11:25 p.m.
I have tried the following combinations of certificates added to the
keystore:
* PositiveSSL CA bundle (SHA-1 and SHA256) -- This is the source of our
SSL certificates
* All CA certificates from the LDAP machine
* All CA certificates from the LDAP machine plus the machine's own
certificate
* The machine's own certificate only
None fix the issue. As I understand it, adding just the CA bundle from
PositiveSSL should work. Or, adding the CA bundles offered by Ubuntu
should also work.
Previously (when using port 636 and TLS/SSL), to fix
SSLPeerUnverifiedException, I added all of the CA certificates from the
LDAP machine, plus its own certificate (this last part fixed it).
In the mean time, to try and fix the original issue of "external_id", is
there any way to disable certificate verification for STARTTLS?
On 06/15/2015 03:57 PM, Alon Bar-Lev wrote:
You should add *ONLY* the ca certificate top level to the keystore.
----- Original Message -----
> From: "Zach La Celle" <lacelle(a)roboticresearch.com>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> Sent: Monday, June 15, 2015 10:54:02 PM
> Subject: Re: [ovirt-users] Adding users through LDAP fails on
"external_id"
>
> OK, started using the STARTTLS protocol. Tested working using
> ldapsearch, but now ovirt-engine's engine.log complains:
>
> java.io.IOException: Unable to verify an attempt to to establish a
> secure connection to 'directory.roboticresearch.com:389' becau\
> se an unexpected error was encountered during validation processing:
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
> Not sure what is wrong. We fixed this before by adding the
> ca-certificates from the LDAP server as well as the LDAP server
> certificate into the .jks keystore.
>
> On 06/15/2015 03:21 PM, Alon Bar-Lev wrote:
>> ----- Original Message -----
>>> From: "Zach La Celle" <lacelle(a)roboticresearch.com>
>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>> Sent: Monday, June 15, 2015 10:14:34 PM
>>> Subject: Re: [ovirt-users] Adding users through LDAP fails on
>>> "external_id"
>>>
>>> My mistake. We're using OpenLDAP 2.4.28-1.1ubuntu4.4 on Ubuntu 12.04.
>>>
>>> The full configuration files are as follows (I removed commented-out
>>> lines for brevity). Communications with the LDAP server seem to work
>>> correctly now.
>>>
>>> __profile1.properties__
>>>
>>> #
>>>
>>> # Select
>>> one
>>>
>>> #
>>>
>>> include = <openldap.properties>
>> reading bellow, you may want to try rfc2307-openldap as your schema seems
>> to be rfc2307 compatible.
>>
>> <snip>
>>
>>> pool.default.serverset.type = single
>>> pool.default.serverset.single.server = ${global:vars.server}
>>> pool.default.serverset.single.port = 636
>> why do you modify port? please use startTLS on default port.
>>
>>> #pool.default.auth.simple.bindDN = ${global:vars.user}
>>> #pool.default.auth.simple.password = ${global:vars.password}
>> why did you comment this, do you allow anonymous access?
>>
>>> # Create keystore, import certificate chain and uncomment
>>> # if using ssl/tls.
>>> #pool.default.ssl.startTLS = true
>> please uncomment this^
>>
>>> pool.default.ssl.truststore.file =
>>> ${local:_basedir}/${global:vars.server}.jks
>>> pool.default.ssl.truststore.password = sdfnliwneponalsdinosaivnewal
>>>
>>> # TLS settings and authentication
>>> pool.default.ssl.enable = true
>> please do not use ssl unless startTLS is not supported, and it is in
>> openldap.
>>
>>> pool.default.ssl.startTLS = false
>> please set this to true.
>>
>>> pool.default.ssl.host-name-verify.enable = true
>>> pool.default.ssl.host-name-verify.wildcards = false
>>> pool.default.ssl.insecure = false
>>> pool.default.ssl.protocol = TLSv1
>>> #pool.default.ssl.startTLSProtocol = TLSv1
>> these are the default, you do not need to add these.
>>
>>> pool.default.auth.type = none
>> why have you set this explicitly?
>>
>>> # Mapping
>>> attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map = cn
>>> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = Email
>>> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = cn
>> please remove mapping, it should work without.
>>
>>> # Variables
>>> sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn,
>>> givenName, sn, Email
>>> sequence.openldap-init-vars.040.var-set.value =
>>> (objectClass=posixAccount)(uid=*)
>>> sequence.openldap-init-vars.050.var-set.value = entryUUID, cn
>>> sequence.openldap-init-vars.060.var-set.value = (objectClass=posixGroup)
>>> sequence.openldap-init-vars.070.var-set.value = memberUid
>> why have you added these? maybe you have rfc2307 compatible schema?
>>
>>> On 06/15/2015 03:07 PM, Alon Bar-Lev wrote:
>>>> This probably state that you do not use the correct driver.
>>>>
>>>> You did not mention what LDAP server do you use, and you pasted only
>>>> partial profile.
>>>>
>>>> ----- Original Message -----
>>>>> From: "Zach La Celle" <lacelle(a)roboticresearch.com>
>>>>> To: users(a)ovirt.org
>>>>> Sent: Monday, June 15, 2015 10:04:47 PM
>>>>> Subject: [ovirt-users] Adding users through LDAP fails on
"external_id"
>>>>>
>>>>> Hello,
>>>>>
>>>>> We have a small oVirt cluster set up, and are trying to get it
>>>>> integrated with our LDAP server.
