
Sorry to reply to myself, but I figured it out. Putting this here for documentation in case anyone ever runs into this as it was absolutely horrible to troubleshoot.

I had this set: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1 (I think that's by default). That caused the CA to issue certs with RSASSA-PSS (1.2.840.113549.1.1.10) algorithm on them instead of sha256RSA. So I changed that registry value to a 0 as well as my CAPolicy.inf file and reissued my Root and Sub CA certs. Then refreshed the DC certs, loaded the new Root/Sub CAs in CentOS and it started working.

I actually figured it out from a bug report for Firefox here: https://support.mozilla.org/en-US/questions/986085

Either way it's working now. That drove me nuts for 2+ days.

Thank you anyway for your assistance!

________________________________
From: users-bounces@ovirt.org <users-bounces@ovirt.org> on behalf of Todd Punderson <todd@doonga.org>
Sent: Monday, July 17, 2017 9:05:12 AM
To: Ondra Machacek
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Active Directory authentication setup

Hi,

Agreed on the certificate issue, I fought with it all weekend!
Here's the output of those commands:

ldap_url_parse_ext(ldaps://DC3.home.doonga.org)
ldap_create
ldap_url_parse_ext(ldaps://DC3.home.doonga.org:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP DC3.home.doonga.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.16.10.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [(null)] is not valid - error -8182:Peer's certificate has an invalid signature..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8174
TLS: can't connect: TLS error -8174:security library: bad database..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I tried digging into this one. I'm very sure the peer doesn't have an invalid signature, I tested the certificate chain with openssl successfully, I'm guessing that error is related to the "bad database". I couldn't quite figure out that part of the error though.

I have an offline root and online issuing CA, here's those certs. I loaded both of these to the system CA trust.

[root@ovirt-engine ~]# openssl x509 -in /root/root.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1a:01:7c:fc:bf:77:9c:95:4e:13:7d:bf:36:a8:be:5b
    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
         Salt Length: 20
         Trailer Field: 0xbc (default)
        Issuer: CN=Doonga.Org Root CA
        Validity
            Not Before: Jul 13 01:15:39 2017 GMT
            Not After : Jul 13 01:25:39 2037 GMT
        Subject: CN=Doonga.Org Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07
            1.3.6.1.4.1.311.21.1:
                ...
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.37476.9000.53
                  User Notice:
                    Explicit Text:
                  CPS: http://www.doonga.org/pki/cps.txt

    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
         Salt Length: 20
         Trailer Field: 0xbc (default)

[root@ovirt-engine ~]# openssl x509 -in /root/sub.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:00:00:00:02:2e:ac:e2:5e:b2:d5:fc:11:00:00:00:00:00:02
    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
         Salt Length: 20
         Trailer Field: 0xbc (default)
        Issuer: CN=Doonga.Org Root CA
        Validity
            Not Before: Jul 13 02:07:35 2017 GMT
            Not After : Jul 13 02:17:35 2027 GMT
        Subject: DC=org, DC=doonga, DC=home, CN=Doonga.Org Issuing CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.1:
                ...
            X509v3 Subject Key Identifier:
                21:BB:5D:9C:46:0C:B8:DE:5B:2C:B5:3D:5D:CF:D7:F2:07:2C:48:FD
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.37476.9000.53
                  User Notice:
                    Explicit Text:
                  CPS: http://www.doonga.org/pki/cps.txt

            1.3.6.1.4.1.311.20.2:
                .
.S.u.b.C.A
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://www.doonga.org/pki/Doonga.Org%20Root%20CA.crl

            Authority Information Access:
                CA Issuers - URI:http://www.doonga.org/pki/CAROOT_Doonga.Org%20Root%20CA.crt

    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
         Salt Length: 20
         Trailer Field: 0xbc (default)

I'm definitely sure that I have the correct CA certs loaded. I tried removing them and I got an invalid CA error. When they are in place I get the error I'm asking about. So I'm sure it's reading the CA certificates properly.

Thanks very much for your help!

Todd

________________________________
From: Ondra Machacek <omachace@redhat.com>
Sent: Monday, July 17, 2017 3:34:49 AM
To: Todd Punderson
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Active Directory authentication setup

This is most probably a certificate issue.

Can you please share the output of the following command:

$ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b ''

And also the output of the following command:

$ openssl x509 -in /path/to/your/active_diretory_ca.pem -text -noout

Are you sure you added a proper CA cert to your system?

