Active Directory authentication setup

Hi,

I've been pulling my hair out over this one. Here's the output of ovirt-engine-extension-aaa-ldap-setup. Everything works fine if I use "plain" but I don't really want to do that. I searched the error that's shown below and tried several different "fixes" but none of them helped. These are Server 2016 DCs. Not too sure where to go next.

[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
          Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log
          Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Available LDAP implementations:
           1 - 389ds
           2 - 389ds RFC-2307 Schema
           3 - Active Directory
           4 - IBM Security Directory Server
           5 - IBM Security Directory Server RFC-2307 Schema
           6 - IPA
           7 - Novell eDirectory RFC-2307 Schema
           8 - OpenLDAP RFC-2307 Schema
           9 - OpenLDAP Standard Schema
          10 - Oracle Unified Directory RFC-2307 Schema
          11 - RFC-2307 Schema (Generic)
          12 - RHDS
          13 - RHDS RFC-2307 Schema
          14 - iPlanet
          Please select: 3
          Please enter Active Directory Forest name: home.doonga.org
[ INFO ] Resolving Global Catalog SRV record for home.doonga.org
[ INFO ] Resolving LDAP SRV record for home.doonga.org
          NOTE:
          It is highly recommended to use secure protocol to access the LDAP server.
          Protocol startTLS is the standard recommended method to do so.
          Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
          Use plain for test environments only.
          Please select protocol to use (startTLS, ldaps, plain) [startTLS]: ldaps
          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): System
[ INFO ] Resolving SRV record 'home.doonga.org'
[ INFO ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ INFO ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ INFO ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ ERROR ] Cannot connect using any of available options

Also:

2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC2.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:463 Cannot connect using 'ldap://DC2.home.doonga.org:389': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC3.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}

Any help would be appreciated!

Thanks

This is most probably a certificate issue. Can you please share the output of the following command:

$ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b ''

And also the output of the following command:

$ openssl x509 -in /path/to/your/active_diretory_ca.pem -text -noout

Are you sure you added a proper CA cert to your system?

On Sun, Jul 16, 2017 at 1:04 AM, Todd Punderson <todd@doonga.org> wrote:
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Hi,

Agreed on the certificate issue, I fought with it all weekend! Here's the output of those commands:

ldap_url_parse_ext(ldaps://DC3.home.doonga.org)
ldap_create
ldap_url_parse_ext(ldaps://DC3.home.doonga.org:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP DC3.home.doonga.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.16.10.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [(null)] is not valid - error -8182:Peer's certificate has an invalid signature..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8174
TLS: can't connect: TLS error -8174:security library: bad database..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I tried digging into this one. I'm very sure the peer doesn't have an invalid signature; I tested the certificate chain with openssl successfully. I'm guessing that error is related to the "bad database". I couldn't quite figure out that part of the error though.

I have an offline root and an online issuing CA; here are those certs. I loaded both of these into the system CA trust.

[root@ovirt-engine ~]# openssl x509 -in /root/root.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1a:01:7c:fc:bf:77:9c:95:4e:13:7d:bf:36:a8:be:5b
    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
         Salt Length: 20
         Trailer Field: 0xbc (default)
        Issuer: CN=Doonga.Org Root CA
        Validity
            Not Before: Jul 13 01:15:39 2017 GMT
            Not After : Jul 13 01:25:39 2037 GMT
        Subject: CN=Doonga.Org Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ac:ad:1e:3a:9c:08:76:7f:eb:83:ea:d9:f6:4b:
                    d3:4b:88:45:bb:50:b1:3b:a6:b9:a0:22:d4:94:a5:
                    b4:6a:32:39:cd:3b:5e:83:c1:1e:de:cb:0e:da:73:
                    e2:3a:df:f0:97:a2:72:b1:35:cf:bd:a3:a7:e5:dc:
                    67:ac:38:82:e8:a2:31:21:ab:cf:19:6d:a5:7d:44:
                    5e:f3:dd:76:d1:02:8b:cf:3b:25:ce:c0:7a:4b:0d:
                    ae:bb:d5:02:06:8b:0b:33:75:5a:81:1b:c1:53:52:
                    45:44:65:49:35:08:d7:0c:35:15:bf:6b:1e:82:49:
                    d2:de:ce:4b:0b:1b:6c:02:97:af:86:0c:ce:78:6f:
                    4f:dd:fe:9e:13:e7:43:94:53:df:76:91:8a:df:88:
                    4c:0b:0e:a6:6b:ef:7a:2f:ff:cc:ad:a5:36:fd:8f:
                    ad:44:e5:93:b3:4b:cb:43:c9:28:9d:21:86:7c:c5:
                    72:91:0b:a8:d5:36:f2:14:bf:df:58:27:a9:4b:04:
                    de:f1:89:aa:c0:27:ba:81:c9:0c:08:f7:08:f9:f3:
                    05:d1:d7:26:45:80:9c:d6:da:98:0c:d9:b8:44:e2:
                    aa:4f:32:2d:7b:5f:1a:14:ac:34:52:76:20:2d:cb:
                    6d:8e:d5:87:80:b2:d4:2f:0f:77:13:51:92:bb:f3:
                    07:75
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07
            1.3.6.1.4.1.311.21.1:
                ...
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.37476.9000.53
                  User Notice:
                    Explicit Text:
                  CPS: http://www.doonga.org/pki/cps.txt
    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
         Salt Length: 20
         Trailer Field: 0xbc (default)
         56:06:7e:bb:f4:c1:29:a1:05:27:8b:66:e0:23:17:56:ac:de:
         4c:65:0d:1e:97:d4:c6:71:75:a8:79:80:dd:b7:b7:08:b2:12:
         af:d7:cb:c9:99:80:7b:47:02:9e:6c:fc:83:5e:ae:4d:46:ce:
         3b:3c:f4:fe:e6:4c:66:d7:6d:2e:de:6a:31:0f:fb:ef:2b:d4:
         5a:3c:3c:a9:1e:c1:39:a4:0f:3d:9b:23:5c:94:16:9a:6f:9b:
         e0:01:33:49:f8:d3:f1:b5:9c:33:f4:23:ca:88:94:5d:bd:65:
         94:55:ad:90:72:57:78:8e:88:bc:40:81:ff:68:d3:5f:63:48:
         ae:d9:96:b4:44:b0:ed:51:e2:01:36:ad:97:2c:64:a0:17:5e:
         c5:47:e1:2f:60:f5:5a:fd:09:21:08:be:1d:6b:5a:71:d4:25:
         ea:e1:2b:1a:95:2e:aa:03:a8:91:7f:cf:11:6d:3b:d7:ff:4b:
         87:68:14:93:81:bc:64:20:14:3e:f7:99:c5:5d:fc:b9:3a:b4:
         e9:78:2a:1c:35:22:86:5c:13:c6:1a:75:c2:41:54:45:7d:31:
         4f:f5:a2:0f:c6:de:8f:bf:a6:ea:b9:a0:f6:b2:1c:bf:2f:84:
         ee:69:76:cd:b7:34:2c:dd:f9:2d:02:62:4a:0f:8b:1e:42:11:
         f8:98:ae:07

[root@ovirt-engine ~]# openssl x509 -in /root/sub.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:00:00:00:02:2e:ac:e2:5e:b2:d5:fc:11:00:00:00:00:00:02
    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
         Salt Length: 20
         Trailer Field: 0xbc (default)
        Issuer: CN=Doonga.Org Root CA
        Validity
            Not Before: Jul 13 02:07:35 2017 GMT
            Not After : Jul 13 02:17:35 2027 GMT
        Subject: DC=org, DC=doonga, DC=home, CN=Doonga.Org Issuing CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f3:1d:d4:7b:c4:49:0a:d0:8a:9d:91:52:ca:e1:
                    3f:f6:f6:6b:33:6e:f2:47:0b:62:fc:a4:21:48:88:
                    0a:50:a4:10:83:59:ab:73:e9:46:08:45:39:52:67:
                    d3:a2:e5:33:ef:33:3f:2a:c0:b5:f5:9c:58:26:6a:
                    54:00:73:66:96:f6:e0:e6:db:49:58:aa:3b:43:06:
                    da:d0:25:cf:cf:5b:7b:d8:93:69:12:ee:c9:c0:d1:
                    e0:28:c8:3e:77:b1:67:8f:e0:37:5b:26:9b:2e:df:
                    b0:9f:0b:6c:aa:e5:5b:31:de:65:cc:f3:ab:d1:5b:
                    db:8d:3e:57:bf:db:7e:bb:d2:f1:83:e3:88:21:92:
                    0c:22:c5:ce:a9:bc:da:99:df:f1:83:01:35:a7:52:
                    e9:81:01:ab:e0:ca:7a:78:b3:98:4c:1a:2c:a3:5d:
                    75:a5:b1:be:dc:cb:cd:1d:32:e5:36:37:3b:f1:64:
                    8b:f9:b2:25:f6:ad:ee:74:ab:ac:66:cd:07:67:80:
                    14:78:54:e6:a9:74:58:d1:9f:1d:2f:57:d5:ef:80:
                    73:25:de:aa:be:46:0f:70:ca:20:42:ba:73:a1:12:
                    70:eb:78:7d:95:9b:77:5b:b8:70:f2:a2:b9:d5:b6:
                    63:f0:b5:51:32:24:f4:c5:f8:6a:d3:28:bd:8e:79:
                    fc:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.1:
                ...
            X509v3 Subject Key Identifier:
                21:BB:5D:9C:46:0C:B8:DE:5B:2C:B5:3D:5D:CF:D7:F2:07:2C:48:FD
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.37476.9000.53
                  User Notice:
                    Explicit Text:
                  CPS: http://www.doonga.org/pki/cps.txt
            1.3.6.1.4.1.311.20.2:
                . .S.u.b.C.A
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://www.doonga.org/pki/Doonga.Org%20Root%20CA.crl
            Authority Information Access:
                CA Issuers - URI:http://www.doonga.org/pki/CAROOT_Doonga.Org%20Root%20CA.crt
    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
         Salt Length: 20
         Trailer Field: 0xbc (default)
         70:f2:32:da:17:22:40:4a:e7:20:12:44:99:62:82:d7:97:e8:
         48:c6:d4:34:71:d7:58:03:ef:5b:b4:db:74:9a:81:51:7c:6f:
         f4:2c:c1:7a:cc:84:28:61:8d:10:d1:3c:da:1c:28:26:1c:e6:
         5e:85:6d:84:93:30:12:4c:8f:a7:5d:4c:8f:e0:e8:75:99:62:
         6b:ef:f3:82:10:fa:da:6d:3f:2d:3b:eb:61:ff:fc:4c:2b:55:
         cb:29:f6:10:0c:35:7f:b6:ff:4a:b1:e8:a5:6a:3d:ad:fe:cd:
         57:6f:c9:99:c5:41:2d:29:90:c8:7c:83:03:4f:e1:36:e1:f9:
         24:78:cb:d8:46:19:bf:1a:a8:a8:e1:94:2f:2a:67:43:a3:1c:
         ce:22:7e:9a:47:49:a6:e9:35:30:77:35:9c:01:3a:41:bd:71:
         17:11:b8:f4:42:a9:25:b7:7b:6a:7b:8f:c1:cc:1a:03:d0:47:
         bb:1e:4f:39:ff:97:cb:38:c5:19:c4:f2:dd:de:16:cd:64:ad:
         6f:2a:1f:21:09:62:dc:28:2a:cb:d9:3e:dd:7e:b0:6e:86:f5:
         16:0f:5b:6e:df:4a:dc:e6:f9:2c:4b:aa:aa:71:5c:ba:4f:cc:
         1e:c4:bf:de:ff:56:c9:28:13:23:e2:d5:ef:4f:68:86:96:52:
         fa:d8:9c:31

I'm definitely sure that I have the correct CA certs loaded. I tried removing them and I got an invalid CA error. When they are in place I get the error I'm asking about. So I'm sure it's reading the CA certificates properly.

Thanks very much for your help!

Todd

From: Ondra Machacek <omachace@redhat.com>
Sent: Monday, July 17, 2017 3:34:49 AM
To: Todd Punderson
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Active Directory authentication setup

This is most probably a certificate issue. Can you please share the output of the following command:

$ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b ''

And also the output of the following command:

$ openssl x509 -in /path/to/your/active_diretory_ca.pem -text -noout

Are you sure you added a proper CA cert to your system?
Hi,
I=92ve been pulling my hair out over this one. Here=92s th= e output of ovirt-engine-extension-aaa-ldap-setup. Everything works fine if= I use =93plain=94 but I don=92t really want to do that. I searched the erro= r that=92s shown below and tried several different =93fixes=94 but none of them help= ed. These are Server 2016 DCs. Not too sure where to go next.
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log
Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment customization
Welcome to LDAP extension configuration program
Available LDAP implementations:
1 - 389ds
2 - 389ds RFC-2307 Schema
3 - Active Directory
4 - IBM Security Directory Server
5 - IBM Security Directory Server RFC-2307 Schema
6 - IPA
7 - Novell eDirectory RFC-2307 Schema
8 - OpenLDAP RFC-2307 Schema
9 - OpenLDAP Standard Schema
10 - Oracle Unified Directory RFC-2307 Schema
11 - RFC-2307 Schema (Generic)
12 - RHDS
13 - RHDS RFC-2307 Schema
14 - iPlanet
Please select: 3
Please enter Active Directory Forest name: home.doonga.org
[ INFO ] Resolving Global Catalog SRV record for home.doonga.org
[ INFO ] Resolving LDAP SRV record for home.doonga.org
NOTE:
It is highly recommended to use secure protocol to access the L= DAP server.
Protocol startTLS is the standard recommended method to do so.
Only in cases in which the startTLS is not supported, fallback = to non standard ldaps protocol.
Use plain for test environments only.
Please select protocol to use (startTLS, ldaps, plain) [startTL= S]: ldaps
Please select method to obtain PEM encoded CA certificate (File= , URL, Inline, System, Insecure): System
[ INFO ] Resolving SRV record 'home.doonga.org'
[ INFO ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info'= : 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contac= t LDAP server"}
[ INFO ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info'= : 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contac= t LDAP server"}
[ INFO ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info'= : 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contac= t LDAP server"}
[ ERROR ] Cannot connect using any of available options
Also:
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC2.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:463 Cannot connect using 'ldap://DC2.home.doonga.org:389': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC3.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
Any help would be appreciated!
Thanks
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Hi,

Agreed on the certificate issue, I fought with it all weekend! Here's the output of those commands:

ldap_url_parse_ext(ldaps://DC3.home.doonga.org)
ldap_create
ldap_url_parse_ext(ldaps://DC3.home.doonga.org:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP DC3.home.doonga.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.16.10.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [(null)] is not valid - error -8182:Peer's certificate has an invalid signature..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8174
TLS: can't connect: TLS error -8174:security library: bad database..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I tried digging into this one. I'm very sure the peer doesn't have an invalid signature, I tested the certificate chain with openssl successfully, I'm guessing that error is related to the "bad database". I couldn't quite figure out that part of the error though.

I have an offline root and online issuing CA, here's those certs. I loaded both of these to the system CA trust.

[root@ovirt-engine ~]# openssl x509 -in /root/root.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1a:01:7c:fc:bf:77:9c:95:4e:13:7d:bf:36:a8:be:5b
    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
          Salt Length: 20
         Trailer Field: 0xbc (default)
        Issuer: CN=Doonga.Org Root CA
        Validity
            Not Before: Jul 13 01:15:39 2017 GMT
            Not After : Jul 13 01:25:39 2037 GMT
        Subject: CN=Doonga.Org Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07
            1.3.6.1.4.1.311.21.1:
                ...
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.37476.9000.53
                  User Notice:
                    Explicit Text:
                  CPS: http://www.doonga.org/pki/cps.txt

    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
          Salt Length: 20
         Trailer Field: 0xbc (default)

[root@ovirt-engine ~]# openssl x509 -in /root/sub.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:00:00:00:02:2e:ac:e2:5e:b2:d5:fc:11:00:00:00:00:00:02
    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
          Salt Length: 20
         Trailer Field: 0xbc (default)
        Issuer: CN=Doonga.Org Root CA
        Validity
            Not Before: Jul 13 02:07:35 2017 GMT
            Not After : Jul 13 02:17:35 2027 GMT
        Subject: DC=org, DC=doonga, DC=home, CN=Doonga.Org Issuing CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.1:
                ...
            X509v3 Subject Key Identifier:
                21:BB:5D:9C:46:0C:B8:DE:5B:2C:B5:3D:5D:CF:D7:F2:07:2C:48:FD
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.37476.9000.53
                  User Notice:
                    Explicit Text:
                  CPS: http://www.doonga.org/pki/cps.txt

            1.3.6.1.4.1.311.20.2:
                .
.S.u.b.C.A
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://www.doonga.org/pki/Doonga.Org%20Root%20CA.crl

            Authority Information Access:
                CA Issuers - URI:http://www.doonga.org/pki/CAROOT_Doonga.Org%20Root%20CA.crt

    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
          Salt Length: 20
         Trailer Field: 0xbc (default)

I'm definitely sure that I have the correct CA certs loaded. I tried removing them and I got an invalid CA error. When they are in place I get the error I'm asking about. So I'm sure it's reading the CA certificates properly.

Thanks very much for your help!
Todd

________________________________
From: Ondra Machacek <omachace@redhat.com>
Sent: Monday, July 17, 2017 3:34:49 AM
To: Todd Punderson
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Active Directory authentication setup

This is most probably a certificate issue.

Can you please share the output of the following command:

$ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b ''

And also the output of the following command:

$ openssl x509 -in /path/to/your/active_diretory_ca.pem -text -noout

Are you sure you added a proper CA cert to your system?

On Sun, Jul 16, 2017 at 1:04 AM, Todd Punderson <todd@doonga.org> wrote:
> Hi,
>
> I've been pulling my hair out over this one. Here's the output of ovirt-engine-extension-aaa-ldap-setup. Everything works fine if I use "plain" but I don't really want to do that. I searched the error that's shown below and tried several different "fixes" but none of them helped. These are Server 2016 DCs. Not too sure where to go next.

Sorry to reply to myself, but I figured it out. Putting this here for documentation in case anyone ever runs into this as it was absolutely horrible to troubleshoot.

I had this set:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1 (I think that's by default)

That caused the CA to issue certs with RSASSA-PSS (1.2.840.113549.1.1.10) algorithm on them instead of sha256RSA. So I changed that registry value to a 0 as well as my CAPolicy.inf file and reissued my Root and Sub CA certs. Then refreshed the DC certs, loaded the new Root/Sub CAs in CentOS and it started working.

I actually figured it out from a bug report for Firefox here: https://support.mozilla.org/en-US/questions/986085

Either way it's working now. That drove me nuts for 2+ days.

Thank you anyway for your assistance!

________________________________
From: users-bounces@ovirt.org <users-bounces@ovirt.org> on behalf of Todd Punderson <todd@doonga.org>
Sent: Monday, July 17, 2017 9:05:12 AM
To: Ondra Machacek
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Active Directory authentication setup

Hi,

Agreed on the certificate issue, I fought with it all weekend!
Here's = the output of those commands: ldap_url_parse_ext(ldaps://DC3.home.doonga.org) ldap_create ldap_url_parse_ext(ldaps://DC3.home.doonga.org:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP DC3.home.doonga.org:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 172.16.10.4:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success TLS: certdb config: configDir=3D'/etc/openldap/certs' tokenDescription=3D'l= dap(0)' certPrefix=3D'' keyPrefix=3D'' flags=3DreadOnly TLS: using moznss security dir /etc/openldap/certs prefix . TLS: certificate [(null)] is not valid - error -8182:Peer's certificate has= an invalid signature.. TLS: error: connect - force handshake failure: errno 21 - moznss error -817= 4 TLS: can't connect: TLS error -8174:security library: bad database.. ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) I tried digging into this one. I'm very sure the peer doesn't have an inval= id signature, I tested the certificate chain with openssl successfully, I'm= guessing that error is related to the "bad database". I couldn't quite fig= ure out that part of the error though. I have an offline root and online issuing CA, here's those certs. I loaded = both of these to the system CA trust. 
[root@ovirt-engine ~]# openssl x509 -in /root/root.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 1a:01:7c:fc:bf:77:9c:95:4e:13:7d:bf:36:a8:be:5b Signature Algorithm: rsassaPss Hash Algorithm: sha256 Mask Algorithm: mgf1 with sha256 Salt Length: 20 Trailer Field: 0xbc (default) Issuer: CN=3DDoonga.Org Root CA Validity Not Before: Jul 13 01:15:39 2017 GMT Not After : Jul 13 01:25:39 2037 GMT Subject: CN=3DDoonga.Org Root CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ac:ad:1e:3a:9c:08:76:7f:eb:83:ea:d9:f6:4b: d3:4b:88:45:bb:50:b1:3b:a6:b9:a0:22:d4:94:a5: b4:6a:32:39:cd:3b:5e:83:c1:1e:de:cb:0e:da:73: e2:3a:df:f0:97:a2:72:b1:35:cf:bd:a3:a7:e5:dc: 67:ac:38:82:e8:a2:31:21:ab:cf:19:6d:a5:7d:44: 5e:f3:dd:76:d1:02:8b:cf:3b:25:ce:c0:7a:4b:0d: ae:bb:d5:02:06:8b:0b:33:75:5a:81:1b:c1:53:52: 45:44:65:49:35:08:d7:0c:35:15:bf:6b:1e:82:49: d2:de:ce:4b:0b:1b:6c:02:97:af:86:0c:ce:78:6f: 4f:dd:fe:9e:13:e7:43:94:53:df:76:91:8a:df:88: 4c:0b:0e:a6:6b:ef:7a:2f:ff:cc:ad:a5:36:fd:8f: ad:44:e5:93:b3:4b:cb:43:c9:28:9d:21:86:7c:c5: 72:91:0b:a8:d5:36:f2:14:bf:df:58:27:a9:4b:04: de:f1:89:aa:c0:27:ba:81:c9:0c:08:f7:08:f9:f3: 05:d1:d7:26:45:80:9c:d6:da:98:0c:d9:b8:44:e2: aa:4f:32:2d:7b:5f:1a:14:ac:34:52:76:20:2d:cb: 6d:8e:d5:87:80:b2:d4:2f:0f:77:13:51:92:bb:f3: 07:75 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: 72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07 1.3.6.1.4.1.311.21.1: ... 
X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.37476.9000.53 User Notice: Explicit Text: CPS: http://www.doonga.org/pki/cps.txt Signature Algorithm: rsassaPss Hash Algorithm: sha256 Mask Algorithm: mgf1 with sha256 Salt Length: 20 Trailer Field: 0xbc (default) 56:06:7e:bb:f4:c1:29:a1:05:27:8b:66:e0:23:17:56:ac:de: 4c:65:0d:1e:97:d4:c6:71:75:a8:79:80:dd:b7:b7:08:b2:12: af:d7:cb:c9:99:80:7b:47:02:9e:6c:fc:83:5e:ae:4d:46:ce: 3b:3c:f4:fe:e6:4c:66:d7:6d:2e:de:6a:31:0f:fb:ef:2b:d4: 5a:3c:3c:a9:1e:c1:39:a4:0f:3d:9b:23:5c:94:16:9a:6f:9b: e0:01:33:49:f8:d3:f1:b5:9c:33:f4:23:ca:88:94:5d:bd:65: 94:55:ad:90:72:57:78:8e:88:bc:40:81:ff:68:d3:5f:63:48: ae:d9:96:b4:44:b0:ed:51:e2:01:36:ad:97:2c:64:a0:17:5e: c5:47:e1:2f:60:f5:5a:fd:09:21:08:be:1d:6b:5a:71:d4:25: ea:e1:2b:1a:95:2e:aa:03:a8:91:7f:cf:11:6d:3b:d7:ff:4b: 87:68:14:93:81:bc:64:20:14:3e:f7:99:c5:5d:fc:b9:3a:b4: e9:78:2a:1c:35:22:86:5c:13:c6:1a:75:c2:41:54:45:7d:31: 4f:f5:a2:0f:c6:de:8f:bf:a6:ea:b9:a0:f6:b2:1c:bf:2f:84: ee:69:76:cd:b7:34:2c:dd:f9:2d:02:62:4a:0f:8b:1e:42:11: f8:98:ae:07 [root@ovirt-engine ~]# openssl x509 -in /root/sub.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 50:00:00:00:02:2e:ac:e2:5e:b2:d5:fc:11:00:00:00:00:00:02 Signature Algorithm: rsassaPss Hash Algorithm: sha256 Mask Algorithm: mgf1 with sha256 Salt Length: 20 Trailer Field: 0xbc (default) Issuer: CN=3DDoonga.Org Root CA Validity Not Before: Jul 13 02:07:35 2017 GMT Not After : Jul 13 02:17:35 2027 GMT Subject: DC=3Dorg, DC=3Ddoonga, DC=3Dhome, CN=3DDoonga.Org Issuing = CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:f3:1d:d4:7b:c4:49:0a:d0:8a:9d:91:52:ca:e1: 3f:f6:f6:6b:33:6e:f2:47:0b:62:fc:a4:21:48:88: 0a:50:a4:10:83:59:ab:73:e9:46:08:45:39:52:67: d3:a2:e5:33:ef:33:3f:2a:c0:b5:f5:9c:58:26:6a: 54:00:73:66:96:f6:e0:e6:db:49:58:aa:3b:43:06: da:d0:25:cf:cf:5b:7b:d8:93:69:12:ee:c9:c0:d1: e0:28:c8:3e:77:b1:67:8f:e0:37:5b:26:9b:2e:df: 
b0:9f:0b:6c:aa:e5:5b:31:de:65:cc:f3:ab:d1:5b: db:8d:3e:57:bf:db:7e:bb:d2:f1:83:e3:88:21:92: 0c:22:c5:ce:a9:bc:da:99:df:f1:83:01:35:a7:52: e9:81:01:ab:e0:ca:7a:78:b3:98:4c:1a:2c:a3:5d: 75:a5:b1:be:dc:cb:cd:1d:32:e5:36:37:3b:f1:64: 8b:f9:b2:25:f6:ad:ee:74:ab:ac:66:cd:07:67:80: 14:78:54:e6:a9:74:58:d1:9f:1d:2f:57:d5:ef:80: 73:25:de:aa:be:46:0f:70:ca:20:42:ba:73:a1:12: 70:eb:78:7d:95:9b:77:5b:b8:70:f2:a2:b9:d5:b6: 63:f0:b5:51:32:24:f4:c5:f8:6a:d3:28:bd:8e:79: fc:89 Exponent: 65537 (0x10001) X509v3 extensions: 1.3.6.1.4.1.311.21.1: ... X509v3 Subject Key Identifier: 21:BB:5D:9C:46:0C:B8:DE:5B:2C:B5:3D:5D:CF:D7:F2:07:2C:48:FD X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.37476.9000.53 User Notice: Explicit Text: CPS: http://www.doonga.org/pki/cps.txt 1.3.6.1.4.1.311.20.2: . .S.u.b.C.A X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Authority Key Identifier: keyid:72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9= :8B:07 X509v3 CRL Distribution Points: Full Name: URI:http://www.doonga.org/pki/Doonga.Org%20Root%20CA.crl Authority Information Access: CA Issuers - URI:http://www.doonga.org/pki/CAROOT_Doonga.Or= g%20Root%20CA.crt Signature Algorithm: rsassaPss Hash Algorithm: sha256 Mask Algorithm: mgf1 with sha256 Salt Length: 20 Trailer Field: 0xbc (default) 70:f2:32:da:17:22:40:4a:e7:20:12:44:99:62:82:d7:97:e8: 48:c6:d4:34:71:d7:58:03:ef:5b:b4:db:74:9a:81:51:7c:6f: f4:2c:c1:7a:cc:84:28:61:8d:10:d1:3c:da:1c:28:26:1c:e6: 5e:85:6d:84:93:30:12:4c:8f:a7:5d:4c:8f:e0:e8:75:99:62: 6b:ef:f3:82:10:fa:da:6d:3f:2d:3b:eb:61:ff:fc:4c:2b:55: cb:29:f6:10:0c:35:7f:b6:ff:4a:b1:e8:a5:6a:3d:ad:fe:cd: 57:6f:c9:99:c5:41:2d:29:90:c8:7c:83:03:4f:e1:36:e1:f9: 24:78:cb:d8:46:19:bf:1a:a8:a8:e1:94:2f:2a:67:43:a3:1c: ce:22:7e:9a:47:49:a6:e9:35:30:77:35:9c:01:3a:41:bd:71: 17:11:b8:f4:42:a9:25:b7:7b:6a:7b:8f:c1:cc:1a:03:d0:47: bb:1e:4f:39:ff:97:cb:38:c5:19:c4:f2:dd:de:16:cd:64:ad: 
6f:2a:1f:21:09:62:dc:28:2a:cb:d9:3e:dd:7e:b0:6e:86:f5: 16:0f:5b:6e:df:4a:dc:e6:f9:2c:4b:aa:aa:71:5c:ba:4f:cc: 1e:c4:bf:de:ff:56:c9:28:13:23:e2:d5:ef:4f:68:86:96:52: fa:d8:9c:31 I'm definitely sure that I have the correct CA certs loaded. I tried removi= ng them and I got an invalid CA error. When they are in place I get the err= or I'm asking about. So I'm sure it's reading the CA certificates properly. Thanks very much for your help! Todd ________________________________ From: Ondra Machacek <omachace@redhat.com> Sent: Monday, July 17, 2017 3:34:49 AM To: Todd Punderson Cc: users@ovirt.org Subject: Re: [ovirt-users] Active Directory authentication setup This is most probably certificate issue. Can you please share output of following command: $ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b '' And also the output of following command: $ openssl x509 -in /path/to/your/active_diretory_ca.pem -text -noout Are you sure you added a proper CA cert to your system? On Sun, Jul 16, 2017 at 1:04 AM, Todd Punderson <todd@doonga.org> wrote:
Hi,
I=92ve been pulling my hair out over this one. Here=92s th= e output of ovirt-engine-extension-aaa-ldap-setup. Everything works fine if= I use =93plain=94 but I don=92t really want to do that. I searched the erro= r that=92s shown below and tried several different =93fixes=94 but none of them help= ed. These are Server 2016 DCs. Not too sure where to go next.
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log
Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment customization
Welcome to LDAP extension configuration program
Available LDAP implementations:
1 - 389ds
2 - 389ds RFC-2307 Schema
3 - Active Directory
4 - IBM Security Directory Server
5 - IBM Security Directory Server RFC-2307 Schema
6 - IPA
7 - Novell eDirectory RFC-2307 Schema
8 - OpenLDAP RFC-2307 Schema
9 - OpenLDAP Standard Schema
10 - Oracle Unified Directory RFC-2307 Schema
11 - RFC-2307 Schema (Generic)
12 - RHDS
13 - RHDS RFC-2307 Schema
14 - iPlanet
Please select: 3
Please enter Active Directory Forest name: home.doonga.org
[ INFO ] Resolving Global Catalog SRV record for home.doonga.org
[ INFO ] Resolving LDAP SRV record for home.doonga.org
NOTE:
It is highly recommended to use secure protocol to access the L= DAP server.
Protocol startTLS is the standard recommended method to do so.
Only in cases in which the startTLS is not supported, fallback = to non standard ldaps protocol.
Use plain for test environments only.
Please select protocol to use (startTLS, ldaps, plain) [startTL= S]: ldaps
Please select method to obtain PEM encoded CA certificate (File= , URL, Inline, System, Insecure): System
[ INFO ] Resolving SRV record 'home.doonga.org'
[ INFO ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info'= : 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contac= t LDAP server"}
[ INFO ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info'= : 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contac= t LDAP server"}
[ INFO ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info'= : 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contac= t LDAP server"}
[ ERROR ] Cannot connect using any of available options
Also:
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC2.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:463 Cannot connect using 'ldap://DC2.home.doonga.org:389': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC3.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
Any help would be appreciated!
Thanks
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Sorry to reply to myself, but I figured it out. Putting this here for documentation in case anyone ever runs into this as it was absolutely horrible to troubleshoot.

I had this set: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1 (I think that's by default). That caused the CA to issue certs with RSASSA-PSS (1.2.840.113549.1.1.10) algorithm on them instead of sha256RSA. So I changed that registry value to a 0 as well as my CAPolicy.inf file and reissued my Root and Sub CA certs. Then refreshed the DC certs, loaded the new Root/Sub CAs in CentOS and it started working.

I actually figured it out from a bug report for Firefox here: https://support.mozilla.org/en-US/questions/986085

Either way it's working now. That drove me nuts for 2+ days.

Thank you anyway for your assistance!

From: users-bounces@ovirt.org <users-bounces@ovirt.org> on behalf of Todd Punderson <todd@doonga.org>
Sent: Monday, July 17, 2017 9:05:12 AM
To: Ondra Machacek
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Active Directory authentication setup

Hi,

Agreed on the certificate issue, I fought with it all weekend! Here's the output of those commands:

ldap_url_parse_ext(ldaps://DC3.home.doonga.org)
ldap_create
ldap_url_parse_ext(ldaps://DC3.home.doonga.org:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP DC3.home.doonga.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.16.10.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [(null)] is not valid - error -8182:Peer's certificate has an invalid signature..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8174
TLS: can't connect: TLS error -8174:security library: bad database..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I tried digging into this one. I'm very sure the peer doesn't have an invalid signature, I tested the certificate chain with openssl successfully, I'm guessing that error is related to the "bad database". I couldn't quite figure out that part of the error though.

I have an offline root and online issuing CA, here's those certs. I loaded both of these to the system CA trust.

[root@ovirt-engine ~]# openssl x509 -in /root/root.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1a:01:7c:fc:bf:77:9c:95:4e:13:7d:bf:36:a8:be:5b
        Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
          Salt Length: 20
         Trailer Field: 0xbc (default)
        Issuer: CN=Doonga.Org Root CA
        Validity
            Not Before: Jul 13 01:15:39 2017 GMT
            Not After : Jul 13 01:25:39 2037 GMT
        Subject: CN=Doonga.Org Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07
            1.3.6.1.4.1.311.21.1:
                ...
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.37476.9000.53
                  User Notice:
                    Explicit Text:
                  CPS: http://www.doonga.org/pki/cps.txt

    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
          Salt Length: 20
         Trailer Field: 0xbc (default)

[root@ovirt-engine ~]# openssl x509 -in /root/sub.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:00:00:00:02:2e:ac:e2:5e:b2:d5:fc:11:00:00:00:00:00:02
        Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
          Salt Length: 20
         Trailer Field: 0xbc (default)
        Issuer: CN=Doonga.Org Root CA
        Validity
            Not Before: Jul 13 02:07:35 2017 GMT
            Not After : Jul 13 02:17:35 2027 GMT
        Subject: DC=org, DC=doonga, DC=home, CN=Doonga.Org Issuing CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.1:
                ...
            X509v3 Subject Key Identifier:
                21:BB:5D:9C:46:0C:B8:DE:5B:2C:B5:3D:5D:CF:D7:F2:07:2C:48:FD
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.37476.9000.53
                  User Notice:
                    Explicit Text:
                  CPS: http://www.doonga.org/pki/cps.txt

            1.3.6.1.4.1.311.20.2:
                .
.S.u.b.C.A
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://www.doonga.org/pki/Doonga.Org%20Root%20CA.crl

            Authority Information Access:
                CA Issuers - URI:http://www.doonga.org/pki/CAROOT_Doonga.Org%20Root%20CA.crt

    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
          Salt Length: 20
         Trailer Field: 0xbc (default)

I'm definitely sure that I have the correct CA certs loaded. I tried removing them and I got an invalid CA error. When they are in place I get the error I'm asking about. So I'm sure it's reading the CA certificates properly.

Thanks very much for your help!
Todd

From: Ondra Machacek <omachace@redhat.com>
Sent: Monday, July 17, 2017 3:34:49 AM
To: Todd Punderson
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Active Directory authentication setup

This is most probably a certificate issue.

Can you please share the output of the following command:

$ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b ''

And also the output of the following command:

$ openssl x509 -in /path/to/your/active_directory_ca.pem -text -noout

Are you sure you added a proper CA cert to your system?

On Sun, Jul 16, 2017 at 1:04 AM, Todd Punderson <todd@doonga.org> wrote:
> Hi,
>
> I've been pulling my hair out over this one. Here's the output of
> ovirt-engine-extension-aaa-ldap-setup. Everything works fine if I use
> "plain" but I don't really want to do that. I searched the error that's
> shown below and tried several different "fixes" but none of them helped.
> These are Server 2016 DCs. Not too sure where to go next.
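The root cause Todd reports above (an AD CS issuing CA that signed its certificates with RSASSA-PSS, which the moznss-backed OpenLDAP client on the engine then rejected) can be checked for before the setup tool is run. The following is an added example, not code from the thread or from ovirt-engine-extension-aaa-ldap: a stdlib-only Python check that reads the signatureAlgorithm OID of every certificate in a PEM bundle and flags RSASSA-PSS (1.2.840.113549.1.1.10); the function names are mine, and the certificates it is exercised on are constructed shells built by fake_cert_pem(), not real CA certificates.

```python
"""Added example (not from the thread): stdlib-only pre-check that reads the
outer signatureAlgorithm of each certificate in a PEM bundle and flags the
RSASSA-PSS OID 1.2.840.113549.1.1.10 before the bundle is handed to an
NSS-backed client. fake_cert_pem() builds constructed, non-verifiable shells
so the parser can be exercised offline."""
import base64
import re

RSASSA_PSS = "1.2.840.113549.1.1.10"
SIG_OIDS = {                                  # names as openssl prints them
    RSASSA_PSS: "rsassaPss",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID contents octets -> dotted string (X.690 8.19: base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(der):
    """Dotted OID of Certificate.signatureAlgorithm (RFC 5280 section 4.1)."""
    tag, cert, _ = _tlv(der, 0)
    _, _tbs, pos = _tlv(cert, 0)              # tbsCertificate: skipped
    tag2, alg, _ = _tlv(cert, pos)            # signatureAlgorithm: AlgorithmIdentifier
    tag3, oid, _ = _tlv(alg, 0)               # its first element is the algorithm OID
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER Certificate with an AlgorithmIdentifier")
    return _decode_oid(oid)

def audit_chain(pem_text):
    """Return [(index, oid, name, is_pss)] for each CERTIFICATE block in the PEM."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    report = []
    for i, b64 in enumerate(blocks):
        oid = signature_algorithm_oid(base64.b64decode("".join(b64.split())))
        report.append((i, oid, SIG_OIDS.get(oid, "unknown"), oid == RSASSA_PSS))
    return report

def _der(tag, content):
    """Short-form DER TLV encoder; enough for the small constructed samples."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def _encode_oid(dotted):
    """Dotted OID -> contents octets (inverse of _decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def fake_cert_pem(sig_oid):
    """Constructed shell: placeholder tbsCertificate, a genuine AlgorithmIdentifier
    for sig_oid (OID + NULL params), and a dummy signature BIT STRING."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

if __name__ == "__main__":
    # Constructed bundle: a PSS-signed "issuing CA" followed by a sha256RSA root.
    bundle = fake_cert_pem(RSASSA_PSS) + fake_cert_pem("1.2.840.113549.1.1.11")
    for i, oid, name, pss in audit_chain(bundle):
        print("cert %d: %s (%s)%s" % (i, name, oid, "  <- NSS clients may reject" if pss else ""))
```

Point audit_chain() at the same PEM files you would load into the system trust (the root.pem and sub.pem from the thread, for instance); a True in the last field of a tuple means that certificate was signed with RSASSA-PSS.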
participants (2)
- Ondra Machacek
- Todd Punderson