>>>>>
>>>>> I've changed some configuration values in order to try and make
it
>>>>> function, and it seems to communicate correctly with the LDAP
server.
>>>>> However, when trying to add the user, I get the following error upon
SQL
>>>>> entry add:
>>>>>
>>>>> 2015-06-15 14:44:49,439 ERROR
>>>>> [org.ovirt.engine.core.bll.aaa.AddUserCommand]
(ajp--127.0.0.1-8702-6)
>>>>> [3b15cbfe] Command org.ovirt.engine.core.bll.aaa.AddUserCommand
throw
>>>>> exception: org.springframework.da\
>>>>> o.DataIntegrityViolationException: CallableStatementCallback; SQL
[{call
>>>>> insertuser(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)}]; ERROR: null
>>>>> value in column "external_id" violates not-null constraint
>>>>> Where: SQL statement "INSERT INTO users(department, domain,
email,
>>>>> groups, name, note, role, active, surname, user_id, username,
group_ids,
>>>>> external_id,namespace) VALUES( $1 , $2 , $3 , $4 , $5 , $\
>>>>> 6 , $7 , $8 , $9 , $10 , $11 , $12 , $13 , $14 )"
>>>>> PL/pgSQL function "insertuser" line 2 at SQL statement;
nested exception
>>>>> is org.postgresql.util.PSQLException: ERROR: null value in column
>>>>> "external_id" violates not-null constraint
>>>>> Where: SQL statement "INSERT INTO users(department, domain,
email,
>>>>> groups, name, note, role, active, surname, user_id, username,
group_ids,
>>>>> external_id,namespace) VALUES( $1 , $2 , $3 , $4 , $5 , $\
>>>>> 6 , $7 , $8 , $9 , $10 , $11 , $12 , $13 , $14 )"
>>>>>
>>>>> I can't figure out what maps from the LDAP user to
"external_id" for the
>>>>> SQL table entry.
>>>>>
>>>>> Here are the changes I made to profile1.properties:
>>>>>
>>>>> #Mapping changes
>>>>> attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map =
cn
>>>>> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = Email
>>>>> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = cn
>>>>>
>>>>> #LDAP value changes
>>>>> sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn,
>>>>> givenName, sn, Email
>>>>> sequence.openldap-init-vars.040.var-set.value =
>>>>> (objectClass=posixAccount)(uid=*)
>>>>> sequence.openldap-init-vars.050.var-set.value = entryUUID, cn
>>>>> sequence.openldap-init-vars.060.var-set.value =
(objectClass=posixGroup)
>>>>> sequence.openldap-init-vars.070.var-set.value = memberUid
>>>>>
>>>>> Any help is appreciated!
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users(a)ovirt.org
>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>
>
11:29 p.m.
New subject: Adding users through LDAP fails on "external_id"
There are two issues.
1. Trust store issue, which is common to both startTLS and SSL, the same trust store is
being used and should work in both cases, unless for some reason your server present a
different certificate for each channel, which is very odd configuration, are you sure your
pool.default.ssl.truststore.file is uncommented and reference to a valid trust store?
2. Incorrect ldap driver, which should probably be rfc2307-openldap.
----- Original Message -----
From: "Zach La Celle" <lacelle(a)roboticresearch.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>, users(a)ovirt.org
Sent: Monday, June 15, 2015 11:25:25 PM
Subject: Re: [ovirt-users] Adding users through LDAP fails on "external_id"
I have tried the following combinations of certificates added to the
keystore:
* PositiveSSL CA bundle (SHA-1 and SHA256) -- This is the source of our
SSL certificates
* All CA certificates from the LDAP machine
* All CA certificates from the LDAP machine plus the machine's own
certificate
* The machine's own certificate only
None fix the issue. As I understand it, adding just the CA bundle from
PositiveSSL should work. Or, adding the CA bundles offered by Ubuntu
should also work.
Previously (when using port 636 and TLS/SSL), to fix
SSLPeerUnverifiedException, I added all of the CA certificates from the
LDAP machine, plus its own certificate (this last part fixed it).
In the mean time, to try and fix the original issue of "external_id", is
there any way to disable certificate verification for STARTTLS?
On 06/15/2015 03:57 PM, Alon Bar-Lev wrote:
> You should add *ONLY* the ca certificate top level to the keystore.
>
> ----- Original Message -----
>> From: "Zach La Celle" <lacelle(a)roboticresearch.com>
>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>> Sent: Monday, June 15, 2015 10:54:02 PM
>> Subject: Re: [ovirt-users] Adding users through LDAP fails on
>> "external_id"
>>
>> OK, started using the STARTTLS protocol. Tested working using
>> ldapsearch, but now ovirt-engine's engine.log complains:
>>
>> java.io.IOException: Unable to verify an attempt to to establish a
>> secure connection to 'directory.roboticresearch.com:389' becau\
>> se an unexpected error was encountered during validation processing:
>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>
>> Not sure what is wrong. We fixed this before by adding the
>> ca-certificates from the LDAP server as well as the LDAP server
>> certificate into the .jks keystore.
