Re: [ovirt-users] Active Directory authentication setup

2017-07-17 Thread Todd Punderson
Sorry to reply to myself, but I figured it out.  Putting this here for 
documentation in case anyone ever runs into this as it was absolutely horrible 
to troubleshoot.


I had this set:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1
(I think that's the default.) That caused the CA to issue certs with the 
RSASSA-PSS (1.2.840.113549.1.1.10) signature algorithm instead of sha256RSA. So I 
changed that registry value to 0, as well as my CAPolicy.inf file, and reissued 
my Root and Sub CA certs. Then I refreshed the DC certs, loaded the new Root/Sub 
CAs in CentOS, and it started working.


I actually figured it out from a bug report for Firefox here: 
https://support.mozilla.org/en-US/questions/986085


Either way it's working now. That drove me nuts for 2+ days.


Thank you anyway for your assistance!


From: users-boun...@ovirt.org  on behalf of Todd 
Punderson 
Sent: Monday, July 17, 2017 9:05:12 AM
To: Ondra Machacek
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Active Directory authentication setup


Hi,

Agreed on the certificate issue; I fought with it all weekend! Here's the 
output of those commands:


ldap_url_parse_ext(ldaps://DC3.home.doonga.org)
ldap_create
ldap_url_parse_ext(ldaps://DC3.home.doonga.org:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP DC3.home.doonga.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.16.10.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' 
certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [(null)] is not valid - error -8182:Peer's certificate has an 
invalid signature..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8174
TLS: can't connect: TLS error -8174:security library: bad database..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I tried digging into this one. I'm very sure the peer doesn't have an invalid 
signature; I tested the certificate chain with openssl successfully. I'm 
guessing that error is related to the "bad database", but I couldn't quite figure 
out that part of the error.


I have an offline root and an online issuing CA; here are those certs. I loaded both 
of them into the system CA trust.


[root@ovirt-engine ~]#  openssl x509 -in /root/root.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1a:01:7c:fc:bf:77:9c:95:4e:13:7d:bf:36:a8:be:5b
Signature Algorithm: rsassaPss
 Hash Algorithm: sha256
 Mask Algorithm: mgf1 with sha256
 Salt Length: 20
 Trailer Field: 0xbc (default)
Issuer: CN=Doonga.Org Root CA
Validity
Not Before: Jul 13 01:15:39 2017 GMT
Not After : Jul 13 01:25:39 2037 GMT
Subject: CN=Doonga.Org Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ac:ad:1e:3a:9c:08:76:7f:eb:83:ea:d9:f6:4b:
d3:4b:88:45:bb:50:b1:3b:a6:b9:a0:22:d4:94:a5:
b4:6a:32:39:cd:3b:5e:83:c1:1e:de:cb:0e:da:73:
e2:3a:df:f0:97:a2:72:b1:35:cf:bd:a3:a7:e5:dc:
67:ac:38:82:e8:a2:31:21:ab:cf:19:6d:a5:7d:44:
5e:f3:dd:76:d1:02:8b:cf:3b:25:ce:c0:7a:4b:0d:
ae:bb:d5:02:06:8b:0b:33:75:5a:81:1b:c1:53:52:
45:44:65:49:35:08:d7:0c:35:15:bf:6b:1e:82:49:
d2:de:ce:4b:0b:1b:6c:02:97:af:86:0c:ce:78:6f:
4f:dd:fe:9e:13:e7:43:94:53:df:76:91:8a:df:88:
4c:0b:0e:a6:6b:ef:7a:2f:ff:cc:ad:a5:36:fd:8f:
ad:44:e5:93:b3:4b:cb:43:c9:28:9d:21:86:7c:c5:
72:91:0b:a8:d5:36:f2:14:bf:df:58:27:a9:4b:04:
de:f1:89:aa:c0:27:ba:81:c9:0c:08:f7:08:f9:f3:
05:d1:d7:26:45:80:9c:d6:da:98:0c:d9:b8:44:e2:
aa:4f:32:2d:7b:5f:1a:14:ac:34:52:76:20:2d:cb:
6d:8e:d5:87:80:b2:d4:2f:0f:77:13:51:92:bb:f3:
07:75
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07
1.3.6.1.4.1.311.21.1:
...
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.37

:bf:2f:84:
 ee:69:76:cd:b7:34:2c:dd:f9:2d:02:62:4a:0f:8b:1e:42:11:
 f8:98:ae:07

[root@ovirt-engine ~]#  openssl x509 -in /root/sub.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
50:00:00:00:02:2e:ac:e2:5e:b2:d5:fc:11:00:00:00:00:00:02
Signature Algorithm: rsassaPss
 Hash Algorithm: sha256
 Mask Algorithm: mgf1 with sha256
 Salt Length: 20
 Trailer Field: 0xbc (default)
Issuer: CN=Doonga.Org Root CA
Validity
Not Before: Jul 13 02:07:35 2017 GMT
Not After : Jul 13 02:17:35 2027 GMT
Subject: DC=org, DC=doonga, DC=home, CN=Doonga.Org Issuing CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f3:1d:d4:7b:c4:49:0a:d0:8a:9d:91:52:ca:e1:
3f:f6:f6:6b:33:6e:f2:47:0b:62:fc:a4:21:48:88:
0a:50:a4:10:83:59:ab:73:e9:46:08:45:39:52:67:
d3:a2:e5:33:ef:33:3f:2a:c0:b5:f5:9c:58:26:6a:
54:00:73:66:96:f6:e0:e6:db:49:58:aa:3b:43:06:
da:d0:25:cf:cf:5b:7b:d8:93:69:12:ee:c9:c0:d1:
e0:28:c8:3e:77:b1:67:8f:e0:37:5b:26:9b:2e:df:
b0:9f:0b:6c:aa:e5:5b:31:de:65:cc:f3:ab:d1:5b:
db:8d:3e:57:bf:db:7e:bb:d2:f1:83:e3:88:21:92:
0c:22:c5:ce:a9:bc:da:99:df:f1:83:01:35:a7:52:
e9:81:01:ab:e0:ca:7a:78:b3:98:4c:1a:2c:a3:5d:
75:a5:b1:be:dc:cb:cd:1d:32:e5:36:37:3b:f1:64:
8b:f9:b2:25:f6:ad:ee:74:ab:ac:66:cd:07:67:80:
14:78:54:e6:a9:74:58:d1:9f:1d:2f:57:d5:ef:80:
73:25:de:aa:be:46:0f:70:ca:20:42:ba:73:a1:12:
70:eb:78:7d:95:9b:77:5b:b8:70:f2:a2:b9:d5:b6:
63:f0:b5:51:32:24:f4:c5:f8:6a:d3:28:bd:8e:79:
fc:89
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
21:BB:5D:9C:46:0C:B8:DE:5B:2C:B5:3D:5D:CF:D7:F2:07:2C:48:FD
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.37476.9000.53
  User Notice:
Explicit Text:
  CPS: http://www.doonga.org/pki/cps.txt

1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:

keyid:72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07

X509v3 CRL Distribution Points:

Full Name:
  URI:http://www.doonga.org/pki/Doonga.Org%20Root%20CA.crl

Authority Information Access:
CA Issuers - 
URI:http://www.doonga.org/pki/CAROOT_Doonga.Org%20Root%20CA.crt

Signature Algorithm: rsassaPss
 Hash Algorithm: sha256
 Mask Algorithm: mgf1 with sha256
 Salt Length: 20
 Trailer Field: 0xbc (default)

 70:f2:32:da:17:22:40:4a:e7:20:12:44:99:62:82:d7:97:e8:
 48:c6:d4:34:71:d7:58:03:ef:5b:b4:db:74:9a:81:51:7c:6f:
 f4:2c:c1:7a:cc:84:28:61:8d:10:d1:3c:da:1c:28:26:1c:e6:
 5e:85:6d:84:93:30:12:4c:8f:a7:5d:4c:8f:e0:e8:75:99:62:
 6b:ef:f3:82:10:fa:da:6d:3f:2d:3b:eb:61:ff:fc:4c:2b:55:
 cb:29:f6:10:0c:35:7f:b6:ff:4a:b1:e8:a5:6a:3d:ad:fe:cd:
 57:6f:c9:99:c5:41:2d:29:90:c8:7c:83:03:4f:e1:36:e1:f9:
 24:78:cb:d8:46:19:bf:1a:a8:a8:e1:94:2f:2a:67:43:a3:1c:
 ce:22:7e:9a:47:49:a6:e9:35:30:77:35:9c:01:3a:41:bd:71:
 17:11:b8:f4:42:a9:25:b7:7b:6a:7b:8f:c1:cc:1a:03:d0:47:
 bb:1e:4f:39:ff:97:cb:38:c5:19:c4:f2:dd:de:16:cd:64:ad:
 6f:2a:1f:21:09:62:dc:28:2a:cb:d9:3e:dd:7e:b0:6e:86:f5:
 16:0f:5b:6e:df:4a:dc:e6:f9:2c:4b:aa:aa:71:5c:ba:4f:cc:
 1e:c4:bf:de:ff:56:c9:28:13:23:e2:d5:ef:4f:68:86:96:52:
 fa:d8:9c:31

I'm definitely sure that I have the correct CA certs loaded. I tried removing 
them and I got an invalid CA error. When they are in place I get the error I'm 
asking about. So I'm sure it's reading the CA certificates properly.


Thanks very much for your help!

Todd


________
From: Ondra Machacek 
Sent: Monday, July 17, 2017 3:34:49 AM
To: Todd Punderson
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Active Directory authentication setup

This is most probably a certificate issue.

Can you please share the output of the following command:

 $ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b ''

And also the output of the following command:

 $ openssl x509 -in /path/to/your/active_directory_ca.pem -text -noout

Are you sure you added a proper CA cert to your 

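As an added example (not part of the thread, and not oVirt's or OpenLDAP's code), here is a stdlib-only Python check for the root cause Todd describes at the top of the thread: it reads every certificate in a PEM bundle, pulls the signature algorithm OID out of both the tbsCertificate and the outer signatureAlgorithm field, and flags any chain member signed with RSASSA-PSS (1.2.840.113549.1.1.10), so a CA chain can be audited before a moznss-backed client is pointed at it. It also reports a disagreement between the two algorithm fields, which RFC 5280 section 4.1.1.2 forbids. The input it ships with is a constructed skeleton certificate (correct DER field layout, empty issuer, all-zero signature, no key) produced by the hypothetical `build_skeleton_cert` helper, because the thread's certificates are not reproduced here in full; point it at a real PEM file by changing `SAMPLE_BUNDLE`.

```python
"""Flag certificates in a PEM bundle signed with RSASSA-PSS (added example, stdlib only).
The DER parser reads only as far as the two AlgorithmIdentifier fields; it verifies nothing."""
import base64
import re

RSASSA_PSS = "1.2.840.113549.1.1.10"
OID_NAMES = {RSASSA_PSS: "rsassaPss",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """OID content octets -> dotted string (handles the 2.x first-arc encoding)."""
    parts = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def _alg_oid(buf, pos):
    """pos is an AlgorithmIdentifier SEQUENCE; return its algorithm OID."""
    tag, start, _ = _read_tlv(buf, pos)
    otag, ostart, oend = _read_tlv(buf, start)
    if tag != 0x30 or otag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(buf[ostart:oend])

def signature_algorithms(der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    tag, cstart, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, pos, tbs_end = _read_tlv(der, cstart)      # tbsCertificate; tbs_end = outer alg start
    vtag, _, vend = _read_tlv(der, pos)
    if vtag == 0xA0:                              # optional [0] EXPLICIT version
        pos = vend
    _, _, pos = _read_tlv(der, pos)               # serialNumber
    return _alg_oid(der, pos), _alg_oid(der, tbs_end)

def audit_bundle(pem_text):
    """One finding per PEM cert: 'pss' marks RSASSA-PSS; 'mismatch' marks a
    tbsCertificate/outer algorithm disagreement, which RFC 5280 4.1.1.2 forbids."""
    findings = []
    for i, blob in enumerate(PEM_RE.findall(pem_text)):
        tbs_oid, outer_oid = signature_algorithms(base64.b64decode("".join(blob.split())))
        findings.append({"index": i,
                         "tbs_alg": OID_NAMES.get(tbs_oid, tbs_oid),
                         "outer_alg": OID_NAMES.get(outer_oid, outer_oid),
                         "pss": RSASSA_PSS in (tbs_oid, outer_oid),
                         "mismatch": tbs_oid != outer_oid})
    return findings

# Constructed sample input below: structurally valid, unsigned certificate skeletons.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        enc = [a & 0x7F]
        a >>= 7
        while a:
            enc.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(enc))
    return bytes(out)

def build_skeleton_cert(outer_oid, tbs_oid=None):
    """Hypothetical helper: DER Certificate with the real field layout, an empty
    issuer Name and an all-zero signature (constructed sample, not a real cert)."""
    alg = lambda oid: _tlv(0x30, _tlv(0x06, _encode_oid(oid)))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))  # version v3
                     + _tlv(0x02, b"\x01")            # serialNumber
                     + alg(tbs_oid or outer_oid)      # signature
                     + _tlv(0x30, b""))               # issuer Name placeholder
    return _tlv(0x30, tbs + alg(outer_oid) + _tlv(0x03, b"\x00" * 33))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

SAMPLE_BUNDLE = (to_pem(build_skeleton_cert(RSASSA_PSS))                  # like the thread's CAs
                 + to_pem(build_skeleton_cert("1.2.840.113549.1.1.11")))  # sha256WithRSAEncryption

if __name__ == "__main__":
    for f in audit_bundle(SAMPLE_BUNDLE):
        print("cert %(index)d: tbs=%(tbs_alg)s outer=%(outer_alg)s pss=%(pss)s mismatch=%(mismatch)s" % f)
```

On the constructed bundle the first certificate is reported as rsassaPss, which is exactly what `openssl x509 -text` showed for both CA certs in the thread; on a real bundle, any `pss=True` line in the chain identifies a certificate that has to be reissued with a classic PKCS#1 v1.5 algorithm (AlternateSignatureAlgorithm=0 on a Windows CA) before a client lacking RSASSA-PSS support can validate it.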
Re: [ovirt-users] Active Directory authentication setup

2017-07-17 Thread Ondra Machacek
This is most probably a certificate issue.

Can you please share the output of the following command:

 $ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b ''

And also the output of the following command:

 $ openssl x509 -in /path/to/your/active_directory_ca.pem -text -noout

Are you sure you added a proper CA cert to your system?


On Sun, Jul 16, 2017 at 1:04 AM, Todd Punderson  wrote:
> Hi,
>
> I've been pulling my hair out over this one. Here's the
> output of ovirt-engine-extension-aaa-ldap-setup. Everything works fine if I
> use "plain" but I don't really want to do that. I searched the error that's
> shown below and tried several different "fixes" but none of them helped.
> These are Server 2016 DCs. Not too sure where to go next.
>
>
>
> [ INFO  ] Stage: Initializing
>
> [ INFO  ] Stage: Environment setup
>
>   Configuration files:
> ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
>
>   Log file:
> /tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log
>
>   Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
>
> [ INFO  ] Stage: Environment packages setup
>
> [ INFO  ] Stage: Programs detection
>
> [ INFO  ] Stage: Environment customization
>
>   Welcome to LDAP extension configuration program
>
>   Available LDAP implementations:
>
>1 - 389ds
>
>2 - 389ds RFC-2307 Schema
>
>3 - Active Directory
>
>4 - IBM Security Directory Server
>
>5 - IBM Security Directory Server RFC-2307 Schema
>
>6 - IPA
>
>7 - Novell eDirectory RFC-2307 Schema
>
>8 - OpenLDAP RFC-2307 Schema
>
>9 - OpenLDAP Standard Schema
>
>   10 - Oracle Unified Directory RFC-2307 Schema
>
>   11 - RFC-2307 Schema (Generic)
>
>   12 - RHDS
>
>   13 - RHDS RFC-2307 Schema
>
>   14 - iPlanet
>
>   Please select: 3
>
>   Please enter Active Directory Forest name: home.doonga.org
>
> [ INFO  ] Resolving Global Catalog SRV record for home.doonga.org
>
> [ INFO  ] Resolving LDAP SRV record for home.doonga.org
>
>   NOTE:
>
>   It is highly recommended to use secure protocol to access the LDAP
> server.
>
>   Protocol startTLS is the standard recommended method to do so.
>
>   Only in cases in which the startTLS is not supported, fallback to
> non standard ldaps protocol.
>
>   Use plain for test environments only.
>
>   Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
> ldaps
>
>   Please select method to obtain PEM encoded CA certificate (File,
> URL, Inline, System, Insecure): System
>
> [ INFO  ] Resolving SRV record 'home.doonga.org'
>
> [ INFO  ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'
>
> [WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info':
> 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact
> LDAP server"}
>
> [ INFO  ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'
>
> [WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info':
> 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact
> LDAP server"}
>
> [ INFO  ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'
>
> [WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info':
> 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact
> LDAP server"}
>
> [ ERROR ] Cannot connect using any of available options
>
>
>
> Also:
>
> 2017-07-15 18:18:06 INFO
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:391 Connecting to LDAP using
> 'ldap://DC2.home.doonga.org:389'
>
> 2017-07-15 18:18:06 INFO
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:442 Executing startTLS
>
> 2017-07-15 18:18:06 DEBUG
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:459 Exception
>
> Traceback (most recent call last):
>
>   File
> "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
> line 443, in _connectLDAP
>
> c.start_tls_s()
>
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in
> start_tls_s
>
> return self._ldap_call(self._l.start_tls_s)
>
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in
> _ldap_call
>
> result = func(*args,**kwargs)
>
> CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.',
> 'desc': 'Connect error'}
>
> 2017-07-15 18:18:06 WARNING
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:463 Cannot connect using
> 'ldap://DC2.home.doonga.org:389': {'info': 'TLS error -8157:Certificate
> extension not found.', 'desc': 'Connect error'}
>
> 2017-07-15 18:18:06 INFO
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:391 Conn