On Sun, Jul 16, 2017 at 1:04 AM, Todd Punderson <todd@doonga.org> wrote:
Hi,
I’ve been pulling my hair out over this one. Here’s the output of ovirt-engine-extension-aaa-ldap-setup. Everything works fine if I use “plain” but I don’t really want to do that. I searched the error that’s shown below and tried several different “fixes” but none of them helped. These are Server 2016 DCs. Not too sure where to go next.
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log
Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment customization
Welcome to LDAP extension configuration program
Available LDAP implementations:
1 - 389ds
2 - 389ds RFC-2307 Schema
3 - Active Directory
4 - IBM Security Directory Server
5 - IBM Security Directory Server RFC-2307 Schema
6 - IPA
7 - Novell eDirectory RFC-2307 Schema
8 - OpenLDAP RFC-2307 Schema
9 - OpenLDAP Standard Schema
10 - Oracle Unified Directory RFC-2307 Schema
11 - RFC-2307 Schema (Generic)
12 - RHDS
13 - RHDS RFC-2307 Schema
14 - iPlanet
Please select: 3
Please enter Active Directory Forest name: home.doonga.org
[ INFO ] Resolving Global Catalog SRV record for home.doonga.org
[ INFO ] Resolving LDAP SRV record for home.doonga.org
NOTE:
It is highly recommended to use secure protocol to access the LDAP server.
Protocol startTLS is the standard recommended method to do so.
Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
Use plain for test environments only.
Please select protocol to use (startTLS, ldaps, plain) [startTLS]: ldaps
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): System
[ INFO ] Resolving SRV record 'home.doonga.org'
[ INFO ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ INFO ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ INFO ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ ERROR ] Cannot connect using any of available options
Also:
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC2.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:463 Cannot connect using 'ldap://DC2.home.doonga.org:389': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC3.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
Any help would be appreciated!
Thanks
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
<span style=3D"font-size: 11pt; font-family: Calibri, Arial, Helvetica, sa= ns-serif;">Either way it's working now. That drove me nuts for 2+ days.= </span></font></p> <p><font color=3D"#484848" face=3D"Open Sans, Arial, Helvetica, sans-serif"= <span style=3D"font-size: 14px;"><br> </span></font></p> <p><font color=3D"#484848" face=3D"Open Sans, Arial, Helvetica, sans-serif"= <span style=3D"font-size: 11pt; font-family: Calibri, Arial, Helvetica, sa= ns-serif;">Thank you anyway for your assistance!</span></font></p> </div> <hr style=3D"display:inline-block;width:98%" tabindex=3D"-1"> <div id=3D"divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" st= yle=3D"font-size:11pt" color=3D"#000000"><b>From:</b> users-bounces@ovirt.o= rg <users-bounces@ovirt.org> on behalf of Todd Punderson <todd@doo= nga.org><br> <b>Sent:</b> Monday, July 17, 2017 9:05:12 AM<br> <b>To:</b> Ondra Machacek<br> <b>Cc:</b> users@ovirt.org<br> <b>Subject:</b> Re: [ovirt-users] Active Directory authentication setup</fo= nt> <div> </div> </div> <div> <meta content=3D"text/html; charset=3DUTF-8"> <style type=3D"text/css" style=3D""> <!--