>>
>> On 06/15/2015 03:21 PM, Alon Bar-Lev wrote:
>>> ----- Original Message -----
>>>> From: "Zach La Celle" <lacelle(a)roboticresearch.com>
>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>> Sent: Monday, June 15, 2015 10:14:34 PM
>>>> Subject: Re: [ovirt-users] Adding users through LDAP fails on
>>>> "external_id"
>>>>
>>>> My mistake. We're using OpenLDAP 2.4.28-1.1ubuntu4.4 on Ubuntu
12.04.
>>>>
>>>> The full configuration files are as follows (I removed commented-out
>>>> lines for brevity). Communications with the LDAP server seem to work
>>>> correctly now.
>>>>
>>>> __profile1.properties__
>>>>
>>>> #
>>>>
>>>> # Select
>>>> one
>>>>
>>>> #
>>>>
>>>> include = <openldap.properties>
>>> reading bellow, you may want to try rfc2307-openldap as your schema seems
>>> to be rfc2307 compatible.
>>>
>>> <snip>
>>>
>>>> pool.default.serverset.type = single
>>>> pool.default.serverset.single.server = ${global:vars.server}
>>>> pool.default.serverset.single.port = 636
>>> why do you modify port? please use startTLS on default port.
>>>
>>>> #pool.default.auth.simple.bindDN = ${global:vars.user}
>>>> #pool.default.auth.simple.password = ${global:vars.password}
>>> why did you comment this, do you allow anonymous access?
>>>
>>>> # Create keystore, import certificate chain and uncomment
>>>> # if using ssl/tls.
>>>> #pool.default.ssl.startTLS = true
>>> please uncomment this^
>>>
>>>> pool.default.ssl.truststore.file =
>>>> ${local:_basedir}/${global:vars.server}.jks
>>>> pool.default.ssl.truststore.password = sdfnliwneponalsdinosaivnewal
>>>>
>>>> # TLS settings and authentication
>>>> pool.default.ssl.enable = true
>>> please do not use ssl unless startTLS is not supported, and it is in
>>> openldap.
>>>
>>>> pool.default.ssl.startTLS = false
>>> please set this to true.
>>>
>>>> pool.default.ssl.host-name-verify.enable = true
>>>> pool.default.ssl.host-name-verify.wildcards = false
>>>> pool.default.ssl.insecure = false
>>>> pool.default.ssl.protocol = TLSv1
>>>> #pool.default.ssl.startTLSProtocol = TLSv1
>>> these are the default, you do not need to add these.
>>>
>>>> pool.default.auth.type = none
>>> why have you set this explicitly?
>>>
>>>> # Mapping
>>>> attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map = cn
>>>> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = Email
>>>> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = cn
>>> please remove mapping, it should work without.
>>>
>>>> # Variables
>>>> sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn,
>>>> givenName, sn, Email
>>>> sequence.openldap-init-vars.040.var-set.value =
>>>> (objectClass=posixAccount)(uid=*)
>>>> sequence.openldap-init-vars.050.var-set.value = entryUUID, cn
>>>> sequence.openldap-init-vars.060.var-set.value =
(objectClass=posixGroup)
>>>> sequence.openldap-init-vars.070.var-set.value = memberUid
>>> why have you added these? maybe you have rfc2307 compatible schema?
>>>
>>>> On 06/15/2015 03:07 PM, Alon Bar-Lev wrote:
>>>>> This probably state that you do not use the correct driver.
>>>>>
>>>>> You did not mention what LDAP server do you use, and you pasted
only
>>>>> partial profile.
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Zach La Celle"
<lacelle(a)roboticresearch.com>
>>>>>> To: users(a)ovirt.org
>>>>>> Sent: Monday, June 15, 2015 10:04:47 PM
>>>>>> Subject: [ovirt-users] Adding users through LDAP fails on
>>>>>> "external_id"
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> We have a small oVirt cluster set up, and are trying to get it
>>>>>> integrated with our LDAP server.
>>>>>>
>>>>>> I've changed some configuration values in order to try and
make it
>>>>>> function, and it seems to communicate correctly with the LDAP
server.
>>>>>> However, when trying to add the user, I get the following error
upon
>>>>>> SQL
>>>>>> entry add:
>>>>>>
>>>>>> 2015-06-15 14:44:49,439 ERROR
>>>>>> [org.ovirt.engine.core.bll.aaa.AddUserCommand]
(ajp--127.0.0.1-8702-6)
>>>>>> [3b15cbfe] Command org.ovirt.engine.core.bll.aaa.AddUserCommand
throw
>>>>>> exception: org.springframework.da\
>>>>>> o.DataIntegrityViolationException: CallableStatementCallback;
SQL
>>>>>> [{call
>>>>>> insertuser(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)}]; ERROR:
null
>>>>>> value in column "external_id" violates not-null
constraint
>>>>>> Where: SQL statement "INSERT INTO users(department,
domain, email,
>>>>>> groups, name, note, role, active, surname, user_id, username,
>>>>>> group_ids,
>>>>>> external_id,namespace) VALUES( $1 , $2 , $3 , $4 , $5 , $\
>>>>>> 6 , $7 , $8 , $9 , $10 , $11 , $12 , $13 , $14 )"
>>>>>> PL/pgSQL function "insertuser" line 2 at SQL
statement; nested
>>>>>> exception
>>>>>> is org.postgresql.util.PSQLException: ERROR: null value in
column
>>>>>> "external_id" violates not-null constraint
>>>>>> Where: SQL statement "INSERT INTO users(department,
domain, email,
>>>>>> groups, name, note, role, active, surname, user_id, username,
>>>>>> group_ids,
>>>>>> external_id,namespace) VALUES( $1 , $2 , $3 , $4 , $5 , $\
>>>>>> 6 , $7 , $8 , $9 , $10 , $11 , $12 , $13 , $14 )"
>>>>>>
>>>>>> I can't figure out what maps from the LDAP user to
"external_id" for
>>>>>> the
>>>>>> SQL table entry.
