topic Re: HPE Oneview openldap in HPE OneView

oneview openldap

ditidiapl — Fri, 15 Sep 2017 13:50:15 GMT

Hello,

I'm trying to configure openldap on oneview but when I insert the server certificate the system says that:

The certificate entered for server 192.168.252.155:389 does not appear to be a valid certificate.

I'm very confident that the certificate is valid... How to debug this error to find out why I'm receiving this message?

All my settings:

Model HPE OneView VM - VMware vSphere
Firmware Version 3.10.04-0299553
Date Jun 9, 2017

My openldap port is 389 and it uses TLS (Is oneview using TLS too?)

Thanks

Re: HPE Oneview openldap

Dennis Handly — Sun, 17 Sep 2017 01:38:19 GMT

Have you tried checking your cert on a cert checking website?

A message saying "not valid" isn't particularly helpful, more details would help.

Re: HPE Oneview openldap

ditidiapl — Mon, 18 Sep 2017 12:03:06 GMT

Hello Dennis

The certificate is self-signed

The certificate is OK because others services connect normaly to ldap using TLS.

My ldap-server works on port 389 using TLS, I don't know if Oneview supports TLS.

The only thing that oneview shows is:

The certificate entered for server 192.168.252.155:389 does not appear to be a valid certificate.
For assistance, contact your administrator.

My ldap certificate is bellow if you wanna test, and it looks ok:

> openssl x509 -in /tmp/ldap-consumer.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1376575537 (0x520ce031)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=UFFS
Validity
Not Before: Aug 15 14:05:37 2013 GMT
Not After : Aug 10 14:05:37 2033 GMT
Subject: O=UFFS, CN=srv-ldap-consumer-01.uffs.edu.br

....

Thanks..

Re: HPE Oneview openldap

ChrisLynch — Mon, 18 Sep 2017 18:38:27 GMT

Yes, OneView does support TLS in many places. I see your cert does have the "Server Authentication" extension set. I will look into this and report back.

Re: HPE Oneview openldap

Dennis Handly — Mon, 25 Sep 2017 03:27:14 GMT

>The certificate is self-signed

It's not self-signed. I.e. the Issuer and Subject don't match:

Issuer: CN=UFFS

Subject: O=UFFS, CN=srv-ldap-consumer-01.uffs.edu.br

You didn't post your CA so I can't verify it.

As Chris says you have these extensions:

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                0D:45:50:D0:C5:2D:99:9C:66:30:D0:3B:07:CE:60:4B:C0:82:EA:F4
            X509v3 Authority Key Identifier:
                keyid:87:2C:2A:27:D8:8B:0A:1F:41:BC:3D:D3:1C:08:66:82:86:99:09:57

Re: HPE Oneview openldap

ditidiapl — Fri, 29 Sep 2017 17:35:38 GMT

Hello

The first certificate that I have posted is not actually our main ldap server. But I have tested with our ldap main server and it gives the same error.

This is the certificate of our main ldap server

This certificate is used by various systems and they connect successfully to our ldap server using tls on the port 389

But it is not working with oneview:

The certificate entered for server 192.168.252.154:389 does not appear to be a valid certificate.

This certificate is valid:

# openssl verify cacert.pem

cacert.pem: CN = UFFS
error 18 at 0 depth lookup:self signed certificate
OK

How to find out more information why oneview is not accepting this certificate?

Thanks

Re: HPE Oneview openldap

ChrisLynch — Fri, 29 Sep 2017 20:18:50 GMT

So, why are you using 389 for secure LDAP? The proper port is 636.

Sent from my Windows 10 phone

Re: HPE Oneview openldap

ditidiapl — Mon, 02 Oct 2017 11:42:53 GMT

Our server is LDAPv3 and uses StartTLS on port 389.

More information: http://www.openldap.org/faq/data/cache/605.html

Re: HPE Oneview openldap

ChrisLynch — Mon, 02 Oct 2017 14:59:26 GMT

Yes, I am aware of that. The docs you linked to state:

It requires use of separate port, commonly 636.

So, trying to understand why you are using the unsecure port (389/tcp) for secure traffic.

Sent from my Windows 10 phone

Re: HPE Oneview openldap

ditidiapl — Tue, 03 Oct 2017 11:49:03 GMT

Using TLS the comunication is encrypted so it is Secure.

But the server allows comunication without TLS (that is insecure) because some information is not sensitive like consulting the user catalog by an e-mail client or who is calling by our telephone system.

Systems that consult sensitive information like autentication we configure them to use TLS...

Re: HPE Oneview openldap

ChrisLynch — Fri, 06 Oct 2017 12:47:47 GMT

Apologies for the late reply. StartTLS is not the same as Secure OpenLDAP, and unfortunately, HPE OneView does not support today.

Re: HPE Oneview openldap

Dennis Handly — Mon, 09 Oct 2017 03:13:40 GMT

> This is the certificate of our main ldap server

Yes, that's the CA for your other cert. openssl likes them.

But this seems odd: Public-Key: (2432 bit)

Hmm, I thought they only came in powers of two? I.e. 2048.

But I see google finds a few mentions.

Re: HPE Oneview openldap

ditidiapl — Mon, 09 Oct 2017 11:21:10 GMT

Thanks for you support

Since starttls is not currently supported by oneview we will create users manually in the server.

I hope someday oneview will be updated to recognize starttls because ldaps is deprecated

ldaps:// is deprecated in favor of Start TLS [RFC2830]. reference