt.org/mailman/listinfo/users
>>         <http://lists.ovirt.org/mailman/listinfo/users>
>>
>>
>>
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Reply via email to