>>>>>>
>>>>>> Here are the changes I made to profile1.properties:
>>>>>>
>>>>>> #Mapping changes
>>>>>>
attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map =
>>>>>> cn
>>>>>> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map =
Email
>>>>>> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = cn
>>>>>>
>>>>>> #LDAP value changes
>>>>>> sequence.openldap-init-vars.030.var-set.value = entryUUID, uid,
cn,
>>>>>> givenName, sn, Email
>>>>>> sequence.openldap-init-vars.040.var-set.value =
>>>>>> (objectClass=posixAccount)(uid=*)
>>>>>> sequence.openldap-init-vars.050.var-set.value = entryUUID, cn
>>>>>> sequence.openldap-init-vars.060.var-set.value =
>>>>>> (objectClass=posixGroup)
>>>>>> sequence.openldap-init-vars.070.var-set.value = memberUid
>>>>>>
>>>>>> Any help is appreciated!
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users(a)ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>
>>
12:38 a.m.
New subject: Adding users through LDAP fails on "external_id"
I understand we were using the incorrect driver, and I've switched to
the RFC2307-compatible driver. However, now the TLS sessions won't start.
I've verified that I can do ldapsearch from the oVirt machine without
issue, complete with STARTTLS. So, it seems to be an issue solely in
our oVirt configuration.
Error message and config are below, with your changes. I cannot seem to
get a configuration of the truststore that functions.
Here's the current error message, the SSLPeerUnverifiedException:
2015-06-15 17:32:49,252 DEBUG
[org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread
1-6) Ignoring Exception: LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred\
while attempting to connect to server
directory.roboticresearch.com:389: java.io.IOException: Unable to
verify an attempt to to establish a secure connection to
'directory.roboticresearch.com:389' becau\
se an unexpected error was encountered during validation processing:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')
The config file is below. Notably, I changed it to use the already
installed java cacerts keystore (which I verified opens with the
changeit password).
include = <rfc2307-openldap.properties>
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = 389
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/pki/java/cacerts
pool.default.ssl.truststore.password = changeit
pool.default.ssl.enable = true
pool.default.ssl.host-name-verify.enable = true
pool.default.ssl.host-name-verify.wildcards = false
pool.default.ssl.insecure = false
pool.default.ssl.protocol = TLSv1
pool.default.ssl.startTLSProtocol = TLSv1
pool.default.auth.type = none
On 06/15/2015 04:29 PM, Alon Bar-Lev wrote:
There are two issues.
1. Trust store issue, which is common to both startTLS and SSL, the same trust store is
being used and should work in both cases, unless for some reason your server present a
different certificate for each channel, which is very odd configuration, are you sure your
pool.default.ssl.truststore.file is uncommented and reference to a valid trust store?
2. Incorrect ldap driver, which should probably be rfc2307-openldap.
----- Original Message -----
> From: "Zach La Celle" <lacelle(a)roboticresearch.com>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>, users(a)ovirt.org
> Sent: Monday, June 15, 2015 11:25:25 PM
> Subject: Re: [ovirt-users] Adding users through LDAP fails on
"external_id"
>
> I have tried the following combinations of certificates added to the
> keystore:
>
> * PositiveSSL CA bundle (SHA-1 and SHA256) -- This is the source of our
> SSL certificates
> * All CA certificates from the LDAP machine
> * All CA certificates from the LDAP machine plus the machine's own
> certificate
> * The machine's own certificate only
>
> None fix the issue. As I understand it, adding just the CA bundle from
> PositiveSSL should work. Or, adding the CA bundles offered by Ubuntu
> should also work.
>
> Previously (when using port 636 and TLS/SSL), to fix
> SSLPeerUnverifiedException, I added all of the CA certificates from the
> LDAP machine, plus its own certificate (this last part fixed it).
>
> In the mean time, to try and fix the original issue of "external_id", is
> there any way to disable certificate verification for STARTTLS?
>
> On 06/15/2015 03:57 PM, Alon Bar-Lev wrote:
>> You should add *ONLY* the ca certificate top level to the keystore.
>>
>> ----- Original Message -----
>>> From: "Zach La Celle" <lacelle(a)roboticresearch.com>
>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>> Sent: Monday, June 15, 2015 10:54:02 PM
>>> Subject: Re: [ovirt-users] Adding users through LDAP fails on
>>> "external_id"
>>>
>>> OK, started using the STARTTLS protocol. Tested working using
>>> ldapsearch, but now ovirt-engine's engine.log complains:
>>>
>>> java.io.IOException: Unable to verify an attempt to to establish a
>>> secure connection to 'directory.roboticresearch.com:389' becau\
>>> se an unexpected error was encountered during validation processing:
>>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>
>>> Not sure what is wrong. We fixed this before by adding the
>>> ca-certificates from the LDAP server as well as the LDAP server
>>> certificate into the .jks keystore.