--_000_6b7a2162f38f487282f45d66bb344368doongaorg_ Content-Type: text/html; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable <html> <head> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DWindows-1= 252"> <meta name=3D"Generator" content=3D"Microsoft Exchange Server"> <!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; pad= ding-left: 4pt; border-left: #800000 2px solid; } --></style> </head> <body> <style type=3D"text/css" style=3D"display:none;"><!-- P {margin-top:0;margi= n-bottom:0;} --></style> <div id=3D"divtagdefaultwrapper" style=3D"font-size:12pt;color:#000000;font= -family:Calibri,Arial,Helvetica,sans-serif;" dir=3D"ltr"> <p><span style=3D"font-family: Calibri, Arial, Helvetica, sans-serif; font-= size: 11pt;">Sorry to reply to myself, but I figured it out. Putting = this here for documentation in case anyone ever runs into this as it was ab= solutely horrible to troubleshoot.</span></p> <p><br> </p> <p><span style=3D"font-family: Calibri, Arial, Helvetica, sans-serif; font-= size: 11pt;">I had this set: </span><span style=3D"color: rgb(72, 72, = 72); font-family: "Open Sans", Arial, Helvetica, sans-serif; font= -size: 14px;"><span style=3D"font-family: Calibri, Arial, Helvetica, sans-s= erif; font-size: 11pt;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\service= s\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm =3D 1 (I think that's by default) That caused the CA to issue certs with&n= bsp;</span><span style=3D"color: rgb(72, 72, 72); font-family: Calibri, Ari= al, Helvetica, sans-serif; font-size: 11pt;">RSASSA-PSS (1.2.840.113549.1.1= .10) algorithm on them instead <span style=3D"font-size: 11pt; font-family: Calibri, Arial, Helvetica, san= s-serif;"> of </span><span style=3D"color: rgb(72, 72, 72); font-family: Calibri,= Arial, Helvetica, sans-serif; font-size: 11pt;">sha256RSA</span><span styl= e=3D"font-size: 11pt; font-family: Calibri, Arial, Helvetica, sans-serif;">= .</span> So 
I changed that registry value to a 0 as well as my CAPolicy.inf file and reissued my Root and Sub C= A certs. Then refreshed the DC certs, loaded the new Root/Sub CAs in CentOS= and it started working.</span></span></p> <p><span style=3D"color: rgb(72, 72, 72); font-family: "Open Sans"= ;, Arial, Helvetica, sans-serif; font-size: 14px;"><span style=3D"color: rg= b(72, 72, 72); font-family: "Open Sans", Arial, Helvetica, sans-s= erif; font-size: 14px;"><br> </span></span></p> <p><span style=3D"color: rgb(72, 72, 72); font-family: "Open Sans"= ;, Arial, Helvetica, sans-serif; font-size: 14px;"><span style=3D"color: rg= b(72, 72, 72); font-family: "Open Sans", Arial, Helvetica, sans-s= erif; font-size: 14px;"><span style=3D"font-family: Calibri, Arial, Helveti= ca, sans-serif; font-size: 11pt;">I actually figured it out from a bug report for Firefox here: </span><a= href=3D"https://support.mozilla.org/en-US/questions/986085" class=3D"OWAAu= toLink" id=3D"LPlnk343687" previewremoved=3D"true"><span style=3D"font-fami= ly: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt;">https://suppor= t.mozilla.org/en-US/questions/986085</span></a></span></span></p> <p><span style=3D"color: rgb(72, 72, 72); font-family: "Open Sans"= ;, Arial, Helvetica, sans-serif; font-size: 14px;"><br> </span></p> <p><font color=3D"#484848" face=3D"Open Sans, Arial, Helvetica, sans-serif"= p {margin-top:0; margin-bottom:0} --> </style> <div dir=3D"ltr"> <div id=3D"x_divtagdefaultwrapper" dir=3D"ltr" style=3D"font-size:12pt; col= or:#000000; font-family:Calibri,Arial,Helvetica,sans-serif"> <p>Hi,</p> <p> Agreed on the certificate issue, I fought with it al= l weekend! 
