This is most probably a certificate issue. Can you please share the output of the following command:

$ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b ''

and also the output of the following command:

$ openssl x509 -in /path/to/your/active_directory_ca.pem -text -noout

Are you sure you added a proper CA cert to your system?

On Sun, Jul 16, 2017 at 1:04 AM, Todd Punderson <t...@doonga.org> wrote:
> Hi,
>
> I’ve been pulling my hair out over this one. Here’s the output of
> ovirt-engine-extension-aaa-ldap-setup. Everything works fine if I use
> “plain” but I don’t really want to do that. I searched the error that’s
> shown below and tried several different “fixes” but none of them helped.
> These are Server 2016 DCs. Not too sure where to go next.
>
> [ INFO  ] Stage: Initializing
> [ INFO  ] Stage: Environment setup
>           Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
>           Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log
>           Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
> [ INFO  ] Stage: Environment packages setup
> [ INFO  ] Stage: Programs detection
> [ INFO  ] Stage: Environment customization
>           Welcome to LDAP extension configuration program
>           Available LDAP implementations:
>            1 - 389ds
>            2 - 389ds RFC-2307 Schema
>            3 - Active Directory
>            4 - IBM Security Directory Server
>            5 - IBM Security Directory Server RFC-2307 Schema
>            6 - IPA
>            7 - Novell eDirectory RFC-2307 Schema
>            8 - OpenLDAP RFC-2307 Schema
>            9 - OpenLDAP Standard Schema
>           10 - Oracle Unified Directory RFC-2307 Schema
>           11 - RFC-2307 Schema (Generic)
>           12 - RHDS
>           13 - RHDS RFC-2307 Schema
>           14 - iPlanet
>           Please select: 3
>           Please enter Active Directory Forest name: home.doonga.org
> [ INFO  ] Resolving Global Catalog SRV record for home.doonga.org
> [ INFO  ] Resolving LDAP SRV record for home.doonga.org
>           NOTE:
>           It is highly recommended to use secure protocol to access the LDAP server.
>           Protocol startTLS is the standard recommended method to do so.
>           Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
>           Use plain for test environments only.
>           Please select protocol to use (startTLS, ldaps, plain) [startTLS]: ldaps
>           Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): System
> [ INFO  ] Resolving SRV record 'home.doonga.org'
> [ INFO  ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'
> [WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
> [ INFO  ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'
> [WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
> [ INFO  ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'
> [WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server"}
> [ ERROR ] Cannot connect using any of available options
>
> Also:
>
> 2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC2.home.doonga.org:389'
> 2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
> 2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
> Traceback (most recent call last):
>   File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
>     c.start_tls_s()
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
>     return self._ldap_call(self._l.start_tls_s)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
>     result = func(*args,**kwargs)
> CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
> 2017-07-15 18:18:06 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:463 Cannot connect using 'ldap://DC2.home.doonga.org:389': {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
> 2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://DC3.home.doonga.org:389'
> 2017-07-15 18:18:06 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
> 2017-07-15 18:18:06 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
> Traceback (most recent call last):
>   File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 443, in _connectLDAP
>     c.start_tls_s()
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in start_tls_s
>     return self._ldap_call(self._l.start_tls_s)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
>     result = func(*args,**kwargs)
> CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect error'}
>
> Any help would be appreciated!
>
> Thanks
>
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
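A shell helper that carries out the diagnosis the reply above asks for, added here as an example; it is not part of this thread, of oVirt or of ovirt-engine-extension-aaa-ldap. It pulls the certificate chain a DC presents on the LDAPS port, splits it into files, summarizes subject/issuer per depth, dumps the leaf's X509v3 extensions (the part of `openssl x509 -text -noout` relevant to a "Certificate extension not found" failure), verifies the leaf against the CA file that was handed to the setup tool, and re-runs the `ldapsearch -d 1` probe pinned to that same CA file. The embedded `openssl s_client -showcerts` output, the CA name `home-DC1-CA` and all paths are constructed placeholders, not data from the original post.

```shell
#!/bin/sh
# ldaps-chain-check.sh: added example, not oVirt code. Shows what a DC presents
# on 636 and whether the CA file given to the aaa-ldap setup actually signs it.
# Host names, file paths and the CA name below are placeholders.

# Constructed sample of `openssl s_client -showcerts` output for a two-cert
# chain. The base64 bodies are placeholders, not real certificates.
SAMPLE_SHOWCERTS='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = DC3.home.doonga.org
   i:DC = org, DC = doonga, DC = home, CN = home-DC1-CA
-----BEGIN CERTIFICATE-----
LEAFCERTBODYPLACEHOLDER
-----END CERTIFICATE-----
 1 s:DC = org, DC = doonga, DC = home, CN = home-DC1-CA
   i:DC = org, DC = doonga, DC = home, CN = home-DC1-CA
-----BEGIN CERTIFICATE-----
ISSUERCERTBODYPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=CN = DC3.home.doonga.org
issuer=DC = org, DC = doonga, DC = home, CN = home-DC1-CA
---'

# Grab the chain the server sends. SNI is set so a multi-name DC picks the
# right certificate; stdin is closed so s_client exits after the handshake.
fetch_chain() {
    openssl s_client -connect "$1:${2:-636}" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# stdin: s_client output. Prints "depth subject=... issuer=..." per chain entry.
# Depth 0 is the leaf. If the issuer of the last entry is not the CA in your
# PEM file, the server does not chain to the CA you trust.
chain_summary() {
    awk '/^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
         /^ *i:/       { sub(/^ *i:/, ""); print depth " subject=" subj " issuer=" $0 }'
}

# stdin: s_client output. Writes $1/chain-0.pem (leaf), chain-1.pem, ... and
# prints how many certificates were found.
split_chain() {
    mkdir -p "$1"
    awk -v dir="$1" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/chain-" n ".pem"; n++; inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/ { inblock = 0; close(f) }
        END { print n }'
}

# Subject, issuer, validity and the X509v3 extension block of one PEM cert.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
    openssl x509 -in "$1" -noout -text | sed -n '/X509v3 extensions:/,/Signature Algorithm:/p'
}

# Verify the leaf against the CA file alone; intermediates the server sent are
# passed as untrusted. This is the trust decision the LDAP client has to make.
verify_leaf() {
    ca=$1; dir=$2; untrusted=""
    for f in "$dir"/chain-[1-9]*.pem; do
        [ -e "$f" ] && untrusted="$untrusted -untrusted $f"
    done
    # shellcheck disable=SC2086  # word splitting of the -untrusted list is intended
    openssl verify -CAfile "$ca" $untrusted "$dir/chain-0.pem"
}

# The probe from the reply, pinned to the CA file under test through the
# OpenLDAP client's LDAPTLS_CACERT override, so the result does not depend on
# what happens to be in the system trust store. -d 1 output goes to stderr.
ldap_probe() {
    LDAPTLS_CACERT=$2 ldapsearch -d 1 -H "ldaps://$1" -x -s base -b ''
}

main() {
    host=$1; ca=$2; work=$(mktemp -d)
    fetch_chain "$host" > "$work/showcerts.txt"
    echo "== chain as presented by $host"
    chain_summary < "$work/showcerts.txt"
    n=$(split_chain "$work" < "$work/showcerts.txt")
    echo "== $n certificate(s) saved under $work; leaf:"
    show_cert "$work/chain-0.pem"
    echo "== CA file given to the setup tool:"
    show_cert "$ca"
    echo "== openssl verify against that CA:"
    verify_leaf "$ca" "$work"
    echo "== ldapsearch probe pinned to that CA:"
    ldap_probe "$host" "$ca"
}

# Usage: sh ldaps-chain-check.sh DC3.home.doonga.org /path/to/your/active_directory_ca.pem
[ $# -eq 0 ] || main "$@"
```

Read the output bottom-up: if `openssl verify` fails, the CA file is not the issuer of what the DC presents (a common case is a server or intermediate certificate saved as the "CA"); if it succeeds but `ldapsearch` still fails, compare the extension block of the leaf and the CA with what the LDAP client's TLS library expects.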