<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt;">Sorry to reply to myself, but I figured it out. Putting this here for documentation in case anyone ever runs into this as it was absolutely horrible to troubleshoot.</span></p>
<p><br>
</p>
<p><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt;">I had this set: </span><span style="color: rgb(72, 72, 72); font-family: "Open Sans", Arial, Helvetica, sans-serif; font-size: 14px;"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm
= 1 (I think that's by default) That caused the CA to issue certs with </span><span style="color: rgb(72, 72, 72); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt;">RSASSA-PSS (1.2.840.113549.1.1.10) algorithm on them instead
<span style="font-size: 11pt; font-family: Calibri, Arial, Helvetica, sans-serif;">
of </span><span style="color: rgb(72, 72, 72); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt;">sha256RSA</span><span style="font-size: 11pt; font-family: Calibri, Arial, Helvetica, sans-serif;">.</span> So I changed that registry value
to a 0 as well as my CAPolicy.inf file and reissued my Root and Sub CA certs. Then refreshed the DC certs, loaded the new Root/Sub CAs in CentOS and it started working.</span></span></p>
<p><span style="color: rgb(72, 72, 72); font-family: "Open Sans", Arial, Helvetica, sans-serif; font-size: 14px;"><span style="color: rgb(72, 72, 72); font-family: "Open Sans", Arial, Helvetica, sans-serif; font-size: 14px;"><br>
</span></span></p>
<p><span style="color: rgb(72, 72, 72); font-family: "Open Sans", Arial, Helvetica, sans-serif; font-size: 14px;"><span style="color: rgb(72, 72, 72); font-family: "Open Sans", Arial, Helvetica, sans-serif; font-size: 14px;"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt;">I
actually figured it out from a bug report for Firefox here: </span><a href="https://support.mozilla.org/en-US/questions/986085" class="OWAAutoLink" id="LPlnk343687" previewremoved="true"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt;">https://support.mozilla.org/en-US/questions/986085</span></a></span></span></p>
<p><span style="color: rgb(72, 72, 72); font-family: "Open Sans", Arial, Helvetica, sans-serif; font-size: 14px;"><br>
</span></p>
<p><font color="#484848" face="Open Sans, Arial, Helvetica, sans-serif"><span style="font-size: 11pt; font-family: Calibri, Arial, Helvetica, sans-serif;">Either way it's working now. That drove me nuts for 2+ days.</span></font></p>
<p><font color="#484848" face="Open Sans, Arial, Helvetica, sans-serif"><span style="font-size: 14px;"><br>
</span></font></p>
<p><font color="#484848" face="Open Sans, Arial, Helvetica, sans-serif"><span style="font-size: 11pt; font-family: Calibri, Arial, Helvetica, sans-serif;">Thank you anyway for your assistance!</span></font></p>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> users-bounces@ovirt.org <users-bounces@ovirt.org> on behalf of Todd Punderson <todd@doonga.org><br>
<b>Sent:</b> Monday, July 17, 2017 9:05:12 AM<br>
<b>To:</b> Ondra Machacek<br>
<b>Cc:</b> users@ovirt.org<br>
<b>Subject:</b> Re: [ovirt-users] Active Directory authentication setup</font>
<div> </div>
</div>
<div>
<meta content="text/html; charset=UTF-8">
<style type="text/css" style="">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
</style>
<div dir="ltr">
<div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Arial,Helvetica,sans-serif">
<p>Hi,</p>
<p> Agreed on the certificate issue, I fought with it all weekend! Here's the output of those commands:</p>
<p><br>
</p>
<p></p>
<div>ldap_url_parse_ext(ldaps://DC3.home.doonga.org)</div>
<div>ldap_create</div>
<div>ldap_url_parse_ext(ldaps://DC3.home.doonga.org:636/??base)</div>
<div>ldap_sasl_bind</div>
<div>ldap_send_initial_request</div>
<div>ldap_new_connection 1 1 0</div>
<div>ldap_int_open_connection</div>
<div>ldap_connect_to_host: TCP DC3.home.doonga.org:636</div>
<div>ldap_new_socket: 3</div>
<div>ldap_prepare_socket: 3</div>
<div>ldap_connect_to_host: Trying 172.16.10.4:636</div>
<div>ldap_pvt_connect: fd: 3 tm: -1 async: 0</div>
<div>attempting to connect:</div>
<div>connect success</div>
<div>TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly</div>
<div>TLS: using moznss security dir /etc/openldap/certs prefix .</div>
<div>TLS: certificate [(null)] is not valid - error -8182:Peer's certificate has an invalid signature..</div>
<div>TLS: error: connect - force handshake failure: errno 21 - moznss error -8174</div>
<div>TLS: can't connect: TLS error -8174:security library: bad database..</div>
<div>ldap_err2string</div>
<div>ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)</div>
<div><br>
</div>
I tried digging into this one. I'm very sure the peer doesn't have an invalid signature, I tested the certificate chain with openssl successfully, I'm guessing that error is related to the "bad database". I couldn't quite figure out that part of the error though.