Here's the output of those commands:</p> <p><br> </p> <p></p> <div>ldap_url_parse_ext(ldaps://DC3.home.doonga.org)</div> <div>ldap_create</div> <div>ldap_url_parse_ext(ldaps://DC3.home.doonga.org:636/??base)</div> <div>ldap_sasl_bind</div> <div>ldap_send_initial_request</div> <div>ldap_new_connection 1 1 0</div> <div>ldap_int_open_connection</div> <div>ldap_connect_to_host: TCP DC3.home.doonga.org:636</div> <div>ldap_new_socket: 3</div> <div>ldap_prepare_socket: 3</div> <div>ldap_connect_to_host: Trying 172.16.10.4:636</div> <div>ldap_pvt_connect: fd: 3 tm: -1 async: 0</div> <div>attempting to connect:</div> <div>connect success</div> <div>TLS: certdb config: configDir=3D'/etc/openldap/certs' tokenDescription= =3D'ldap(0)' certPrefix=3D'' keyPrefix=3D'' flags=3DreadOnly</div> <div>TLS: using moznss security dir /etc/openldap/certs prefix .</div> <div>TLS: certificate [(null)] is not valid - error -8182:Peer's certificat= e has an invalid signature..</div> <div>TLS: error: connect - force handshake failure: errno 21 - moznss error= -8174</div> <div>TLS: can't connect: TLS error -8174:security library: bad database..</= div> <div>ldap_err2string</div> <div>ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)</div> <div><br> </div> I tried digging into this one. I'm very sure the peer doesn't have an inval= id signature, I tested the certificate chain with openssl successfully, I'm= guessing that error is related to the "bad database". I couldn't= quite figure out that part of the error though. <p></p> <p><br> </p> <p>I have an offline root and online issuing CA, here's those certs. 
I load= ed both of these to the system CA trust.</p> <p><br> </p> <p></p> <div>[root@ovirt-engine ~]# openssl x509 -in /root/root.pem -text -no= out</div> <div>Certificate:</div> <div> Data:</div> <div> Version: 3 (0x2)</div> <div> Serial Number:</div> <div> 1a:01:7c:fc:bf:77:9c:95:4e:1= 3:7d:bf:36:a8:be:5b</div> <div> Signature Algorithm: rsassaPss</div> <div> Hash Algorithm: sha256</div> <div> Mask Algorithm: mgf1 with sha256</di= v> <div> Salt Length: 20</div> <div> Trailer Field: 0xbc (default)</div> <div> Issuer: CN=3DDoonga.Org Root CA</div> <div> Validity</div> <div> Not Before: Jul 13 01:15:39 = 2017 GMT</div> <div> Not After : Jul 13 01:25:39 = 2037 GMT</div> <div> Subject: CN=3DDoonga.Org Root CA</div> <div> Subject Public Key Info:</div> <div> Public Key Algorithm: rsaEnc= ryption</div> <div> Public-Key: (2= 048 bit)</div> <div> Modulus:</div> <div> = 00:ac:ad:1e:3a:9c:08:76:7f:eb:83:ea:d9:f6:4b:</div> <div> = d3:4b:88:45:bb:50:b1:3b:a6:b9:a0:22:d4:94:a5:</div> <div> = b4:6a:32:39:cd:3b:5e:83:c1:1e:de:cb:0e:da:73:</div> <div> = e2:3a:df:f0:97:a2:72:b1:35:cf:bd:a3:a7:e5:dc:</div> <div> = 67:ac:38:82:e8:a2:31:21:ab:cf:19:6d:a5:7d:44:</div> <div> = 5e:f3:dd:76:d1:02:8b:cf:3b:25:ce:c0:7a:4b:0d:</div> <div> = ae:bb:d5:02:06:8b:0b:33:75:5a:81:1b:c1:53:52:</div> <div> = 45:44:65:49:35:08:d7:0c:35:15:bf:6b:1e:82:49:</div> <div> = d2:de:ce:4b:0b:1b:6c:02:97:af:86:0c:ce:78:6f:</div> <div> = 4f:dd:fe:9e:13:e7:43:94:53:df:76:91:8a:df:88:</div> <div> = 4c:0b:0e:a6:6b:ef:7a:2f:ff:cc:ad:a5:36:fd:8f:</div> <div> = ad:44:e5:93:b3:4b:cb:43:c9:28:9d:21:86:7c:c5:</div> <div> = 72:91:0b:a8:d5:36:f2:14:bf:df:58:27:a9:4b:04:</div> <div> = de:f1:89:aa:c0:27:ba:81:c9:0c:08:f7:08:f9:f3:</div> <div> = 05:d1:d7:26:45:80:9c:d6:da:98:0c:d9:b8:44:e2:</div> <div> = aa:4f:32:2d:7b:5f:1a:14:ac:34:52:76:20:2d:cb:</div> <div> = 6d:8e:d5:87:80:b2:d4:2f:0f:77:13:51:92:bb:f3:</div> <div> = 07:75</div> <div> Exponent: 6553= 7 (0x10001)</div> <div> X509v3 extensions:</div> <div> X509v3 Key 
