I have tried to add AD as a LDAP identity source in my VIO3 deployment and got an error when I selected SSL encryption (port 636).
When I switched the encryption to None everything works fine.
Initially I suspected that my AD had not enabled SSL for LDAP, but an LDAP browser could query my AD through port 636 without issue.
After drilling down into the ansible script, I found that whenever the script ran the task "write the LDAP certificate to keystone", no output appeared in the destination directory specified in the task. As a result the next task, "copy the LDAP certificates to keystone and ca-certificates", which tries to copy the output of the previous task, fails the deployment.
Does anyone have any idea about this issue?
Did I miss anything before setting up the LDAP identity source in VIO?
Thanks.
I'm in the same situation, did you resolve it?
No .. I have to use no encryption as a temporary workaround ..
I have tried to import a CA-signed certificate into VIO, but I got the same result.
I found this:
but I don't know how to do it
Hi,
The server certificates will be picked up when validating the input on the UI.
Could you grep the inventory directory and check what value ldap_certificate was set to when you enabled SSL?
Regards,
Zhongcheng
Hi,
Which "Inventory" directory are you referring to?
A directory on VIO Manager or controller? And the actual path?
Thanks.
Hi,
You must check your request for LDAP, that's the problem (unique name users: DC=....., DC=.........).
After that the problem will be resolved.
Hi,
I'm in the same situation. What do you mean by "check your request for LDAP"? Where exactly must I do that?
Thanks.
Hi, were you able to solve this issue?
I have the same problem. When I deploy with no encryption, it works fine. But using SSL over port 636, the deploy fails.
My ansible log says this:
"2017-03-30 13:28:34,204 p=10290 u=jarvis | failed: [10.7.206.31] => {"changed": true, "cmd": "for d in '/etc/keystone/ssl/certs' '/usr/local/share/ca-certificates'; do ls $d/vio_*.crt; done", "delta": "0:00:00.017267", "end": "2017-03-30 13:28:34.187163", "rc": 2, "start": "2017-03-30 13:28:34.169896", "warnings": []}
2017-03-30 13:28:34,204 p=10290 u=jarvis | stderr: ls: cannot access /etc/keystone/ssl/certs/vio_*.crt: No such file or directory
ls: cannot access /usr/local/share/ca-certificates/vio_*.crt: No such file or directory
2017-03-30 13:28:34,205 p=10290 u=jarvis | ...ignoring
2017-03-30 13:28:36,468 p=10290 u=jarvis | TASK: [keystone | copy the LDAP certificates to keystone and ca-certificates] ***
2017-03-30 13:28:36,698 p=10290 u=jarvis | failed: [10.7.206.30] => (item=/etc/keystone/ssl/certs) => {"changed": true, "cmd": "cp /tmp/certs/* \"/etc/keystone/ssl/certs\"", "delta": "0:00:00.016303", "end": "2017-03-30 13:28:36.685051", "item": "/etc/keystone/ssl/certs", "rc": 1, "start": "2017-03-30 13:28:36.668748", "warnings": []}
2017-03-30 13:28:36,699 p=10290 u=jarvis | stderr: cp: cannot stat ‘/tmp/certs/*’: No such file or directory
2017-03-30 13:28:36,706 p=10290 u=jarvis | failed: [10.7.206.31] => (item=/etc/keystone/ssl/certs) => {"changed": true, "cmd": "cp /tmp/certs/* \"/etc/keystone/ssl/certs\"", "delta": "0:00:00.017540", "end": "2017-03-30 13:28:36.691601", "item": "/etc/keystone/ssl/certs", "rc": 1, "start": "2017-03-30 13:28:36.674061", "warnings": []}
2017-03-30 13:28:36,707 p=10290 u=jarvis | stderr: cp: cannot stat ‘/tmp/certs/*’: No such file or directory
2017-03-30 13:28:36,855 p=10290 u=jarvis | failed: [10.7.206.30] => (item=/usr/local/share/ca-certificates) => {"changed": true, "cmd": "cp /tmp/certs/* \"/usr/local/share/ca-certificates\"", "delta": "0:00:00.016911", "end": "2017-03-30 13:28:36.840453", "item": "/usr/local/share/ca-certificates", "rc": 1, "start": "2017-03-30 13:28:36.823542", "warnings": []}
2017-03-30 13:28:36,855 p=10290 u=jarvis | stderr: cp: cannot stat ‘/tmp/certs/*’: No such file or directory"
Anybody?
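The log above shows the copy task failing because nothing ever landed in /tmp/certs, so no vio_*.crt files existed for the ls check or the cp. As an added example that is not part of this thread or of VIO's own playbooks, the shell snippet below does by hand what that step is expected to produce: it splits the chain printed by `openssl s_client -showcerts` into one PEM file per certificate and counts the resulting vio_*.crt files the way the logged check does. The host name ad01.example.com, the file name pattern vio_ldap_N.crt and the certificate bodies in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example, not VIO's code: split an s_client -showcerts transcript into
# per-certificate PEM files and count them like the check in the Ansible log.

# extract_pem_certs INPUT_FILE OUT_DIR
# Writes OUT_DIR/vio_ldap_1.crt, vio_ldap_2.crt, ... and prints how many were written.
extract_pem_certs() {
    in="$1"; out="$2"
    mkdir -p "$out"
    awk -v out="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = out "/vio_ldap_" n ".crt"; inblock = 1 }
        inblock                       { print > f }
        /-----END CERTIFICATE-----/   { inblock = 0; close(f) }
        END                           { print n + 0 }
    ' "$in"
}

# count_certs DIR: number of vio_*.crt files present (mirrors "ls $d/vio_*.crt")
count_certs() {
    ls "$1"/vio_*.crt 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample resembling `openssl s_client -connect ad01.example.com:636 -showcerts`
# output; the base64 bodies are placeholders, not real certificates.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
CONNECTED(00000003)
depth=1 DC = com, DC = example, CN = example-CA
 0 s:/CN=ad01.example.com
   i:/DC=com/DC=example/CN=example-CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderleafcertificatebody
-----END CERTIFICATE-----
 1 s:/DC=com/DC=example/CN=example-CA
   i:/DC=com/DC=example/CN=example-CA
-----BEGIN CERTIFICATE-----
MIIBplaceholdercacertificatebody
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ad01.example.com
EOF

# Live use (not executed here):
#   openssl s_client -connect ad01.example.com:636 -showcerts </dev/null > chain.txt
#   extract_pem_certs chain.txt /tmp/certs
#   openssl x509 -in /tmp/certs/vio_ldap_1.crt -noout -subject -issuer -enddate
```

If the live capture yields zero files, the AD side is not presenting a certificate on 636 at all and the VIO UI validation has nothing to pick up; if it yields files but the deployment still fails, the difference lies in what VIO stored in its inventory, which is the value Zhongcheng asked about earlier in the thread.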
Hi,
The problem is still there.
I am now using LDAP without SSL as a temporary workaround.
My Ansible log shows the same as yours, and I have tried to adjust my LDAP filter, but the problem persists.
Can anyone help?
Hi,
I had the same problem because I used a very complex filter.
The solution is: in the filter you write just the domain name, for example DC=Exemple,DC=com.
After that you update the default domain, create a new project, and add a user to the project and the default domain.
That's all.