<p></p>
<p><br>
</p>
<p>I have an offline root and online issuing CA, here's those certs. I loaded both of these to the system CA trust.</p>
<p><br>
</p>
<p></p>
<div>[root@ovirt-engine ~]# openssl x509 -in /root/root.pem -text -noout</div>
<div>Certificate:</div>
<div> Data:</div>
<div> Version: 3 (0x2)</div>
<div> Serial Number:</div>
<div> 1a:01:7c:fc:bf:77:9c:95:4e:13:7d:bf:36:a8:be:5b</div>
<div> Signature Algorithm: rsassaPss</div>
<div> Hash Algorithm: sha256</div>
<div> Mask Algorithm: mgf1 with sha256</div>
<div> Salt Length: 20</div>
<div> Trailer Field: 0xbc (default)</div>
<div> Issuer: CN=Doonga.Org Root CA</div>
<div> Validity</div>
<div> Not Before: Jul 13 01:15:39 2017 GMT</div>
<div> Not After : Jul 13 01:25:39 2037 GMT</div>
<div> Subject: CN=Doonga.Org Root CA</div>
<div> Subject Public Key Info:</div>
<div> Public Key Algorithm: rsaEncryption</div>
<div> Public-Key: (2048 bit)</div>
<div> Modulus:</div>
<div> 00:ac:ad:1e:3a:9c:08:76:7f:eb:83:ea:d9:f6:4b:</div>
<div> d3:4b:88:45:bb:50:b1:3b:a6:b9:a0:22:d4:94:a5:</div>
<div> b4:6a:32:39:cd:3b:5e:83:c1:1e:de:cb:0e:da:73:</div>
<div> e2:3a:df:f0:97:a2:72:b1:35:cf:bd:a3:a7:e5:dc:</div>
<div> 67:ac:38:82:e8:a2:31:21:ab:cf:19:6d:a5:7d:44:</div>
<div> 5e:f3:dd:76:d1:02:8b:cf:3b:25:ce:c0:7a:4b:0d:</div>
<div> ae:bb:d5:02:06:8b:0b:33:75:5a:81:1b:c1:53:52:</div>
<div> 45:44:65:49:35:08:d7:0c:35:15:bf:6b:1e:82:49:</div>
<div> d2:de:ce:4b:0b:1b:6c:02:97:af:86:0c:ce:78:6f:</div>
<div> 4f:dd:fe:9e:13:e7:43:94:53:df:76:91:8a:df:88:</div>
<div> 4c:0b:0e:a6:6b:ef:7a:2f:ff:cc:ad:a5:36:fd:8f:</div>
<div> ad:44:e5:93:b3:4b:cb:43:c9:28:9d:21:86:7c:c5:</div>
<div> 72:91:0b:a8:d5:36:f2:14:bf:df:58:27:a9:4b:04:</div>
<div> de:f1:89:aa:c0:27:ba:81:c9:0c:08:f7:08:f9:f3:</div>
<div> 05:d1:d7:26:45:80:9c:d6:da:98:0c:d9:b8:44:e2:</div>
<div> aa:4f:32:2d:7b:5f:1a:14:ac:34:52:76:20:2d:cb:</div>
<div> 6d:8e:d5:87:80:b2:d4:2f:0f:77:13:51:92:bb:f3:</div>
<div> 07:75</div>
<div> Exponent: 65537 (0x10001)</div>
<div> X509v3 extensions:</div>
<div> X509v3 Key Usage:</div>
<div> Digital Signature, Certificate Sign, CRL Sign</div>
<div> X509v3 Basic Constraints: critical</div>
<div> CA:TRUE</div>
<div> X509v3 Subject Key Identifier:</div>
<div> 72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07</div>
<div> 1.3.6.1.4.1.311.21.1:</div>
<div> ...</div>
<div> X509v3 Certificate Policies:</div>
<div> Policy: 1.3.6.1.4.1.37476.9000.53</div>
<div> User Notice:</div>
<div> Explicit Text:</div>
<div> CPS: http://www.doonga.org/pki/cps.txt</div>
<div><br>
</div>
<div> Signature Algorithm: rsassaPss</div>
<div> Hash Algorithm: sha256</div>
<div> Mask Algorithm: mgf1 with sha256</div>
<div> Salt Length: 20</div>
<div> Trailer Field: 0xbc (default)</div>
<div><br>
</div>
<div> 56:06:7e:bb:f4:c1:29:a1:05:27:8b:66:e0:23:17:56:ac:de:</div>
<div> 4c:65:0d:1e:97:d4:c6:71:75:a8:79:80:dd:b7:b7:08:b2:12:</div>
<div> af:d7:cb:c9:99:80:7b:47:02:9e:6c:fc:83:5e:ae:4d:46:ce:</div>
