[ovirt-users] Active Directory authentication setup
Ondra Machacek
omachace at redhat.com
Mon Jul 17 07:34:49 UTC 2017
This is most probably a certificate issue.
Can you please share the output of the following command:
$ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b ''
And also the output of the following command:
$ openssl x509 -in /path/to/your/active_directory_ca.pem -text -noout
Are you sure you added a proper CA cert to your system?
On Sun, Jul 16, 2017 at 1:04 AM, Todd Punderson <todd at doonga.org> wrote:
> Hi,
>
> I’ve been pulling my hair out over this one. Here’s the
> output of ovirt-engine-extension-aaa-ldap-setup. Everything works fine if I
> use “plain” but I don’t really want to do that. I searched the error that’s
> shown below and tried several different “fixes” but none of them helped.
> These are Server 2016 DCs. Not too sure where to go next.
>
> [ INFO ] Stage: Initializing
> [ INFO ] Stage: Environment setup
> Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
> Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log
> Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
> [ INFO ] Stage: Environment packages setup
> [ INFO ] Stage: Programs detection
> [ INFO ] Stage: Environment customization
> Welcome to LDAP extension configuration program
> Available LDAP implementations:
> 1 - 389ds
> 2 - 389ds RFC-2307 Schema
> 3 - Active Directory
> 4 - IBM Security Directory Server
> 5 - IBM Security Directory Server RFC-2307 Schema
> 6 - IPA
> 7 - Novell eDirectory RFC-2307 Schema
> 8 - OpenLDAP RFC-2307 Schema
> 9 - OpenLDAP Standard Schema
> 10 - Oracle Unified Directory RFC-2307 Schema
> 11 - RFC-2307 Schema (Generic)
> 12 - RHDS
> 13 - RHDS RFC-2307 Schema
> 14 - iPlanet
> Please select: 3
> Please enter Active Directory Forest name: home.doonga.org
> [ INFO ] Resolving Global Catalog SRV record for home.doonga.org
> [ INFO ] Resolving LDAP SRV record for home.doonga.org
> NOTE:
> It is highly recommended to use secure protocol to access the LDAP server.
> Protocol startTLS is the standard recommended method to do so.
> Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
> Use plain for test environments only.
> Please select protocol to use (startTLS, ldaps, plain) [startTLS]: ldaps
> Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): System
> [ INFO ] Resolving SRV record 'home.doonga.org'
> [ INFO ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'
> [WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
> [ INFO ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'
> [WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
> [ INFO ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'
> [WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
> [ ERROR ] Cannot connect using any of available options
>
> Also:
>
> 2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC2.home.doonga.org:389'
> 2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
> 2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
> Traceback (most recent call last):
>   File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
>     c.start_tls_s()
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
>     return self._ldap_call(self._l.start_tls_s)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
>     result = func(*args,**kwargs)
> CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
> 2017-07-15 18:18:06 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:463 Cannot connect using 'ldap://DC2.home.doonga.org:389': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
> 2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC3.home.doonga.org:389'
> 2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
> 2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
> Traceback (most recent call last):
>   File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
>     c.start_tls_s()
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
>     return self._ldap_call(self._l.start_tls_s)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
>     result = func(*args,**kwargs)
> CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
>
> Any help would be appreciated!
>
> Thanks
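An added pre-flight script, not part of the original thread, that automates the two things the reply asks the poster to verify: that the PEM handed to the setup tool really is a CA certificate (basicConstraints CA:TRUE and, if keyUsage is present, Certificate Sign), and that a domain controller's LDAPS chain verifies with that CA as trust anchor. Host names, port and the PEM path are placeholders; only the openssl CLI is required.

```sh
#!/bin/sh
# Added example, not from the original thread: pre-flight checks for the CA PEM
# that ovirt-engine-extension-aaa-ldap-setup is expected to trust. Host names,
# ports and paths are placeholders. Requires only the openssl CLI.

# ext_value NAME TEXT: print the line(s) following an "X509v3 NAME" header in
# `openssl x509 -text` output (POSIX awk, so no dependency on GNU grep -A).
ext_value() {
    printf '%s\n' "$2" | awk -v name="$1" 'hit { print; hit = 0 } index($0, name) { hit = 1 }'
}

# check_ca_pem FILE: exit 0 if FILE is an X.509 certificate usable as a CA
# (basicConstraints CA:TRUE and, when keyUsage is present, Certificate Sign),
# 1 if it is a certificate but not a CA, 2 if it is not a PEM certificate at all.
check_ca_pem() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "$1: not a PEM-encoded X.509 certificate" >&2; return 2; }
    ext_value 'X509v3 Basic Constraints' "$text" | grep -q 'CA:TRUE' || {
        echo "$1: basicConstraints is not CA:TRUE (server cert instead of CA?)" >&2
        return 1; }
    ku=$(ext_value 'X509v3 Key Usage' "$text")
    if [ -n "$ku" ]; then
        case "$ku" in
            *"Certificate Sign"*) ;;
            *) echo "$1: keyUsage present but lacks keyCertSign" >&2; return 1 ;;
        esac
    fi
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# check_ldaps_chain HOST PORT CAFILE: open a TLS session to the DC's LDAPS port
# with CAFILE added as a trust anchor and require the chain to verify, so a
# trust problem shows up here before the setup tool reports
# "Can't contact LDAP server".
check_ldaps_chain() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
              </dev/null 2>&1)
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Typical use (placeholder path, host from the thread):
#   check_ca_pem /path/to/your/active_directory_ca.pem && \
#   check_ldaps_chain DC3.home.doonga.org 636 /path/to/your/active_directory_ca.pem
```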