>>>
>>> On 06/15/2015 03:21 PM, Alon Bar-Lev wrote:
>>>> ----- Original Message -----
>>>>> From: "Zach La Celle" <lacelle(a)roboticresearch.com>
>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>> Sent: Monday, June 15, 2015 10:14:34 PM
>>>>> Subject: Re: [ovirt-users] Adding users through LDAP fails on
>>>>> "external_id"
>>>>>
>>>>> My mistake. We're using OpenLDAP 2.4.28-1.1ubuntu4.4 on Ubuntu
12.04.
>>>>>
>>>>> The full configuration files are as follows (I removed commented-out
>>>>> lines for brevity). Communications with the LDAP server seem to
work
>>>>> correctly now.
>>>>>
>>>>> __profile1.properties__
>>>>>
>>>>> #
>>>>>
>>>>> # Select
>>>>> one
>>>>>
>>>>> #
>>>>>
>>>>> include = <openldap.properties>
>>>> reading bellow, you may want to try rfc2307-openldap as your schema
seems
>>>> to be rfc2307 compatible.
>>>>
>>>> <snip>
>>>>
>>>>> pool.default.serverset.type = single
>>>>> pool.default.serverset.single.server = ${global:vars.server}
>>>>> pool.default.serverset.single.port = 636
>>>> why do you modify port? please use startTLS on default port.
>>>>
>>>>> #pool.default.auth.simple.bindDN = ${global:vars.user}
>>>>> #pool.default.auth.simple.password = ${global:vars.password}
>>>> why did you comment this, do you allow anonymous access?
>>>>
>>>>> # Create keystore, import certificate chain and uncomment
>>>>> # if using ssl/tls.
>>>>> #pool.default.ssl.startTLS = true
>>>> please uncomment this^
>>>>
>>>>> pool.default.ssl.truststore.file =
>>>>> ${local:_basedir}/${global:vars.server}.jks
>>>>> pool.default.ssl.truststore.password = sdfnliwneponalsdinosaivnewal
>>>>>
>>>>> # TLS settings and authentication
>>>>> pool.default.ssl.enable = true
>>>> please do not use ssl unless startTLS is not supported, and it is in
>>>> openldap.
>>>>
>>>>> pool.default.ssl.startTLS = false
>>>> please set this to true.
>>>>
>>>>> pool.default.ssl.host-name-verify.enable = true
>>>>> pool.default.ssl.host-name-verify.wildcards = false
>>>>> pool.default.ssl.insecure = false
>>>>> pool.default.ssl.protocol = TLSv1
>>>>> #pool.default.ssl.startTLSProtocol = TLSv1
>>>> these are the default, you do not need to add these.
>>>>
>>>>> pool.default.auth.type = none
>>>> why have you set this explicitly?
>>>>
>>>>> # Mapping
>>>>> attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map =
cn
>>>>> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = Email
>>>>> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = cn
>>>> please remove mapping, it should work without.
>>>>
>>>>> # Variables
>>>>> sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn,
>>>>> givenName, sn, Email
>>>>> sequence.openldap-init-vars.040.var-set.value =
>>>>> (objectClass=posixAccount)(uid=*)
>>>>> sequence.openldap-init-vars.050.var-set.value = entryUUID, cn
>>>>> sequence.openldap-init-vars.060.var-set.value =
(objectClass=posixGroup)
>>>>> sequence.openldap-init-vars.070.var-set.value = memberUid
>>>> why have you added these? maybe you have rfc2307 compatible schema?
>>>>
>>>>> On 06/15/2015 03:07 PM, Alon Bar-Lev wrote:
>>>>>> This probably state that you do not use the correct driver.
>>>>>>
>>>>>> You did not mention what LDAP server do you use, and you pasted
only
>>>>>> partial profile.
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Zach La Celle"
<lacelle(a)roboticresearch.com>
>>>>>>> To: users(a)ovirt.org
>>>>>>> Sent: Monday, June 15, 2015 10:04:47 PM
>>>>>>> Subject: [ovirt-users] Adding users through LDAP fails on
>>>>>>> "external_id"
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> We have a small oVirt cluster set up, and are trying to get
it
>>>>>>> integrated with our LDAP server.
>>>>>>>
>>>>>>> I've changed some configuration values in order to try
and make it
>>>>>>> function, and it seems to communicate correctly with the LDAP
server.
