[ovirt-users] Adding users through LDAP fails on "external_id"

Alon Bar-Lev alonbl at redhat.com
Mon Jun 15 21:45:11 UTC 2015



----- Original Message -----
> From: "Zach La Celle" <lacelle at roboticresearch.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: users at ovirt.org
> Sent: Tuesday, June 16, 2015 12:38:21 AM
> Subject: Re: [ovirt-users] Adding users through LDAP fails on "external_id"
> 
> I understand we were using the incorrect driver, and I've switched to
> the RFC2307-compatible driver.  However, now the TLS sessions won't start.
> 
> I've verified that I can do ldapsearch from the oVirt machine without
> issue, complete with STARTTLS.  So, it seems to be an issue solely in
> our oVirt configuration.
> 
> Error message and config are below, with your changes.  I cannot seem to
> get a configuration of the truststore that functions.
> 
> Here's the current error message, the SSLPeerUnverifiedException:
> 
> 2015-06-15 17:32:49,252 DEBUG
> [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread
> 1-6) Ignoring Exception: LDAPException(resultCode=91 (connect error),
> errorMessage='An error occurred\
>  while attempting to connect to server
> directory.roboticresearch.com:389:  java.io.IOException: Unable to
> verify an attempt to to establish a secure connection to
> 'directory.roboticresearch.com:389' becau\
> se an unexpected error was encountered during validation processing:
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')
> 
> The config file is below.  Notably, I changed it to use the already
> installed java cacerts keystore (which I verified opens with the
> changeit password).
> 
> include = <rfc2307-openldap.properties>
> 
> pool.default.serverset.type = single
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.serverset.single.port = 389

please remove this port setting ^ as this is the default.

> pool.default.ssl.startTLS = true
> pool.default.ssl.truststore.file = /etc/pki/java/cacerts
> pool.default.ssl.truststore.password = changeit

can you please create your own keystore with only the top-level certificate [1]?

[1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l155

> pool.default.ssl.enable = true

please remove this ^

> pool.default.ssl.host-name-verify.enable = true
> pool.default.ssl.host-name-verify.wildcards = false

please remove these ^

> pool.default.ssl.insecure = false
> pool.default.ssl.protocol = TLSv1
> pool.default.ssl.startTLSProtocol = TLSv1

please remove these ^

> pool.default.auth.type = none

please remove this ^ not sure why you added it.

> 
> On 06/15/2015 04:29 PM, Alon Bar-Lev wrote:
> > There are two issues.
> >
> > 1. Trust store issue, which is common to both startTLS and SSL, the same
> > trust store is being used and should work in both cases, unless for some
> > reason your server present a different certificate for each channel, which
> > is very odd configuration, are you sure your
> > pool.default.ssl.truststore.file is uncommented and reference to a valid
> > trust store?
> >
> > 2. Incorrect ldap driver, which should probably be rfc2307-openldap.
> >
> > ----- Original Message -----
> >> From: "Zach La Celle" <lacelle at roboticresearch.com>
> >> To: "Alon Bar-Lev" <alonbl at redhat.com>, users at ovirt.org
> >> Sent: Monday, June 15, 2015 11:25:25 PM
> >> Subject: Re: [ovirt-users] Adding users through LDAP fails on
> >> "external_id"
> >>
> >> I have tried the following combinations of certificates added to the
> >> keystore:
> >>
> >> * PositiveSSL CA bundle (SHA-1 and SHA256) -- This is the source of our
> >> SSL certificates
> >> * All CA certificates from the LDAP machine
> >> * All CA certificates from the LDAP machine plus the machine's own
> >> certificate
> >> * The machine's own certificate only
> >>
> >> None fix the issue.  As I understand it, adding just the CA bundle from
> >> PositiveSSL should work.  Or, adding the CA bundles offered by Ubuntu
> >> should also work.
> >>
> >> Previously (when using port 636 and TLS/SSL), to fix
> >> SSLPeerUnverifiedException, I added all of the CA certificates from the
> >> LDAP machine, plus its own certificate (this last part fixed it).
> >>
> >> In the meantime, to try and fix the original issue of "external_id", is
> >> there any way to disable certificate verification for STARTTLS?
> >>
> >> On 06/15/2015 03:57 PM, Alon Bar-Lev wrote:
> >>> You should add *ONLY* the ca certificate top level to the keystore.
> >>>
> >>> ----- Original Message -----
> >>>> From: "Zach La Celle" <lacelle at roboticresearch.com>
> >>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>> Sent: Monday, June 15, 2015 10:54:02 PM
> >>>> Subject: Re: [ovirt-users] Adding users through LDAP fails on
> >>>> "external_id"
> >>>>
> >>>> OK, started using the STARTTLS protocol.  Tested working using
> >>>> ldapsearch, but now ovirt-engine's engine.log complains:
> >>>>
> >>>> java.io.IOException: Unable to verify an attempt to to establish a
> >>>> secure connection to 'directory.roboticresearch.com:389' becau\
> >>>> se an unexpected error was encountered during validation processing:
> >>>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> >>>>
> >>>> Not sure what is wrong.  We fixed this before by adding the
> >>>> ca-certificates from the LDAP server as well as the LDAP server
> >>>> certificate into the .jks keystore.
> >>>>
> >>>> On 06/15/2015 03:21 PM, Alon Bar-Lev wrote:
> >>>>> ----- Original Message -----
> >>>>>> From: "Zach La Celle" <lacelle at roboticresearch.com>
> >>>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>>>> Sent: Monday, June 15, 2015 10:14:34 PM
> >>>>>> Subject: Re: [ovirt-users] Adding users through LDAP fails on
> >>>>>> "external_id"
> >>>>>>
> >>>>>> My mistake. We're using OpenLDAP 2.4.28-1.1ubuntu4.4 on Ubuntu 12.04.
> >>>>>>
> >>>>>> The full configuration files are as follows (I removed commented-out
> >>>>>> lines for brevity).  Communications with the LDAP server seem to work
> >>>>>> correctly now.
> >>>>>>
> >>>>>> __profile1.properties__
> >>>>>>
> >>>>>> #
> >>>>>>
> >>>>>> # Select
> >>>>>> one
> >>>>>>
> >>>>>> #
> >>>>>>
> >>>>>> include = <openldap.properties>
> >>>>> reading below, you may want to try rfc2307-openldap as your schema
> >>>>> seems to be rfc2307 compatible.
> >>>>>
> >>>>> <snip>
> >>>>>
> >>>>>> pool.default.serverset.type = single
> >>>>>> pool.default.serverset.single.server = ${global:vars.server}
> >>>>>> pool.default.serverset.single.port = 636
> >>>>> why do you modify the port? please use startTLS on the default port.
> >>>>>
> >>>>>> #pool.default.auth.simple.bindDN = ${global:vars.user}
> >>>>>> #pool.default.auth.simple.password = ${global:vars.password}
> >>>>> why did you comment this, do you allow anonymous access?
> >>>>>
> >>>>>> # Create keystore, import certificate chain and uncomment
> >>>>>> # if using ssl/tls.
> >>>>>> #pool.default.ssl.startTLS = true
> >>>>> please uncomment this^
> >>>>>
> >>>>>> pool.default.ssl.truststore.file =
> >>>>>> ${local:_basedir}/${global:vars.server}.jks
> >>>>>> pool.default.ssl.truststore.password = sdfnliwneponalsdinosaivnewal
> >>>>>>
> >>>>>> # TLS settings and authentication
> >>>>>> pool.default.ssl.enable = true
> >>>>> please do not use ssl unless startTLS is not supported, and it is in
> >>>>> openldap.
> >>>>>
> >>>>>> pool.default.ssl.startTLS = false
> >>>>> please set this to true.
> >>>>>
> >>>>>> pool.default.ssl.host-name-verify.enable = true
> >>>>>> pool.default.ssl.host-name-verify.wildcards = false
> >>>>>> pool.default.ssl.insecure = false
> >>>>>> pool.default.ssl.protocol = TLSv1
> >>>>>> #pool.default.ssl.startTLSProtocol = TLSv1
> >>>>> these are the default, you do not need to add these.
> >>>>>
> >>>>>> pool.default.auth.type = none
> >>>>> why have you set this explicitly?
> >>>>>  
> >>>>>> # Mapping
> >>>>>> attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map =
> >>>>>> cn
> >>>>>> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = Email
> >>>>>> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = cn
> >>>>> please remove mapping, it should work without.
> >>>>>
> >>>>>> # Variables
> >>>>>> sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn,
> >>>>>> givenName, sn, Email
> >>>>>> sequence.openldap-init-vars.040.var-set.value =
> >>>>>> (objectClass=posixAccount)(uid=*)
> >>>>>> sequence.openldap-init-vars.050.var-set.value = entryUUID, cn
> >>>>>> sequence.openldap-init-vars.060.var-set.value =
> >>>>>> (objectClass=posixGroup)
> >>>>>> sequence.openldap-init-vars.070.var-set.value = memberUid
> >>>>> why have you added these? maybe you have rfc2307 compatible schema?
> >>>>>
> >>>>>> On 06/15/2015 03:07 PM, Alon Bar-Lev wrote:
> >>>>>>> This probably states that you do not use the correct driver.
> >>>>>>>
> >>>>>>> You did not mention which LDAP server you use, and you pasted only a
> >>>>>>> partial profile.
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Zach La Celle" <lacelle at roboticresearch.com>
> >>>>>>>> To: users at ovirt.org
> >>>>>>>> Sent: Monday, June 15, 2015 10:04:47 PM
> >>>>>>>> Subject: [ovirt-users] Adding users through LDAP fails on
> >>>>>>>> "external_id"
> >>>>>>>>
> >>>>>>>> Hello,
> >>>>>>>>
> >>>>>>>> We have a small oVirt cluster set up, and are trying to get it
> >>>>>>>> integrated with our LDAP server.
> >>>>>>>>
> >>>>>>>> I've changed some configuration values in order to try and make it
> >>>>>>>> function, and it seems to communicate correctly with the LDAP
> >>>>>>>> server.
> >>>>>>>> However, when trying to add the user, I get the following error upon
> >>>>>>>> SQL
> >>>>>>>> entry add:
> >>>>>>>>
> >>>>>>>> 2015-06-15 14:44:49,439 ERROR
> >>>>>>>> [org.ovirt.engine.core.bll.aaa.AddUserCommand]
> >>>>>>>> (ajp--127.0.0.1-8702-6)
> >>>>>>>> [3b15cbfe] Command org.ovirt.engine.core.bll.aaa.AddUserCommand
> >>>>>>>> throw
> >>>>>>>> exception: org.springframework.da\
> >>>>>>>> o.DataIntegrityViolationException: CallableStatementCallback; SQL
> >>>>>>>> [{call
> >>>>>>>> insertuser(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)}]; ERROR: null
> >>>>>>>> value in column "external_id" violates not-null constraint
> >>>>>>>>   Where: SQL statement "INSERT INTO users(department, domain, email,
> >>>>>>>> groups, name, note, role, active, surname, user_id, username,
> >>>>>>>> group_ids,
> >>>>>>>> external_id,namespace) VALUES( $1 ,  $2 ,  $3 ,  $4 ,  $5 ,  $\
> >>>>>>>> 6 ,  $7 ,  $8 ,  $9 ,  $10 ,  $11 ,  $12 ,  $13 ,  $14 )"
> >>>>>>>> PL/pgSQL function "insertuser" line 2 at SQL statement; nested
> >>>>>>>> exception
> >>>>>>>> is org.postgresql.util.PSQLException: ERROR: null value in column
> >>>>>>>> "external_id" violates not-null constraint
> >>>>>>>>   Where: SQL statement "INSERT INTO users(department, domain, email,
> >>>>>>>> groups, name, note, role, active, surname, user_id, username,
> >>>>>>>> group_ids,
> >>>>>>>> external_id,namespace) VALUES( $1 ,  $2 ,  $3 ,  $4 ,  $5 ,  $\
> >>>>>>>> 6 ,  $7 ,  $8 ,  $9 ,  $10 ,  $11 ,  $12 ,  $13 ,  $14 )"
> >>>>>>>>
> >>>>>>>> I can't figure out what maps from the LDAP user to "external_id" for
> >>>>>>>> the
> >>>>>>>> SQL table entry.
> >>>>>>>>
> >>>>>>>> Here are the changes I made to profile1.properties:
> >>>>>>>>
> >>>>>>>> #Mapping changes
> >>>>>>>> attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map =
> >>>>>>>> cn
> >>>>>>>> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = Email
> >>>>>>>> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = cn
> >>>>>>>>
> >>>>>>>> #LDAP value changes
> >>>>>>>> sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn,
> >>>>>>>> givenName, sn, Email
> >>>>>>>> sequence.openldap-init-vars.040.var-set.value =
> >>>>>>>> (objectClass=posixAccount)(uid=*)
> >>>>>>>> sequence.openldap-init-vars.050.var-set.value = entryUUID, cn
> >>>>>>>> sequence.openldap-init-vars.060.var-set.value =
> >>>>>>>> (objectClass=posixGroup)
> >>>>>>>> sequence.openldap-init-vars.070.var-set.value = memberUid
> >>>>>>>>
> >>>>>>>> Any help is appreciated!
> >>>>>>>> _______________________________________________
> >>>>>>>> Users mailing list
> >>>>>>>> Users at ovirt.org
> >>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>>>>>>
> >>
> 
> 

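As an added example (not part of this thread or of the oVirt project), the following Python linter applies the advice given above to an aaa-ldap profile: it reads a Java-style .properties file, including commented-out keys and backslash continuation lines, and reports the settings the thread calls out (ldaps instead of startTLS, an explicit port, restated defaults, the shared JRE cacerts with its default password, anonymous bind, and a posixAccount schema used with the non-rfc2307 driver). The finding codes and the SAMPLE_* inputs are constructed for illustration; the sample profile mirrors the configuration quoted in the thread.

```python
"""Lint an ovirt-engine-extension-aaa-ldap profile for the pool.default.ssl
and pool.default.auth settings discussed in this thread.

Added example, not part of the oVirt project.  The rules encode the advice
given in the thread: startTLS on the default port instead of ldaps, a
dedicated truststore holding only the top-level CA, no anonymous bind and no
restated defaults.  Finding codes and the SAMPLE_* inputs are constructed."""
import re

# Keys the thread calls out as defaults that should not be restated.
REDUNDANT_KEYS = (
    "pool.default.ssl.host-name-verify.enable",
    "pool.default.ssl.host-name-verify.wildcards",
    "pool.default.ssl.protocol",
    "pool.default.ssl.startTLSProtocol",
)

# Constructed from the profile quoted in the thread.
SAMPLE_FROM_THREAD = """\
include = <rfc2307-openldap.properties>
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = 389
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/pki/java/cacerts
pool.default.ssl.truststore.password = changeit
pool.default.ssl.enable = true
pool.default.ssl.host-name-verify.enable = true
pool.default.ssl.host-name-verify.wildcards = false
pool.default.ssl.insecure = false
pool.default.ssl.protocol = TLSv1
pool.default.ssl.startTLSProtocol = TLSv1
pool.default.auth.type = none
"""

# Constructed: the same profile after applying the thread's advice
# (the truststore password is a placeholder, not a real value).
SAMPLE_HARDENED = """\
include = <rfc2307-openldap.properties>
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = \\
    ${local:_basedir}/${global:vars.server}.jks
pool.default.ssl.truststore.password = PLACEHOLDER-keystore-password
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, 'key = value',
    trailing-backslash continuation lines.  Returns (props, commented_keys)
    so the linter can also see keys that were deliberately commented out."""
    props, commented, pending = {}, set(), ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # continuation: join with next line
            pending = line[:-1]
            continue
        pending = ""
        if not line:
            continue
        if line[0] in "#!":
            m = re.match(r"[#!]\s*([\w.\-]+)\s*=", line)
            if m:
                commented.add(m.group(1))
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props, commented


def lint_profile(text):
    """Return sorted (code, message) findings for one profile."""
    p, commented = parse_properties(text)
    findings = []

    def is_true(key):
        return p.get(key, "").lower() == "true"

    start_tls, ldaps = is_true("pool.default.ssl.startTLS"), is_true("pool.default.ssl.enable")
    if not start_tls and not ldaps:
        findings.append(("NO_TLS", "neither startTLS nor ssl.enable is on; LDAP traffic is plaintext"))
    if ldaps:
        findings.append(("LDAPS_INSTEAD_OF_STARTTLS", "prefer startTLS on the default port; drop pool.default.ssl.enable"))
    if is_true("pool.default.ssl.insecure"):
        findings.append(("INSECURE", "pool.default.ssl.insecure=true disables certificate validation"))
    elif "pool.default.ssl.insecure" in p:
        findings.append(("REDUNDANT_DEFAULT", "pool.default.ssl.insecure=false is the default; remove it"))
    for key in REDUNDANT_KEYS:
        if key in p:
            findings.append(("REDUNDANT_DEFAULT", f"{key} restates a default; remove it"))
    if "pool.default.serverset.single.port" in p:
        findings.append(("EXPLICIT_PORT", "port set explicitly; remove it so the driver uses its default"))

    ts = p.get("pool.default.ssl.truststore.file", "")
    if (start_tls or ldaps) and not ts:
        findings.append(("NO_TRUSTSTORE", "TLS is on but no truststore is configured"))
    elif ts.endswith("/cacerts"):
        findings.append(("SHARED_CACERTS", "use a dedicated truststore with only the top-level CA, not the JRE cacerts"))
    if p.get("pool.default.ssl.truststore.password") == "changeit":
        findings.append(("DEFAULT_PASSWORD", "truststore still uses the well-known JRE default password"))

    if p.get("pool.default.auth.type") == "none" or "pool.default.auth.simple.bindDN" in commented:
        findings.append(("ANONYMOUS_BIND", "no bind DN; the engine will search the directory anonymously"))
    if p.get("include") == "<openldap.properties>" and any("posixAccount" in v for v in p.values()):
        findings.append(("DRIVER_MISMATCH", "posixAccount schema with openldap.properties; use rfc2307-openldap.properties"))
    return sorted(findings)


if __name__ == "__main__":
    for code, msg in lint_profile(SAMPLE_FROM_THREAD):
        print(f"{code}: {msg}")
    print("hardened profile findings:", lint_profile(SAMPLE_HARDENED))
```

Run against the quoted profile it reports ten findings (five of them restated defaults) and none against the hardened version; the `commented_keys` set is what lets it notice a bind DN that was commented out rather than simply absent, which is the situation questioned earlier in the thread.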