Hello,
I'm bringing up a new 4.2 cluster and would like to use LDAP auth. Our LDAP servers
are fine and function normally for a number of other services, but I can't get this
working.
Our LDAP setup requires startTLS and a login. That last bit seems to be where the trouble
is. After ovirt-engine-extension-aaa-ldap-setup asks for the cert and I pass it the path
to the same cert used via nslcd/PAM for logging in to the host, it replies:
[ INFO ] Connecting to LDAP using 'ldap://x.squaretrade.com:389'
[ INFO ] Executing startTLS
[WARNING] Cannot connect using 'ldap://x.squaretrade.com:389': {'info': 'authentication required', 'desc': 'Server is unwilling to perform'}
[ ERROR ] Cannot connect using any of available options
"Unwilling to perform" makes me think -aaa-ldap-setup is trying something the
backend doesn't support, but I'm having trouble guessing what that could be since
the tool hasn't gathered sufficient information to connect yet - it asks for a DN/pass
later in the script. And the log isn't much more forthcoming.
I double-checked the cert with openssl; it is a valid, PEM-encoded cert.
Before I head into the code, has anyone seen this?
Thanks,
-j
- - - - snip - - - -
Relevant log details:
2018-02-08 15:15:08,625-0800 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._getURLs:281 URLs: ['ldap://x.squaretrade.com:389']
2018-02-08 15:15:08,626-0800 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://x.squaretrade.com:389'
2018-02-08 15:15:08,627-0800 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2018-02-08 15:15:08,640-0800 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:445 Perform search
2018-02-08 15:15:08,641-0800 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 451, in _connectLDAP
    timeout=60,
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 555, in search_st
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 546, in search_ext_s
    return self.result(msgid,all=1,timeout=timeout)[1]
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 458, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 462, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 469, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
UNWILLING_TO_PERFORM: {'info': 'authentication required', 'desc': 'Server is unwilling to perform'}
2018-02-08 15:15:08,642-0800 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:463 Cannot connect using 'ldap://x.squaretrade.com:389': {'info': 'authentication required', 'desc': 'Server is unwilling to perform'}
2018-02-08 15:15:08,643-0800 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:787 Cannot connect using any of available options
2018-02-08 15:15:08,644-0800 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:788 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 782, in _customization_late
    insecure=insecure,
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 468, in _connectLDAP
    _('Cannot connect using any of available options')
SoftRuntimeError: Cannot connect using any of available options
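The traceback above shows the order of operations inside the setup tool: initialize the ldap:// URL, start_tls_s, then search_st(timeout=60) with no bind in between, and it is that pre-bind search the server answers with "unwilling to perform / authentication required". The script below is an added example (not code from the original post or from the oVirt project) that replays exactly that sequence with python-ldap outside the tool, then repeats the same search after a simple bind, so the two cases can be told apart: a server that refuses unauthenticated searches but serves them once bound, versus a certificate or StartTLS problem. The hostname, CA file, bind DN and password are placeholders passed on the command line; python-ldap is only imported when a real connection is opened, and the diagnosis functions accept any object with the same search_st/simple_bind_s methods.

```python
"""Replay the setup tool's connect -> StartTLS -> search sequence, then retry after a bind.

Added example; not the oVirt tool's own code.  Assumes python-ldap is installed
for a real run; URL, CA path, bind DN and password are placeholders.
"""

SCOPE_BASE = 0  # same value as ldap.SCOPE_BASE; literal so no import is needed here


def connect(url, cacert=None):
    """Open the connection the way the setup tool does: plain ldap:// URL,
    CA certificate configured for the handshake, then StartTLS."""
    import ldap  # python-ldap, the library the traceback shows the tool using
    conn = ldap.initialize(url)
    conn.protocol_version = ldap.VERSION3
    if cacert:
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # make the CA setting take effect
    conn.start_tls_s()  # raises if the handshake or certificate check fails
    return conn


def _error_fields(exc):
    """python-ldap errors carry args[0] = {'desc': <result code text>,
    'info': <server diagnostic message>}; normalise that into two strings."""
    payload = exc.args[0] if exc.args else {}
    if not isinstance(payload, dict):
        return {"desc": str(exc), "info": ""}
    return {"desc": payload.get("desc", ""), "info": payload.get("info", "")}


def probe_search(conn):
    """Base-scope search of the root DSE, the kind of probe that runs before any bind.
    Returns {'result': 'ok', 'entries': n} or {'result': 'error', 'desc': ..., 'info': ...}."""
    try:
        entries = conn.search_st("", SCOPE_BASE, "(objectClass=*)",
                                 ["supportedLDAPVersion"], timeout=60)
        return {"result": "ok", "entries": len(entries)}
    except Exception as exc:  # ldap.LDAPError subclasses, or a test double's stand-in
        fields = _error_fields(exc)
        fields["result"] = "error"
        return fields


def diagnose(conn, bind_dn=None, bind_pw=None):
    """Anonymous search first (what the setup tool does); then, if a DN was given,
    simple bind and the same search again.  Returns both outcomes and a verdict."""
    anon = probe_search(conn)
    report = {"anonymous": anon, "bound": None, "verdict": ""}
    if anon["result"] == "ok":
        report["verdict"] = "anonymous search allowed; the tool's probe should not fail here"
        return report
    if not bind_dn:
        report["verdict"] = "anonymous search refused (%s: %s); rerun with a bind DN" % (
            anon["desc"], anon["info"])
        return report
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
    except Exception as exc:
        fields = _error_fields(exc)
        report["bound"] = dict(fields, result="bind-error")
        report["verdict"] = "bind as %s failed (%s: %s)" % (bind_dn, fields["desc"], fields["info"])
        return report
    bound = probe_search(conn)
    report["bound"] = bound
    if bound["result"] == "ok":
        report["verdict"] = ("StartTLS and the bind work; only the unauthenticated search is "
                             "refused, so the pre-bind probe is what fails, not the certificate")
    else:
        report["verdict"] = "search still fails after bind (%s: %s)" % (bound["desc"], bound["info"])
    return report


if __name__ == "__main__":
    import getpass
    import sys
    # usage: python probe.py ldap://host:389 /path/to/ca.pem [bind-dn]   (placeholders)
    url, cacert = sys.argv[1], sys.argv[2]
    dn = sys.argv[3] if len(sys.argv) > 3 else None
    pw = getpass.getpass("bind password: ") if dn else None
    result = diagnose(connect(url, cacert), dn, pw)
    for key in ("anonymous", "bound", "verdict"):
        print("%-10s %s" % (key, result[key]))
```

If connect() itself raises, the problem is in the TLS handshake or the CA file rather than in the server's bind policy. The same two probes can be run with the OpenLDAP client instead: `LDAPTLS_CACERT=/path/to/ca.pem ldapsearch -x -ZZ -H ldap://host:389 -s base -b '' supportedLDAPVersion` for the anonymous case, and the same command with `-D 'bind-dn' -W` for the bound case; ldapsearch exits with the LDAP result code, so 53 is unwillingToPerform.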