>>>>>>> However, when trying to add the user, I get the following
error upon
>>>>>>> SQL
>>>>>>> entry add:
>>>>>>>
>>>>>>> 2015-06-15 14:44:49,439 ERROR
>>>>>>> [org.ovirt.engine.core.bll.aaa.AddUserCommand]
(ajp--127.0.0.1-8702-6)
>>>>>>> [3b15cbfe] Command
org.ovirt.engine.core.bll.aaa.AddUserCommand throw
>>>>>>> exception: org.springframework.da\
>>>>>>> o.DataIntegrityViolationException: CallableStatementCallback;
SQL
>>>>>>> [{call
>>>>>>> insertuser(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)}];
ERROR: null
>>>>>>> value in column "external_id" violates not-null
constraint
>>>>>>> Where: SQL statement "INSERT INTO users(department,
domain, email,
>>>>>>> groups, name, note, role, active, surname, user_id,
username,
>>>>>>> group_ids,
>>>>>>> external_id,namespace) VALUES( $1 , $2 , $3 , $4 , $5 ,
$\
>>>>>>> 6 , $7 , $8 , $9 , $10 , $11 , $12 , $13 , $14
)"
>>>>>>> PL/pgSQL function "insertuser" line 2 at SQL
statement; nested
>>>>>>> exception
>>>>>>> is org.postgresql.util.PSQLException: ERROR: null value in
column
>>>>>>> "external_id" violates not-null constraint
>>>>>>> Where: SQL statement "INSERT INTO users(department,
domain, email,
>>>>>>> groups, name, note, role, active, surname, user_id,
username,
>>>>>>> group_ids,
>>>>>>> external_id,namespace) VALUES( $1 , $2 , $3 , $4 , $5 ,
$\
>>>>>>> 6 , $7 , $8 , $9 , $10 , $11 , $12 , $13 , $14
)"
>>>>>>>
>>>>>>> I can't figure out what maps from the LDAP user to
"external_id" for
>>>>>>> the
>>>>>>> SQL table entry.
>>>>>>>
>>>>>>> Here are the changes I made to profile1.properties:
>>>>>>>
>>>>>>> #Mapping changes
>>>>>>>
attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map =
>>>>>>> cn
>>>>>>> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map =
Email
>>>>>>> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map =
cn
>>>>>>>
>>>>>>> #LDAP value changes
>>>>>>> sequence.openldap-init-vars.030.var-set.value = entryUUID,
uid, cn,
>>>>>>> givenName, sn, Email
>>>>>>> sequence.openldap-init-vars.040.var-set.value =
>>>>>>> (objectClass=posixAccount)(uid=*)
>>>>>>> sequence.openldap-init-vars.050.var-set.value = entryUUID,
cn
>>>>>>> sequence.openldap-init-vars.060.var-set.value =
>>>>>>> (objectClass=posixGroup)
>>>>>>> sequence.openldap-init-vars.070.var-set.value = memberUid
>>>>>>>
>>>>>>> Any help is appreciated!
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> Users(a)ovirt.org
>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>
>
12:45 a.m.
New subject: Adding users through LDAP fails on "external_id"
----- Original Message -----
From: "Zach La Celle" <lacelle(a)roboticresearch.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: users(a)ovirt.org
Sent: Tuesday, June 16, 2015 12:38:21 AM
Subject: Re: [ovirt-users] Adding users through LDAP fails on "external_id"
I understand we were using the incorrect driver, and I've switched to
the RFC2307-compatible driver. However, now the TLS sessions won't start.
I've verified that I can do ldapsearch from the oVirt machine without
issue, complete with STARTTLS. So, it seems to be an issue solely in
our oVirt configuration.
Error message and config are below, with your changes. I cannot seem to
get a configuration of the truststore that functions.
Here's the current error message, the SSLPeerUnverifiedException:
2015-06-15 17:32:49,252 DEBUG
[org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread
1-6) Ignoring Exception: LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred\
while attempting to connect to server
directory.roboticresearch.com:389: java.io.IOException: Unable to
verify an attempt to to establish a secure connection to
'directory.roboticresearch.com:389' becau\
se an unexpected error was encountered during validation processing:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')
The config file is below. Notably, I changed it to use the already
installed java cacerts keystore (which I verified opens with the
changeit password).
include = <rfc2307-openldap.properties>
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = 389
please remove this port settings ^ as this is the default.
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/pki/java/cacerts
pool.default.ssl.truststore.password = changeit
can you please create your own keystore with only top level certificate[1]?
[1]
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b...
pool.default.ssl.enable = true
please remove this ^
pool.default.ssl.host-name-verify.enable = true
pool.default.ssl.host-name-verify.wildcards = false
please remove these ^
pool.default.ssl.insecure = false
pool.default.ssl.protocol = TLSv1
pool.default.ssl.startTLSProtocol = TLSv1
please remove these ^
pool.default.auth.type = none
please remove this ^ not sure why you added it.
>
> On 06/15/2015 04:29 PM, Alon Bar-Lev wrote:
> > There are two issues.
> >
> > 1. Trust store issue, which is common to both startTLS and SSL, the same
> > trust store is being used and should work in both cases, unless for some
> > reason your server present a different certificate for each channel, which
> > is very odd configuration, are you sure your
> > pool.default.ssl.truststore.file is uncommented and reference to a valid
> > trust store?
> >
> > 2. Incorrect ldap driver, which should probably be rfc2307-openldap.
> >
> > ----- Original Message -----
> >> From: "Zach La Celle" <lacelle(a)roboticresearch.com>
> >> To: "Alon Bar-Lev" <alonbl(a)redhat.com>, users(a)ovirt.org
> >> Sent: Monday, June 15, 2015 11:25:25 PM
> >> Subject: Re: [ovirt-users] Adding users through LDAP fails on
> >> "external_id"
> >>
> >> I have tried the following combinations of certificates added to the
> >> keystore:
> >>
> >> * PositiveSSL CA bundle (SHA-1 and SHA256) -- This is the source of our
> >> SSL certificates
> >> * All CA certificates from the LDAP machine
> >> * All CA certificates from the LDAP machine plus the machine's own
> >> certificate
> >> * The machine's own certificate only
> >>
> >> None fix the issue. As I understand it, adding just the CA bundle from
> >> PositiveSSL should work. Or, adding the CA bundles offered by Ubuntu
> >> should also work.