<div> 3b:3c:f4:fe:e6:4c:66:d7:6d:2e:de:6a:31:0f:fb:ef:2b:d4:</div>
<div> 5a:3c:3c:a9:1e:c1:39:a4:0f:3d:9b:23:5c:94:16:9a:6f:9b:</div>
<div> e0:01:33:49:f8:d3:f1:b5:9c:33:f4:23:ca:88:94:5d:bd:65:</div>
<div> 94:55:ad:90:72:57:78:8e:88:bc:40:81:ff:68:d3:5f:63:48:</div>
<div> ae:d9:96:b4:44:b0:ed:51:e2:01:36:ad:97:2c:64:a0:17:5e:</div>
<div> c5:47:e1:2f:60:f5:5a:fd:09:21:08:be:1d:6b:5a:71:d4:25:</div>
<div> ea:e1:2b:1a:95:2e:aa:03:a8:91:7f:cf:11:6d:3b:d7:ff:4b:</div>
<div> 87:68:14:93:81:bc:64:20:14:3e:f7:99:c5:5d:fc:b9:3a:b4:</div>
<div> e9:78:2a:1c:35:22:86:5c:13:c6:1a:75:c2:41:54:45:7d:31:</div>
<div> 4f:f5:a2:0f:c6:de:8f:bf:a6:ea:b9:a0:f6:b2:1c:bf:2f:84:</div>
<div> ee:69:76:cd:b7:34:2c:dd:f9:2d:02:62:4a:0f:8b:1e:42:11:</div>
<div> f8:98:ae:07</div>
<div><br>
</div>
<div>[root@ovirt-engine ~]# openssl x509 -in /root/sub.pem -text -noout</div>
<div>Certificate:</div>
<div> Data:</div>
<div> Version: 3 (0x2)</div>
<div> Serial Number:</div>
<div> 50:00:00:00:02:2e:ac:e2:5e:b2:d5:fc:11:00:00:00:00:00:02</div>
<div> Signature Algorithm: rsassaPss</div>
<div> Hash Algorithm: sha256</div>
<div> Mask Algorithm: mgf1 with sha256</div>
<div> Salt Length: 20</div>
<div> Trailer Field: 0xbc (default)</div>
<div> Issuer: CN=Doonga.Org Root CA</div>
<div> Validity</div>
<div> Not Before: Jul 13 02:07:35 2017 GMT</div>
<div> Not After : Jul 13 02:17:35 2027 GMT</div>
<div> Subject: DC=org, DC=doonga, DC=home, CN=Doonga.Org Issuing CA</div>
<div> Subject Public Key Info:</div>
<div> Public Key Algorithm: rsaEncryption</div>
<div> Public-Key: (2048 bit)</div>
<div> Modulus:</div>
<div> 00:f3:1d:d4:7b:c4:49:0a:d0:8a:9d:91:52:ca:e1:</div>
<div> 3f:f6:f6:6b:33:6e:f2:47:0b:62:fc:a4:21:48:88:</div>
<div> 0a:50:a4:10:83:59:ab:73:e9:46:08:45:39:52:67:</div>
<div> d3:a2:e5:33:ef:33:3f:2a:c0:b5:f5:9c:58:26:6a:</div>
<div> 54:00:73:66:96:f6:e0:e6:db:49:58:aa:3b:43:06:</div>
<div> da:d0:25:cf:cf:5b:7b:d8:93:69:12:ee:c9:c0:d1:</div>
<div> e0:28:c8:3e:77:b1:67:8f:e0:37:5b:26:9b:2e:df:</div>
<div> b0:9f:0b:6c:aa:e5:5b:31:de:65:cc:f3:ab:d1:5b:</div>
<div> db:8d:3e:57:bf:db:7e:bb:d2:f1:83:e3:88:21:92:</div>
<div> 0c:22:c5:ce:a9:bc:da:99:df:f1:83:01:35:a7:52:</div>
<div> e9:81:01:ab:e0:ca:7a:78:b3:98:4c:1a:2c:a3:5d:</div>
<div> 75:a5:b1:be:dc:cb:cd:1d:32:e5:36:37:3b:f1:64:</div>
<div> 8b:f9:b2:25:f6:ad:ee:74:ab:ac:66:cd:07:67:80:</div>
<div> 14:78:54:e6:a9:74:58:d1:9f:1d:2f:57:d5:ef:80:</div>
<div> 73:25:de:aa:be:46:0f:70:ca:20:42:ba:73:a1:12:</div>
<div> 70:eb:78:7d:95:9b:77:5b:b8:70:f2:a2:b9:d5:b6:</div>
<div> 63:f0:b5:51:32:24:f4:c5:f8:6a:d3:28:bd:8e:79:</div>
<div> fc:89</div>
<div> Exponent: 65537 (0x10001)</div>
<div> X509v3 extensions:</div>
<div> 1.3.6.1.4.1.311.21.1:</div>
<div> ...</div>
<div> X509v3 Subject Key Identifier:</div>
<div> 21:BB:5D:9C:46:0C:B8:DE:5B:2C:B5:3D:5D:CF:D7:F2:07:2C:48:FD</div>
<div> X509v3 Certificate Policies:</div>
<div> Policy: 1.3.6.1.4.1.37476.9000.53</div>
<div> User Notice:</div>
<div> Explicit Text:</div>
<div> CPS: http://www.doonga.org/pki/cps.txt</div>
