[ovirt-users] Active Directory authentication setup
Todd Punderson
todd at doonga.org
Mon Jul 17 15:53:50 UTC 2017
Sorry to reply to myself, but I figured it out. Putting this here for documentation in case anyone ever runs into this as it was absolutely horrible to troubleshoot.
I had this set: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1 (I think that's by default) That caused the CA to issue certs with RSASSA-PSS (1.2.840.113549.1.1.10) algorithm on them instead of sha256RSA. So I changed that registry value to a 0 as well as my CAPolicy.inf file and reissued my Root and Sub CA certs. Then refreshed the DC certs, loaded the new Root/Sub CAs in CentOS and it started working.
I actually figured it out from a bug report for Firefox here: https://support.mozilla.org/en-US/questions/986085
Either way it's working now. That drove me nuts for 2+ days.
Thank you anyway for your assistance!
________________________________
From: users-bounces at ovirt.org <users-bounces at ovirt.org> on behalf of Todd Punderson <todd at doonga.org>
Sent: Monday, July 17, 2017 9:05:12 AM
To: Ondra Machacek
Cc: users at ovirt.org
Subject: Re: [ovirt-users] Active Directory authentication setup
Hi,
Agreed on the certificate issue, I fought with it all weekend! Here's the output of those commands:
ldap_url_parse_ext(ldaps://DC3.home.doonga.org)
ldap_create
ldap_url_parse_ext(ldaps://DC3.home.doonga.org:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP DC3.home.doonga.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.16.10.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [(null)] is not valid - error -8182:Peer's certificate has an invalid signature..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8174
TLS: can't connect: TLS error -8174:security library: bad database..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I tried digging into this one. I'm very sure the peer doesn't have an invalid signature, I tested the certificate chain with openssl successfully, I'm guessing that error is related to the "bad database". I couldn't quite figure out that part of the error though.
I have an offline root and online issuing CA, here's those certs. I loaded both of these to the system CA trust.
[root at ovirt-engine ~]# openssl x509 -in /root/root.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1a:01:7c:fc:bf:77:9c:95:4e:13:7d:bf:36:a8:be:5b
Signature Algorithm: rsassaPss
Hash Algorithm: sha256
Mask Algorithm: mgf1 with sha256
Salt Length: 20
Trailer Field: 0xbc (default)
Issuer: CN=Doonga.Org Root CA
Validity
Not Before: Jul 13 01:15:39 2017 GMT
Not After : Jul 13 01:25:39 2037 GMT
Subject: CN=Doonga.Org Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ac:ad:1e:3a:9c:08:76:7f:eb:83:ea:d9:f6:4b:
d3:4b:88:45:bb:50:b1:3b:a6:b9:a0:22:d4:94:a5:
b4:6a:32:39:cd:3b:5e:83:c1:1e:de:cb:0e:da:73:
e2:3a:df:f0:97:a2:72:b1:35:cf:bd:a3:a7:e5:dc:
67:ac:38:82:e8:a2:31:21:ab:cf:19:6d:a5:7d:44:
5e:f3:dd:76:d1:02:8b:cf:3b:25:ce:c0:7a:4b:0d:
ae:bb:d5:02:06:8b:0b:33:75:5a:81:1b:c1:53:52:
45:44:65:49:35:08:d7:0c:35:15:bf:6b:1e:82:49:
d2:de:ce:4b:0b:1b:6c:02:97:af:86:0c:ce:78:6f:
4f:dd:fe:9e:13:e7:43:94:53:df:76:91:8a:df:88:
4c:0b:0e:a6:6b:ef:7a:2f:ff:cc:ad:a5:36:fd:8f:
ad:44:e5:93:b3:4b:cb:43:c9:28:9d:21:86:7c:c5:
72:91:0b:a8:d5:36:f2:14:bf:df:58:27:a9:4b:04:
de:f1:89:aa:c0:27:ba:81:c9:0c:08:f7:08:f9:f3:
05:d1:d7:26:45:80:9c:d6:da:98:0c:d9:b8:44:e2:
aa:4f:32:2d:7b:5f:1a:14:ac:34:52:76:20:2d:cb:
6d:8e:d5:87:80:b2:d4:2f:0f:77:13:51:92:bb:f3:
07:75
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07
1.3.6.1.4.1.311.21.1:
...