Usage:</div> <div> Digital Signat= ure, Certificate Sign, CRL Sign</div> <div> X509v3 Basic Constraints: cr= itical</div> <div> CA:TRUE</div> <div> X509v3 Subject Key Identifie= r:</div> <div> 72:21:77:3F:D7= :2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07</div> <div> 1.3.6.1.4.1.311.21.1:</div> <div> ...</div> <div> X509v3 Certificate Policies:= </div> <div> Policy: 1.3.6.= 1.4.1.37476.9000.53</div> <div> User No= tice:</div> <div> = Explicit Text:</div> <div> CPS: ht= tp://www.doonga.org/pki/cps.txt</div> <div><br> </div> <div> Signature Algorithm: rsassaPss</div> <div> Hash Algorithm: sha256</div> <div> Mask Algorithm: mgf1 with sha256</di= v> <div> Salt Length: 20</div> <div> Trailer Field: 0xbc (default)</div> <div><br> </div> <div> 56:06:7e:bb:f4:c1:29:a1:05:27:8b:66:= e0:23:17:56:ac:de:</div> <div> 4c:65:0d:1e:97:d4:c6:71:75:a8:79:80:= dd:b7:b7:08:b2:12:</div> <div> af:d7:cb:c9:99:80:7b:47:02:9e:6c:fc:= 83:5e:ae:4d:46:ce:</div> <div> 3b:3c:f4:fe:e6:4c:66:d7:6d:2e:de:6a:= 31:0f:fb:ef:2b:d4:</div> <div> 5a:3c:3c:a9:1e:c1:39:a4:0f:3d:9b:23:= 5c:94:16:9a:6f:9b:</div> <div> e0:01:33:49:f8:d3:f1:b5:9c:33:f4:23:= ca:88:94:5d:bd:65:</div> <div> 94:55:ad:90:72:57:78:8e:88:bc:40:81:= ff:68:d3:5f:63:48:</div> <div> ae:d9:96:b4:44:b0:ed:51:e2:01:36:ad:= 97:2c:64:a0:17:5e:</div> <div> c5:47:e1:2f:60:f5:5a:fd:09:21:08:be:= 1d:6b:5a:71:d4:25:</div> <div> ea:e1:2b:1a:95:2e:aa:03:a8:91:7f:cf:= 11:6d:3b:d7:ff:4b:</div> <div> 87:68:14:93:81:bc:64:20:14:3e:f7:99:= c5:5d:fc:b9:3a:b4:</div> <div> e9:78:2a:1c:35:22:86:5c:13:c6:1a:75:= c2:41:54:45:7d:31:</div> <div> 4f:f5:a2:0f:c6:de:8f:bf:a6:ea:b9:a0:= f6:b2:1c:bf:2f:84:</div> <div> ee:69:76:cd:b7:34:2c:dd:f9:2d:02:62:= 4a:0f:8b:1e:42:11:</div> <div> f8:98:ae:07</div> <div><br> </div> <div>[root@ovirt-engine ~]# openssl x509 -in /root/sub.pem -text -noo= ut</div> <div>Certificate:</div> <div> Data:</div> <div> Version: 3 (0x2)</div> <div> Serial Number:</div> <div> 50:00:00:00:02:2e:ac:e2:5e:b= 2:d5:fc:11:00:00:00:00:00:02</div> 
<div> Signature Algorithm: rsassaPss</div> <div> Hash Algorithm: sha256</div> <div> Mask Algorithm: mgf1 with sha256</di= v> <div> Salt Length: 20</div> <div> Trailer Field: 0xbc (default)</div> <div> Issuer: CN=3DDoonga.Org Root CA</div> <div> Validity</div> <div> Not Before: Jul 13 02:07:35 = 2017 GMT</div> <div> Not After : Jul 13 02:17:35 = 2027 GMT</div> <div> Subject: DC=3Dorg, DC=3Ddoonga, DC=3Dhome,= CN=3DDoonga.Org Issuing CA</div> <div> Subject Public Key Info:</div> <div> Public Key Algorithm: rsaEnc= ryption</div> <div> Public-Key: (2= 048 bit)</div> <div> Modulus:</div> <div> = 00:f3:1d:d4:7b:c4:49:0a:d0:8a:9d:91:52:ca:e1:</div> <div> = 3f:f6:f6:6b:33:6e:f2:47:0b:62:fc:a4:21:48:88:</div> <div> = 0a:50:a4:10:83:59:ab:73:e9:46:08:45:39:52:67:</div> <div> = d3:a2:e5:33:ef:33:3f:2a:c0:b5:f5:9c:58:26:6a:</div> <div> = 54:00:73:66:96:f6:e0:e6:db:49:58:aa:3b:43:06:</div> <div> = da:d0:25:cf:cf:5b:7b:d8:93:69:12:ee:c9:c0:d1:</div> <div> = e0:28:c8:3e:77:b1:67:8f:e0:37:5b:26:9b:2e:df:</div> <div> = b0:9f:0b:6c:aa:e5:5b:31:de:65:cc:f3:ab:d1:5b:</div> <div> = db:8d:3e:57:bf:db:7e:bb:d2:f1:83:e3:88:21:92:</div> <div> = 