<div><br>
</div>
<div> 1.3.6.1.4.1.311.20.2:</div>
<div> .</div>
<div>.S.u.b.C.A</div>
<div> X509v3 Key Usage:</div>
<div> Digital Signature, Certificate Sign, CRL Sign</div>
<div> X509v3 Basic Constraints: critical</div>
<div> CA:TRUE</div>
<div> X509v3 Authority Key Identifier:</div>
<div> keyid:72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07</div>
<div><br>
</div>
<div> X509v3 CRL Distribution Points:</div>
<div><br>
</div>
<div> Full Name:</div>
<div> URI:http://www.doonga.org/pki/Doonga.Org%20Root%20CA.crl</div>
<div><br>
</div>
<div> Authority Information Access:</div>
<div> CA Issuers - URI:http://www.doonga.org/pki/CAROOT_Doonga.Org%20Root%20CA.crt</div>
<div><br>
</div>
<div> Signature Algorithm: rsassaPss</div>
<div> Hash Algorithm: sha256</div>
<div> Mask Algorithm: mgf1 with sha256</div>
<div> Salt Length: 20</div>
<div> Trailer Field: 0xbc (default)</div>
<div><br>
</div>
<div> 70:f2:32:da:17:22:40:4a:e7:20:12:44:99:62:82:d7:97:e8:</div>
<div> 48:c6:d4:34:71:d7:58:03:ef:5b:b4:db:74:9a:81:51:7c:6f:</div>
<div> f4:2c:c1:7a:cc:84:28:61:8d:10:d1:3c:da:1c:28:26:1c:e6:</div>
<div> 5e:85:6d:84:93:30:12:4c:8f:a7:5d:4c:8f:e0:e8:75:99:62:</div>
<div> 6b:ef:f3:82:10:fa:da:6d:3f:2d:3b:eb:61:ff:fc:4c:2b:55:</div>
<div> cb:29:f6:10:0c:35:7f:b6:ff:4a:b1:e8:a5:6a:3d:ad:fe:cd:</div>
<div> 57:6f:c9:99:c5:41:2d:29:90:c8:7c:83:03:4f:e1:36:e1:f9:</div>
<div> 24:78:cb:d8:46:19:bf:1a:a8:a8:e1:94:2f:2a:67:43:a3:1c:</div>
<div> ce:22:7e:9a:47:49:a6:e9:35:30:77:35:9c:01:3a:41:bd:71:</div>
<div> 17:11:b8:f4:42:a9:25:b7:7b:6a:7b:8f:c1:cc:1a:03:d0:47:</div>
<div> bb:1e:4f:39:ff:97:cb:38:c5:19:c4:f2:dd:de:16:cd:64:ad:</div>
<div> 6f:2a:1f:21:09:62:dc:28:2a:cb:d9:3e:dd:7e:b0:6e:86:f5:</div>
<div> 16:0f:5b:6e:df:4a:dc:e6:f9:2c:4b:aa:aa:71:5c:ba:4f:cc:</div>
<div> 1e:c4:bf:de:ff:56:c9:28:13:23:e2:d5:ef:4f:68:86:96:52:</div>
<div> fa:d8:9c:31</div>
<div><br>
</div>
I'm definitely sure that I have the correct CA certs loaded. I tried removing them and I got an invalid CA error. When they are in place I get the error I'm asking about. So I'm sure it's reading the CA certificates properly.
<p></p>
<p><br>
</p>
<p>Thanks very much for your help!</p>
<p>Todd</p>
<p><br>
</p>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Ondra Machacek <omachace@redhat.com><br>
<b>Sent:</b> Monday, July 17, 2017 3:34:49 AM<br>
<b>To:</b> Todd Punderson<br>
<b>Cc:</b> users@ovirt.org<br>
<b>Subject:</b> Re: [ovirt-users] Active Directory authentication setup</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">This is most probably certificate issue.<br>
<br>
Can you please share output of following command:<br>
<br>
$ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b ''<br>
<br>
And also the output of following command:<br>
<br>
$ openssl x509 -in /path/to/your/active_diretory_ca.pem -text -noout<br>
<br>
Are you sure you added a proper CA cert to your system?<br>
<br>
<br>
On Sun, Jul 16, 2017 at 1:04 AM, Todd Punderson <todd@doonga.org> wrote:<br>
