Bug 1383862 - ovirt-engine-extension-aaa-ldap AD integration with LDAPS fails at the Login test sequence
Summary: ovirt-engine-extension-aaa-ldap AD integration with LDAPS fails at the Login ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine-extension-aaa-ldap
Classification: oVirt
Component: Setup
Version: master
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ovirt-4.1.8
Target Release: 1.3.6
Assignee: Ondra Machacek
QA Contact: Gonza
URL:
Whiteboard:
Depends On:
Blocks: 1514005
Reported: 2016-10-12 01:46 UTC by fjayalat
Modified: 2017-12-11 16:29 UTC

Fixed In Version: ovirt-engine-extension-aaa-ldap-1.3.6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1514005
Environment:
Last Closed: 2017-12-11 16:29:17 UTC
oVirt Team: Infra
rule-engine: ovirt-4.1+


Attachments
aaa-ldap-setup logs (194.57 KB, text/plain), 2016-10-12 01:48 UTC, fjayalat


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 83464 0 'None' MERGED setup: set ldaps DNS SRV protocol in case of ldaps 2021-02-03 11:03:11 UTC
oVirt gerrit 84215 0 'None' MERGED setup: set ldaps DNS SRV protocol in case of ldaps 2021-02-03 11:03:11 UTC

Description fjayalat 2016-10-12 01:46:37 UTC
Description of problem:

Currently trying to integrate RHEV 3.6 with AD (2008R2) using the ovirt-engine-extension-aaa-ldap utility. If the customer selects the LDAPS option, the subsequent "Login" test attempt fails. However, the "Search" option, which is another option at the same level, works.


Available LDAP implementations:
           1 - 389ds
           2 - 389ds RFC-2307 Schema
           3 - Active Directory
           4 - IPA
           5 - Novell eDirectory RFC-2307 Schema
           6 - OpenLDAP RFC-2307 Schema
           7 - OpenLDAP Standard Schema
           8 - Oracle Unified Directory RFC-2307 Schema
           9 - RFC-2307 Schema (Generic)
          10 - RHDS
          11 - RHDS RFC-2307 Schema
          12 - iPlanet
          Please select: 3


Please select protocol to use (startTLS, ldaps, plain) [startTLS]: ldaps
          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
          File path: /tmp/adcert.pem
[ INFO  ] Resolving SRV record 'rhev.gsslab.bne.redhat.com'
[ INFO  ] Connecting to LDAP using 'ldaps://win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:636'
[ INFO  ] Connection succeeded
          Enter search user DN (empty for anonymous): CN=rhevm,CN=Users,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com
          Enter search user password: 
[ INFO  ] Attempting to bind using 'CN=rhevm,CN=Users,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com'
[ INFO  ] Stage: Setup validation
          The following files are about to be overwritten:
              /etc/ovirt-engine/extensions.d/rhev.gsslab.bne.redhat.com-authn.properties
              /etc/ovirt-engine/extensions.d/rhev.gsslab.bne.redhat.com-authz.properties
              /etc/ovirt-engine/aaa/rhev.gsslab.bne.redhat.com.properties
              /etc/ovirt-engine/aaa/rhev.gsslab.bne.redhat.com.jks
          Continue and overwrite? (Yes, No) [No]: Yes
          NOTE:
          It is highly recommended to test drive the configuration before applying it into engine.
          Perform at least one Login sequence and one Search sequence.
          Select test sequence to execute (Done, Abort, Login, Search) [Abort]:

*** Login


Login
          Enter user name: rhevm
          Enter user password: 
[ INFO  ] Executing login sequence...
          Login output:
          2016-10-11 15:37:00 INFO    ========================================================================
          2016-10-11 15:37:00 INFO    ============================ Initialization ============================
          2016-10-11 15:37:00 INFO    ========================================================================
          2016-10-11 15:37:00 INFO    Loading extension 'rhev.gsslab.bne.redhat.com-authz'
          2016-10-11 15:37:01 INFO    Extension 'rhev.gsslab.bne.redhat.com-authz' loaded
          2016-10-11 15:37:01 INFO    Loading extension 'rhev.gsslab.bne.redhat.com-authn'
          2016-10-11 15:37:01 INFO    Extension 'rhev.gsslab.bne.redhat.com-authn' loaded
          2016-10-11 15:37:01 INFO    Initializing extension 'rhev.gsslab.bne.redhat.com-authz'
          2016-10-11 15:37:01 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Creating LDAP pool 'authz'
          2016-10-11 15:37:01 WARNING [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server ad-bne.rhev.gsslab.bne.redhat.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ad-bne.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ad-bne.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ad-bne.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
          2016-10-11 15:37:01 INFO    Extension 'rhev.gsslab.bne.redhat.com-authz' initialized
          2016-10-11 15:37:01 INFO    Initializing extension 'rhev.gsslab.bne.redhat.com-authn'
          2016-10-11 15:37:01 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authz'
          2016-10-11 15:37:01 WARNING [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
          2016-10-11 15:37:01 INFO    Extension 'rhev.gsslab.bne.redhat.com-authn' initialized
          2016-10-11 15:37:01 INFO    Start of enabled extensions list
          2016-10-11 15:37:01 INFO    Instance name: 'rhev.gsslab.bne.redhat.com-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmpxh6Nzs/extensions.d/rhev.gsslab.bne.redhat.com-authz.properties', Initialized: 'true'
          2016-10-11 15:37:01 INFO    Instance name: 'rhev.gsslab.bne.redhat.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmpxh6Nzs/extensions.d/rhev.gsslab.bne.redhat.com-authn.properties', Initialized: 'true'
          2016-10-11 15:37:01 INFO    End of enabled extensions list
          2016-10-11 15:37:01 INFO    ========================================================================
          2016-10-11 15:37:01 INFO    ============================== Execution ===============================
          2016-10-11 15:37:01 INFO    ========================================================================
          2016-10-11 15:37:01 INFO    Profile='rhev.gsslab.bne.redhat.com' authn='rhev.gsslab.bne.redhat.com-authn' authz='rhev.gsslab.bne.redhat.com-authz' mapping='null'
          2016-10-11 15:37:01 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='rhevm'
          2016-10-11 15:37:01 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authz'
          2016-10-11 15:37:01 WARNING [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
          2016-10-11 15:37:01 SEVERE  An error occurred while attempting to connect to server win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
[ ERROR ] Login sequence failed

However, if we select the "Search" operation, it works.
Search
          Select entity to search (Principal, Group) [Principal]: 
          Term to search, trailing '*' is allowed: rhevm
          Resolve Groups (Yes, No) [No]: 
[ INFO  ] Executing search sequence...
          Login output:
          2016-10-11 15:38:06 INFO    ========================================================================
          2016-10-11 15:38:06 INFO    ============================ Initialization ============================
          2016-10-11 15:38:06 INFO    ========================================================================
          2016-10-11 15:38:06 INFO    Loading extension 'rhev.gsslab.bne.redhat.com-authz'
          2016-10-11 15:38:06 INFO    Extension 'rhev.gsslab.bne.redhat.com-authz' loaded
          2016-10-11 15:38:06 INFO    Loading extension 'rhev.gsslab.bne.redhat.com-authn'
          2016-10-11 15:38:06 INFO    Extension 'rhev.gsslab.bne.redhat.com-authn' loaded
          2016-10-11 15:38:06 INFO    Initializing extension 'rhev.gsslab.bne.redhat.com-authz'
          2016-10-11 15:38:06 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Creating LDAP pool 'authz'
          2016-10-11 15:38:07 WARNING [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
          2016-10-11 15:38:07 INFO    Extension 'rhev.gsslab.bne.redhat.com-authz' initialized
          2016-10-11 15:38:07 INFO    Initializing extension 'rhev.gsslab.bne.redhat.com-authn'
          2016-10-11 15:38:07 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authz'
          2016-10-11 15:38:07 WARNING [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
          2016-10-11 15:38:07 INFO    Extension 'rhev.gsslab.bne.redhat.com-authn' initialized
          2016-10-11 15:38:07 INFO    Start of enabled extensions list
          2016-10-11 15:38:07 INFO    Instance name: 'rhev.gsslab.bne.redhat.com-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmpxh6Nzs/extensions.d/rhev.gsslab.bne.redhat.com-authz.properties', Initialized: 'true'
          2016-10-11 15:38:07 INFO    Instance name: 'rhev.gsslab.bne.redhat.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmpxh6Nzs/extensions.d/rhev.gsslab.bne.redhat.com-authn.properties', Initialized: 'true'
          2016-10-11 15:38:07 INFO    End of enabled extensions list
          2016-10-11 15:38:07 INFO    ========================================================================
          2016-10-11 15:38:07 INFO    ============================== Execution ===============================
          2016-10-11 15:38:07 INFO    ========================================================================
          2016-10-11 15:38:07 INFO    --- Begin QueryFilterRecord ---
          2016-10-11 15:38:07 INFO    AAA_AUTHZ_QUERY_ENTITY: AAA_AUTHZ_QUERY_ENTITY_PRINCIPAL[1695cd36-4656-474f-b7bc-4466e12634e4]
          2016-10-11 15:38:07 INFO    AAA_AUTHZ_QUERY_FILTER_OPERATOR: 102
          2016-10-11 15:38:07 INFO      --- Begin QueryFilterRecord ---
          2016-10-11 15:38:07 INFO      AAA_AUTHZ_PRINCIPAL_NAME: rhevm
          2016-10-11 15:38:07 INFO      AAA_AUTHZ_QUERY_FILTER_KEY: Extkey[name=AAA_AUTHZ_PRINCIPAL_NAME;type=class java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL_NAME[a0df5bcc-6ead-40a2-8565-2f5cc8773bdd];]
          2016-10-11 15:38:07 INFO      AAA_AUTHZ_QUERY_FILTER_OPERATOR: 0
          2016-10-11 15:38:07 INFO      --- End QueryFilterRecord ---
          2016-10-11 15:38:07 INFO    --- End QueryFilterRecord ---
[ INFO  ] Search sequence executed successfully


Will upload the log file : ovirt-engine-extension-aaa-ldap-setup-20161011153553-t654b0.log to the case shortly.

--------------------------------------------------

However, I tried the same procedure with StartTLS instead of LDAPS and it worked straight away with the same certificate.

Please select protocol to use (startTLS, ldaps, plain) [startTLS]: 
          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
          File path: /tmp/adcert.pem
[ INFO  ] Resolving SRV record 'rhev.gsslab.bne.redhat.com'
[ INFO  ] Connecting to LDAP using 'ldap://win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389'
[ INFO  ] Executing startTLS
[ INFO  ] Connection succeeded
          Enter search user DN (empty for anonymous): CN=rhevm,CN=Users,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com
          Enter search user password: 
[ INFO  ] Attempting to bind using 'CN=rhevm,CN=Users,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com'
[ INFO  ] Stage: Setup validation
          The following files are about to be overwritten:
              /etc/ovirt-engine/extensions.d/rhev.gsslab.bne.redhat.com-authn.properties
              /etc/ovirt-engine/extensions.d/rhev.gsslab.bne.redhat.com-authz.properties
              /etc/ovirt-engine/aaa/rhev.gsslab.bne.redhat.com.properties
              /etc/ovirt-engine/aaa/rhev.gsslab.bne.redhat.com.jks
          Continue and overwrite? (Yes, No) [No]: Yes
Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Login
          Enter user name: vineet
          Enter user password: 
[ INFO  ] Executing login sequence...
          Login output:
          2016-10-11 15:49:27 INFO    ========================================================================
          2016-10-11 15:49:27 INFO    ============================ Initialization ============================
          2016-10-11 15:49:27 INFO    ========================================================================
          2016-10-11 15:49:27 INFO    Loading extension 'rhev.gsslab.bne.redhat.com-authz'
          2016-10-11 15:49:27 INFO    Extension 'rhev.gsslab.bne.redhat.com-authz' loaded
          2016-10-11 15:49:27 INFO    Loading extension 'rhev.gsslab.bne.redhat.com-authn'
          2016-10-11 15:49:27 INFO    Extension 'rhev.gsslab.bne.redhat.com-authn' loaded
          2016-10-11 15:49:27 INFO    Initializing extension 'rhev.gsslab.bne.redhat.com-authz'
          2016-10-11 15:49:27 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Creating LDAP pool 'authz'
          2016-10-11 15:49:28 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] LDAP pool 'authz' information: vendor='null' version='null'
          2016-10-11 15:49:28 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Creating LDAP pool 'gc'
          2016-10-11 15:49:29 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] LDAP pool 'gc' information: vendor='null' version='null'
          2016-10-11 15:49:29 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Creating LDAP pool 'authz.bne.redhat.com'
          2016-10-11 15:49:29 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] LDAP pool 'authz.bne.redhat.com' information: vendor='null' version='null'
          2016-10-11 15:49:29 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Available Namespaces: [DC=microsoft,DC=com, DC=oracle,DC=com, DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com, DC=trusted,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com, DC=trusted2,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com]
          2016-10-11 15:49:29 INFO    Extension 'rhev.gsslab.bne.redhat.com-authz' initialized
          2016-10-11 15:49:29 INFO    Initializing extension 'rhev.gsslab.bne.redhat.com-authn'
          2016-10-11 15:49:29 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authz'
          2016-10-11 15:49:29 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] LDAP pool 'authz' information: vendor='null' version='null'
          2016-10-11 15:49:29 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authn'
          2016-10-11 15:49:30 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] LDAP pool 'authn' information: vendor='null' version='null'
          2016-10-11 15:49:30 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authz.bne.redhat.com'
          2016-10-11 15:49:30 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] LDAP pool 'authz.bne.redhat.com' information: vendor='null' version='null'
          2016-10-11 15:49:30 INFO    Extension 'rhev.gsslab.bne.redhat.com-authn' initialized
          2016-10-11 15:49:30 INFO    Start of enabled extensions list
          2016-10-11 15:49:30 INFO    Instance name: 'rhev.gsslab.bne.redhat.com-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmpdNVcks/extensions.d/rhev.gsslab.bne.redhat.com-authz.properties', Initialized: 'true'
          2016-10-11 15:49:30 INFO    Instance name: 'rhev.gsslab.bne.redhat.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmpdNVcks/extensions.d/rhev.gsslab.bne.redhat.com-authn.properties', Initialized: 'true'
          2016-10-11 15:49:30 INFO    End of enabled extensions list
          2016-10-11 15:49:30 INFO    ========================================================================
          2016-10-11 15:49:30 INFO    ============================== Execution ===============================
          2016-10-11 15:49:30 INFO    ========================================================================
          2016-10-11 15:49:30 INFO    Profile='rhev.gsslab.bne.redhat.com' authn='rhev.gsslab.bne.redhat.com-authn' authz='rhev.gsslab.bne.redhat.com-authz' mapping='null'
          2016-10-11 15:49:30 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='vineet'
          2016-10-11 15:49:30 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
          2016-10-11 15:49:30 INFO    --- Begin AuthRecord ---
          2016-10-11 15:49:30 INFO    AAA_AUTHN_AUTH_RECORD_PRINCIPAL: vineet.bne.redhat.com
          2016-10-11 15:49:30 INFO    --- End   AuthRecord ---
          2016-10-11 15:49:30 INFO    API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='vineet.bne.redhat.com'
          2016-10-11 15:49:30 INFO    API: <--Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD status=SUCCESS
          2016-10-11 15:49:30 INFO    --- Begin PrincipalRecord ---
          2016-10-11 15:49:30 INFO    AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: Vineet Sinha
          2016-10-11 15:49:30 INFO    AAA_AUTHZ_PRINCIPAL_LAST_NAME: Sinha
          2016-10-11 15:49:30 INFO    AAA_AUTHZ_PRINCIPAL_PRINCIPAL: vineet.bne.redhat.com
          2016-10-11 15:49:30 INFO    AAA_LDAP_UNBOUNDID_DN: CN=Vineet Sinha,CN=Users,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com
          2016-10-11 15:49:30 INFO    AAA_AUTHZ_PRINCIPAL_ID: R3bpw5wCpU+tUcmoCHUzYQ==
          2016-10-11 15:49:30 INFO    AAA_AUTHZ_PRINCIPAL_NAME: Vineet Sinha
          2016-10-11 15:49:30 INFO    AAA_AUTHZ_PRINCIPAL_FIRST_NAME: Vineet
          2016-10-11 15:49:30 INFO    AAA_AUTHZ_PRINCIPAL_NAMESPACE: DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com
          2016-10-11 15:49:30 INFO    --- End   PrincipalRecord ---
[ INFO  ] Login sequence executed successfully

With StartTLS, I managed to complete the integration successfully.

We have another customer who ran into the same issue. After selecting StartTLS, it worked like a charm. SFDC #01703647

One of the steps suggests the following:

Version-Release number of selected component (if applicable):



How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:

The Login option would not work when LDAPS is used in the ovirt-engine-extension-aaa-ldap utility.

The same option would work when we use StartTLS.

Expected results:


Additional info:

Comment 1 fjayalat 2016-10-12 01:48:01 UTC
Created attachment 1209408 [details]
aaa-ldap-setup logs

Comment 2 Ondra Machacek 2016-10-12 06:09:32 UTC
The problem, as you can see, is that aaa-ldap tries to use ldaps on port 389, but
you have it enabled on 636.

Srvrecord server type takes the port from the following request:

  dig _ldap._tcp.gc._msdcs.rhev.gsslab.bne.redhat.com SRV

And it returns: win-nohauqq1iqg.rhev.gsslab.bne.redhat.com and ad-bne.rhev.gsslab.bne.redhat.com with port 389.

If you would like to use ldaps with 636, I would use:

 pool.default.serverset.srvrecord.service = ldaps

and add to your DNS ldaps SRV record with port 636.

Comment 3 Martin Perina 2016-10-17 11:30:20 UTC
Hi Frank, does your aaa-ldap configuration work properly after changing DNS SRV records as suggested by Ondra?

Comment 4 Martin Perina 2016-10-24 11:02:26 UTC
Closing as NOTABUG, feel free to reopen if the information provided by Ondra in Comment 2 doesn't fix your issue.

Comment 5 Miguel Martin 2017-10-06 11:58:43 UTC
I would like to reopen this bug as "ovirt-engine-extension-aaa-ldap-setup" script is supposed to configure the extension in the right way.

If the Windows AD has the correct DNS entries then the setup script should just work; now it doesn't, because the "pool.default.serverset.srvrecord.service" property is not set by the setup script to the correct value.

On the other hand, Active Directory does not set up ldaps SRV DNS entries by default, so I guess we need to document it somewhere, or the script should warn the user once the 'ldaps' option is selected and optionally print the required SRV DNS entries.

A workaround to make it work without ldaps SRV DNS entries would be changing the following properties instead of 'pool.default.serverset.srvrecord.service':
~~~
pool.gc.serverset.single.port = 3269
pool.default.serverset.srvrecord.port = 636
~~~

It should work in most of the cases where the Active Directory server is using the standard ports.

Either way, I think we need to fix this because it always fails when the user tries to use 'ldaps' connections to access AD.
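
To make Ondra's diagnosis (Comment 2) and Miguel's workaround (Comment 5) concrete, here is an added Python model of what the srvrecord serverset ends up connecting to; it is illustrative code, not the extension's own implementation. It assumes the RFC 2782 query name `_<service>._tcp.<domain>`, that `pool.default.serverset.srvrecord.port` replaces the port carried in the SRV answer, and it uses constructed `dig`-style answers mirroring the ones in Comment 2.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed dig-style SRV answers mirroring Comment 2: the default _ldap._tcp
# record advertises both domain controllers on the plaintext port 389, and AD
# publishes no _ldaps record unless an administrator adds one.
DNS_AS_FOUND: Dict[str, List[str]] = {
    "_ldap._tcp.rhev.gsslab.bne.redhat.com": [
        "_ldap._tcp.rhev.gsslab.bne.redhat.com. 600 IN SRV 0 100 389 win-nohauqq1iqg.rhev.gsslab.bne.redhat.com.",
        "_ldap._tcp.rhev.gsslab.bne.redhat.com. 600 IN SRV 0 100 389 ad-bne.rhev.gsslab.bne.redhat.com.",
    ],
}

# Constructed: the same zone after adding the ldaps SRV record Comment 2 asks for.
DNS_WITH_LDAPS_RECORD: Dict[str, List[str]] = {
    **DNS_AS_FOUND,
    "_ldaps._tcp.rhev.gsslab.bne.redhat.com": [
        "_ldaps._tcp.rhev.gsslab.bne.redhat.com. 600 IN SRV 0 100 636 win-nohauqq1iqg.rhev.gsslab.bne.redhat.com.",
    ],
}

SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+?)\.?$"
)
PLAINTEXT_LDAP_PORTS = {389, 3268}  # LDAP and Global Catalog listeners without TLS


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> SrvRecord:
    """Parse one dig-style SRV answer line into its fields (trailing dot stripped)."""
    m = SRV_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV answer: {line!r}")
    return SrvRecord(int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"])


def planned_urls(protocol: str, domain: str, dns: Dict[str, List[str]],
                 props: Optional[Dict[str, str]] = None, pool: str = "default") -> List[str]:
    """Model of the srvrecord serverset: the LDAP URLs the extension would try.

    protocol is the setup prompt value ('startTLS', 'ldaps' or 'plain').
    Assumed, not the extension's code: the query name is _<service>._tcp.<domain>
    per RFC 2782, and pool.<pool>.serverset.srvrecord.port replaces the SRV port.
    """
    props = props or {}
    service = props.get(f"pool.{pool}.serverset.srvrecord.service", "ldap")
    override = props.get(f"pool.{pool}.serverset.srvrecord.port")
    scheme = "ldaps" if protocol == "ldaps" else "ldap"  # startTLS starts on ldap://
    records = [parse_srv(line) for line in dns.get(f"_{service}._tcp.{domain}", [])]
    # RFC 2782: lower priority first; equal priorities are picked by weighted
    # random in practice, simplified here to a stable sort for determinism.
    records.sort(key=lambda r: (r.priority, -r.weight))
    return [f"{scheme}://{r.target}:{int(override) if override else r.port}" for r in records]


def tls_port_mismatches(urls: List[str]) -> List[str]:
    """Return ldaps:// URLs aimed at a plaintext port. These are the connections
    that fail with 'peer not authenticated' in the report: a TLS handshake is
    attempted against a listener that speaks cleartext LDAP."""
    bad = []
    for u in urls:
        scheme, _, rest = u.partition("://")
        if scheme == "ldaps" and int(rest.rsplit(":", 1)[1]) in PLAINTEXT_LDAP_PORTS:
            bad.append(u)
    return bad


def preflight(protocol, domain, dns, props=None):
    """The check a setup script could run before the Login test: a non-empty
    mismatch list means the chosen protocol and the SRV-advertised port disagree,
    and resolved=False means the service name has no SRV record at all."""
    urls = planned_urls(protocol, domain, dns, props)
    return {"urls": urls, "mismatches": tls_port_mismatches(urls), "resolved": bool(urls)}


if __name__ == "__main__":
    dom = "rhev.gsslab.bne.redhat.com"
    print("as reported:  ", preflight("ldaps", dom, DNS_AS_FOUND))
    print("comment 2 fix:", preflight("ldaps", dom, DNS_WITH_LDAPS_RECORD,
                                      {"pool.default.serverset.srvrecord.service": "ldaps"}))
    print("comment 5 fix:", preflight("ldaps", dom, DNS_AS_FOUND,
                                      {"pool.default.serverset.srvrecord.port": "636"}))
    print("startTLS:     ", preflight("startTLS", dom, DNS_AS_FOUND))
```

Setting the service to ldaps without adding the DNS record resolves nothing at all, which is the case the setup script's warning would have to cover.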

Comment 6 Martin Perina 2017-10-13 12:12:43 UTC
OK, so let's set pool.default.serverset.srvrecord.service = ldaps when the user selects ldaps. But it should be noted that ldaps is neither the preferred nor the recommended protocol by Microsoft (that's why it is not set up on AD by default), and it's recommended to use StartTLS instead.

Anyway, since ovirt-engine-extension-aaa-ldap 1.3.3 an example of how to set up AD with LDAPS is provided; more information in [1], which is also included within the aaa-ldap package.

[1] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/tree/master/examples#active-directory-with-server-defined-in-dns-srv-records-using-ldaps

Comment 8 Gonza 2017-11-27 09:51:24 UTC
Verified with:
ovirt-engine-4.1.8.1-0.1.el7.noarch
ovirt-engine-extension-aaa-ldap-1.3.6-1.el7ev.noarch

[ INFO  ] Login sequence executed successfully