> >>
> >> Previously (when using port 636 and TLS/SSL), to fix
> >> SSLPeerUnverifiedException, I added all of the CA certificates from the
> >> LDAP machine, plus its own certificate (this last part fixed it).
> >>
> >> In the mean time, to try and fix the original issue of
"external_id", is
> >> there any way to disable certificate verification for STARTTLS?
> >>
> >> On 06/15/2015 03:57 PM, Alon Bar-Lev wrote:
> >>> You should add *ONLY* the ca certificate top level to the keystore.
> >>>
> >>> ----- Original Message -----
> >>>> From: "Zach La Celle" <lacelle(a)roboticresearch.com>
> >>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> >>>> Sent: Monday, June 15, 2015 10:54:02 PM
> >>>> Subject: Re: [ovirt-users] Adding users through LDAP fails on
> >>>> "external_id"
> >>>>
> >>>> OK, started using the STARTTLS protocol. Tested working using
> >>>> ldapsearch, but now ovirt-engine's engine.log complains:
> >>>>
> >>>> java.io.IOException: Unable to verify an attempt to to establish a
> >>>> secure connection to 'directory.roboticresearch.com:389'
becau\
> >>>> se an unexpected error was encountered during validation
processing:
> >>>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> >>>>
> >>>> Not sure what is wrong. We fixed this before by adding the
> >>>> ca-certificates from the LDAP server as well as the LDAP server
> >>>> certificate into the .jks keystore.
> >>>>
> >>>> On 06/15/2015 03:21 PM, Alon Bar-Lev wrote:
> >>>>> ----- Original Message -----
> >>>>>> From: "Zach La Celle"
<lacelle(a)roboticresearch.com>
> >>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> >>>>>> Sent: Monday, June 15, 2015 10:14:34 PM
> >>>>>> Subject: Re: [ovirt-users] Adding users through LDAP fails
on
> >>>>>> "external_id"
> >>>>>>
> >>>>>> My mistake. We're using OpenLDAP 2.4.28-1.1ubuntu4.4 on
Ubuntu 12.04.
> >>>>>>
> >>>>>> The full configuration files are as follows (I removed
commented-out
> >>>>>> lines for brevity). Communications with the LDAP server
seem to work
> >>>>>> correctly now.
> >>>>>>
> >>>>>> __profile1.properties__
> >>>>>>
> >>>>>> #
> >>>>>>
> >>>>>> # Select
> >>>>>> one
> >>>>>>
> >>>>>> #
> >>>>>>
> >>>>>> include = <openldap.properties>
> >>>>> reading bellow, you may want to try rfc2307-openldap as your
schema
> >>>>> seems
> >>>>> to be rfc2307 compatible.
> >>>>>
> >>>>> <snip>
> >>>>>
> >>>>>> pool.default.serverset.type = single
> >>>>>> pool.default.serverset.single.server =
${global:vars.server}
> >>>>>> pool.default.serverset.single.port = 636
> >>>>> why do you modify port? please use startTLS on default port.
> >>>>>
> >>>>>> #pool.default.auth.simple.bindDN = ${global:vars.user}
> >>>>>> #pool.default.auth.simple.password =
${global:vars.password}
> >>>>> why did you comment this, do you allow anonymous access?
> >>>>>
> >>>>>> # Create keystore, import certificate chain and uncomment
> >>>>>> # if using ssl/tls.
> >>>>>> #pool.default.ssl.startTLS = true
> >>>>> please uncomment this^
> >>>>>
> >>>>>> pool.default.ssl.truststore.file =
> >>>>>> ${local:_basedir}/${global:vars.server}.jks
> >>>>>> pool.default.ssl.truststore.password =
sdfnliwneponalsdinosaivnewal
> >>>>>>
> >>>>>> # TLS settings and authentication
> >>>>> pool.default.ssl.enable = true
>
>>>>> please do not use ssl unless startTLS is not supported, and it is in
> >>>>> openldap.
> >>>>>
> >>>>>> pool.default.ssl.startTLS = false
> >>>>> please set this to true.
> >>>>>
> >>>>>> pool.default.ssl.host-name-verify.enable = true
> >>>>>> pool.default.ssl.host-name-verify.wildcards = false
> >>>>>> pool.default.ssl.insecure = false
> >>>>>> pool.default.ssl.protocol = TLSv1
> >>>>>> #pool.default.ssl.startTLSProtocol = TLSv1
> >>>>> these are the default, you do not need to add these.
> >>>>>
> >>>>> pool.default.auth.type = none
>
>>>>> why have you set this explicitly?
> >>>>>
> >>>>>> # Mapping
> >>>>>>
attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map =
> >>>>>> cn
> >>>>>> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map
= Email
> >>>>>> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map =
cn
> >>>>> please remove mapping, it should work without.
