Summary: Over the legacy ldaps protocol (TLS from the first byte, port 636) the server returned the certificate the user expected. Over StartTLS it returned a different, self-signed certificate. The two interfaces therefore presented two different identities where a single identity should have been returned.
----- Original Message -----
> From: "Alon Bar-Lev" <alo...@redhat.com>
> To: "Steve Dainard" <sdain...@spd1.com>
> Cc: "users" <users@ovirt.org>
> Sent: Wednesday, October 7, 2015 12:01:59 AM
> Subject: Re: [ovirt-users] LDAP authentication with TLS
>
> Hi,
>
> Can you please send me the profile, the keystore you created and the output
> of:
>
> openssl s_client -connect server:636 -showcerts < /dev/null
>
> Thanks!
>
> ----- Original Message -----
> > From: "Steve Dainard" <sdain...@spd1.com>
> > To: "users" <users@ovirt.org>
> > Sent: Tuesday, October 6, 2015 11:50:41 PM
> > Subject: [ovirt-users] LDAP authentication with TLS
> >
> > Hello,
> >
> > Trying to configure Ovirt 3.5.3.1-1.el7.centos for LDAP authentication.
> >
> > I've configured the appropriate aaa profile but I'm getting TLS errors
> > when I search for users to add via ovirt:
> >
> > The connection reader was unable to successfully complete TLS
> > negotiation: javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: No trusted certificate
> > found caused by sun.security.validator.ValidatorException: No trusted
> > certificate found
> >
> > I added the external CA certificate using keytool as per
> > https://github.com/oVirt/ovirt-engine-extension-aaa-ldap with
> > appropriate adjustments of course:
> >
> > keytool -importcert -noprompt -trustcacerts -alias myrootca \
> >   -file myrootca.pem -keystore myrootca.jks -storepass changeit
> >
> > I know this certificate works, and can connect to LDAP with TLS as I'm
> > using the same LDAP configuration/certificate with SSSD.
> >
> > Can anyone clarify whether I should be adding the external CA
> > certificate or the LDAP host certificate with keytool, or any other
> > suggestions?
> >
> > Thanks,
> > Steve
> > _______________________________________________
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
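The summary above describes a server that presents one certificate on the legacy ldaps port and a different, self-signed one after StartTLS. The script below is an added example written for this page; it is not code from the thread, from oVirt or from ovirt-engine-extension-aaa-ldap. It hand-encodes the LDAP StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.14), upgrades the plain connection, and compares the SHA-256 fingerprint of the leaf certificate with the one presented on port 636, which is the side the openssl s_client command Alon asked for shows. The default host name ldap.example.com and the port numbers are assumptions. Certificate verification is switched off on purpose so that a self-signed certificate is observed rather than rejected; the output therefore tells you what the server sent, not whether it is trusted.

```python
"""Compare the leaf certificate an LDAP server presents over legacy ldaps (TLS
from the first byte, port 636) with the one it presents after a StartTLS upgrade
on port 389.  Added example for this thread, not oVirt code; host and ports are assumptions."""
import hashlib, socket, ssl, sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511, section 4.14

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }.
    message_id must stay below 128 for the one-octet INTEGER used here."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))  # 0x77 = 0x60 | 23, constructed
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext_req)

def parse_extended_response(data: bytes) -> dict:
    """Decode an ExtendedResponse [APPLICATION 24]; anything else raises ValueError."""
    outer, msg, _ = read_tlv(data)
    tag, mid, pos = read_tlv(msg)
    op, body, _ = read_tlv(msg, pos)
    if outer != 0x30 or tag != 0x02 or op != 0x78:  # 0x78 = 0x60 | 24
        raise ValueError("not an LDAPMessage carrying an ExtendedResponse")
    _, code, pos = read_tlv(body)            # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(body, pos)  # matchedDN, unused here
    _, diag, _ = read_tlv(body, pos)         # diagnosticMessage
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form 'openssl x509' prints."""
    return ":".join("%02X" % b for b in hashlib.sha256(der).digest())

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def _recv_ber_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage (short or long-form length)."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)

def _observe_only_wrap(raw: socket.socket, host: str) -> ssl.SSLSocket:
    # Verification deliberately off: the goal is to see what the server sends,
    # including a self-signed certificate that a trust check would reject.
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    return ctx.wrap_socket(raw, server_hostname=host)

def fetch_ldaps_cert(host: str, port: int = 636) -> bytes:
    """DER leaf certificate presented on the legacy ldaps port."""
    with socket.create_connection((host, port), timeout=10) as raw:
        return _observe_only_wrap(raw, host).getpeercert(binary_form=True)

def fetch_starttls_cert(host: str, port: int = 389) -> bytes:
    """DER leaf certificate presented after the StartTLS extended operation."""
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(build_starttls_request(1))
        resp = parse_extended_response(_recv_ber_message(raw))
        if resp["result_code"] != 0:
            raise RuntimeError("StartTLS refused: %(result_code)d %(diagnostic)s" % resp)
        return _observe_only_wrap(raw, host).getpeercert(binary_form=True)

def compare_interfaces(host: str) -> bool:
    fp_ldaps = fingerprint(fetch_ldaps_cert(host))
    fp_starttls = fingerprint(fetch_starttls_cert(host))
    print("ldaps/636    :", fp_ldaps)
    print("StartTLS/389 :", fp_starttls)
    return fp_ldaps == fp_starttls

if __name__ == "__main__":
    # ldap.example.com is a hypothetical default; pass the server from the aaa profile.
    sys.exit(0 if compare_interfaces(sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com") else 1)
```

Run it with the LDAP server from the aaa profile as the only argument; exit status 1 means the two interfaces presented different leaf certificates, which is the situation the summary describes and explains why a trust store holding only the external CA works for one interface and fails for the other. With OpenSSL 1.1.0 or later, openssl s_client -connect server:389 -starttls ldap -showcerts gives the same view of the StartTLS side from the command line.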