On 10/12/2016 03:31 PM, cmc wrote:
Hi Ondra, It's not, but you need to use insecure connection then (you need to have following line in /etc/ovirt-engine/aaa/domain.properties): pool.default.ssl.insecure = true I ended up generating a cert on one of the AD machines, copying it to the host, and then specified it in the setup process via ovirt-engine-extension-aaa-ldap-setup. It seems to create a .jks file. It still gave me the same 'peer not authenticated' so I checked the krb5.keytab and saw that there was no SPN for http, so I rejoined the domain and specified http as a service name via adcli, and then things worked. So double check that, and if it still won't work, the logs from ovirt-engine-extensions-tool would help, you can generate them as follows: $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa .... Do I need to set up Apache separately to use LDAP auth? The service principals exist in the krb5.keytab, but I don't if that is only if you are using SSO. Yes, that's only if you use SSO. If you use plain LDAP simple bind, you don't need anything related to kerberos. I think I was under the impression that you needed to join the domain in order to auth via AD. However, I've now seen one HOWTO that says that you just need the cert from AD to be able to auth securely though I'm not entirely clear whether that works for Apache. Is that correct - Kerberos, binding etc is not needed for the oVirt web interface to auth securely?
Yes, you really do not need anything kerberos related to securely bind to AD via LDAP simple bind over TLS/SSL. This is really strange to me what errors you are getting, but you probably configured apache (or something else?) to require keytab, but you don't have to, and you can remove that configuration.
Thanks, Cam Thanks, Cam _______________________________________________ Users mailing list Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> http://lists.ovirt.org/mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users> <http://lists.ovirt.org/mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>>
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users