0c:22:c5:ce:a9:bc:da:99:df:f1:83:01:35:a7:52:</div> <div> = e9:81:01:ab:e0:ca:7a:78:b3:98:4c:1a:2c:a3:5d:</div> <div> = 75:a5:b1:be:dc:cb:cd:1d:32:e5:36:37:3b:f1:64:</div> <div> = 8b:f9:b2:25:f6:ad:ee:74:ab:ac:66:cd:07:67:80:</div> <div> = 14:78:54:e6:a9:74:58:d1:9f:1d:2f:57:d5:ef:80:</div> <div> = 73:25:de:aa:be:46:0f:70:ca:20:42:ba:73:a1:12:</div> <div> = 70:eb:78:7d:95:9b:77:5b:b8:70:f2:a2:b9:d5:b6:</div> <div> = 63:f0:b5:51:32:24:f4:c5:f8:6a:d3:28:bd:8e:79:</div> <div> = fc:89</div> <div> Exponent: 6553= 7 (0x10001)</div> <div> X509v3 extensions:</div> <div> 1.3.6.1.4.1.311.21.1:</div> <div> ...</div> <div> X509v3 Subject Key Identifie= r:</div> <div> 21:BB:5D:9C:46= :0C:B8:DE:5B:2C:B5:3D:5D:CF:D7:F2:07:2C:48:FD</div> <div> X509v3 Certificate Policies:= </div> <div> Policy: 1.3.6.= 1.4.1.37476.9000.53</div> <div> User No= tice:</div> <div> = 
Explicit Text:</div> <div> CPS: ht= tp://www.doonga.org/pki/cps.txt</div> <div><br> </div> <div> 1.3.6.1.4.1.311.20.2:</div> <div> .</div> <div>.S.u.b.C.A</div> <div> X509v3 Key Usage:</div> <div> Digital Signat= ure, Certificate Sign, CRL Sign</div> <div> X509v3 Basic Constraints: cr= itical</div> <div> CA:TRUE</div> <div> X509v3 Authority Key Identif= ier:</div> <div> keyid:72:21:77= :3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07</div> <div><br> </div> <div> X509v3 CRL Distribution Poin= ts:</div> <div><br> </div> <div> Full Name:</di= v> <div> URI:htt= p://www.doonga.org/pki/Doonga.Org%20Root%20CA.crl</div> <div><br> </div> <div> Authority Information Access= :</div> <div> CA Issuers - U= RI:http://www.doonga.org/pki/CAROOT_Doonga.Org%20Root%20CA.crt</div> <div><br> </div> <div> Signature Algorithm: rsassaPss</div> <div> Hash Algorithm: sha256</div> <div> Mask Algorithm: mgf1 with sha256</di= v> <div> Salt Length: 20</div> <div> Trailer Field: 0xbc (default)</div> <div><br> </div> <div> 70:f2:32:da:17:22:40:4a:e7:20:12:44:= 99:62:82:d7:97:e8:</div> <div> 48:c6:d4:34:71:d7:58:03:ef:5b:b4:db:= 74:9a:81:51:7c:6f:</div> <div> f4:2c:c1:7a:cc:84:28:61:8d:10:d1:3c:= da:1c:28:26:1c:e6:</div> <div> 5e:85:6d:84:93:30:12:4c:8f:a7:5d:4c:= 8f:e0:e8:75:99:62:</div> <div> 6b:ef:f3:82:10:fa:da:6d:3f:2d:3b:eb:= 61:ff:fc:4c:2b:55:</div> <div> cb:29:f6:10:0c:35:7f:b6:ff:4a:b1:e8:= a5:6a:3d:ad:fe:cd:</div> <div> 57:6f:c9:99:c5:41:2d:29:90:c8:7c:83:= 03:4f:e1:36:e1:f9:</div> <div> 24:78:cb:d8:46:19:bf:1a:a8:a8:e1:94:= 2f:2a:67:43:a3:1c:</div> <div> ce:22:7e:9a:47:49:a6:e9:35:30:77:35:= 9c:01:3a:41:bd:71:</div> <div> 17:11:b8:f4:42:a9:25:b7:7b:6a:7b:8f:= c1:cc:1a:03:d0:47:</div> <div> bb:1e:4f:39:ff:97:cb:38:c5:19:c4:f2:= dd:de:16:cd:64:ad:</div> <div> 6f:2a:1f:21:09:62:dc:28:2a:cb:d9:3e:= dd:7e:b0:6e:86:f5:</div> <div> 16:0f:5b:6e:df:4a:dc:e6:f9:2c:4b:aa:= aa:71:5c:ba:4f:cc:</div> <div> 1e:c4:bf:de:ff:56:c9:28:13:23:e2:d5:= ef:4f:68:86:96:52:</div> <div> fa:d8:9c:31</div> 
<div><br> </div> I'm definitely sure that I have the correct CA certs loaded. I tried removi= ng them and I got an invalid CA error. When they are in place I get the err= or I'm asking about. So I'm sure it's reading the CA certificates properly. <p></p> <p><br> </p> <p>Thanks very much for your help!