> Hi,<br>
><br>
> I’ve been pulling my hair out over this one. Here’s the<br>
> output of ovirt-engine-extension-aaa-ldap-setup. Everything works fine if I<br>
> use “plain” but I don’t really want to do that. I searched the error that’s<br>
> shown below and tried several different “fixes” but none of them helped.<br>
> These are Server 2016 DCs. Not too sure where to go next.<br>
><br>
><br>
><br>
> [ INFO ] Stage: Initializing<br>
><br>
> [ INFO ] Stage: Environment setup<br>
><br>
> Configuration files:<br>
> ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']<br>
><br>
> Log file:<br>
> /tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log<br>
><br>
> Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)<br>
><br>
> [ INFO ] Stage: Environment packages setup<br>
><br>
> [ INFO ] Stage: Programs detection<br>
><br>
> [ INFO ] Stage: Environment customization<br>
><br>
> Welcome to LDAP extension configuration program<br>
><br>
> Available LDAP implementations:<br>
><br>
> 1 - 389ds<br>
><br>
> 2 - 389ds RFC-2307 Schema<br>
><br>
> 3 - Active Directory<br>
><br>
> 4 - IBM Security Directory Server<br>
><br>
> 5 - IBM Security Directory Server RFC-2307 Schema<br>
><br>
> 6 - IPA<br>
><br>
> 7 - Novell eDirectory RFC-2307 Schema<br>
><br>
> 8 - OpenLDAP RFC-2307 Schema<br>
><br>
> 9 - OpenLDAP Standard Schema<br>
><br>
> 10 - Oracle Unified Directory RFC-2307 Schema<br>
><br>
> 11 - RFC-2307 Schema (Generic)<br>
><br>
> 12 - RHDS<br>
><br>
> 13 - RHDS RFC-2307 Schema<br>
><br>
> 14 - iPlanet<br>
><br>
> Please select: 3<br>
><br>
> Please enter Active Directory Forest name: home.doonga.org<br>
><br>
> [ INFO ] Resolving Global Catalog SRV record for home.doonga.org<br>
><br>
> [ INFO ] Resolving LDAP SRV record for home.doonga.org<br>
><br>
> NOTE:<br>
><br>
> It is highly recommended to use secure protocol to access the LDAP<br>
> server.<br>
><br>
> Protocol startTLS is the standard recommended method to do so.<br>
><br>
> Only in cases in which the startTLS is not supported, fallback to<br>
> non standard ldaps protocol.<br>
><br>
> Use plain for test environments only.<br>
><br>
> Please select protocol to use (startTLS, ldaps, plain) [startTLS]:<br>
> ldaps<br>
><br>
> Please select method to obtain PEM encoded CA certificate (File,<br>
> URL, Inline, System, Insecure): System<br>
><br>
> [ INFO ] Resolving SRV record 'home.doonga.org'<br>
><br>
> [ INFO ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'<br>
><br>
> [WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info':<br>
> 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact<br>
> LDAP server"}<br>
><br>
> [ INFO ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'<br>
><br>
> [WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info':<br>
> 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact<br>
> LDAP server"}<br>
><br>
> [ INFO ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'<br>
><br>