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.37476.9000.53
User Notice:
Explicit Text:
CPS: http://www.doonga.org/pki/cps.txt
Signature Algorithm: rsassaPss
Hash Algorithm: sha256
Mask Algorithm: mgf1 with sha256
Salt Length: 20
Trailer Field: 0xbc (default)
56:06:7e:bb:f4:c1:29:a1:05:27:8b:66:e0:23:17:56:ac:de:
4c:65:0d:1e:97:d4:c6:71:75:a8:79:80:dd:b7:b7:08:b2:12:
af:d7:cb:c9:99:80:7b:47:02:9e:6c:fc:83:5e:ae:4d:46:ce:
3b:3c:f4:fe:e6:4c:66:d7:6d:2e:de:6a:31:0f:fb:ef:2b:d4:
5a:3c:3c:a9:1e:c1:39:a4:0f:3d:9b:23:5c:94:16:9a:6f:9b:
e0:01:33:49:f8:d3:f1:b5:9c:33:f4:23:ca:88:94:5d:bd:65:
94:55:ad:90:72:57:78:8e:88:bc:40:81:ff:68:d3:5f:63:48:
ae:d9:96:b4:44:b0:ed:51:e2:01:36:ad:97:2c:64:a0:17:5e:
c5:47:e1:2f:60:f5:5a:fd:09:21:08:be:1d:6b:5a:71:d4:25:
ea:e1:2b:1a:95:2e:aa:03:a8:91:7f:cf:11:6d:3b:d7:ff:4b:
87:68:14:93:81:bc:64:20:14:3e:f7:99:c5:5d:fc:b9:3a:b4:
e9:78:2a:1c:35:22:86:5c:13:c6:1a:75:c2:41:54:45:7d:31:
4f:f5:a2:0f:c6:de:8f:bf:a6:ea:b9:a0:f6:b2:1c:bf:2f:84:
ee:69:76:cd:b7:34:2c:dd:f9:2d:02:62:4a:0f:8b:1e:42:11:
f8:98:ae:07
[root at ovirt-engine ~]# openssl x509 -in /root/sub.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
50:00:00:00:02:2e:ac:e2:5e:b2:d5:fc:11:00:00:00:00:00:02
Signature Algorithm: rsassaPss
Hash Algorithm: sha256
Mask Algorithm: mgf1 with sha256
Salt Length: 20
Trailer Field: 0xbc (default)
Issuer: CN=Doonga.Org Root CA
Validity
Not Before: Jul 13 02:07:35 2017 GMT
Not After : Jul 13 02:17:35 2027 GMT
Subject: DC=org, DC=doonga, DC=home, CN=Doonga.Org Issuing CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f3:1d:d4:7b:c4:49:0a:d0:8a:9d:91:52:ca:e1:
3f:f6:f6:6b:33:6e:f2:47:0b:62:fc:a4:21:48:88:
0a:50:a4:10:83:59:ab:73:e9:46:08:45:39:52:67:
d3:a2:e5:33:ef:33:3f:2a:c0:b5:f5:9c:58:26:6a:
54:00:73:66:96:f6:e0:e6:db:49:58:aa:3b:43:06:
da:d0:25:cf:cf:5b:7b:d8:93:69:12:ee:c9:c0:d1:
e0:28:c8:3e:77:b1:67:8f:e0:37:5b:26:9b:2e:df:
b0:9f:0b:6c:aa:e5:5b:31:de:65:cc:f3:ab:d1:5b:
db:8d:3e:57:bf:db:7e:bb:d2:f1:83:e3:88:21:92:
0c:22:c5:ce:a9:bc:da:99:df:f1:83:01:35:a7:52:
e9:81:01:ab:e0:ca:7a:78:b3:98:4c:1a:2c:a3:5d:
75:a5:b1:be:dc:cb:cd:1d:32:e5:36:37:3b:f1:64:
8b:f9:b2:25:f6:ad:ee:74:ab:ac:66:cd:07:67:80:
14:78:54:e6:a9:74:58:d1:9f:1d:2f:57:d5:ef:80:
73:25:de:aa:be:46:0f:70:ca:20:42:ba:73:a1:12:
70:eb:78:7d:95:9b:77:5b:b8:70:f2:a2:b9:d5:b6:
63:f0:b5:51:32:24:f4:c5:f8:6a:d3:28:bd:8e:79:
fc:89
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
21:BB:5D:9C:46:0C:B8:DE:5B:2C:B5:3D:5D:CF:D7:F2:07:2C:48:FD
