[ovirt-users] Active Directory authentication setup

Todd Punderson todd at doonga.org
Sat Jul 15 23:04:40 UTC 2017


Hi,

I've been pulling my hair out over this one. Here's the output of ovirt-engine-extension-aaa-ldap-setup. Everything works fine if I use "plain" but I don't really want to do that. I searched the error that's shown below and tried several different "fixes" but none of them helped. These are Server 2016 DCs. Not too sure where to go next.

[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
          Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log
          Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Available LDAP implementations:
           1 - 389ds
           2 - 389ds RFC-2307 Schema
           3 - Active Directory
           4 - IBM Security Directory Server
           5 - IBM Security Directory Server RFC-2307 Schema
           6 - IPA
           7 - Novell eDirectory RFC-2307 Schema
           8 - OpenLDAP RFC-2307 Schema
           9 - OpenLDAP Standard Schema
          10 - Oracle Unified Directory RFC-2307 Schema
          11 - RFC-2307 Schema (Generic)
          12 - RHDS
          13 - RHDS RFC-2307 Schema
          14 - iPlanet
          Please select: 3
          Please enter Active Directory Forest name: home.doonga.org
[ INFO  ] Resolving Global Catalog SRV record for home.doonga.org
[ INFO  ] Resolving LDAP SRV record for home.doonga.org
          NOTE:
          It is highly recommended to use secure protocol to access the LDAP server.
          Protocol startTLS is the standard recommended method to do so.
          Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
          Use plain for test environments only.
          Please select protocol to use (startTLS, ldaps, plain) [startTLS]: ldaps
          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): System
[ INFO  ] Resolving SRV record 'home.doonga.org'
[ INFO  ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ INFO  ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ INFO  ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
[ ERROR ] Cannot connect using any of available options

Also:
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC2.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:463 Cannot connect using 'ldap://DC2.home.doonga.org:389': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC3.home.doonga.org:389'
2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
    c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}

Any help would be appreciated!
Thanks
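The post shows NSS refusing both ldaps and startTLS with -8157 ("Certificate extension not found") but not which extension the client was looking for. As an added diagnostic, not part of the original message, the script below pulls the certificate a DC presents on its LDAPS port and lists the X509v3 extensions it actually carries, so the error can be compared with the real certificate; it assumes the openssl CLI is installed, and the host name in the usage line is a placeholder taken from the post.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: list the X509v3 extensions
# in the certificate a domain controller presents on its LDAPS port, so an
# NSS "Certificate extension not found" (-8157) failure can be compared with
# what the certificate really contains.  Assumes the openssl CLI is present.

# Fetch the leaf certificate from HOST:PORT (default 636) as `openssl x509 -text`.
ldaps_cert_text() {
    host=$1
    port=${2:-636}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -text
}

# Read `openssl x509 -text` output on stdin and print one extension name per
# line, e.g. "X509v3 Subject Alternative Name"; the trailing colon and the
# "critical" marker are stripped.  Extension names sit at a 12-space indent,
# their values at 16, which is what the pattern below relies on.
list_x509v3_extensions() {
    awk '
        /^        X509v3 extensions:/ { inext = 1; next }
        inext && /^    Signature Algorithm:/ { inext = 0 }
        inext && /^            [^ ]/ {
            sub(/^ +/, "")
            sub(/: *(critical)?$/, "")
            print
        }'
}

# Exit 0 if the certificate text on stdin carries extension NAME (given
# without the "X509v3 " prefix), 1 otherwise.
has_x509v3_extension() {
    list_x509v3_extensions | grep -Fxq "X509v3 $1"
}

# Print every extension the server sent, then flag the two a TLS client
# commonly relies on for hostname and purpose checks.
report_ldaps_cert() {
    text=$(ldaps_cert_text "$1" "${2:-636}") || return 1
    echo "Extensions presented by $1:"
    printf '%s\n' "$text" | list_x509v3_extensions | sed 's/^/  /'
    for ext in "Subject Alternative Name" "Extended Key Usage"; do
        if printf '%s\n' "$text" | has_x509v3_extension "$ext"; then
            echo "OK      $ext present"
        else
            echo "MISSING $ext"
        fi
    done
}

# Usage (placeholder host from the post): report_ldaps_cert DC1.home.doonga.org 636
```

Run it against each DC listed in the setup output in turn; a certificate whose extension list is empty or lacks the two flagged entries is the first thing to compare against the NSS error.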

