This is most probably a certificate issue.
Can you please share output of following command:
$ ldapsearch -d 1 -H
-x -s base -b ''
And also the output of following command:
$ openssl x509 -in /path/to/your/active_directory_ca.pem -text -noout
Are you sure you added a proper CA cert to your system?
On Sun, Jul 16, 2017 at 1:04 AM, Todd Punderson <todd(a)doonga.org> wrote:
Hi,
I’ve been pulling my hair out over this one. Here’s the
output of ovirt-engine-extension-aaa-ldap-setup. Everything works fine if I
use “plain” but I don’t really want to do that. I searched the error that’s
shown below and tried several different “fixes” but none of them helped.
These are Server 2016 DCs. Not too sure where to go next.
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
Configuration files:
['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
Log file:
/tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log
Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment customization
Welcome to LDAP extension configuration program
Available LDAP implementations:
1 - 389ds
2 - 389ds RFC-2307 Schema
3 - Active Directory
4 - IBM Security Directory Server
5 - IBM Security Directory Server RFC-2307 Schema
6 - IPA
7 - Novell eDirectory RFC-2307 Schema
8 - OpenLDAP RFC-2307 Schema
9 - OpenLDAP Standard Schema
10 - Oracle Unified Directory RFC-2307 Schema
11 - RFC-2307 Schema (Generic)
12 - RHDS
13 - RHDS RFC-2307 Schema
14 - iPlanet
Please select: 3
Please enter Active Directory Forest name:
home.doonga.org
[ INFO ] Resolving Global Catalog SRV record for home.doonga.org
[ INFO ] Resolving LDAP SRV record for home.doonga.org
NOTE:
It is highly recommended to use secure protocol to access the LDAP server.
Protocol startTLS is the standard recommended method to do so.
Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
Use plain for test environments only.
Please select protocol to use (startTLS, ldaps, plain) [startTLS]: ldaps
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): System
[ INFO ] Resolving SRV record 'home.doonga.org'
[ INFO ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ INFO ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ INFO ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ ERROR ] Cannot connect using any of available options
Also:
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC2.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:463 Cannot connect using 'ldap://DC2.home.doonga.org:389': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC3.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
Any help would be appreciated!
Thanks
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
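The two checks the reply at the top of this thread asks for, written out as an added shell example that is not part of the thread or of the oVirt project: it decodes a PEM CA file the way `openssl x509 -text -noout` does and confirms the extensions a CA certificate needs (basicConstraints CA:TRUE, and keyCertSign if a keyUsage extension is present; the `-8157` in the log is NSS's SEC_ERROR_EXTENSION_NOT_FOUND, so the extensions are the first thing to look at), then verifies that a server certificate actually chains to that CA with `openssl verify`. The certificates are generated locally as a constructed fixture; the helper names, file names and the `dc1.example.test` name are assumptions. Against a real DC, the second argument of `check_chain` would be the certificate captured with `openssl s_client -connect DC1.home.doonga.org:636 -showcerts`.

```shell
#!/bin/sh
# Added example, not from the thread. Sanity-check a PEM CA file before
# handing it to ovirt-engine-extension-aaa-ldap-setup, then verify that a
# server certificate chains to it. Requires the openssl CLI.

# Decode the certificate; fails if the file is not a parseable PEM X.509 cert.
cert_text() {
    openssl x509 -in "$1" -noout -text 2>/dev/null
}

# check_ca_pem FILE -> 0 if FILE looks like a usable CA certificate, 1 otherwise.
# Checks: parses as X.509, carries basicConstraints CA:TRUE, keyUsage (if
# present) allows certificate signing, and notAfter has not passed.
check_ca_pem() {
    f=$1
    txt=$(cert_text "$f") || { echo "$f: not a PEM X.509 certificate" >&2; return 1; }
    printf '%s\n' "$txt" | grep -q 'CA:TRUE' \
        || { echo "$f: no basicConstraints CA:TRUE extension" >&2; return 1; }
    if printf '%s\n' "$txt" | grep -q 'X509v3 Key Usage'; then
        # openssl prints the usage bits on the line after the extension name
        printf '%s\n' "$txt" | awk '/X509v3 Key Usage/ { getline; print }' \
            | grep -q 'Certificate Sign' \
            || { echo "$f: keyUsage lacks keyCertSign" >&2; return 1; }
    fi
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "$f: certificate has expired" >&2; return 1; }
    echo "$f: CA certificate looks usable"
    openssl x509 -in "$f" -noout -subject -issuer -enddate -fingerprint -sha256
}

# check_chain CA_FILE SERVER_CERT -> 0 if SERVER_CERT chains to CA_FILE.
check_chain() {
    openssl verify -CAfile "$1" "$2"
}

# make_fixture -> prints a temp dir holding ca.pem (a proper CA) and leaf.pem
# (a server cert signed by it, CA:FALSE). Constructed test data only.
make_fixture() {
    d=$(mktemp -d) || return 1
    cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Test Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dc1.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ext.cnf" \
        -extensions ca_ext -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
        -subj '/CN=dc1.example.test' -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -CAserial "$d/ca.srl" -days 1 -extfile "$d/ext.cnf" \
        -extensions leaf_ext -out "$d/leaf.pem" >/dev/null 2>&1 || return 1
    echo "$d"
}

# Stand-alone demo: the CA passes, the leaf is rejected as a CA, the chain verifies.
demo() {
    d=$(make_fixture) || { echo "could not build fixture (is openssl installed?)" >&2; return 1; }
    check_ca_pem "$d/ca.pem"
    check_ca_pem "$d/leaf.pem" || echo "leaf.pem correctly rejected as a CA certificate"
    check_chain "$d/ca.pem" "$d/leaf.pem"
    rm -rf "$d"
}
demo
```

A CA file that fails `check_ca_pem` is the wrong thing to hand to the `File`/`URL`/`Inline` options of the setup tool (and to `update-ca-trust` for the `System` option); a CA that passes but whose `check_chain` against the DC certificate fails is the right kind of certificate but not the CA that actually issued the DC's certificate.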