Hi,
Agreed on the certificate issue, I fought with it all weekend! Here's the output of those commands:
ldap_url_parse_ext(ldaps://DC3.home.doonga.org)
ldap_create
ldap_url_parse_ext(ldaps://DC3.home.doonga.org:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP DC3.home.doonga.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.16.10.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [(null)] is not valid - error -8182:Peer's certificate has an invalid signature..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8174
TLS: can't connect: TLS error -8174:security library: bad database..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I tried digging into this one. I'm very sure the peer doesn't have an invalid signature; I tested the certificate chain with openssl successfully. I'm guessing that error is related to the "bad database". I couldn't quite figure out that part of the error though.
I have an offline root and online issuing CA, here's those certs. I loaded both of these to the system CA trust.
[root@ovirt-engine ~]# openssl x509 -in /root/root.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1a:01:7c:fc:bf:77:9c:95:4e:13:7d:bf:36:a8:be:5b
Signature Algorithm: rsassaPss
Hash Algorithm: sha256
Mask Algorithm: mgf1 with sha256
Salt Length: 20
Trailer Field: 0xbc (default)
Issuer:
CN=Doonga.Org Root CA
Validity
Not Before: Jul 13 01:15:39 2017 GMT
Not After : Jul 13 01:25:39 2037 GMT
Subject:
CN=Doonga.Org Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07
1.3.6.1.4.1.311.21.1:
...
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.37476.9000.53
User Notice:
Explicit Text:
CPS:
http://www.doonga.org/pki/cps.txt
Signature Algorithm: rsassaPss
Hash Algorithm: sha256
Mask Algorithm: mgf1 with sha256
Salt Length: 20
Trailer Field: 0xbc (default)
[root@ovirt-engine ~]# openssl x509 -in /root/sub.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
50:00:00:00:02:2e:ac:e2:5e:b2:d5:fc:11:00:00:00:00:00:02
Signature Algorithm: rsassaPss
Hash Algorithm: sha256
Mask Algorithm: mgf1 with sha256
Salt Length: 20
Trailer Field: 0xbc (default)
Issuer:
CN=Doonga.Org Root CA
Validity
Not Before: Jul 13 02:07:35 2017 GMT
Not After : Jul 13 02:17:35 2027 GMT
Subject: DC=org, DC=doonga, DC=home, CN=Doonga.Org Issuing CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
21:BB:5D:9C:46:0C:B8:DE:5B:2C:B5:3D:5D:CF:D7:F2:07:2C:48:FD
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.37476.9000.53
User Notice:
Explicit Text:
CPS:
http://www.doonga.org/pki/cps.txt
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.doonga.org/pki/Doonga.Org%20Root%20CA.crl
Authority Information Access:
CA Issuers -
URI:http://www.doonga.org/pki/CAROOT_Doonga.Org%20Root%20CA.crt
Signature Algorithm: rsassaPss
Hash Algorithm: sha256
Mask Algorithm: mgf1 with sha256
Salt Length: 20
Trailer Field: 0xbc (default)
I'm definitely sure that I have the correct CA certs loaded. I tried removing them and I got an invalid CA error. When they are in place I get the error I'm asking about. So I'm sure it's reading the CA certificates properly.
Thanks very much for your help!
Todd
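The dumps above show both CA certificates signed with rsassaPss, while the NSS-backed client (moznss) reports the peer's signature as invalid. An added example, not from this thread and not a claim about the cause: a stdlib-only Python check that reports the outer signatureAlgorithm OID of each certificate in a PEM bundle, so the algorithm the client's TLS library must be able to verify is visible before the chain is trusted. The bundle it runs on is constructed inside the block (structurally valid certificates with zero signatures), not the Doonga.Org certificates.

```python
"""Report the outer signatureAlgorithm OID of each certificate in a PEM bundle."""
import base64
import re

OID_RSASSA_PSS = "1.2.840.113549.1.1.10"       # printed as "rsassaPss" by openssl
SIG_ALG_NAMES = {
    OID_RSASSA_PSS: "rsassaPss",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OID content bytes (base-128 arcs) into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(der):
    """Dotted OID of the outer signatureAlgorithm: the one the verifying library must support.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
                               signatureAlgorithm SEQUENCE { algorithm OID, ... },
                               signatureValue BIT STRING }
    """
    tag, start, _ = _read_tlv(der, 0)           # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)       # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end) # signatureAlgorithm
    oid_tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return _decode_oid(der[oid_start:oid_end])

def pem_to_der_list(pem_text):
    """Split a PEM bundle (e.g. root.pem and sub.pem concatenated) into DER blobs."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def report_chain(pem_text):
    """Return [(index, oid, name)] for every certificate in the bundle."""
    oids = [signature_algorithm_oid(d) for d in pem_to_der_list(pem_text)]
    return [(i, o, SIG_ALG_NAMES.get(o, "unknown")) for i, o in enumerate(oids)]

def pss_signed_indexes(pem_text):
    """Indexes of certificates whose outer signature is RSASSA-PSS."""
    return [i for i, oid, _ in report_chain(pem_text) if oid == OID_RSASSA_PSS]

# Constructed sample input below (not the Doonga.Org certificates).
def _der(tag, content):
    """Encode one DER TLV with short or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return _der(0x06, body)

def constructed_cert(sig_oid):
    """Structurally valid but meaningless Certificate: stub tbs, real OID, zero signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _encode_oid(sig_oid))
    sig = _der(0x03, b"\x00" * 257)             # BIT STRING: pad byte + 256 zero bytes
    return _der(0x30, tbs + alg + sig)

def _to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Two PSS-signed CAs like the thread's root/issuing pair, plus one PKCS#1 v1.5 cert.
SAMPLE_BUNDLE = "".join(_to_pem(constructed_cert(o)) for o in
                        (OID_RSASSA_PSS, OID_RSASSA_PSS, "1.2.840.113549.1.1.11"))
```

Against a real bundle, call report_chain(open('/root/root.pem').read() + open('/root/sub.pem').read()) and compare the reported OIDs with what the client's TLS library (here the NSS build behind moznss) is documented to verify.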
________________________________
From: Ondra Machacek <omachace(a)redhat.com>
Sent: Monday, July 17, 2017 3:34:49 AM
To: Todd Punderson
Cc: users(a)ovirt.org
Subject: Re: [ovirt-users] Active Directory authentication setup
This is most probably a certificate issue.
Can you please share the output of the following command:
$ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b ''
And also the output of the following command:
$ openssl x509 -in /path/to/your/active_diretory_ca.pem -text -noout
Are you sure you added a proper CA cert to your system?
On Sun, Jul 16, 2017 at 1:04 AM, Todd Punderson <todd(a)doonga.org> wrote:
Hi,
I've been pulling my hair out over this one. Here's the output of ovirt-engine-extension-aaa-ldap-setup. Everything works fine if I use "plain" but I don't really want to do that. I searched the error that's shown below and tried several different "fixes" but none of them helped.
These are Server 2016 DCs. Not too sure where to go next.
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
Configuration files:
['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
Log file:
/tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log
Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment customization
Welcome to LDAP extension configuration program
Available LDAP implementations:
1 - 389ds
2 - 389ds RFC-2307 Schema
3 - Active Directory
4 - IBM Security Directory Server
5 - IBM Security Directory Server RFC-2307 Schema
6 - IPA
7 - Novell eDirectory RFC-2307 Schema
8 - OpenLDAP RFC-2307 Schema
9 - OpenLDAP Standard Schema
10 - Oracle Unified Directory RFC-2307 Schema
11 - RFC-2307 Schema (Generic)
12 - RHDS
13 - RHDS RFC-2307 Schema
14 - iPlanet
Please select: 3
Please enter Active Directory Forest name: home.doonga.org
[ INFO ] Resolving Global Catalog SRV record for home.doonga.org
[ INFO ] Resolving LDAP SRV record for home.doonga.org
NOTE:
It is highly recommended to use secure protocol to access the LDAP
server.
Protocol startTLS is the standard recommended method to do so.
Only in cases in which the startTLS is not supported, fallback to
non standard ldaps protocol.
Use plain for test environments only.
Please select protocol to use (startTLS, ldaps, plain) [startTLS]: ldaps
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): System
[ INFO ] Resolving SRV record 'home.doonga.org'
[ INFO ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ INFO ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ INFO ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ ERROR ] Cannot connect using any of available options
Also:
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC2.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:463 Cannot connect using 'ldap://DC2.home.doonga.org:389': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC3.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
Any help would be appreciated!
Thanks
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users