</p> <p>Todd</p> <p><br> </p> </div> <hr tabindex=3D"-1" style=3D"display:inline-block; width:98%"> <div id=3D"x_divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" = color=3D"#000000" style=3D"font-size:11pt"><b>From:</b> Ondra Machacek <= omachace@redhat.com><br> <b>Sent:</b> Monday, July 17, 2017 3:34:49 AM<br> <b>To:</b> Todd Punderson<br> <b>Cc:</b> users@ovirt.org<br> <b>Subject:</b> Re: [ovirt-users] Active Directory authentication setup</fo= nt> <div> </div> </div> </div> <font size=3D"2"><span style=3D"font-size:10pt;"> <div class=3D"PlainText">This is most probably certificate issue.<br> <br> Can you please share output of following command:<br> <br> $ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b ''<br> <br> And also the output of following command:<br> <br> $ openssl x509 -in /path/to/your/active_diretory_ca.pem -text -noout<= br> <br> Are you sure you added a proper CA cert to your system?<br> <br> <br> On Sun, Jul 16, 2017 at 1:04 AM, Todd Punderson <todd@doonga.org> wro= te:<br> > Hi,<br> ><br> >  = ; I=92ve been pulling my hair out over this one. Here=92s= the<br> > output of ovirt-engine-extension-aaa-ldap-setup. Everything works fine= if I<br> > use =93plain=94 but I don=92t really want to do that. I searched the e= rror that=92s<br> > shown below and tried several different =93fixes=94 but none of them h= elped.<br> > These are Server 2016 DCs. 
Not too sure where to go next.<br> ><br> ><br> ><br> > [ INFO ] Stage: Initializing<br> ><br> > [ INFO ] Stage: Environment setup<br> ><br> > Configurat= ion files:<br> > ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf'= ]<br> ><br> > Log file:<= br> > /tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log<b= r> ><br> > Version: o= topi-1.6.2 (otopi-1.6.2-1.el7.centos)<br> ><br> > [ INFO ] Stage: Environment packages setup<br> ><br> > [ INFO ] Stage: Programs detection<br> ><br> > [ INFO ] Stage: Environment customization<br> ><br> > Welcome to= LDAP extension configuration program<br> ><br> > Available = LDAP implementations:<br> ><br> > 1 - = 389ds<br> ><br> > 2 - = 389ds RFC-2307 Schema<br> ><br> > 3 - = Active Directory<br> ><br> > 4 - = IBM Security Directory Server<br> ><br> > 5 - = IBM Security Directory Server RFC-2307 Schema<br> ><br> > 6 - = IPA<br> ><br> > 7 - = Novell eDirectory RFC-2307 Schema<br> ><br> > 8 - = OpenLDAP RFC-2307 Schema<br> ><br> > 9 - = OpenLDAP Standard Schema<br> ><br> > 10 - Oracl= e Unified Directory RFC-2307 Schema<br> ><br> > 11 - RFC-2= 307 Schema (Generic)<br> ><br> > 12 - RHDS<= br> ><br> > 13 - RHDS = RFC-2307 Schema<br> ><br> > 14 - iPlan= et<br> ><br> > Please sel= ect: 3<br> ><br> > Please ent= er Active Directory Forest name: home.doonga.org<br> ><br> > [ INFO ] Resolving Global Catalog SRV record for home.doonga.org= <br> ><br> > [ INFO ] Resolving LDAP SRV record for home.doonga.org<br> ><br> > NOTE:<br> ><br> > It is high= ly recommended to use secure protocol to access the LDAP<br> > server.<br> ><br> > Protocol s= tartTLS is the standard recommended method to do so.<br> ><br> > Only in ca= ses in which the startTLS is not supported, fallback to<br> > non standard ldaps protocol.<br> ><br> > Use plain = for test environments only.<br> ><br> > Please sel= ect protocol to use (startTLS, ldaps, plain) [startTLS]:<br> > ldaps<br> ><br> > Please sel= ect method to obtain PEM encoded CA 
certificate (File,<br>
> URL, Inline, System, Insecure): System<br>
><br>
> [ INFO ] Resolving SRV record 'home.doonga.org'<br>
><br>
> [ INFO ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'<br>
><br>
> [WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info':<br>
