[ovirt-users] Adding users through LDAP fails on "external_id"

Zach La Celle lacelle at roboticresearch.com
Mon Jun 15 20:25:25 UTC 2015


I have tried the following combinations of certificates added to the
keystore:

* PositiveSSL CA bundle (SHA-1 and SHA256) -- This is the source of our
SSL certificates
* All CA certificates from the LDAP machine
* All CA certificates from the LDAP machine plus the machine's own
certificate
* The machine's own certificate only

None fix the issue.  As I understand it, adding just the CA bundle from
PositiveSSL should work.  Or, adding the CA bundles offered by Ubuntu
should also work.

Previously (when using port 636 and TLS/SSL), to fix
SSLPeerUnverifiedException, I added all of the CA certificates from the
LDAP machine, plus its own certificate (this last part fixed it).

In the meantime, to try and fix the original issue of "external_id", is
there any way to disable certificate verification for STARTTLS?

On 06/15/2015 03:57 PM, Alon Bar-Lev wrote:
> You should add *ONLY* the ca certificate top level to the keystore.
>
> ----- Original Message -----
>> From: "Zach La Celle" <lacelle at roboticresearch.com>
>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>> Sent: Monday, June 15, 2015 10:54:02 PM
>> Subject: Re: [ovirt-users] Adding users through LDAP fails on "external_id"
>>
>> OK, started using the STARTTLS protocol.  Tested working using
>> ldapsearch, but now ovirt-engine's engine.log complains:
>>
>> java.io.IOException: Unable to verify an attempt to to establish a
>> secure connection to 'directory.roboticresearch.com:389' becau\
>> se an unexpected error was encountered during validation processing:
>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>
>> Not sure what is wrong.  We fixed this before by adding the
>> ca-certificates from the LDAP server as well as the LDAP server
>> certificate into the .jks keystore.
>>
>> On 06/15/2015 03:21 PM, Alon Bar-Lev wrote:
>>> ----- Original Message -----
>>>> From: "Zach La Celle" <lacelle at roboticresearch.com>
>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>> Sent: Monday, June 15, 2015 10:14:34 PM
>>>> Subject: Re: [ovirt-users] Adding users through LDAP fails on
>>>> "external_id"
>>>>
>>>> My mistake. We're using OpenLDAP 2.4.28-1.1ubuntu4.4 on Ubuntu 12.04.
>>>>
>>>> The full configuration files are as follows (I removed commented-out
>>>> lines for brevity).  Communications with the LDAP server seem to work
>>>> correctly now.
>>>>
>>>> __profile1.properties__
>>>>
>>>> #
>>>> # Select one
>>>> #
>>>> include = <openldap.properties>
>>> reading below, you may want to try rfc2307-openldap as your schema seems
>>> to be rfc2307 compatible.
>>>
>>> <snip>
>>>
>>>> pool.default.serverset.type = single
>>>> pool.default.serverset.single.server = ${global:vars.server}
>>>> pool.default.serverset.single.port = 636
>>> why do you modify port? please use startTLS on default port.
>>>
>>>> #pool.default.auth.simple.bindDN = ${global:vars.user}
>>>> #pool.default.auth.simple.password = ${global:vars.password}
>>> why did you comment this, do you allow anonymous access?
>>>
>>>> # Create keystore, import certificate chain and uncomment
>>>> # if using ssl/tls.
>>>> #pool.default.ssl.startTLS = true
>>> please uncomment this^
>>>
>>>> pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>>> pool.default.ssl.truststore.password = sdfnliwneponalsdinosaivnewal
>>>>
>>>> # TLS settings and authentication
>>>> pool.default.ssl.enable = true
>>> please do not use ssl unless startTLS is not supported, and it is in
>>> openldap.
>>>
>>>> pool.default.ssl.startTLS = false
>>> please set this to true.
>>>
>>>> pool.default.ssl.host-name-verify.enable = true
>>>> pool.default.ssl.host-name-verify.wildcards = false
>>>> pool.default.ssl.insecure = false
>>>> pool.default.ssl.protocol = TLSv1
>>>> #pool.default.ssl.startTLSProtocol = TLSv1
>>> these are the default, you do not need to add these.
>>>
>>>> pool.default.auth.type = none
>>> why have you set this explicitly?
>>>  
>>>> # Mapping
>>>> attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map = cn
>>>> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = Email
>>>> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = cn
>>> please remove mapping, it should work without.
>>>
>>>> # Variables
>>>> sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn, givenName, sn, Email
>>>> sequence.openldap-init-vars.040.var-set.value = (objectClass=posixAccount)(uid=*)
>>>> sequence.openldap-init-vars.050.var-set.value = entryUUID, cn
>>>> sequence.openldap-init-vars.060.var-set.value = (objectClass=posixGroup)
>>>> sequence.openldap-init-vars.070.var-set.value = memberUid
>>> why have you added these? maybe you have rfc2307 compatible schema?
>>>
>>>> On 06/15/2015 03:07 PM, Alon Bar-Lev wrote:
>>>>> This probably states that you do not use the correct driver.
>>>>>
>>>>> You did not mention which LDAP server you use, and you pasted only
>>>>> a partial profile.
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Zach La Celle" <lacelle at roboticresearch.com>
>>>>>> To: users at ovirt.org
>>>>>> Sent: Monday, June 15, 2015 10:04:47 PM
>>>>>> Subject: [ovirt-users] Adding users through LDAP fails on "external_id"
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> We have a small oVirt cluster set up, and are trying to get it
>>>>>> integrated with our LDAP server.
>>>>>>
>>>>>> I've changed some configuration values in order to try and make it
>>>>>> function, and it seems to communicate correctly with the LDAP server.
>>>>>> However, when trying to add the user, I get the following error upon SQL
>>>>>> entry add:
>>>>>>
>>>>>> 2015-06-15 14:44:49,439 ERROR
>>>>>> [org.ovirt.engine.core.bll.aaa.AddUserCommand] (ajp--127.0.0.1-8702-6)
>>>>>> [3b15cbfe] Command org.ovirt.engine.core.bll.aaa.AddUserCommand throw
>>>>>> exception: org.springframework.da\
>>>>>> o.DataIntegrityViolationException: CallableStatementCallback; SQL [{call
>>>>>> insertuser(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)}]; ERROR: null
>>>>>> value in column "external_id" violates not-null constraint
>>>>>>   Where: SQL statement "INSERT INTO users(department, domain, email,
>>>>>> groups, name, note, role, active, surname, user_id, username, group_ids,
>>>>>> external_id,namespace) VALUES( $1 ,  $2 ,  $3 ,  $4 ,  $5 ,  $\
>>>>>> 6 ,  $7 ,  $8 ,  $9 ,  $10 ,  $11 ,  $12 ,  $13 ,  $14 )"
>>>>>> PL/pgSQL function "insertuser" line 2 at SQL statement; nested exception
>>>>>> is org.postgresql.util.PSQLException: ERROR: null value in column
>>>>>> "external_id" violates not-null constraint
>>>>>>   Where: SQL statement "INSERT INTO users(department, domain, email,
>>>>>> groups, name, note, role, active, surname, user_id, username, group_ids,
>>>>>> external_id,namespace) VALUES( $1 ,  $2 ,  $3 ,  $4 ,  $5 ,  $\
>>>>>> 6 ,  $7 ,  $8 ,  $9 ,  $10 ,  $11 ,  $12 ,  $13 ,  $14 )"
>>>>>>
>>>>>> I can't figure out what maps from the LDAP user to "external_id" for the
>>>>>> SQL table entry.
>>>>>>
>>>>>> Here are the changes I made to profile1.properties:
>>>>>>
>>>>>> #Mapping changes
>>>>>> attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map = cn
>>>>>> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = Email
>>>>>> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = cn
>>>>>>
>>>>>> #LDAP value changes
>>>>>> sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn, givenName, sn, Email
>>>>>> sequence.openldap-init-vars.040.var-set.value = (objectClass=posixAccount)(uid=*)
>>>>>> sequence.openldap-init-vars.050.var-set.value = entryUUID, cn
>>>>>> sequence.openldap-init-vars.060.var-set.value = (objectClass=posixGroup)
>>>>>> sequence.openldap-init-vars.070.var-set.value = memberUid
>>>>>>
>>>>>> Any help is appreciated!
>>
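
Added example, not part of the original thread and not oVirt project code: a small Python check that flags the profile settings the reviewer questioned above (SSL on an overridden port instead of startTLS, no bind DN, explicit auth type none). The sample profile is constructed from lines quoted in the thread; the reading of `ssl.insecure` and `host-name-verify.enable` as verification switches is an assumption based on the key names.

```python
# Constructed sample: settings as the poster first quoted them in this thread.
AS_POSTED = """\
include = <openldap.properties>
pool.default.serverset.single.port = 636
#pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.ssl.enable = true
pool.default.ssl.startTLS = false
pool.default.ssl.insecure = false
pool.default.ssl.host-name-verify.enable = true
pool.default.auth.type = none
"""

def parse_properties(text):
    """Parse 'key = value' lines, skipping comments and blank lines.
    Simplification: no ':' separators or backslash continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def lint_profile(text):
    """Return (key, finding) pairs for settings questioned in the thread."""
    p = parse_properties(text)
    flag = lambda key: p.get(key, "").lower()
    out = []
    if flag("pool.default.ssl.startTLS") != "true":
        out.append(("pool.default.ssl.startTLS", "not set to true"))
    if flag("pool.default.ssl.enable") == "true":
        out.append(("pool.default.ssl.enable", "SSL used instead of startTLS"))
    if "pool.default.serverset.single.port" in p:
        out.append(("pool.default.serverset.single.port", "default port overridden"))
    if flag("pool.default.ssl.insecure") == "true":  # assumed meaning
        out.append(("pool.default.ssl.insecure", "certificate check is off"))
    if flag("pool.default.ssl.host-name-verify.enable") == "false":  # assumed
        out.append(("pool.default.ssl.host-name-verify.enable", "host name check is off"))
    if flag("pool.default.auth.type") == "none":
        out.append(("pool.default.auth.type", "explicitly set to none"))
    if "pool.default.auth.simple.bindDN" not in p:
        out.append(("pool.default.auth.simple.bindDN", "no bind DN configured"))
    return out

if __name__ == "__main__":
    for key, finding in lint_profile(AS_POSTED):
        print(f"{key}: {finding}")
```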



