
Hi,

I've been pulling my hair out over this one. Here's the output of ovirt-engine-extension-aaa-ldap-setup. Everything works fine if I use "plain" but I don't really want to do that. I searched the error that's shown below and tried several different "fixes" but none of them helped. These are Server 2016 DCs. Not too sure where to go next.

[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
          Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log
          Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Available LDAP implementations:
           1 - 389ds
           2 - 389ds RFC-2307 Schema
           3 - Active Directory
           4 - IBM Security Directory Server
           5 - IBM Security Directory Server RFC-2307 Schema
           6 - IPA
           7 - Novell eDirectory RFC-2307 Schema
           8 - OpenLDAP RFC-2307 Schema
           9 - OpenLDAP Standard Schema
          10 - Oracle Unified Directory RFC-2307 Schema
          11 - RFC-2307 Schema (Generic)
          12 - RHDS
          13 - RHDS RFC-2307 Schema
          14 - iPlanet
          Please select: 3
          Please enter Active Directory Forest name: home.doonga.org
[ INFO  ] Resolving Global Catalog SRV record for home.doonga.org
[ INFO  ] Resolving LDAP SRV record for home.doonga.org
          NOTE:
          It is highly recommended to use secure protocol to access the LDAP server.
          Protocol startTLS is the standard recommended method to do so.
          Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
          Use plain for test environments only.
          Please select protocol to use (startTLS, ldaps, plain) [startTLS]: ldaps
          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): System
[ INFO  ] Resolving SRV record 'home.doonga.org'
[ INFO  ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ INFO  ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ INFO  ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ ERROR ] Cannot connect using any of available options

Also:

2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC2.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:463 Cannot connect using 'ldap://DC2.home.doonga.org:389': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC3.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}

Any help would be appreciated!

Thanks
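The error string in the post is NSS's SEC_ERROR_EXTENSION_NOT_FOUND (-8157), raised while the client validates the certificate the DC presents. A first diagnostic step before switching the CA source is to list which X.509 extensions that certificate actually carries, since host-name matching relies on subjectAltName and server use on extendedKeyUsage. The following is an added example, not code from the post, from oVirt or from otopi: a standard-library-only DER walker that reports whether those two extensions are present. The certificate it inspects is constructed in-line with empty names, no key and a dummy signature, and the host name dc1.example.test is made up.

```python
# Added example, not from the post or oVirt. The sample certificate below is
# constructed; dc1.example.test is a made-up host name.

# OIDs of the X.509 extensions a TLS client consults when validating a
# server certificate (RFC 5280, RFC 6125).
SAN = "2.5.29.17"      # subjectAltName: DC host name must appear as a dNSName
EKU = "2.5.29.37"      # extendedKeyUsage: must list id-kp-serverAuth
BASIC = "2.5.29.19"    # basicConstraints
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
WANTED = {SAN: "subjectAltName", EKU: "extendedKeyUsage"}

# ---- DER encoding helpers, used only to construct the sample certificate ----
def der_len(n):
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_sample_cert(with_san=True):
    """Constructed Certificate DER: real layout, empty names/key, dummy signature."""
    def ext(dotted, value):
        return tlv(0x30, oid(dotted) + tlv(0x04, value))
    exts = [ext(BASIC, tlv(0x30, b"")), ext(EKU, tlv(0x30, oid(SERVER_AUTH)))]
    if with_san:  # dNSName is context tag [2] inside GeneralNames
        exts.append(ext(SAN, tlv(0x30, tlv(0x82, b"dc1.example.test"))))
    sig_alg = tlv(0x30, oid("1.2.840.113549.1.1.11"))  # sha256WithRSAEncryption
    empty = tlv(0x30, b"")                             # stands in for Name / SPKI
    validity = tlv(0x30, tlv(0x17, b"170715000000Z") * 2)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))      # [0] version v3
                    + tlv(0x02, b"\x01")               # serialNumber
                    + sig_alg + empty + validity + empty + empty
                    + tlv(0xA3, tlv(0x30, b"".join(exts))))  # [3] extensions
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 5))

# ---- DER walking: the part you would point at a real DC certificate ----
def parse_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV beginning at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield each TLV inside buf[start:end] in order."""
    pos = start
    while pos < end:
        item = parse_tlv(buf, pos)
        yield item
        pos = item[2]

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def extension_oids(cert_der):
    """Dotted OIDs of every extension in the certificate, in order."""
    _, cert_s, _ = parse_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, tbs_s, tbs_e = parse_tlv(cert_der, cert_s)  # tbsCertificate
    for tag, vs, _ in children(cert_der, tbs_s, tbs_e):
        if tag == 0xA3:                            # [3] EXPLICIT Extensions
            _, exts_s, exts_e = parse_tlv(cert_der, vs)
            found = []
            for _, es, _ in children(cert_der, exts_s, exts_e):
                _, os_, oe = parse_tlv(cert_der, es)  # extnID is the first field
                found.append(decode_oid(cert_der[os_:oe]))
            return found
    return []                                      # v1 certificate: no extensions

def check_extensions(cert_der):
    """Map each extension a TLS client relies on to whether the cert carries it."""
    present = set(extension_oids(cert_der))
    return {name: dotted in present for dotted, name in WANTED.items()}

if __name__ == "__main__":
    for label, flag in (("with SAN", True), ("without SAN", False)):
        print(label, check_extensions(build_sample_cert(flag)))
```

Against a real DC, feed `check_extensions` the DER obtained with `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 636)))` from the standard library instead of `build_sample_cert`. Whichever extension NSS reports missing, the chain also has to validate against what the chosen CA source provides: with "System" that is the engine host's trust store, so the CA that issued the DC certificates has to be present there.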