Bug 1514005 - [downstream clone - 4.1.8] ovirt-engine-extension-aaa-ldap AD integration with LDAPS fails at the Login test sequence
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap
Version: unspecified
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ovirt-4.1.8
Assignee: Ondra Machacek
QA Contact: Gonza
URL:
Whiteboard:
Depends On: 1383862
Blocks:
Reported: 2017-11-16 13:26 UTC by rhev-integ
Modified: 2019-04-16 14:49 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1383862
Environment:
Last Closed: 2017-12-12 09:23:10 UTC
oVirt Team: Infra


Attachments


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:3426 normal SHIPPED_LIVE ovirt-engine-extension-aaa-ldap bug fix and enhancement update for RHV 4.1.8 2017-12-12 14:16:22 UTC
oVirt gerrit 83464 None None None 2017-11-16 13:26:51 UTC
oVirt gerrit 84215 None None None 2017-11-16 14:03:33 UTC

Description rhev-integ 2017-11-16 13:26:03 UTC
+++ This bug is an upstream to downstream clone. The original bug is: +++
+++   bug 1383862 +++
======================================================================

Description of problem:

Currently trying to integrate RHEV 3.6 with AD (2008R2) using the ovirt-engine-extension-aaa-ldap utility. If the customer decides to select the LDAPS option, the subsequent "Login" test attempt fails. However, the "Search" option, which is another option at the same level, works.


Available LDAP implementations:
           1 - 389ds
           2 - 389ds RFC-2307 Schema
           3 - Active Directory
           4 - IPA
           5 - Novell eDirectory RFC-2307 Schema
           6 - OpenLDAP RFC-2307 Schema
           7 - OpenLDAP Standard Schema
           8 - Oracle Unified Directory RFC-2307 Schema
           9 - RFC-2307 Schema (Generic)
          10 - RHDS
          11 - RHDS RFC-2307 Schema
          12 - iPlanet
          Please select: 3


Please select protocol to use (startTLS, ldaps, plain) [startTLS]: ldaps
          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
          File path: /tmp/adcert.pem
[ INFO  ] Resolving SRV record 'rhev.gsslab.bne.redhat.com'
[ INFO  ] Connecting to LDAP using 'ldaps://win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:636'
[ INFO  ] Connection succeeded
          Enter search user DN (empty for anonymous): CN=rhevm,CN=Users,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com
          Enter search user password: 
[ INFO  ] Attempting to bind using 'CN=rhevm,CN=Users,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com'
[ INFO  ] Stage: Setup validation
          The following files are about to be overwritten:
              /etc/ovirt-engine/extensions.d/rhev.gsslab.bne.redhat.com-authn.properties
              /etc/ovirt-engine/extensions.d/rhev.gsslab.bne.redhat.com-authz.properties
              /etc/ovirt-engine/aaa/rhev.gsslab.bne.redhat.com.properties
              /etc/ovirt-engine/aaa/rhev.gsslab.bne.redhat.com.jks
          Continue and overwrite? (Yes, No) [No]: Yes
          NOTE:
          It is highly recommended to test drive the configuration before applying it into engine.
          Perform at least one Login sequence and one Search sequence.
          Select test sequence to execute (Done, Abort, Login, Search) [Abort]:

*** Login


Login
          Enter user name: rhevm
          Enter user password: 
[ INFO  ] Executing login sequence...
          Login output:
          2016-10-11 15:37:00 INFO    ========================================================================
          2016-10-11 15:37:00 INFO    ============================ Initialization ============================
          2016-10-11 15:37:00 INFO    ========================================================================
          2016-10-11 15:37:00 INFO    Loading extension 'rhev.gsslab.bne.redhat.com-authz'
          2016-10-11 15:37:01 INFO    Extension 'rhev.gsslab.bne.redhat.com-authz' loaded
          2016-10-11 15:37:01 INFO    Loading extension 'rhev.gsslab.bne.redhat.com-authn'
          2016-10-11 15:37:01 INFO    Extension 'rhev.gsslab.bne.redhat.com-authn' loaded
          2016-10-11 15:37:01 INFO    Initializing extension 'rhev.gsslab.bne.redhat.com-authz'
          2016-10-11 15:37:01 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Creating LDAP pool 'authz'
          2016-10-11 15:37:01 WARNING [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server ad-bne.rhev.gsslab.bne.redhat.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ad-bne.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ad-bne.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ad-bne.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
          2016-10-11 15:37:01 INFO    Extension 'rhev.gsslab.bne.redhat.com-authz' initialized
          2016-10-11 15:37:01 INFO    Initializing extension 'rhev.gsslab.bne.redhat.com-authn'
          2016-10-11 15:37:01 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authz'
          2016-10-11 15:37:01 WARNING [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
          2016-10-11 15:37:01 INFO    Extension 'rhev.gsslab.bne.redhat.com-authn' initialized
          2016-10-11 15:37:01 INFO    Start of enabled extensions list
          2016-10-11 15:37:01 INFO    Instance name: 'rhev.gsslab.bne.redhat.com-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmpxh6Nzs/extensions.d/rhev.gsslab.bne.redhat.com-authz.properties', Initialized: 'true'
          2016-10-11 15:37:01 INFO    Instance name: 'rhev.gsslab.bne.redhat.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmpxh6Nzs/extensions.d/rhev.gsslab.bne.redhat.com-authn.properties', Initialized: 'true'
          2016-10-11 15:37:01 INFO    End of enabled extensions list
          2016-10-11 15:37:01 INFO    ========================================================================
          2016-10-11 15:37:01 INFO    ============================== Execution ===============================
          2016-10-11 15:37:01 INFO    ========================================================================
          2016-10-11 15:37:01 INFO    Profile='rhev.gsslab.bne.redhat.com' authn='rhev.gsslab.bne.redhat.com-authn' authz='rhev.gsslab.bne.redhat.com-authz' mapping='null'
          2016-10-11 15:37:01 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='rhevm'
          2016-10-11 15:37:01 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authz'
          2016-10-11 15:37:01 WARNING [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
          2016-10-11 15:37:01 SEVERE  An error occurred while attempting to connect to server win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
[ ERROR ] Login sequence failed

However, if we select the "Search" operation, it works.

Search
          Select entity to search (Principal, Group) [Principal]: 
          Term to search, trailing '*' is allowed: rhevm
          Resolve Groups (Yes, No) [No]: 
[ INFO  ] Executing search sequence...
          Login output:
          2016-10-11 15:38:06 INFO    ========================================================================
          2016-10-11 15:38:06 INFO    ============================ Initialization ============================
          2016-10-11 15:38:06 INFO    ========================================================================
          2016-10-11 15:38:06 INFO    Loading extension 'rhev.gsslab.bne.redhat.com-authz'
          2016-10-11 15:38:06 INFO    Extension 'rhev.gsslab.bne.redhat.com-authz' loaded
          2016-10-11 15:38:06 INFO    Loading extension 'rhev.gsslab.bne.redhat.com-authn'
          2016-10-11 15:38:06 INFO    Extension 'rhev.gsslab.bne.redhat.com-authn' loaded
          2016-10-11 15:38:06 INFO    Initializing extension 'rhev.gsslab.bne.redhat.com-authz'
          2016-10-11 15:38:06 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Creating LDAP pool 'authz'
          2016-10-11 15:38:07 WARNING [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
          2016-10-11 15:38:07 INFO    Extension 'rhev.gsslab.bne.redhat.com-authz' initialized
          2016-10-11 15:38:07 INFO    Initializing extension 'rhev.gsslab.bne.redhat.com-authn'
          2016-10-11 15:38:07 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authz'
          2016-10-11 15:38:07 WARNING [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389' because an unexpected error was encountered during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
          2016-10-11 15:38:07 INFO    Extension 'rhev.gsslab.bne.redhat.com-authn' initialized
          2016-10-11 15:38:07 INFO    Start of enabled extensions list
          2016-10-11 15:38:07 INFO    Instance name: 'rhev.gsslab.bne.redhat.com-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmpxh6Nzs/extensions.d/rhev.gsslab.bne.redhat.com-authz.properties', Initialized: 'true'
          2016-10-11 15:38:07 INFO    Instance name: 'rhev.gsslab.bne.redhat.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmpxh6Nzs/extensions.d/rhev.gsslab.bne.redhat.com-authn.properties', Initialized: 'true'
          2016-10-11 15:38:07 INFO    End of enabled extensions list
          2016-10-11 15:38:07 INFO    ========================================================================
          2016-10-11 15:38:07 INFO    ============================== Execution ===============================
          2016-10-11 15:38:07 INFO    ========================================================================
          2016-10-11 15:38:07 INFO    --- Begin QueryFilterRecord ---
          2016-10-11 15:38:07 INFO    AAA_AUTHZ_QUERY_ENTITY: AAA_AUTHZ_QUERY_ENTITY_PRINCIPAL[1695cd36-4656-474f-b7bc-4466e12634e4]
          2016-10-11 15:38:07 INFO    AAA_AUTHZ_QUERY_FILTER_OPERATOR: 102
          2016-10-11 15:38:07 INFO      --- Begin QueryFilterRecord ---
          2016-10-11 15:38:07 INFO      AAA_AUTHZ_PRINCIPAL_NAME: rhevm
          2016-10-11 15:38:07 INFO      AAA_AUTHZ_QUERY_FILTER_KEY: Extkey[name=AAA_AUTHZ_PRINCIPAL_NAME;type=class java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL_NAME[a0df5bcc-6ead-40a2-8565-2f5cc8773bdd];]
          2016-10-11 15:38:07 INFO      AAA_AUTHZ_QUERY_FILTER_OPERATOR: 0
          2016-10-11 15:38:07 INFO      --- End QueryFilterRecord ---
          2016-10-11 15:38:07 INFO    --- End QueryFilterRecord ---
[ INFO  ] Search sequence executed successfully


Will upload the log file : ovirt-engine-extension-aaa-ldap-setup-20161011153553-t654b0.log to the case shortly.

--------------------------------------------------

However I tried the same procedure with StartTLS instead of LDAPS and it worked straight away with the same certificate.


~~~~

Please select protocol to use (startTLS, ldaps, plain) [startTLS]: 
          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
          File path: /tmp/adcert.pem
[ INFO  ] Resolving SRV record 'rhev.gsslab.bne.redhat.com'
[ INFO  ] Connecting to LDAP using 'ldap://win-nohauqq1iqg.rhev.gsslab.bne.redhat.com:389'
[ INFO  ] Executing startTLS
[ INFO  ] Connection succeeded
          Enter search user DN (empty for anonymous): CN=rhevm,CN=Users,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com
          Enter search user password: 
[ INFO  ] Attempting to bind using 'CN=rhevm,CN=Users,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com'
[ INFO  ] Stage: Setup validation
          The following files are about to be overwritten:
              /etc/ovirt-engine/extensions.d/rhev.gsslab.bne.redhat.com-authn.properties
              /etc/ovirt-engine/extensions.d/rhev.gsslab.bne.redhat.com-authz.properties
              /etc/ovirt-engine/aaa/rhev.gsslab.bne.redhat.com.properties
              /etc/ovirt-engine/aaa/rhev.gsslab.bne.redhat.com.jks
          Continue and overwrite? (Yes, No) [No]: Yes

Select test sequence to execute (Done, Abort, Login, Search) [Abort]: Login
          Enter user name: vineet
          Enter user password: 
[ INFO  ] Executing login sequence...
          Login output:
          2016-10-11 15:49:27 INFO    ========================================================================
          2016-10-11 15:49:27 INFO    ============================ Initialization ============================
          2016-10-11 15:49:27 INFO    ========================================================================
          2016-10-11 15:49:27 INFO    Loading extension 'rhev.gsslab.bne.redhat.com-authz'
          2016-10-11 15:49:27 INFO    Extension 'rhev.gsslab.bne.redhat.com-authz' loaded
          2016-10-11 15:49:27 INFO    Loading extension 'rhev.gsslab.bne.redhat.com-authn'
          2016-10-11 15:49:27 INFO    Extension 'rhev.gsslab.bne.redhat.com-authn' loaded
          2016-10-11 15:49:27 INFO    Initializing extension 'rhev.gsslab.bne.redhat.com-authz'
          2016-10-11 15:49:27 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Creating LDAP pool 'authz'
          2016-10-11 15:49:28 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] LDAP pool 'authz' information: vendor='null' version='null'
          2016-10-11 15:49:28 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Creating LDAP pool 'gc'
          2016-10-11 15:49:29 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] LDAP pool 'gc' information: vendor='null' version='null'
          2016-10-11 15:49:29 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Creating LDAP pool 'authz@rhev.gsslab.bne.redhat.com'
          2016-10-11 15:49:29 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] LDAP pool 'authz@rhev.gsslab.bne.redhat.com' information: vendor='null' version='null'
          2016-10-11 15:49:29 INFO    [ovirt-engine-extension-aaa-ldap.authz::rhev.gsslab.bne.redhat.com-authz] Available Namespaces: [DC=microsoft,DC=com, DC=oracle,DC=com, DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com, DC=trusted,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com, DC=trusted2,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com]
          2016-10-11 15:49:29 INFO    Extension 'rhev.gsslab.bne.redhat.com-authz' initialized
          2016-10-11 15:49:29 INFO    Initializing extension 'rhev.gsslab.bne.redhat.com-authn'
          2016-10-11 15:49:29 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authz'
          2016-10-11 15:49:29 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] LDAP pool 'authz' information: vendor='null' version='null'
          2016-10-11 15:49:29 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authn'
          2016-10-11 15:49:30 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] LDAP pool 'authn' information: vendor='null' version='null'
          2016-10-11 15:49:30 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] Creating LDAP pool 'authz@rhev.gsslab.bne.redhat.com'
          2016-10-11 15:49:30 INFO    [ovirt-engine-extension-aaa-ldap.authn::rhev.gsslab.bne.redhat.com-authn] LDAP pool 'authz@rhev.gsslab.bne.redhat.com' information: vendor='null' version='null'
          2016-10-11 15:49:30 INFO    Extension 'rhev.gsslab.bne.redhat.com-authn' initialized
          2016-10-11 15:49:30 INFO    Start of enabled extensions list
          2016-10-11 15:49:30 INFO    Instance name: 'rhev.gsslab.bne.redhat.com-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmpdNVcks/extensions.d/rhev.gsslab.bne.redhat.com-authz.properties', Initialized: 'true'
          2016-10-11 15:49:30 INFO    Instance name: 'rhev.gsslab.bne.redhat.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.1.5', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.1.5-1.el6ev', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmpdNVcks/extensions.d/rhev.gsslab.bne.redhat.com-authn.properties', Initialized: 'true'
          2016-10-11 15:49:30 INFO    End of enabled extensions list
          2016-10-11 15:49:30 INFO    ========================================================================
          2016-10-11 15:49:30 INFO    ============================== Execution ===============================
          2016-10-11 15:49:30 INFO    ========================================================================
          2016-10-11 15:49:30 INFO    Profile='rhev.gsslab.bne.redhat.com' authn='rhev.gsslab.bne.redhat.com-authn' authz='rhev.gsslab.bne.redhat.com-authz' mapping='null'
          2016-10-11 15:49:30 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='vineet'
          2016-10-11 15:49:30 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
          2016-10-11 15:49:30 INFO    --- Begin AuthRecord ---
          2016-10-11 15:49:30 INFO    AAA_AUTHN_AUTH_RECORD_PRINCIPAL: vineet@rhev.gsslab.bne.redhat.com
          2016-10-11 15:49:30 INFO    --- End   AuthRecord ---
          2016-10-11 15:49:30 INFO    API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='vineet@rhev.gsslab.bne.redhat.com'
          2016-10-11 15:49:30 INFO    API: <--Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD status=SUCCESS
          2016-10-11 15:49:30 INFO    --- Begin PrincipalRecord ---
          2016-10-11 15:49:30 INFO    AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: Vineet Sinha
          2016-10-11 15:49:30 INFO    AAA_AUTHZ_PRINCIPAL_LAST_NAME: Sinha
          2016-10-11 15:49:30 INFO    AAA_AUTHZ_PRINCIPAL_PRINCIPAL: vineet@rhev.gsslab.bne.redhat.com
          2016-10-11 15:49:30 INFO    AAA_LDAP_UNBOUNDID_DN: CN=Vineet Sinha,CN=Users,DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com
          2016-10-11 15:49:30 INFO    AAA_AUTHZ_PRINCIPAL_ID: R3bpw5wCpU+tUcmoCHUzYQ==
          2016-10-11 15:49:30 INFO    AAA_AUTHZ_PRINCIPAL_NAME: Vineet Sinha
          2016-10-11 15:49:30 INFO    AAA_AUTHZ_PRINCIPAL_FIRST_NAME: Vineet
          2016-10-11 15:49:30 INFO    AAA_AUTHZ_PRINCIPAL_NAMESPACE: DC=rhev,DC=gsslab,DC=bne,DC=redhat,DC=com
          2016-10-11 15:49:30 INFO    --- End   PrincipalRecord ---
[ INFO  ] Login sequence executed successfully

With StartTLS, I managed to complete the integration successfully.

We have another customer who ran into the same issue. After selecting StartTLS, it worked like a charm. SFDC #01703647

One of the steps suggests the following:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

The Login option does not work when you use LDAPS in the ovirt-engine-extension-aaa-ldap utility.

The same option works when we use StartTLS.

Expected results:

Additional info:

(Originally by Frank Jayalath)

Comment 1 rhev-integ 2017-11-16 13:26:12 UTC
Created attachment 1209408 [details]
aaa-ldap-setup logs

aaa-ldap-setup logs

(Originally by Frank Jayalath)

Comment 3 rhev-integ 2017-11-16 13:26:18 UTC
The problem, as you can see, is that aaa-ldap tries to use ldaps on port 389, but you have it enabled on 636.

The srvrecord server type takes the port from the following request:

  dig _ldap._tcp.gc._msdcs.rhev.gsslab.bne.redhat.com SRV

And it returns: win-nohauqq1iqg.rhev.gsslab.bne.redhat.com and ad-bne.rhev.gsslab.bne.redhat.com with port 389.

If you would like to use ldaps with 636, I would use:

 pool.default.serverset.srvrecord.service = ldaps

and add to your DNS ldaps SRV record with port 636.

(Originally by Ondra Machacek)

Comment 4 rhev-integ 2017-11-16 13:26:23 UTC
Hi Frank, does your aaa-ldap configuration work properly after changing DNS SRV records as suggested by Ondra?

(Originally by Martin Perina)

Comment 5 rhev-integ 2017-11-16 13:26:30 UTC
Closing as NOTABUG, feel free to reopen if the information provided by Ondra in Comment 2 doesn't fix your issue.

(Originally by Martin Perina)

Comment 6 rhev-integ 2017-11-16 13:26:36 UTC
I would like to reopen this bug as "ovirt-engine-extension-aaa-ldap-setup" script is supposed to configure the extension in the right way.

If the Windows AD has the correct DNS entries then the setup script should just work, now it doesn't because "pool.default.serverset.srvrecord.service" property is not set by the setup script to the correct value.

On the other hand, Active Directory does not set up ldaps SRV DNS entries by default, so I guess we need to document it somewhere, or the script should warn the user once the 'ldaps' option is selected and optionally print the required SRV DNS entries.

A workaround to make it work without ldaps SRV DNS entries would be changing the following properties instead of 'pool.default.serverset.srvrecord.service':
~~~
pool.gc.serverset.single.port = 3269
pool.default.serverset.srvrecord.port= 636
~~~

It should work in most of the cases where the Active Directory server is using the standard ports.

Either way, I think we need to fix this because it always fails when the user tries to use 'ldaps' connections to access AD.

(Originally by Miguel Martin Villamuelas)

Comment 7 rhev-integ 2017-11-16 13:26:42 UTC
OK, so let's set pool.default.serverset.srvrecord.service = ldaps when the user selects ldaps. But it should be noted that ldaps is not the preferred or recommended protocol by Microsoft (that's why it is not set up on AD by default), and it's recommended to use StartTLS instead.

Anyway, since ovirt-engine-extension-aaa-ldap 1.3.3, examples of how to set up AD with LDAPS are provided; more information in [1], which is also included within the aaa-ldap package.

[1] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/tree/master/examples#active-directory-with-server-defined-in-dns-srv-records-using-ldaps

(Originally by Martin Perina)
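The mechanism described in Comments 3, 6 and 7, as an added example (not code from ovirt-engine-extension-aaa-ldap or from anyone on this bug): it models how the srvrecord serverset turns DNS SRV answers into ldap/ldaps URLs for the default pool and flags the LDAPS-on-port-389 mismatch before a Login test is run. The `_<service>._tcp.<domain>` owner-name form and the standard AD port numbers are assumptions; the zone data is constructed from the hosts and ports Comment 3 reports, and the GC pool is not modelled.

```python
from dataclasses import dataclass

# Standard AD ports (assumption; Comment 6 relies on "the standard ports").
PLAINTEXT_PORTS = {389, 3268}   # LDAP / Global Catalog, TLS only via StartTLS
LDAPS_PORTS = {636, 3269}       # LDAPS / Global Catalog, TLS from the first byte


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone reproducing what Comment 3 reports: the _ldap SRV record
# advertises both domain controllers on port 389, and no _ldaps record exists
# (Active Directory does not publish one by default, per Comment 6).
ZONE_AS_REPORTED = {
    "_ldap._tcp.rhev.gsslab.bne.redhat.com": [
        SrvRecord(0, 100, 389, "win-nohauqq1iqg.rhev.gsslab.bne.redhat.com"),
        SrvRecord(0, 100, 389, "ad-bne.rhev.gsslab.bne.redhat.com"),
    ],
}

# The same zone after the ldaps SRV record Comment 3 asks for has been added.
ZONE_WITH_LDAPS_SRV = {
    **ZONE_AS_REPORTED,
    "_ldaps._tcp.rhev.gsslab.bne.redhat.com": [
        SrvRecord(0, 100, 636, "win-nohauqq1iqg.rhev.gsslab.bne.redhat.com"),
    ],
}


def srv_name(service: str, domain: str) -> str:
    """Owner name the srvrecord serverset queries (assumed form _<service>._tcp.<domain>)."""
    return f"_{service}._tcp.{domain}"


def resolve_srv(zone: dict, name: str) -> list:
    """Order SRV answers as a client uses them: lowest priority first, then highest weight."""
    return sorted(zone.get(name, []), key=lambda r: (r.priority, -r.weight))


def plan_urls(zone: dict, config: dict, protocol: str) -> list:
    """Return the URLs the default pool would try.

    `protocol` is the setup-tool choice (startTLS, ldaps, plain). `config` holds the
    aaa-ldap properties named in this bug:
      pool.default.serverset.srvrecord.domain   DNS domain to query
      pool.default.serverset.srvrecord.service  SRV service label (default: ldap)
      pool.default.serverset.srvrecord.port     fixed port overriding the SRV port
    """
    domain = config["pool.default.serverset.srvrecord.domain"]
    service = config.get("pool.default.serverset.srvrecord.service", "ldap")
    override = config.get("pool.default.serverset.srvrecord.port")
    scheme = "ldaps" if protocol == "ldaps" else "ldap"
    urls = []
    for rec in resolve_srv(zone, srv_name(service, domain)):
        port = int(override) if override is not None else rec.port
        urls.append(f"{scheme}://{rec.target}:{port}")
    return urls


def diagnose(zone: dict, config: dict, protocol: str) -> list:
    """Preflight check: list the problems a Login test would hit; empty means consistent."""
    findings = []
    urls = plan_urls(zone, config, protocol)
    if not urls:
        service = config.get("pool.default.serverset.srvrecord.service", "ldap")
        name = srv_name(service, config["pool.default.serverset.srvrecord.domain"])
        findings.append(f"no SRV answer for {name}: the pool has no servers to connect to")
    for url in urls:
        scheme, rest = url.split("://", 1)
        port = int(rest.rsplit(":", 1)[1])
        if scheme == "ldaps" and port in PLAINTEXT_PORTS:
            findings.append(f"{url}: TLS handshake against a plaintext LDAP port "
                            "(the connect error 91 / 'peer not authenticated' seen in this bug)")
        elif scheme == "ldap" and port in LDAPS_PORTS:
            findings.append(f"{url}: cleartext/StartTLS against an LDAPS-only port")
    return findings


if __name__ == "__main__":
    cfg = {"pool.default.serverset.srvrecord.domain": "rhev.gsslab.bne.redhat.com"}
    for finding in diagnose(ZONE_AS_REPORTED, cfg, "ldaps"):
        print(finding)
```

Running it against the reported zone with the ldaps choice prints one finding per domain controller; with the Comment 3 fix (service = ldaps plus the _ldaps SRV record) or the Comment 6 override (srvrecord.port = 636) it prints nothing.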

Comment 10 Gonza 2017-11-27 09:52:40 UTC
Verified with:
ovirt-engine-extension-aaa-ldap-1.3.6-1.el7ev.noarch

[ INFO  ] Login sequence executed successfully

Comment 13 errata-xmlrpc 2017-12-12 09:23:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3426
