On 10/12/2016 03:31 PM, cmc wrote:

Hi Ondra,

    It's not, but you need to use insecure connection then (you need to
    have following line in /etc/ovirt-engine/aaa/domain.properties):

     pool.default.ssl.insecure = true


I ended up generating a cert on one of the AD machines, copying it to
the host, and then specified it in the setup process via
ovirt-engine-extension-aaa-ldap-setup.
It seems to create a .jks file. It still gave me the same 'peer not
authenticated' so I checked the krb5.keytab and saw that there was no
SPN for http, so I rejoined the domain and specified http as a service
name via adcli, and then things worked.



    So double check that, and if it still won't work, the logs from
    ovirt-engine-extensions-tool would help, you can generate them as
    follows:

     $ ovirt-engine-extensions-tool --log-level=FINEST
    --log-file=/tmp/aaa.log aaa ....


        Do I need to set up Apache separately to use LDAP auth? The service
        principals exist in the krb5.keytab, but I don't know if that is only
        if you are using SSO.


    Yes, that's only if you use SSO. If you use plain LDAP simple bind, you
    don't need anything related to kerberos.


I think I was under the impression that you needed to join the domain in
order to auth via AD. However, I've now seen one HOWTO that says that
you just need the cert from AD to be able to auth securely though I'm
not entirely clear whether that works for Apache. Is that correct -
Kerberos, binding etc is not needed for the oVirt web interface to auth
securely?

Yes, you really do not need anything kerberos related to securely bind
to AD via LDAP simple bind over TLS/SSL. This is really strange to me
what errors you are getting, but you probably configured apache (or
something else?) to require keytab, but you don't have to, and you can
remove that configuration.


Thanks,

Cam




        Thanks,

        Cam

        _______________________________________________
        Users mailing list
        Users@ovirt.org
        http://lists.ovirt.org/mailman/listinfo/users



_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
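The thread above contrasts two ways of making the LDAP simple bind work: switching certificate verification off with `pool.default.ssl.insecure = true`, or trusting the AD certificate through a .jks truststore as the setup tool does. The following is an added example, not code from the thread or from the oVirt project: a small POSIX sh audit helper that reads an aaa-ldap profile and flags the insecure setting or a missing truststore, run against two constructed sample profiles. The property keys (`pool.default.ssl.startTLS`, `pool.default.ssl.truststore.file`, `pool.default.ssl.truststore.password`, `pool.default.serverset.*`) follow ovirt-engine-extension-aaa-ldap profiles as I know them; the function names, the sample values and the `example.com` domain are my own.

```shell
#!/bin/sh
# Hypothetical audit helper (not part of oVirt): inspect an
# ovirt-engine-extension-aaa-ldap profile in /etc/ovirt-engine/aaa/
# and report whether TLS server-certificate verification is effectively
# switched off. Exit status 0 = trust settings look sane, 1 = weak.

aaa_profile_get() {
    # Print the value of key $2 (a sed-escaped pattern) in properties
    # file $1. Comment lines never match; the last occurrence wins.
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

audit_aaa_profile() {
    file=$1
    insecure=$(aaa_profile_get "$file" 'pool\.default\.ssl\.insecure')
    truststore=$(aaa_profile_get "$file" 'pool\.default\.ssl\.truststore\.file')
    status=0
    if [ "$insecure" = "true" ]; then
        # This is the setting the thread mentions: the bind still goes over
        # TLS, but the peer certificate is no longer checked.
        echo "$file: pool.default.ssl.insecure = true disables certificate verification" >&2
        status=1
    fi
    if [ -z "$truststore" ]; then
        echo "$file: no pool.default.ssl.truststore.file, so the AD CA cannot be trusted" >&2
        status=1
    fi
    return $status
}

# Constructed sample profiles for the demonstration.
tmpdir=$(mktemp -d)

cat > "$tmpdir/weak.properties" <<'EOF'
# constructed sample: verification switched off
include = <ad.properties>
vars.domain = example.com
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true
EOF

# The corrected profile expects a JKS holding the AD CA certificate.
# One way to build it (assumed keytool invocation, shown only as a comment):
#   keytool -importcert -noprompt -trustcacerts -alias ad-root-ca \
#           -file ad-root-ca.pem -keystore example.com.jks -storepass changeit
cat > "$tmpdir/strong.properties" <<'EOF'
# constructed sample: AD CA imported into a truststore, verification on
include = <ad.properties>
vars.domain = example.com
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = ${local:_basedir}/example.com.jks
pool.default.ssl.truststore.password = changeit
EOF

# Stand-alone run: the weak profile is reported, the strong one passes.
audit_aaa_profile "$tmpdir/weak.properties"; echo "weak.properties exit status: $?"
audit_aaa_profile "$tmpdir/strong.properties"; echo "strong.properties exit status: $?"
```

Run it against every profile under /etc/ovirt-engine/aaa/ after the setup tool has finished; a non-zero status means the engine would accept any certificate the LDAP server presents, which is the situation the `peer not authenticated` error is protecting against.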
