09-15-2017 06:50 AM
oneview openldap
Hello,
I'm trying to configure openldap on oneview but when I insert the server certificate the system says that:
The certificate entered for server 192.168.252.155:389 does not appear to be a valid certificate.
I'm very confident that the certificate is valid... How to debug this error to find out why I'm receiving this message?
All my settings:
Model: HPE OneView VM - VMware vSphere
Firmware Version: 3.10.04-0299553
Date: Jun 9, 2017
My openldap port is 389 and it uses TLS (Is oneview using TLS too?)
Thanks
09-16-2017 06:38 PM
Re: HPE Oneview openldap
Have you tried checking your cert on a cert checking website?
A message saying "not valid" isn't particularly helpful, more details would help.
09-18-2017 05:03 AM
Re: HPE Oneview openldap
Hello Dennis
The certificate is self-signed.
The certificate is OK because other services connect normally to ldap using TLS.
My ldap-server works on port 389 using TLS, I don't know if Oneview supports TLS.
The only thing that oneview shows is:
The certificate entered for server 192.168.252.155:389 does not appear to be a valid certificate.
For assistance, contact your administrator.
My ldap certificate is below if you wanna test, and it looks ok:
> openssl x509 -in /tmp/ldap-consumer.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1376575537 (0x520ce031)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=UFFS
        Validity
            Not Before: Aug 15 14:05:37 2013 GMT
            Not After : Aug 10 14:05:37 2033 GMT
        Subject: O=UFFS, CN=srv-ldap-consumer-01.uffs.edu.br
....
Thanks..
09-18-2017 11:38 AM
Re: HPE Oneview openldap
Yes, OneView does support TLS in many places. I see your cert does have the "Server Authentication" extension set. I will look into this and report back.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
 
09-24-2017 08:27 PM
Re: HPE Oneview openldap
>The certificate is self-signed
It's not self-signed. I.e. the Issuer and Subject don't match:
Issuer: CN=UFFS
Subject: O=UFFS, CN=srv-ldap-consumer-01.uffs.edu.br
You didn't post your CA so I can't verify it.
As Chris says you have these extensions:
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                0D:45:50:D0:C5:2D:99:9C:66:30:D0:3B:07:CE:60:4B:C0:82:EA:F4
            X509v3 Authority Key Identifier:
                keyid:87:2C:2A:27:D8:8B:0A:1F:41:BC:3D:D3:1C:08:66:82:86:99:09:57
09-29-2017 10:35 AM
Re: HPE Oneview openldap
Hello
The first certificate that I have posted is not actually our main ldap server. But I have tested with our ldap main server and it gives the same error.
This is the certificate of our main ldap server
This certificate is used by various systems and they connect successfully to our ldap server using tls on the port 389
But it is not working with oneview:
The certificate entered for server 192.168.252.154:389 does not appear to be a valid certificate.
This certificate is valid:
# openssl verify cacert.pem
cacert.pem: CN = UFFS
error 18 at 0 depth lookup:self signed certificate
OK
How to find out more information why oneview is not accepting this certificate?
Thanks
09-29-2017 01:18 PM
Re: HPE Oneview openldap
Sent from my Windows 10 phone
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
 
10-02-2017 04:42 AM
Re: HPE Oneview openldap
Our server is LDAPv3 and uses StartTLS on port 389.
More information: http://www.openldap.org/faq/data/cache/605.html
10-02-2017 07:59 AM
Re: HPE Oneview openldap
It requires use of a separate port, commonly 636.
So, trying to understand why you are using the unsecure port (389/tcp) for secure traffic.
Sent from my Windows 10 phone
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
 
10-03-2017 04:44 AM - edited 10-03-2017 04:49 AM
Re: HPE Oneview openldap
Using TLS the communication is encrypted so it is secure.
But the server allows communication without TLS (that is insecure) because some information is not sensitive, like consulting the user catalog by an e-mail client or who is calling by our telephone system.
Systems that consult sensitive information, like authentication, we configure to use TLS...
10-06-2017 05:47 AM
Re: HPE Oneview openldap
Apologies for the late reply. StartTLS is not the same as Secure OpenLDAP, and unfortunately, HPE OneView does not support it today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
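The StartTLS-versus-ldaps difference discussed in this thread, shown at the byte level as an added example (not part of any poster's message and not HPE or OpenLDAP code): on port 389 the session opens as plaintext LDAP and the client requests TLS with an extended operation, whereas an ldaps listener expects a TLS record first. Function names and the sample replies are constructed for illustration.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

def tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value, short-form length only (enough for these messages)."""
    if len(value) > 127:
        raise ValueError("long-form BER length not handled in this sketch")
    return bytes([tag, len(value)]) + value

def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID (<128), ExtendedRequest [APPLICATION 23] { requestName [0] } }"""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); reject long-form or truncated input."""
    if pos + 2 > len(buf) or buf[pos + 1] > 127 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("truncated or unsupported BER")
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def parse_extended_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, body, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(body, 0)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:                          # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    _, code, pos = read_tlv(op, 0)           # resultCode (ENUMERATED)
    _, _matched_dn, pos = read_tlv(op, pos)  # matchedDN, unused here
    _, diag, _ = read_tlv(op, pos)           # diagnosticMessage
    return int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"), diag.decode()

def upgrade_allowed(reply: bytes, msg_id: int = 1) -> bool:
    """Fail closed: begin the TLS handshake only on success (0) for our own request."""
    try:
        got_id, code, _ = parse_extended_response(reply)
    except ValueError:
        return False
    return got_id == msg_id and code == 0

def first_bytes_kind(data: bytes) -> str:
    """What a listener sees first: a TLS record (ldaps style) or plaintext LDAP."""
    if data[:2] == b"\x16\x03":
        return "tls-handshake"
    return "ldap-plaintext" if data[:1] == b"\x30" else "unknown"

# Constructed sample replies, not captured from any real server.
OK_REPLY = bytes.fromhex("300c02010178070a010004000400")  # resultCode 0 (success)
# resultCode 2 (protocolError) with diagnosticMessage "no TLS"
REFUSED_REPLY = bytes.fromhex("3012020101780d0a0102040004066e6f20544c53")
```

A client that treats anything other than a successful reply as "do not proceed" never falls back to sending credentials over the unencrypted 389 session.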
 
10-08-2017 08:13 PM
Re: HPE Oneview openldap
> This is the certificate of our main ldap server
Yes, that's the CA for your other cert. openssl likes them.
But this seems odd: Public-Key: (2432 bit)
Hmm, I thought they only came in powers of two? I.e. 2048.
But I see google finds a few mentions.
10-09-2017 04:21 AM
Re: HPE Oneview openldap
Thanks for your support.
Since starttls is not currently supported by oneview we will create users manually in the server.
I hope someday oneview will be updated to recognize starttls because ldaps is deprecated:
ldaps:// is deprecated in favor of Start TLS [RFC2830]. reference
