
There are two issues.

1. Trust store issue, which is common to both startTLS and SSL: the same trust store is being used and should work in both cases, unless for some reason your server presents a different certificate for each channel, which is a very odd configuration. Are you sure your pool.default.ssl.truststore.file is uncommented and references a valid trust store?

2. Incorrect ldap driver, which should probably be rfc2307-openldap.

----- Original Message -----
From: "Zach La Celle" <lacelle@roboticresearch.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>, users@ovirt.org
Sent: Monday, June 15, 2015 11:25:25 PM
Subject: Re: [ovirt-users] Adding users through LDAP fails on "external_id"
I have tried the following combinations of certificates added to the keystore:
* PositiveSSL CA bundle (SHA-1 and SHA256) -- This is the source of our SSL certificates
* All CA certificates from the LDAP machine
* All CA certificates from the LDAP machine plus the machine's own certificate
* The machine's own certificate only
None fix the issue. As I understand it, adding just the CA bundle from PositiveSSL should work. Or, adding the CA bundles offered by Ubuntu should also work.
Previously (when using port 636 and TLS/SSL), to fix SSLPeerUnverifiedException, I added all of the CA certificates from the LDAP machine, plus its own certificate (this last part fixed it).
In the meantime, to try and fix the original issue of "external_id", is there any way to disable certificate verification for STARTTLS?
On 06/15/2015 03:57 PM, Alon Bar-Lev wrote:
You should add *ONLY* the ca certificate top level to the keystore.
----- Original Message -----
From: "Zach La Celle" <lacelle@roboticresearch.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Sent: Monday, June 15, 2015 10:54:02 PM
Subject: Re: [ovirt-users] Adding users through LDAP fails on "external_id"
OK, started using the STARTTLS protocol. Tested working using ldapsearch, but now ovirt-engine's engine.log complains:
java.io.IOException: Unable to verify an attempt to to establish a secure connection to 'directory.roboticresearch.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Not sure what is wrong. We fixed this before by adding the ca-certificates from the LDAP server as well as the LDAP server certificate into the .jks keystore.
On 06/15/2015 03:21 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "Zach La Celle" <lacelle@roboticresearch.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Sent: Monday, June 15, 2015 10:14:34 PM
Subject: Re: [ovirt-users] Adding users through LDAP fails on "external_id"
> My mistake. We're using OpenLDAP 2.4.28-1.1ubuntu4.4 on Ubuntu 12.04.
>
> The full configuration files are as follows (I removed commented-out lines for brevity). Communications with the LDAP server seem to work correctly now.
>
> __profile1.properties__
>
> #
> # Select one
> #
> include = <openldap.properties>

reading below, you may want to try rfc2307-openldap as your schema seems to be rfc2307 compatible.

> <snip>
>
> pool.default.serverset.type = single
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.serverset.single.port = 636

why do you modify port? please use startTLS on default port.

> #pool.default.auth.simple.bindDN = ${global:vars.user}
> #pool.default.auth.simple.password = ${global:vars.password}

why did you comment this, do you allow anonymous access?

> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true

please uncomment this^

> pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
> pool.default.ssl.truststore.password = sdfnliwneponalsdinosaivnewal
>
> # TLS settings and authentication
> pool.default.ssl.enable = true

please do not use ssl unless startTLS is not supported, and it is in openldap.

> pool.default.ssl.startTLS = false

please set this to true.

> pool.default.ssl.host-name-verify.enable = true
> pool.default.ssl.host-name-verify.wildcards = false
> pool.default.ssl.insecure = false
> pool.default.ssl.protocol = TLSv1
> #pool.default.ssl.startTLSProtocol = TLSv1

these are the default, you do not need to add these.

> pool.default.auth.type = none

why have you set this explicitly?

> # Mapping
> attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map = cn
> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = Email
> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = cn

please remove mapping, it should work without.

> # Variables
> sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn, givenName, sn, Email
> sequence.openldap-init-vars.040.var-set.value = (objectClass=posixAccount)(uid=*)
> sequence.openldap-init-vars.050.var-set.value = entryUUID, cn
> sequence.openldap-init-vars.060.var-set.value = (objectClass=posixGroup)
> sequence.openldap-init-vars.070.var-set.value = memberUid

why have you added these? maybe you have rfc2307 compatible schema?
On 06/15/2015 03:07 PM, Alon Bar-Lev wrote:
This probably states that you do not use the correct driver.
You did not mention what LDAP server you use, and you pasted only a partial profile.
----- Original Message -----
> From: "Zach La Celle" <lacelle@roboticresearch.com>
> To: users@ovirt.org
> Sent: Monday, June 15, 2015 10:04:47 PM
> Subject: [ovirt-users] Adding users through LDAP fails on "external_id"
>
> Hello,
>
> We have a small oVirt cluster set up, and are trying to get it integrated with our LDAP server.
>
> I've changed some configuration values in order to try and make it function, and it seems to communicate correctly with the LDAP server. However, when trying to add the user, I get the following error upon SQL entry add:
>
> 2015-06-15 14:44:49,439 ERROR [org.ovirt.engine.core.bll.aaa.AddUserCommand] (ajp--127.0.0.1-8702-6) [3b15cbfe] Command org.ovirt.engine.core.bll.aaa.AddUserCommand throw exception: org.springframework.dao.DataIntegrityViolationException: CallableStatementCallback; SQL [{call insertuser(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)}]; ERROR: null value in column "external_id" violates not-null constraint
> Where: SQL statement "INSERT INTO users(department, domain, email, groups, name, note, role, active, surname, user_id, username, group_ids, external_id,namespace) VALUES( $1 , $2 , $3 , $4 , $5 , $6 , $7 , $8 , $9 , $10 , $11 , $12 , $13 , $14 )"
> PL/pgSQL function "insertuser" line 2 at SQL statement; nested exception is org.postgresql.util.PSQLException: ERROR: null value in column "external_id" violates not-null constraint
> Where: SQL statement "INSERT INTO users(department, domain, email, groups, name, note, role, active, surname, user_id, username, group_ids, external_id,namespace) VALUES( $1 , $2 , $3 , $4 , $5 , $6 , $7 , $8 , $9 , $10 , $11 , $12 , $13 , $14 )"
>
> I can't figure out what maps from the LDAP user to "external_id" for the SQL table entry.
>
> Here are the changes I made to profile1.properties:
>
> #Mapping changes
> attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map = cn
> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = Email
> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = cn
>
> #LDAP value changes
> sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn, givenName, sn, Email
> sequence.openldap-init-vars.040.var-set.value = (objectClass=posixAccount)(uid=*)
> sequence.openldap-init-vars.050.var-set.value = entryUUID, cn
> sequence.openldap-init-vars.060.var-set.value = (objectClass=posixGroup)
> sequence.openldap-init-vars.070.var-set.value = memberUid
>
> Any help is appreciated!
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
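The thread above ends without a consolidated profile, so here is an added example (not a file from the thread, and not the oVirt project's own shipped profile) of what profile1.properties looks like once the points raised in the replies are applied: the rfc2307-openldap driver, STARTTLS on the default port instead of ldaps on 636, a real bind identity rather than anonymous access, certificate verification left enabled, and no attrmap or init-vars overrides. The host name directory.example.com, the bind DN, the vars.* names and both CHANGE_ME values are assumptions for illustration; the key names are the ones that appear in the thread.

```properties
# Added example profile (assumptions: rfc2307-openldap.properties is the
# profile shipped with the oVirt AAA LDAP extension; the directory is
# reachable as directory.example.com; the trust store holds ONLY the
# top-level CA certificate, as advised in the thread).
include = <rfc2307-openldap.properties>

vars.server = directory.example.com
vars.user = cn=search,dc=example,dc=com
vars.password = CHANGE_ME

pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
# No pool.default.serverset.single.port line: stay on the default port
# and upgrade the connection with STARTTLS instead of switching to 636.

# Keep a bind identity; do not comment these out unless anonymous
# access is really what you want.
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# STARTTLS rather than pool.default.ssl.enable = true (plain ldaps).
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
pool.default.ssl.truststore.password = CHANGE_ME

# Not repeated because they are already the defaults:
#   pool.default.ssl.host-name-verify.enable = true
#   pool.default.ssl.insecure = false
# Leaving them at the defaults keeps peer verification on; the
# SSLPeerUnverifiedException in the thread is fixed by getting the
# trust store right, not by relaxing these.

# No attrmap.* and no sequence.openldap-init-vars.* entries: the
# rfc2307-openldap profile already defines the attribute mapping and
# the user/group search filters for a posixAccount/posixGroup schema.
```

Two practical checks follow from the thread: first, confirm that pool.default.ssl.truststore.file resolves to an existing .jks that contains only the CA at the top of the server's chain (the replies say the same trust store is used for both STARTTLS and ldaps, so a store that worked on 636 should work on 389 unless the server presents a different chain on each); second, if "external_id" is still NULL after switching to the rfc2307-openldap include, the problem is the driver/schema match, not TLS, so do not reach for insecure settings to get past it.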