[ovirt-users] Adding users through LDAP fails on "external_id"

Zach La Celle lacelle at roboticresearch.com
Mon Jun 15 21:38:21 UTC 2015


I understand we were using the incorrect driver, and I've switched to
the RFC2307-compatible driver.  However, now the TLS sessions won't start.

I've verified that I can do ldapsearch from the oVirt machine without
issue, complete with STARTTLS.  So, it seems to be an issue solely in
our oVirt configuration.

Error message and config are below, with your changes.  I cannot seem to
get a configuration of the truststore that functions.

Here's the current error message, the SSLPeerUnverifiedException:

2015-06-15 17:32:49,252 DEBUG
[org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread
1-6) Ignoring Exception: LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred while attempting to connect to server
directory.roboticresearch.com:389:  java.io.IOException: Unable to
verify an attempt to to establish a secure connection to
'directory.roboticresearch.com:389' because an unexpected error was
encountered during validation processing:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')

The config file is below.  Notably, I changed it to use the already
installed java cacerts keystore (which I verified opens with the
changeit password).

include = <rfc2307-openldap.properties>

pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = 389

pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/pki/java/cacerts
pool.default.ssl.truststore.password = changeit

pool.default.ssl.enable = true
pool.default.ssl.host-name-verify.enable = true
pool.default.ssl.host-name-verify.wildcards = false
pool.default.ssl.insecure = false
pool.default.ssl.protocol = TLSv1
pool.default.ssl.startTLSProtocol = TLSv1
pool.default.auth.type = none

On 06/15/2015 04:29 PM, Alon Bar-Lev wrote:
> There are two issues.
>
> 1. Trust store issue, which is common to both startTLS and SSL: the same trust store is being used and should work in both cases, unless for some reason your server presents a different certificate for each channel, which is a very odd configuration. Are you sure your pool.default.ssl.truststore.file is uncommented and references a valid trust store?
>
> 2. Incorrect ldap driver, which should probably be rfc2307-openldap.
>
> ----- Original Message -----
>> From: "Zach La Celle" <lacelle at roboticresearch.com>
>> To: "Alon Bar-Lev" <alonbl at redhat.com>, users at ovirt.org
>> Sent: Monday, June 15, 2015 11:25:25 PM
>> Subject: Re: [ovirt-users] Adding users through LDAP fails on "external_id"
>>
>> I have tried the following combinations of certificates added to the
>> keystore:
>>
>> * PositiveSSL CA bundle (SHA-1 and SHA256) -- This is the source of our
>> SSL certificates
>> * All CA certificates from the LDAP machine
>> * All CA certificates from the LDAP machine plus the machine's own
>> certificate
>> * The machine's own certificate only
>>
>> None fix the issue.  As I understand it, adding just the CA bundle from
>> PositiveSSL should work.  Or, adding the CA bundles offered by Ubuntu
>> should also work.
>>
>> Previously (when using port 636 and TLS/SSL), to fix
>> SSLPeerUnverifiedException, I added all of the CA certificates from the
>> LDAP machine, plus its own certificate (this last part fixed it).
>>
>> In the meantime, to try and fix the original issue of "external_id", is
>> there any way to disable certificate verification for STARTTLS?
>>
>> On 06/15/2015 03:57 PM, Alon Bar-Lev wrote:
>>> You should add *ONLY* the ca certificate top level to the keystore.
>>>
>>> ----- Original Message -----
>>>> From: "Zach La Celle" <lacelle at roboticresearch.com>
>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>> Sent: Monday, June 15, 2015 10:54:02 PM
>>>> Subject: Re: [ovirt-users] Adding users through LDAP fails on
>>>> "external_id"
>>>>
>>>> OK, started using the STARTTLS protocol.  Tested working using
>>>> ldapsearch, but now ovirt-engine's engine.log complains:
>>>>
>>>> java.io.IOException: Unable to verify an attempt to to establish a
>>>> secure connection to 'directory.roboticresearch.com:389' because an
>>>> unexpected error was encountered during validation processing:
>>>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>>
>>>> Not sure what is wrong.  We fixed this before by adding the
>>>> ca-certificates from the LDAP server as well as the LDAP server
>>>> certificate into the .jks keystore.
>>>>
>>>> On 06/15/2015 03:21 PM, Alon Bar-Lev wrote:
>>>>> ----- Original Message -----
>>>>>> From: "Zach La Celle" <lacelle at roboticresearch.com>
>>>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>>>> Sent: Monday, June 15, 2015 10:14:34 PM
>>>>>> Subject: Re: [ovirt-users] Adding users through LDAP fails on
>>>>>> "external_id"
>>>>>>
>>>>>> My mistake. We're using OpenLDAP 2.4.28-1.1ubuntu4.4 on Ubuntu 12.04.
>>>>>>
>>>>>> The full configuration files are as follows (I removed commented-out
>>>>>> lines for brevity).  Communications with the LDAP server seem to work
>>>>>> correctly now.
>>>>>>
>>>>>> __profile1.properties__
>>>>>>
>>>>>> #
>>>>>> # Select one
>>>>>> #
>>>>>>
>>>>>> include = <openldap.properties>
>>>>> reading below, you may want to try rfc2307-openldap as your schema seems
>>>>> to be rfc2307 compatible.
>>>>>
>>>>> <snip>
>>>>>
>>>>>> pool.default.serverset.type = single
>>>>>> pool.default.serverset.single.server = ${global:vars.server}
>>>>>> pool.default.serverset.single.port = 636
>>>>> why do you modify port? please use startTLS on default port.
>>>>>
>>>>>> #pool.default.auth.simple.bindDN = ${global:vars.user}
>>>>>> #pool.default.auth.simple.password = ${global:vars.password}
>>>>> why did you comment this, do you allow anonymous access?
>>>>>
>>>>>> # Create keystore, import certificate chain and uncomment
>>>>>> # if using ssl/tls.
>>>>>> #pool.default.ssl.startTLS = true
>>>>> please uncomment this^
>>>>>
>>>>>> pool.default.ssl.truststore.file =
>>>>>> ${local:_basedir}/${global:vars.server}.jks
>>>>>> pool.default.ssl.truststore.password = sdfnliwneponalsdinosaivnewal
>>>>>>
>>>>>> # TLS settings and authentication
>>>>>> pool.default.ssl.enable = true
>>>>> please do not use ssl unless startTLS is not supported, and it is in
>>>>> openldap.
>>>>>
>>>>>> pool.default.ssl.startTLS = false
>>>>> please set this to true.
>>>>>
>>>>>> pool.default.ssl.host-name-verify.enable = true
>>>>>> pool.default.ssl.host-name-verify.wildcards = false
>>>>>> pool.default.ssl.insecure = false
>>>>>> pool.default.ssl.protocol = TLSv1
>>>>>> #pool.default.ssl.startTLSProtocol = TLSv1
>>>>> these are the default, you do not need to add these.
>>>>>
>>>>>> pool.default.auth.type = none
>>>>> why have you set this explicitly?
>>>>>  
>>>>>> # Mapping
>>>>>> attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map = cn
>>>>>> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = Email
>>>>>> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = cn
>>>>> please remove mapping, it should work without.
>>>>>
>>>>>> # Variables
>>>>>> sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn,
>>>>>> givenName, sn, Email
>>>>>> sequence.openldap-init-vars.040.var-set.value =
>>>>>> (objectClass=posixAccount)(uid=*)
>>>>>> sequence.openldap-init-vars.050.var-set.value = entryUUID, cn
>>>>>> sequence.openldap-init-vars.060.var-set.value = (objectClass=posixGroup)
>>>>>> sequence.openldap-init-vars.070.var-set.value = memberUid
>>>>> why have you added these? maybe you have rfc2307 compatible schema?
>>>>>
>>>>>> On 06/15/2015 03:07 PM, Alon Bar-Lev wrote:
>>>>>>> This probably states that you do not use the correct driver.
>>>>>>>
>>>>>>> You did not mention which LDAP server you use, and you pasted only a
>>>>>>> partial profile.
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Zach La Celle" <lacelle at roboticresearch.com>
>>>>>>>> To: users at ovirt.org
>>>>>>>> Sent: Monday, June 15, 2015 10:04:47 PM
>>>>>>>> Subject: [ovirt-users] Adding users through LDAP fails on
>>>>>>>> "external_id"
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> We have a small oVirt cluster set up, and are trying to get it
>>>>>>>> integrated with our LDAP server.
>>>>>>>>
>>>>>>>> I've changed some configuration values in order to try and make it
>>>>>>>> function, and it seems to communicate correctly with the LDAP server.
>>>>>>>> However, when trying to add the user, I get the following error upon
>>>>>>>> SQL
>>>>>>>> entry add:
>>>>>>>>
>>>>>>>> 2015-06-15 14:44:49,439 ERROR
>>>>>>>> [org.ovirt.engine.core.bll.aaa.AddUserCommand] (ajp--127.0.0.1-8702-6)
>>>>>>>> [3b15cbfe] Command org.ovirt.engine.core.bll.aaa.AddUserCommand throw
>>>>>>>> exception: org.springframework.dao.DataIntegrityViolationException:
>>>>>>>> CallableStatementCallback; SQL [{call
>>>>>>>> insertuser(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)}]; ERROR: null
>>>>>>>> value in column "external_id" violates not-null constraint
>>>>>>>>   Where: SQL statement "INSERT INTO users(department, domain, email,
>>>>>>>> groups, name, note, role, active, surname, user_id, username, group_ids,
>>>>>>>> external_id,namespace) VALUES( $1 ,  $2 ,  $3 ,  $4 ,  $5 ,  $6 ,  $7 ,
>>>>>>>> $8 ,  $9 ,  $10 ,  $11 ,  $12 ,  $13 ,  $14 )"
>>>>>>>> PL/pgSQL function "insertuser" line 2 at SQL statement; nested exception
>>>>>>>> is org.postgresql.util.PSQLException: ERROR: null value in column
>>>>>>>> "external_id" violates not-null constraint
>>>>>>>>   Where: SQL statement "INSERT INTO users(department, domain, email,
>>>>>>>> groups, name, note, role, active, surname, user_id, username, group_ids,
>>>>>>>> external_id,namespace) VALUES( $1 ,  $2 ,  $3 ,  $4 ,  $5 ,  $6 ,  $7 ,
>>>>>>>> $8 ,  $9 ,  $10 ,  $11 ,  $12 ,  $13 ,  $14 )"
>>>>>>>>
>>>>>>>> I can't figure out what maps from the LDAP user to "external_id" for
>>>>>>>> the
>>>>>>>> SQL table entry.
>>>>>>>>
>>>>>>>> Here are the changes I made to profile1.properties:
>>>>>>>>
>>>>>>>> #Mapping changes
>>>>>>>> attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map =
>>>>>>>> cn
>>>>>>>> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = Email
>>>>>>>> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = cn
>>>>>>>>
>>>>>>>> #LDAP value changes
>>>>>>>> sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn,
>>>>>>>> givenName, sn, Email
>>>>>>>> sequence.openldap-init-vars.040.var-set.value =
>>>>>>>> (objectClass=posixAccount)(uid=*)
>>>>>>>> sequence.openldap-init-vars.050.var-set.value = entryUUID, cn
>>>>>>>> sequence.openldap-init-vars.060.var-set.value =
>>>>>>>> (objectClass=posixGroup)
>>>>>>>> sequence.openldap-init-vars.070.var-set.value = memberUid
>>>>>>>>
>>>>>>>> Any help is appreciated!
>>>>>>>> _______________________________________________
>>>>>>>> Users mailing list
>>>>>>>> Users at ovirt.org
>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>
>>
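As an added example (not code from this thread or from oVirt), a small Python linter that applies the reviewer's TLS points from the thread (startTLS vs ssl.enable, port 636, an unset or commented-out truststore.file, insecure mode, anonymous auth) to the pool.default keys of an aaa-ldap profile; the embedded sample is a constructed excerpt of the port-636 profile quoted above, and the finding texts are this example's own wording.

```python
# Constructed excerpt of the port-636 profile quoted in the thread; ${...}
# references are kept verbatim, this linter does not expand them.
SAMPLE_LDAPS_PROFILE = """\
include = <openldap.properties>
pool.default.serverset.single.port = 636
#pool.default.auth.simple.bindDN = ${global:vars.user}
#pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
pool.default.ssl.enable = true
pool.default.ssl.startTLS = false
pool.default.ssl.insecure = false
pool.default.auth.type = none
"""


def parse_profile(text):
    """Parse 'key = value' lines; lines starting with '#' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def lint_tls(props):
    """Return (severity, message) findings for the pool.default TLS keys."""
    get = lambda k, d="": props.get("pool.default." + k, d).lower()
    starttls, ldaps = get("ssl.startTLS") == "true", get("ssl.enable") == "true"
    findings = []
    if not (starttls or ldaps):
        findings.append(("ERROR", "neither startTLS nor ssl.enable: plaintext LDAP"))
    if starttls and ldaps:
        findings.append(("WARN", "ssl.enable and startTLS both true: use startTLS only"))
    if ldaps and not starttls:
        findings.append(("INFO", "LDAPS in use: prefer startTLS on port 389 if supported"))
    if starttls and get("serverset.single.port") == "636":
        findings.append(("WARN", "startTLS on port 636: use the default port 389"))
    if (starttls or ldaps) and not get("ssl.truststore.file"):
        findings.append(("ERROR", "truststore.file unset or commented out"))
    if get("ssl.insecure") == "true":
        findings.append(("ERROR", "ssl.insecure=true disables certificate validation"))
    if get("ssl.host-name-verify.enable", "true") == "false":
        findings.append(("WARN", "host-name verification disabled"))
    if get("auth.type") == "none":
        findings.append(("WARN", "auth.type=none: anonymous bind to the directory"))
    return findings
```

Run it over the final profile from the top of the thread (startTLS and ssl.enable both true on port 389) and it flags the two modes being combined, which is the point the reviewer raised about choosing startTLS only.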