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.37476.9000.53
User Notice:
Explicit Text:
CPS: http://www.doonga.org/pki/cps.txt
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.doonga.org/pki/Doonga.Org%20Root%20CA.crl
Authority Information Access:
CA Issuers - URI:http://www.doonga.org/pki/CAROOT_Doonga.Org%20Root%20CA.crt
Signature Algorithm: rsassaPss
Hash Algorithm: sha256
Mask Algorithm: mgf1 with sha256
Salt Length: 20
Trailer Field: 0xbc (default)
70:f2:32:da:17:22:40:4a:e7:20:12:44:99:62:82:d7:97:e8:
48:c6:d4:34:71:d7:58:03:ef:5b:b4:db:74:9a:81:51:7c:6f:
f4:2c:c1:7a:cc:84:28:61:8d:10:d1:3c:da:1c:28:26:1c:e6:
5e:85:6d:84:93:30:12:4c:8f:a7:5d:4c:8f:e0:e8:75:99:62:
6b:ef:f3:82:10:fa:da:6d:3f:2d:3b:eb:61:ff:fc:4c:2b:55:
cb:29:f6:10:0c:35:7f:b6:ff:4a:b1:e8:a5:6a:3d:ad:fe:cd:
57:6f:c9:99:c5:41:2d:29:90:c8:7c:83:03:4f:e1:36:e1:f9:
24:78:cb:d8:46:19:bf:1a:a8:a8:e1:94:2f:2a:67:43:a3:1c:
ce:22:7e:9a:47:49:a6:e9:35:30:77:35:9c:01:3a:41:bd:71:
17:11:b8:f4:42:a9:25:b7:7b:6a:7b:8f:c1:cc:1a:03:d0:47:
bb:1e:4f:39:ff:97:cb:38:c5:19:c4:f2:dd:de:16:cd:64:ad:
6f:2a:1f:21:09:62:dc:28:2a:cb:d9:3e:dd:7e:b0:6e:86:f5:
16:0f:5b:6e:df:4a:dc:e6:f9:2c:4b:aa:aa:71:5c:ba:4f:cc:
1e:c4:bf:de:ff:56:c9:28:13:23:e2:d5:ef:4f:68:86:96:52:
fa:d8:9c:31
I'm definitely sure that I have the correct CA certs loaded. I tried removing them and I got an invalid CA error. When they are in place I get the error I'm asking about. So I'm sure it's reading the CA certificates properly.
Thanks very much for your help!
Todd
________________________________
From: Ondra Machacek <omachace at redhat.com>
Sent: Monday, July 17, 2017 3:34:49 AM
To: Todd Punderson
Cc: users at ovirt.org
Subject: Re: [ovirt-users] Active Directory authentication setup
This is most probably certificate issue.
Can you please share output of following command:
$ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b ''
And also the output of following command:
$ openssl x509 -in /path/to/your/active_diretory_ca.pem -text -noout
Are you sure you added a proper CA cert to your system?
On Sun, Jul 16, 2017 at 1:04 AM, Todd Punderson <todd at doonga.org> wrote:
> Hi,
>
> I’ve been pulling my hair out over this one. Here’s the
> output of ovirt-engine-extension-aaa-ldap-setup. Everything works fine if I
> use “plain” but I don’t really want to do that. I searched the error that’s
> shown below and tried several different “fixes” but none of them helped.