> [WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info':<br>
> 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact<br>
> LDAP server"}<br>
><br>
> [ ERROR ] Cannot connect using any of available options<br>
><br>
><br>
><br>
> Also:<br>
><br>
> 2017-07-15 18:18:06 INFO<br>
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common<br>
> common._connectLDAP:391 Connecting to LDAP using<br>
> 'ldap://DC2.home.doonga.org:389'<br>
><br>
> 2017-07-15 18:18:06 INFO<br>
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common<br>
> common._connectLDAP:442 Executing startTLS<br>
><br>
> 2017-07-15 18:18:06 DEBUG<br>
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common<br>
> common._connectLDAP:459 Exception<br>
><br>
> Traceback (most recent call last):<br>
><br>
> File<br>
> "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",<br>
> line 443, in _connectLDAP<br>
><br>
> c.start_tls_s()<br>
><br>
> File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in<br>
> start_tls_s<br>
><br>
> return self._ldap_call(self._l.start_tls_s)<br>
><br>
> File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in<br>
> _ldap_call<br>
><br>
> result = func(*args,**kwargs)<br>
><br>
> CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.',<br>
> 'desc': 'Connect error'}<br>
><br>
> 2017-07-15 18:18:06 WARNING<br>
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common<br>
> common._connectLDAP:463 Cannot connect using<br>
> 'ldap://DC2.home.doonga.org:389': {'info': 'TLS error -8157:Certificate<br>
> extension not found.', 'desc': 'Connect error'}<br>
><br>
> 2017-07-15 18:18:06 INFO<br>
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common<br>
> common._connectLDAP:391 Connecting to LDAP using<br>
> 'ldap://DC3.home.doonga.org:389'<br>
><br>
> 2017-07-15 18:18:06 INFO<br>
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common<br>
> common._connectLDAP:442 Executing startTLS<br>
><br>
> 2017-07-15 18:18:06 DEBUG<br>
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common<br>
> common._connectLDAP:459 Exception<br>
><br>
> Traceback (most recent call last):<br>
><br>
> File<br>
> "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",<br>
> line 443, in _connectLDAP<br>
><br>
> c.start_tls_s()<br>
><br>
> File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in<br>
> start_tls_s<br>
><br>
> return self._ldap_call(self._l.start_tls_s)<br>
><br>
> File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in<br>
> _ldap_call<br>
><br>
> result = func(*args,**kwargs)<br>
><br>
> CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.',<br>
> 'desc': 'Connect error'}<br>
><br>
><br>
><br>
> Any help would be appreciated!<br>
><br>
> Thanks<br>
><br>
><br>
> _______________________________________________<br>
> Users mailing list<br>
> Users@ovirt.org<br>
> <a href="http://lists.ovirt.org/mailman/listinfo/users">http://lists.ovirt.org/mailman/listinfo/users</a><br>
><br>
</div>
</span></font></div>
</body>
</html>