> 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact<br>
> LDAP server"}<br>
><br>
> [ INFO ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'<br>
><br>
> [WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info':<br>
> 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact<br>
> LDAP server"}<br>
><br>
> [ INFO ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'<br>
><br>
> [WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info':<br>
> 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact<br>
> LDAP server"}<br>
><br>
> [ ERROR ] Cannot connect using any of available options<br>
><br>
><br>
><br>
> Also:<br>
><br>
> 2017-07-15 18:18:06 INFO<br>
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common<br>
> common._connectLDAP:391 Connecting to LDAP using<br>
> 'ldap://DC2.home.doonga.org:389'<br>
><br>
> 2017-07-15 18:18:06 INFO<br>
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common<br>
> common._connectLDAP:442 Executing startTLS<br>
><br>
> 2017-07-15 18:18:06 DEBUG<br>
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common<br>
> common._connectLDAP:459 Exception<br>
><br>
> Traceback (most recent call last):<br>
><br>
> File<br>
> "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",<br>
> line 443, in _connectLDAP<br>
><br>
> c.start_tls_s()<br>
><br>
> File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in<br>
> start_tls_s<br>
><br>
> return self._ldap_call(self._l.start_tls_s)<br>
><br>
> File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in<br>
> _ldap_call<br>
><br>
> result = func(*args,**kwargs)<br>
><br>
> CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.',<br>
> 'desc': 'Connect error'}<br>
><br>
> 2017-07-15 18:18:06 WARNING<br>
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common<br>
> common._connectLDAP:463 Cannot connect using<br>
> 'ldap://DC2.home.doonga.org:389': {'info': 'TLS error -8157:Certificate<br>
> extension not found.', 'desc': 'Connect error'}<br>
><br>
> 2017-07-15 18:18:06 INFO<br>
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common<br>
> common._connectLDAP:391 Connecting to LDAP using<br>
> 'ldap://DC3.home.doonga.org:389'<br>
><br>
> 2017-07-15 18:18:06 INFO<br>
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common<br>
> common._connectLDAP:442 Executing startTLS<br>
><br>
> 2017-07-15 18:18:06 DEBUG<br>
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common<br>
> common._connectLDAP:459 Exception<br>
><br>
> Traceback (most recent call last):<br>
><br>
> File<br>
> "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",<br>
> line 443, in _connectLDAP<br>
><br>
> c.start_tls_s()<br>
><br>
> File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in<br>
> start_tls_s<br>
><br>
> return self._ldap_call(self._l.start_tls_s)<br>
><br>
> File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in<br>
> _ldap_call<br>
><br>
> result = func(*args,**kwargs)<br>
><br>
> CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.',<br>
> 'desc': 'Connect error'}<br>
><br>
><br>
><br>
> Any help would be appreciated!<br>
><br>
> Thanks<br>
><br>
><br>
> _______________________________________________<br>
> Users mailing list<br>
> Users@ovirt.org<br>
> <a href="http://lists.ovirt.org/mailman/listinfo/users">http://lists.ovirt.org/mailman/listinfo/users</a><br>
><br>
</div> </span></font></div> </body> </html> --_000_6b7a2162f38f487282f45d66bb344368doongaorg_--