> >>>>>
> >>>>>> # Variables
> >>>>>> sequence.openldap-init-vars.030.var-set.value = entryUUID,
uid, cn,
> >>>>>> givenName, sn, Email
> >>>>>> sequence.openldap-init-vars.040.var-set.value =
> >>>>>> (objectClass=posixAccount)(uid=*)
> >>>>>> sequence.openldap-init-vars.050.var-set.value = entryUUID,
cn
> >>>>>> sequence.openldap-init-vars.060.var-set.value =
> >>>>>> (objectClass=posixGroup)
> >>>>>> sequence.openldap-init-vars.070.var-set.value = memberUid
> >>>>> why have you added these? maybe you have rfc2307 compatible
schema?
> >>>>>
> >>>>>> On 06/15/2015 03:07 PM, Alon Bar-Lev wrote:
> >>>>>>> This probably state that you do not use the correct
driver.
> >>>>>>>
> >>>>>>> You did not mention what LDAP server do you use, and you
pasted only
> >>>>>>> partial profile.
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Zach La Celle"
<lacelle(a)roboticresearch.com>
> >>>>>>>> To: users(a)ovirt.org
> >>>>>>>> Sent: Monday, June 15, 2015 10:04:47 PM
> >>>>>>>> Subject: [ovirt-users] Adding users through LDAP
fails on
> >>>>>>>> "external_id"
> >>>>>>>>
> >>>>>>>> Hello,
> >>>>>>>>
> >>>>>>>> We have a small oVirt cluster set up, and are trying
to get it
> >>>>>>>> integrated with our LDAP server.
> >>>>>>>>
> >>>>>>>> I've changed some configuration values in order
to try and make it
> >>>>>>>> function, and it seems to communicate correctly with
the LDAP
> >>>>>>>> server.
> >>>>>>>> However, when trying to add the user, I get the
following error upon
> >>>>>>>> SQL
> >>>>>>>> entry add:
> >>>>>>>>
> >>>>>>>> 2015-06-15 14:44:49,439 ERROR
> >>>>>>>> [org.ovirt.engine.core.bll.aaa.AddUserCommand]
> >>>>>>>> (ajp--127.0.0.1-8702-6)
> >>>>>>>> [3b15cbfe] Command
org.ovirt.engine.core.bll.aaa.AddUserCommand
> >>>>>>>> throw
> >>>>>>>> exception: org.springframework.da\
> >>>>>>>> o.DataIntegrityViolationException:
CallableStatementCallback; SQL
> >>>>>>>> [{call
> >>>>>>>> insertuser(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
?)}]; ERROR: null
> >>>>>>>> value in column "external_id" violates
not-null constraint
> >>>>>>>> Where: SQL statement "INSERT INTO
users(department, domain, email,
> >>>>>>>> groups, name, note, role, active, surname, user_id,
username,
> >>>>>>>> group_ids,
> >>>>>>>> external_id,namespace) VALUES( $1 , $2 , $3 , $4
, $5 , $\
> >>>>>>>> 6 , $7 , $8 , $9 , $10 , $11 , $12 , $13 ,
$14 )"
> >>>>>>>> PL/pgSQL function "insertuser" line 2 at
SQL statement; nested
> >>>>>>>> exception
> >>>>>>>> is org.postgresql.util.PSQLException: ERROR: null
value in column
> >>>>>>>> "external_id" violates not-null
constraint
> >>>>>>>> Where: SQL statement "INSERT INTO
users(department, domain, email,
> >>>>>>>> groups, name, note, role, active, surname, user_id,
username,
> >>>>>>>> group_ids,
> >>>>>>>> external_id,namespace) VALUES( $1 , $2 , $3 , $4
, $5 , $\
> >>>>>>>> 6 , $7 , $8 , $9 , $10 , $11 , $12 , $13 ,
$14 )"
> >>>>>>>>
> >>>>>>>> I can't figure out what maps from the LDAP user
to "external_id" for
> >>>>>>>> the
> >>>>>>>> SQL table entry.
> >>>>>>>>
> >>>>>>>> Here are the changes I made to profile1.properties:
> >>>>>>>>
> >>>>>>>> #Mapping changes
> >>>>>>>>
attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map =
> >>>>>>>> cn
> >>>>>>>>
attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = Email
> >>>>>>>>
attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = cn
> >>>>>>>>
> >>>>>>>> #LDAP value changes
> >>>>>>>> sequence.openldap-init-vars.030.var-set.value =
entryUUID, uid, cn,
> >>>>>>>> givenName, sn, Email
> >>>>>>>> sequence.openldap-init-vars.040.var-set.value =
> >>>>>>>> (objectClass=posixAccount)(uid=*)
> >>>>>>>> sequence.openldap-init-vars.050.var-set.value =
entryUUID, cn
> >>>>>>>> sequence.openldap-init-vars.060.var-set.value =
> >>>>>>>> (objectClass=posixGroup)
> >>>>>>>> sequence.openldap-init-vars.070.var-set.value =
memberUid
> >>>>>>>>
> >>>>>>>> Any help is appreciated!
> >>>>>>>> _______________________________________________
> >>>>>>>> Users mailing list
> >>>>>>>> Users(a)ovirt.org
> >>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>>>>>>
> >>
>
>
3448
days inactive
3448
days old
3 comments
2 participants
participants (2)
-
Alon Bar-Lev -
Zach La Celle