Description of problem:
Currently trying to integrate RHEV 3.6 with AD (2008R2) using the ovirt-engine-extension-aaa-ldap utility. If the customer decides to select the LDAPS option, the subsequent test "Login" attempt fails. However, the "Search" option, which is another option at the same level, works.

Available LDAP implementations:
 1 - 389ds
 2 - 389ds RFC-2307 Schema
 3 - Active Directory
 4 - IPA
 5 - Novell eDirectory RFC-2307 Schema
 6 - OpenLDAP RFC-2307 Schema
 7 - OpenLDAP Standard Schema
 8 - Oracle Unified Directory RFC-2307 Schema
 9 - RFC-2307 Schema (Generic)
10 - RHDS
11 - RHDS RFC-2307 Schema
12 - iPlanet
Please select: 3
Please select protocol to use (startTLS, ldaps, plain) [startTLS]: ldaps
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
File path: /tmp/adcert.pem
[ INFO ] Resolving SRV record 'rhev.gsslab.bne.redhat.com'
[ INFO ] Connecting to LDAP using 'ldaps://win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:636'
[ INFO ] Connection succeeded
Enter search user DN (empty for anonymous): CN=rhevm,CN=Users,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com
Enter search user password:
[ INFO ] Attempting to bind using 'CN=rhevm,CN=Users,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com'
[ INFO ] Stage: Setup validation
The following files are about to be overwritten:
    /etc/ovirt-engine/extensions.d/rhev.gsslab.bne.redhat.com-authn.properties
    /etc/ovirt-engine/extensions.d/rhev.gsslab.bne.redhat.com-authz.properties
    /etc/ovirt-engine/aaa/rhev.gsslab.bne.redhat.com.properties
    /etc/ovirt-engine/aaa/rhev.gsslab.bne.redhat.com.jks
Continue and overwrite? (Yes, No) [No]: Yes
NOTE:
It is highly recommended to test drive the configuration before applying it into engine.
Perform at least one Login sequence and one Search sequence.
Select test sequence to execute (Done, Abort, Login, Search) [Abort]:
*** Login
Login
Enter user name: rhevm
Enter user password:
[ INFO ] Executing login sequence...
Login output:
2016-10-11 15:37:00 INFO ========================================================================
2016-10-11 15:37:00 INFO ============================ Initialization ============================
2016-10-11 15:37:00 INFO ========================================================================
2016-10-11 15:37:00 INFO Loading extension 'rhev.gsslab.bne.redhat.com-authz'
2016-10-11 15:37:01 INFO Extension 'rhev.gsslab.bne.redhat.com-authz' loaded
2016-10-11 15:37:01 INFO Loading extension 'rhev.gsslab.bne.redhat.com-authn'
2016-10-11 15:37:01 INFO Extension 'rhev.gsslab.bne.redhat.com-authn' loaded
2016-10-11 15:37:01 INFO Initializing extension 'rhev.gsslab.bne.redhat.com-authz'
2016-10-11 15:37:01 INFO [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Creating LDAP pool 'authz'
2016-10-11 15:37:01 WARNING [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server ad-bne.rhev.gsslab.bne.redhat.com:389: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ad-bne.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ad-bne.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ad-bne.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
2016-10-11 15:37:01 INFO Extension 'rhev.gsslab.bne.redhat.com-authz' initialized
2016-10-11 15:37:01 INFO Initializing extension 'rhev.gsslab.bne.redhat.com-authn'
2016-10-11 15:37:01 INFO [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authz'
2016-10-11 15:37:01 WARNING [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
2016-10-11 15:37:01 INFO Extension 'rhev.gsslab.bne.redhat.com-authn' initialized
2016-10-11 15:37:01 INFO Start of enabled extensions list
2016-10-11 15:37:01 INFO Instance name: 'rhev.gsslab.bne.redhat.com-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/tmp/tmpxh6Nzs/extensions.d/rhev.gsslab.bne.redhat.com-authz.properties', Initialized: 'true'
2016-10-11 15:37:01 INFO Instance name: 'rhev.gsslab.bne.redhat.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/tmp/tmpxh6Nzs/extensions.d/rhev.gsslab.bne.redhat.com-authn.properties', Initialized: 'true'
2016-10-11 15:37:01 INFO End of enabled extensions list
2016-10-11 15:37:01 INFO ========================================================================
2016-10-11 15:37:01 INFO ============================== Execution ===============================
2016-10-11 15:37:01 INFO ========================================================================
2016-10-11 15:37:01 INFO Profile='rhev.gsslab.bne.redhat.com' authn='rhev.gsslab.bne.redhat.com-authn' authz='rhev.gsslab.bne.redhat.com-authz' mapping='null'
2016-10-11 15:37:01 INFO API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='rhevm'
2016-10-11 15:37:01 INFO [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authz'
2016-10-11 15:37:01 WARNING [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
2016-10-11 15:37:01 SEVERE An error occurred while attempting to connect to server win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
[ ERROR ] Login sequence failed

However, if we select the "Search" operation, it works.

Search
Select entity to search (Principal, Group) [Principal]:
Term to search, trailing '*' is allowed: rhevm
Resolve Groups (Yes, No) [No]:
[ INFO ] Executing search sequence...
Login output:
2016-10-11 15:38:06 INFO ========================================================================
2016-10-11 15:38:06 INFO ============================ Initialization ============================
2016-10-11 15:38:06 INFO ========================================================================
2016-10-11 15:38:06 INFO Loading extension 'rhev.gsslab.bne.redhat.com-authz'
2016-10-11 15:38:06 INFO Extension 'rhev.gsslab.bne.redhat.com-authz' loaded
2016-10-11 15:38:06 INFO Loading extension 'rhev.gsslab.bne.redhat.com-authn'
2016-10-11 15:38:06 INFO Extension 'rhev.gsslab.bne.redhat.com-authn' loaded
2016-10-11 15:38:06 INFO Initializing extension 'rhev.gsslab.bne.redhat.com-authz'
2016-10-11 15:38:06 INFO [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Creating LDAP pool 'authz'
2016-10-11 15:38:07 WARNING [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
2016-10-11 15:38:07 INFO Extension 'rhev.gsslab.bne.redhat.com-authz' initialized
2016-10-11 15:38:07 INFO Initializing extension 'rhev.gsslab.bne.redhat.com-authn'
2016-10-11 15:38:07 INFO [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authz'
2016-10-11 15:38:07 WARNING [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
2016-10-11 15:38:07 INFO Extension 'rhev.gsslab.bne.redhat.com-authn' initialized
2016-10-11 15:38:07 INFO Start of enabled extensions list
2016-10-11 15:38:07 INFO Instance name: 'rhev.gsslab.bne.redhat.com-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/tmp/tmpxh6Nzs/extensions.d/rhev.gsslab.bne.redhat.com-authz.properties', Initialized: 'true'
2016-10-11 15:38:07 INFO Instance name: 'rhev.gsslab.bne.redhat.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/tmp/tmpxh6Nzs/extensions.d/rhev.gsslab.bne.redhat.com-authn.properties', Initialized: 'true'
2016-10-11 15:38:07 INFO End of enabled extensions list
2016-10-11 15:38:07 INFO ========================================================================
2016-10-11 15:38:07 INFO ============================== Execution ===============================
2016-10-11 15:38:07 INFO ========================================================================
2016-10-11 15:38:07 INFO --- Begin QueryFilterRecord ---
2016-10-11 15:38:07 INFO AAA_AUTHZ_QUERY_ENTITY: AAA_AUTHZ_QUERY_ENTITY_PRINCIPAL[1695cd36-4656-474f-b7bc-4466e12634e4]
2016-10-11 15:38:07 INFO AAA_AUTHZ_QUERY_FILTER_OPERATOR: 102
2016-10-11 15:38:07 INFO --- Begin QueryFilterRecord ---
2016-10-11 15:38:07 INFO AAA_AUTHZ_PRINCIPAL_NAME: rhevm
2016-10-11 15:38:07 INFO AAA_AUTHZ_QUERY_FILTER_KEY: Extkey[name=AAA_AUTHZ_PRINCIPAL_NAME;type=class java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL_NAME[a0df5bcc-6ead-40a2-8565-2f5cc8773bdd];]
2016-10-11 15:38:07 INFO AAA_AUTHZ_QUERY_FILTER_OPERATOR: 0
2016-10-11 15:38:07 INFO --- End QueryFilterRecord ---
2016-10-11 15:38:07 INFO --- End QueryFilterRecord ---
[ INFO ] Search sequence executed successfully

Will upload the log file ovirt-engine-extension-aaa-ldap-setup-20161011153553-t654b0.log to the case shortly.

--------------------------------------------------

However, I tried the same procedure with StartTLS instead of LDAPS and it worked straight away with the same certificate.

~~~~
Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
File path: /tmp/adcert.pem
[ INFO ] Resolving SRV record 'rhev.gsslab.bne.redhat.com'
[ INFO ] Connecting to LDAP using 'ldap://win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389'
[ INFO ] Executing startTLS
[ INFO ] Connection succeeded
Enter search user DN (empty for anonymous): CN=rhevm,CN=Users,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com
Enter search user password:
[ INFO ] Attempting to bind using 'CN=rhevm,CN=Users,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com'
[ INFO ] Stage: Setup validation
The following files are about to be overwritten:
    /etc/ovirt-engine/extensions.d/rhev.gsslab.bne.redhat.com-authn.properties
    /etc/ovirt-engine/extensions.d/rhev.gsslab.bne.redhat.com-authz.properties
    /etc/ovirt-engine/aaa/rhev.gsslab.bne.redhat.com.properties
    /etc/ovirt-engine/aaa/rhev.gsslab.bne.redhat.com.jks
Continue and overwrite? (Yes, No) [No]: Yes
Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Login
Enter user name: vineet
Enter user password:
[ INFO ] Executing login sequence...
Login output:
2016-10-11 15:49:27 INFO ========================================================================
2016-10-11 15:49:27 INFO ============================ Initialization ============================
2016-10-11 15:49:27 INFO ========================================================================
2016-10-11 15:49:27 INFO Loading extension 'rhev.gsslab.bne.redhat.com-authz'
2016-10-11 15:49:27 INFO Extension 'rhev.gsslab.bne.redhat.com-authz' loaded
2016-10-11 15:49:27 INFO Loading extension 'rhev.gsslab.bne.redhat.com-authn'
2016-10-11 15:49:27 INFO Extension 'rhev.gsslab.bne.redhat.com-authn' loaded
2016-10-11 15:49:27 INFO Initializing extension 'rhev.gsslab.bne.redhat.com-authz'
2016-10-11 15:49:27 INFO [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Creating LDAP pool 'authz'
2016-10-11 15:49:28 INFO [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] LDAP pool 'authz' information: vendor='null' version='null'
2016-10-11 15:49:28 INFO [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Creating LDAP pool 'gc'
2016-10-11 15:49:29 INFO [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] LDAP pool 'gc' information: vendor='null' version='null'
2016-10-11 15:49:29 INFO [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Creating LDAP pool 'authz.bne.redhat.com'
2016-10-11 15:49:29 INFO [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] LDAP pool 'authz.bne.redhat.com' information: vendor='null' version='null'
2016-10-11 15:49:29 INFO [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Available Namespaces: [DC=microsoft,DC=com, DC=oracle,DC=com, DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com, DC=trusted,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com, DC=trusted2,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com]
2016-10-11 15:49:29 INFO Extension 'rhev.gsslab.bne.redhat.com-authz' initialized
2016-10-11 15:49:29 INFO Initializing extension 'rhev.gsslab.bne.redhat.com-authn'
2016-10-11 15:49:29 INFO [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authz'
2016-10-11 15:49:29 INFO [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] LDAP pool 'authz' information: vendor='null' version='null'
2016-10-11 15:49:29 INFO [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authn'
2016-10-11 15:49:30 INFO [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] LDAP pool 'authn' information: vendor='null' version='null'
2016-10-11 15:49:30 INFO [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authz.bne.redhat.com'
2016-10-11 15:49:30 INFO [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] LDAP pool 'authz.bne.redhat.com' information: vendor='null' version='null'
2016-10-11 15:49:30 INFO Extension 'rhev.gsslab.bne.redhat.com-authn' initialized
2016-10-11 15:49:30 INFO Start of enabled extensions list
2016-10-11 15:49:30 INFO Instance name: 'rhev.gsslab.bne.redhat.com-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/tmp/tmpdNVcks/extensions.d/rhev.gsslab.bne.redhat.com-authz.properties', Initialized: 'true'
2016-10-11 15:49:30 INFO Instance name: 'rhev.gsslab.bne.redhat.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/tmp/tmpdNVcks/extensions.d/rhev.gsslab.bne.redhat.com-authn.properties', Initialized: 'true'
2016-10-11 15:49:30 INFO End of enabled extensions list
2016-10-11 15:49:30 INFO ========================================================================
2016-10-11 15:49:30 INFO ============================== Execution ===============================
2016-10-11 15:49:30 INFO ========================================================================
2016-10-11 15:49:30 INFO Profile='rhev.gsslab.bne.redhat.com' authn='rhev.gsslab.bne.redhat.com-authn' authz='rhev.gsslab.bne.redhat.com-authz' mapping='null'
2016-10-11 15:49:30 INFO API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='vineet'
2016-10-11 15:49:30 INFO API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
2016-10-11 15:49:30 INFO --- Begin AuthRecord ---
2016-10-11 15:49:30 INFO AAA_AUTHN_AUTH_RECORD_PRINCIPAL: vineet.bne.redhat.com
2016-10-11 15:49:30 INFO --- End AuthRecord ---
2016-10-11 15:49:30 INFO API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='vineet.bne.redhat.com'
2016-10-11 15:49:30 INFO API: <--Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD status=SUCCESS
2016-10-11 15:49:30 INFO --- Begin PrincipalRecord ---
2016-10-11 15:49:30 INFO AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: Vineet Sinha
2016-10-11 15:49:30 INFO AAA_AUTHZ_PRINCIPAL_LAST_NAME: Sinha
2016-10-11 15:49:30 INFO AAA_AUTHZ_PRINCIPAL_PRINCIPAL: vineet.bne.redhat.com
2016-10-11 15:49:30 INFO AAA_LDAP_UNBOUNDID_DN: CN=Vineet Sinha,CN=Users,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com
2016-10-11 15:49:30 INFO AAA_AUTHZ_PRINCIPAL_ID: R3bpw5wCpU+tUcmoCHUzYQ==
2016-10-11 15:49:30 INFO AAA_AUTHZ_PRINCIPAL_NAME: Vineet Sinha
2016-10-11 15:49:30 INFO AAA_AUTHZ_PRINCIPAL_FIRST_NAME: Vineet
2016-10-11 15:49:30 INFO AAA_AUTHZ_PRINCIPAL_NAMESPACE: DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com
2016-10-11 15:49:30 INFO --- End PrincipalRecord ---
[ INFO ] Login sequence executed successfully
~~~~

With StartTLS, I managed to complete the integration successfully. We have another customer who ran into the same issue. After selecting StartTLS, it worked like a charm.

SFDC #01703647

One of the steps suggests the following:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
The Login option does not work when you use LDAPS in the ovirt-engine-extension-aaa-ldap utility.
The same option works when we use StartTLS.

Expected results:

Additional info:
Created attachment 1209408
aaa-ldap-setup logs
The problem is, as you can see, that aaa-ldap tries to use ldaps with port 389, but you have it enabled on 636.

The srvrecord server type takes the port from the following request:

dig _ldap._tcp.gc._msdcs.rhev.gsslab.bne.redhat.com SRV

And it returns win-nohauqq1iqg.rhev.gsslab.bne.redhat.com and ad-bne.rhev.gsslab.bne.redhat.com with port 389.

If you would like to use ldaps with 636, I would use:

pool.default.serverset.srvrecord.service = ldaps

and add an ldaps SRV record with port 636 to your DNS.
Hi Frank, does your aaa-ldap configuration work properly after changing DNS SRV records as suggested by Ondra?
Closing as NOTABUG, feel free to reopen if the information provided by Ondra in Comment 2 doesn't fix your issue.
I would like to reopen this bug, as the "ovirt-engine-extension-aaa-ldap-setup" script is supposed to configure the extension in the right way. If the Windows AD has the correct DNS entries then the setup script should just work; now it doesn't, because the "pool.default.serverset.srvrecord.service" property is not set by the setup script to the correct value.

On the other hand, Active Directory does not set up ldaps SRV DNS entries by default, so I guess we need to document it somewhere, or the script should warn the user once the 'ldaps' option is selected and optionally print the required SRV DNS entries.

A workaround to make it work without ldaps SRV DNS entries would be changing the following properties instead of 'pool.default.serverset.srvrecord.service':

~~~
pool.gc.serverset.single.port = 3269
pool.default.serverset.srvrecord.port = 636
~~~

It should work in most of the cases where the Active Directory server is using the standard ports.

Either way, I think we need to fix this, because it always fails when the user tries to use 'ldaps' connections to access AD.
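The SRV lookup that comment 2 and comment 5 describe, as an added example that is not part of this bug report and not the aaa-ldap extension's own code: it parses dig-style SRV answers, picks host:port the way an srvrecord server set would for a given service/domain/port setting, and carries a real TLS probe for checking by hand that the port you end up on actually speaks TLS. The dig answers are constructed for this example (a stock AD domain publishes _ldap._tcp on 389 and _gc._tcp on 3268 and no _ldaps._tcp record); the ordering rule in select_servers and the port_override semantics are an assumption drawn from the two comments, not a reading of the extension's source; the host names reuse the ones from this report only as sample data.

```python
"""Added example, not the bug report's or the aaa-ldap extension's code:
how an SRV-record server set ends up on host:389 when "ldaps" is chosen,
and a TLS probe to confirm what a port really speaks."""
from __future__ import annotations

import re
import socket
import ssl
from dataclasses import dataclass

DOMAIN = "rhev.gsslab.bne.redhat.com"

# Constructed dig ANSWER SECTION, in the shape `dig <name> SRV` prints.
# A stock AD domain publishes _ldap._tcp (389) and _gc._tcp (3268) and no
# _ldaps._tcp record at all (comment 5), which is the root of this bug.
SAMPLE_DIG = """\
_ldap._tcp.rhev.gsslab.bne.redhat.com. 600 IN SRV 0 100 389 win-nohauqq1iqg.rhev.gsslab.bne.redhat.com.
_ldap._tcp.rhev.gsslab.bne.redhat.com. 600 IN SRV 0 100 389 ad-bne.rhev.gsslab.bne.redhat.com.
_gc._tcp.rhev.gsslab.bne.redhat.com.   600 IN SRV 0 100 3268 win-nohauqq1iqg.rhev.gsslab.bne.redhat.com.
"""

SRV_RE = re.compile(
    r"^(?P<name>\S+?)\.?\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+?)\.?$"
)


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def parse_dig_srv(text: str) -> dict[str, list[Srv]]:
    """Group SRV answers by owner name, trailing dots stripped, lower-cased."""
    out: dict[str, list[Srv]] = {}
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            out.setdefault(m["name"].lower(), []).append(
                Srv(int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"].lower())
            )
    return out


def srv_name(service: str, domain: str, proto: str = "tcp") -> str:
    """RFC 2782 owner name: _<service>._<proto>.<domain>."""
    return f"_{service}._{proto}.{domain}".lower()


def select_servers(records, service, domain, port_override=None):
    """Model of pool.*.serverset.srvrecord.{service,domain,port} (assumption
    drawn from comments 2 and 5, not a reading of the extension's source):
    resolve _<service>._tcp.<domain>, order by priority then by weight
    descending, and take the advertised port unless srvrecord.port is set."""
    recs = sorted(records.get(srv_name(service, domain), []),
                  key=lambda r: (r.priority, -r.weight))
    return [(r.target, port_override or r.port) for r in recs]


def tls_probe(host: str, port: int, cafile: str, timeout: float = 5.0) -> str:
    """Live check, run by hand: complete a TLS handshake with host:port,
    verifying the chain against cafile and the hostname, and return the
    server certificate's CN. Against a plaintext LDAP port this raises
    during the handshake, the client-side view of 'peer not authenticated'."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return subject.get("commonName", "")


def demo():
    recs = parse_dig_srv(SAMPLE_DIG)
    return {
        # What the generated config did here: protocol ldaps, service still
        # 'ldap', so TLS is attempted on the 389 the _ldap records advertise.
        "ldaps over _ldap records": select_servers(recs, "ldap", DOMAIN),
        # Comment 2's fix needs an _ldaps._tcp record; stock AD has none.
        "service=ldaps, no record": select_servers(recs, "ldaps", DOMAIN),
        # Comment 5's workaround: keep the _ldap records, force the port.
        "srvrecord.port=636": select_servers(recs, "ldap", DOMAIN, port_override=636),
        "gc pool (single.port would be 3269)": select_servers(recs, "gc", DOMAIN),
    }


if __name__ == "__main__":
    for label, servers in demo().items():
        print(f"{label:38s} -> {servers}")
```

Run as-is for the offline walk-through. The manual check is tls_probe('win-nohauqq1iqg.rhev.gsslab.bne.redhat.com', 636, '/tmp/adcert.pem') against your own DC and CA file: it returns the certificate CN on a real LDAPS port, while the same call against 389 fails inside the handshake, which is what the login log's SSLPeerUnverifiedException looks like from the client side. The gc pool is listed only to show why comment 5 pairs the 636 override with pool.gc.serverset.single.port = 3269: the _gc._tcp records advertise 3268, the plaintext global-catalog port.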
OK, so let's set pool.default.serverset.srvrecord.service = ldaps when the user selects ldaps.

But it should be noted that ldaps is neither the preferred nor the recommended protocol by Microsoft (that's why it is not set up on AD by default), and it's recommended to use StartTLS instead.

Anyway, since ovirt-engine-extension-aaa-ldap 1.3.3 an example of how to set up AD with LDAPS is provided; more information in [1], which is also included within the aaa-ldap package.

[1] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/tree/master/examples#active-directory-with-server-defined-in-dns-srv-records-using-ldaps
Verified with:
ovirt-engine-4.1.8.1-0.1.el7.noarch
ovirt-engine-extension-aaa-ldap-1.3.6-1.el7ev.noarch

[ INFO ] Login sequence executed successfully