> These are Server 2016 DCs. Not too sure where to go next.
>
>
>
> [ INFO ] Stage: Initializing
>
> [ INFO ] Stage: Environment setup
>
> Configuration files:
> ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
>
> Log file:
> /tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log
>
> Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
>
> [ INFO ] Stage: Environment packages setup
>
> [ INFO ] Stage: Programs detection
>
> [ INFO ] Stage: Environment customization
>
> Welcome to LDAP extension configuration program
>
> Available LDAP implementations:
>
> 1 - 389ds
>
> 2 - 389ds RFC-2307 Schema
>
> 3 - Active Directory
>
> 4 - IBM Security Directory Server
>
> 5 - IBM Security Directory Server RFC-2307 Schema
>
> 6 - IPA
>
> 7 - Novell eDirectory RFC-2307 Schema
>
> 8 - OpenLDAP RFC-2307 Schema
>
> 9 - OpenLDAP Standard Schema
>
> 10 - Oracle Unified Directory RFC-2307 Schema
>
> 11 - RFC-2307 Schema (Generic)
>
> 12 - RHDS
>
> 13 - RHDS RFC-2307 Schema
>
> 14 - iPlanet
>
> Please select: 3
>
> Please enter Active Directory Forest name: home.doonga.org
>
> [ INFO ] Resolving Global Catalog SRV record for home.doonga.org
>
> [ INFO ] Resolving LDAP SRV record for home.doonga.org
>
> NOTE:
>
> It is highly recommended to use secure protocol to access the LDAP
> server.
>
> Protocol startTLS is the standard recommended method to do so.
>
> Only in cases in which the startTLS is not supported, fallback to
> non standard ldaps protocol.
>
> Use plain for test environments only.
>
> Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
> ldaps
>
> Please select method to obtain PEM encoded CA certificate (File,
> URL, Inline, System, Insecure): System
>
> [ INFO ] Resolving SRV record 'home.doonga.org'
>
> [ INFO ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'
>
> [WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info':
> 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact
> LDAP server"}
>
> [ INFO ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'
>
> [WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info':
> 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact
> LDAP server"}
>
> [ INFO ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'
>
> [WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info':
> 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact
> LDAP server"}
>
> [ ERROR ] Cannot connect using any of available options
>
>
>
> Also:
>
> 2017-07-15 18:18:06 INFO
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:391 Connecting to LDAP using
> 'ldap://DC2.home.doonga.org:389'
>
> 2017-07-15 18:18:06 INFO
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:442 Executing startTLS
>
> 2017-07-15 18:18:06 DEBUG
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:459 Exception
>
> Traceback (most recent call last):
>
> File
> "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
> line 443, in _connectLDAP
>
> c.start_tls_s()
>
> File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in
> start_tls_s
>
> return self._ldap_call(self._l.start_tls_s)
>
> File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in
> _ldap_call
>
> result = func(*args,**kwargs)
>
> CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.',
> 'desc': 'Connect error'}
>
> 2017-07-15 18:18:06 WARNING
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:463 Cannot connect using
> 'ldap://DC2.home.doonga.org:389': {'info': 'TLS error -8157:Certificate
> extension not found.', 'desc': 'Connect error'}
>
> 2017-07-15 18:18:06 INFO
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:391 Connecting to LDAP using
> 'ldap://DC3.home.doonga.org:389'
>
> 2017-07-15 18:18:06 INFO
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:442 Executing startTLS
>
> 2017-07-15 18:18:06 DEBUG
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:459 Exception
>
> Traceback (most recent call last):
>
> File
> "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
> line 443, in _connectLDAP
>
> c.start_tls_s()
>
> File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in
> start_tls_s
>
> return self._ldap_call(self._l.start_tls_s)
>
> File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in
> _ldap_call
>
> result = func(*args,**kwargs)
>
> CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.',
> 'desc': 'Connect error'}
>
>
>
> Any help would be appreciated!
>
> Thanks
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170717/2156a09d/attachment-0001.html>
More information about the Users
mailing list