Thanks a bunch Josh. It seems to be working now with ldaps. I tried running

    vifs --listdc --server server.internal.ncf.edu

and I get the error listed in the URL below. Not sure if that has anything to do with the image capture problems I'm getting. It goes away if I perform the workaround listed in the link. FYI, I installed the 5.1 version of the vSphere SDK. Anyhow, thanks for helping me with the ldap.
http://probably.co.uk/vmware-perl-sdk-error-server-version-unavailable.html

David DeMizio
*Academic Systems Coordinator*
Office of Information Technology
New College of Florida
Phone: 941-487-4222 | Fax: 941-487-4356
www.ncf.edu

On Wed, Nov 13, 2013 at 1:27 PM, Josh Thompson <[email protected]> wrote:

> David,
>
> If you passed "-inform pem" to openssl, then the file is in PEM format. If
> you just run "cat RootCA.pem", you should see the BEGIN/END lines. Assuming
> you see the BEGIN/END lines, you can add the contents of the file to
> /etc/pki/tls/certs/ca-bundle.crt (you must include the BEGIN/END lines).
> After doing so, the openssl s_client command should work successfully. You'll
> need to restart httpd so the ca-bundle.crt file is read again. If the openssl
> command is working, but the test script is not, you may need to add
> "TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt" to /etc/openldap/ldap.conf.
>
> Josh
>
> On Wednesday, November 13, 2013 1:19:07 PM David DeMizio wrote:
> > Hello Josh,
> >
> > The server cert is self-signed and I believe it's in DER format. I tried
> > running a command sort of like this but I don't see a BEGIN CERTIFICATE
> > and END.
> >
> >     openssl x509 -inform pem -in RootCA.pem -noout -text
> >
> >     Certificate:
> >         Data:
> >             Version: 3 (0x2)
> >             Serial Number:
> >                 79:ea:98:8c:f8:36:fe:88:45:76:fb:fe:4a:c7:e7:02
> >         Signature Algorithm: sha1WithRSAEncryption
> >             Issuer: DC=edu, DC=ncf, DC=internal, CN=internal-MSADCS1-CA
> >             Validity
> >                 Not Before: Jun  1 06:24:07 2012 GMT
> >                 Not After : Jun  1 06:34:05 2017 GMT
> >             Subject: DC=edu, DC=ncf, DC=internal, CN=internal-MSADCS1-CA
> >             Subject Public Key Info:
> >                 Public Key Algorithm: rsaEncryption
> >                     Public-Key: (2048 bit)
> >                     Modulus:
> >                     Exponent: 65537 (0x10001)
> >             X509v3 extensions:
> >                 1.3.6.1.4.1.311.20.2:
> >                     ...C.A
> >                 X509v3 Key Usage:
> >                     Digital Signature, Certificate Sign, CRL Sign
> >                 X509v3 Basic Constraints: critical
> >                     CA:TRUE
> >                 X509v3 Subject Key Identifier:
> >                     EC:A5:DB:79:15:97:AC:B0:E9:00:FC:F4:9D:CF:8B:C5:9F:94:2B:A4
> >                 1.3.6.1.4.1.311.21.1:
> >                     ...
> >         Signature Algorithm: sha1WithRSAEncryption
> >
> > I don't get what I'm supposed to install and, as I mentioned above, I
> > don't see any BEGIN CERTIFICATE and END CERTIFICATE.
> >
> > On Wed, Nov 13, 2013 at 12:53 PM, Josh Thompson <[email protected]> wrote:
> > > David,
> > >
> > > First, a little certificate background. With SSL, you have a Certificate
> > > Authority (CA) that has a certificate known as a "CA cert" (Certificate
> > > Authority Certificate) which is used to sign certificates that are
> > > installed on servers. These certificates are known as "server certs". The
> > > idea is that you have public certificate authorities (i.e. Verisign) who
> > > publish their CA certs. Then, when you bring up a server that needs to use
> > > SSL, you have them sign your server certificate. When people access your
> > > server, they see that your server certificate is signed by a known and
> > > trusted CA, and therefore they trust you.
> > >
> > > Things get more complicated when you have a self-signed certificate.
> > > This is when you create your own CA cert that you use to sign a server
> > > cert. When someone accesses your server, they do not have a copy of the CA
> > > cert to verify that your server cert is valid. Most systems (such as web
> > > browsers) allow you to accept and trust a server cert when you don't have
> > > the CA cert that was used to sign it. Unfortunately, the underlying
> > > libraries used by php for ldaps do not allow you to just accept the server
> > > cert.
> > >
> > > So, you need the PEM encoded CA cert that was used to sign the server cert
> > > that is installed on the ldap server. A PEM encoded file will be plain
> > > text with a "BEGIN CERTIFICATE" line at the top and an "END CERTIFICATE"
> > > line at the bottom. I've worked with several ldap server admins that
> > > aren't really sure which certificate I need. This can end up being tricky.
> > > The best clue I've been able to give them is to look at the issuer of the
> > > server cert. To find that, you need to run the openssl command you listed.
> > > Somewhere in the output, you should see a line with "Server certificate".
> > > Following it will be a "subject=" line and an "issuer=" line. The issuer=
> > > line will contain something kind of like the hostname of the CA in reverse
> > > order.
> > >
> > > I hope that helps.
> > >
> > > Josh
> > >
> > > On Wednesday, November 13, 2013 8:53:49 AM David DeMizio wrote:
> > > > Hello, I have ldap set up and going but I can't seem to get ldaps
> > > > working. I get the following error message below when running
> > > >
> > > >     openssl s_client -showcerts -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect your.ldap.server.here:636
> > > >
> > > > I would like to fix this issue so I can rule out any other issues I am
> > > > having.
> > > > I also tried running
> > > >
> > > >     vifs --listdc --server my vcenter server
> > > >
> > > > and it fails with the message displayed at the following URL:
> > > > http://probably.co.uk/vmware-perl-sdk-error-server-version-unavailable.html
> > > >
> > > > If I set export PERL_LWP_SSL_VERIFY_HOSTNAME=0 then the vifs --listdc
> > > > command works. Could someone assist with how the certificate needs to be
> > > > installed? I have a certificate from the sysadmin but I keep getting the
> > > > error below. I'm not too sure on the steps outlined in the configuring
> > > > the web front end for ldap authentication.
> > > >
> > > > If your LDAP server's SSL certificate is self-signed, your VCL web server
> > > > needs to have the root CA certificate that was used to sign the LDAP
> > > > server certificate installed. The PEM formatted certificate needs to be
> > > > added to the ca-bundle.crt file. On CentOS, the file is located at
> > > > /etc/pki/tls/certs/ca-bundle.crt. The hostname in the certificate must
> > > > match the hostname entered in the conf.php file further down. If your
> > > > certificate does not have the correct hostname in it, you can put an
> > > > entry in /etc/hosts for the hostname in the certificate.
> > > >
> > > > Can someone please clarify how this needs to get configured?
> > > > Thank you
> > > >
> > > > Error message when running the openssl command above:
> > > >
> > > >     Expansion: NONE
> > > >     SSL-Session:
> > > >         Protocol  : TLSv1
> > > >         Cipher    : AES128-SHA
> > > >         Session-ID: 683800009905729E42D39C584A91E4B72F4468392FB72A71FAA5AA630DF88439
> > > >         Session-ID-ctx:
> > > >         Master-Key: E24AE8C7F770D863C92D9EEF81F11A76AABB54FBAF27F19328790913C3D08291909824D7FCA0372CE2DE4CA971BFB3C4
> > > >         Key-Arg   : None
> > > >         Krb5 Principal: None
> > > >         PSK identity: None
> > > >         PSK identity hint: None
> > > >         Start Time: 1384349719
> > > >         Timeout   : 300 (sec)
> > > >         Verify return code: 21 (unable to verify the first certificate)
> > > >
> > > > On Thu, Nov 7, 2013 at 4:53 PM, David DeMizio <[email protected]> wrote:
> > > > > Hello,
> > > > >
> > > > > I'm having a difficult time configuring ldap authentication for the
> > > > > web login. I used the test script found on this mailing list and it
> > > > > seems to work with the following parameters.
> > > > >
> > > > >     $server = 'serverA.internal.ncf.edu'; # ldap server hostname
> > > > >     $masteracct = 'CN=VCL User,OU=Admin,DC=internal,DC=ncf,DC=edu'; # full DN of account with which to log in to ldap server
> > > > >     $masterpass = 'mypassword'; # password for account
> > > > >
> > > > >     $res = ldap_bind($ds, $masteracct, $masterpass);
> > > > >
> > > > > The above works fine in the test script, which is also where it's
> > > > > failing in vcl/.ht-inc/authentication.php line 413. By the way, I
> > > > > modified ldapauth and authentication.php to use ldap:// instead of
> > > > > ldaps:// for the time being because ldaps is not working at all.
> > > > > I get invalid credentials. Line 413 of authentication.php is
> > > > >
> > > > >     $res = ldap_bind($ds, $ldapuser, $passwd);
> > > > >
> > > > > My conf.php looks like this, which might be the issue; I may need to
> > > > > put it in a different format.
> > > > >
> > > > >     "server" => "serverA.internal.ncf.edu",
> > > > >     "binddn" => "dc=internal,dc=ncf,dc=edu",
> > > > >     "userid" => "uid=%s,dc=internal,dc=ncf,dc=edu", [email protected]'
> > > > >     "unityid" => "samAccountName", # ldap field that contains the user's login id
> > > > >     "firstname" => "givenname", # ldap field that contains the user's first name
> > > > >     "lastname" => "sn", # ldap field that contains the user's last name
> > > > >     "email" => "mail", # ldap field that contains the user's email address
> > > > >     "defaultemail" => "@example.com", # if for some reason an email address may not be returned for a user, this is what
> > > > >                                       # can be added to the user's login id to send mail
> > > > >     "masterlogin" => "vcluser", # privileged login id for ldap server
> > > > >     "masterpwd" => "mypassword", # privileged login password for ldap server
> > > > >
> > > > > Thanks
> > >
> > > --
> > > -------------------------------
> > > Josh Thompson
> > > VCL Developer
> > > North Carolina State University
> > >
> > > my GPG/PGP key can be found at pgp.mit.edu
> > >
> > > All electronic mail messages in connection with State business which
> > > are sent to or received by this account are subject to the NC Public
> > > Records Law and may be disclosed to third parties.
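A script that performs the checks Josh describes by hand, added here as an example and not taken from the thread or from the VCL project: it normalises the CA cert handed over by the AD admin to PEM, confirms it really is a CA cert and that it signed the LDAP server's cert, and runs the same s_client check the thread uses. Function and file names are my own; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the VCL thread): sanity-check a CA cert handed over
# by an AD admin before appending it to /etc/pki/tls/certs/ca-bundle.crt.
# Assumptions: openssl on PATH; function and file names are this script's own.
set -eu

# PEM is plain text with a BEGIN line; anything else is treated as DER.
cert_format() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    echo pem
  else
    echo der
  fi
}

# Normalise $1 (PEM or DER) into a PEM file at $2, which is what ca-bundle.crt needs.
to_pem() {
  if [ "$(cert_format "$1")" = pem ]; then
    cp "$1" "$2"
  else
    openssl x509 -inform der -in "$1" -out "$2"
  fi
}

# Succeeds only if $1 carries the CA:TRUE basic constraint, i.e. it is the CA
# cert and not the server cert (a common mix-up when asking admins for "the cert").
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds if CA $1's subject equals server cert $2's issuer (Josh's "issuer="
# clue) and the signature on $2 really verifies against $1.
ca_signed_server() {
  ca_subj=$(openssl x509 -in "$1" -noout -subject)
  srv_iss=$(openssl x509 -in "$2" -noout -issuer)
  [ "${ca_subj#subject=}" = "${srv_iss#issuer=}" ] || return 1
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Save the cert an LDAPS host presents on port 636 to $2 (needs network access).
fetch_ldaps_cert() {
  openssl s_client -connect "$1:636" </dev/null 2>/dev/null | openssl x509 -out "$2"
}

# The same check the thread runs by hand: succeeds once bundle $2 trusts host $1,
# i.e. s_client reports "Verify return code: 0 (ok)" instead of code 21.
ldaps_trusted() {
  openssl s_client -connect "$1:636" -CAfile "$2" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}
```

The PERL_LWP_SSL_VERIFY_HOSTNAME=0 workaround mentioned in the thread turns off LWP's certificate verification entirely; getting the CA into the bundle so that ldaps_trusted succeeds fixes the root cause instead.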
