laguest wrote:
> I have tried this but get the following error....
>
> 008-04-21T21:24:38 ERROR event.LDAPDelegate 'module' object has no attribute 'OPT_X_TLS_CACERTFILE'
> Traceback (most recent call last):
>   File "/home/zenoss/Products/LDAPUserFolder/LDAPDelegate.py", line 337, in search
>     connection = self.connect(bind_dn=bind_dn, bind_pwd=bind_pwd)
>   File "/home/zenoss/Products/LDAPUserFolder/LDAPDelegate.py", line 206, in connect
>     ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "/home/zenoss/etc/ca.pem")
> AttributeError: 'module' object has no attribute 'OPT_X_TLS_CACERTFILE'
Are you using zenoss-stack? If so, it may be the same issues we ran into. I spent all day troubleshooting this. The bundled openssl and openldap versions with zenoss-stack had some issues. We're running 2.3.2.

We have an internal certificate authority (ca.pem) that signed our ldap server's certificate (server.pem). Firstly we installed the certificates into /usr/local/zenoss/common/openssl/certs. Copy the certs over in pem format and make sure they're owned by the zenoss user. Then get the hash for each:

> openssl x509 -noout -hash -in server.pem
> 5432ac1f
> openssl x509 -noout -hash -in ca.pem
> f1ec8241

Then symlink the hash output to the appropriate file; be sure to put a ".0" on the end of each:

> ln -s server.pem 5432ac1f.0
> ln -s ca.pem f1ec8241.0

There's more info on this process here: http://rt.openssl.org/Ticket/Display.html?id=977&user=guest&pass=guest

Then verify the server cert:

> openssl verify -CApath /usr/local/zenoss/common/openssl/certs /usr/local/zenoss/common/openssl/certs/server.pem
> /usr/local/zenoss/common/openssl/certs/server.pem: OK

If you don't want to set the CApath at the command line, you can put it in your env: export SSL_CERT_DIR="/usr/local/zenoss/common/openssl/certs". You can put that in your zenoss user's ~/.profile or in the /usr/local/zenoss/common/bin/openssl script.

> zen...@vm2:~> openssl verify /usr/local/zenoss/common/openssl/certs/server.pem
> /usr/local/zenoss/common/openssl/certs/server.pem: OK

You can also query the ldap server directly using s_client. Either there was a bug in s_client, or it doesn't support the CApath env variable... we had to specify it every time:

> openssl s_client -CApath /usr/local/zenoss/common/openssl/certs -showcerts -connect ldapserver:636

It should output "Verify return code: 0 (ok)". If it gave you

> Verify return code: 21 (unable to verify the first certificate)

then something is wrong and you'll need to troubleshoot.

Then we went on to the ldap configuration. We tested the ldap libraries using ldapsearch and found by using strace that it appears openldap was compiled to only look in /bitnami/zenossstack/output/common/etc/openldap/ldap.conf:

> open("/bitnami/zenossstack/output/common/etc/openldap/ldap.conf", O_RDONLY) = -1 ENOENT (No such file or directory)

That didn't exist, so we created the dir structure /bitnami/zenossstack/output and symlinked /usr/local/zenoss/common to the output dir:

> mkdir -p /bitnami/zenossstack/output
> chown zenoss.zenoss -R /bitnami
> ln -s /usr/local/zenoss/common /bitnami/zenossstack/output

We also edited the ldap.conf file as follows: vi /usr/local/zenoss/common/etc/openldap/ldap.conf

> TLS_CACERTDIR /usr/local/zenoss/common/openssl/certs/
> TLS_REQCERT never

Then ldapsearches would work:

> ldapsearch -x -v -H 'ldaps://ldapserver/' -b 'basedn' -D 'binddn' -W "uid=whomever"

Once you can verify that works, restart zope ("zopectl restart") and configure zenoss to use ldap. I hope that saves someone out there some time.

Read this topic online here: http://forums.zenoss.com/viewtopic.php?p=29916#29916

_______________________________________________
zenoss-users mailing list
[email protected]
http://lists.zenoss.org/mailman/listinfo/zenoss-users
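The hashed-symlink CApath setup and the `openssl verify` check described in the reply above, as an added shell example that is not part of the original thread: it computes the subject hash of every .pem in a directory, creates the hash.N symlinks (bumping the suffix on a hash collision, which is what OpenSSL expects), and verifies a server certificate against that directory. It assumes only the openssl binary on PATH; the directory and file names are the caller's choice.

```shell
#!/bin/sh
# Added example (not from the original post). Builds an OpenSSL CApath
# directory of hashed symlinks and verifies a server certificate against it.
set -eu

# link_hashed_certs DIR
#   For every *.pem in DIR, create a symlink <subject-hash>.N -> file.
#   OpenSSL looks up CAs by <hash>.0, <hash>.1, ... so colliding hashes
#   get the next free suffix; a file that is already linked is skipped,
#   which makes the function safe to re-run.
link_hashed_certs() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue            # no *.pem files at all
        hash=$(openssl x509 -noout -hash -in "$pem")
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            if [ "$(readlink "$dir/$hash.$n")" = "$(basename "$pem")" ]; then
                continue 2                   # this file is already linked
            fi
            n=$((n + 1))                     # collision: try the next suffix
        done
        ln -s "$(basename "$pem")" "$dir/$hash.$n"
    done
}

# verify_server_cert DIR CERT
#   Exit status 0 when CERT chains to a CA found in DIR, non-zero otherwise
#   (the equivalent of "openssl verify -CApath DIR CERT" printing ": OK").
verify_server_cert() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

With the server certificate verifying against this directory, ldap.conf can point TLS_CACERTDIR at it and keep TLS_REQCERT at its default of demand rather than never, so the LDAP client still checks the server certificate.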
