Troubleshooting XtremIO LDAP

Revised SEP 24, 2015

Start
KB: XXXX

Environment
First make sure the user has the following information from the XtremIO LDAP configuration:
  - Bind DN/password
  - Search Base
  - Search Filter
  - User to DN rule
  - Server URLs
  - Active Directory User Group DN
(Example 1, Example 2 and Example 3 referenced below are screenshots that are not reproduced in this text.)

Step 1. Is the server using plain LDAP (not LDAPS)?
  No:  the XMS connects over LDAPS, so the server certificate must be trusted by the XMS; go to 2A.
       If the certificate is not correct, check with the AD admin.
  Yes: continue with step 2.

Step 2. Are the Server URLs using an IP address?
  No:  the server URL uses a hostname; make sure the DNS setting on the XMS server is correct so that the XMS can resolve that hostname.
  Yes: continue with step 3. For LDAPS, keep in mind that the name in the URL (IP address or hostname) must match a name carried by the server certificate, otherwise the TLS handshake is rejected (refer to Reference A3).

Step 3. Check with the AD admin about the User to DN rule (refer to Example 1).

Step 4. Is the customer using Windows AD as the LDAP server?
  No:  the customer is using OpenLDAP as the LDAP server; check the search filter for OpenLDAP (refer to Example 3).
  Yes: check the search filter for Windows AD (refer to Example 2).

Step 5. Launch the XMS GUI and check whether the LDAP login is successful.
  No:  go to 3A.
  Yes: END.

Page 1 of 4 Copyright EMC Corporation. All rights reserved.


2A

Step 1. Verify that the certificate file is valid to establish a connection (refer to Reference A1).
Step 2. Create a hash file for the cert (refer to Reference A2).
Step 3. Use ldapsearch to verify the LDAP server (refer to Reference A3).
END

Reference A1
On the XMS server or on the customer's test server, run the command below (10.32.106.38 is the LDAPS server and xio_test.pem the CA certificate file of this example):

# openssl s_client -connect 10.32.106.38:636 -showcerts -state -CAfile /etc/openldap/cacerts/xio_test.pem

The correct response looks like this (output abridged):

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
--------------------------------------------------------------
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1407545446
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
--------------------------------------------------------------

The line that matters is "Verify return code: 0 (ok)": any other code means the chain in the -CAfile does not validate the certificate the server presented, and the XMS will not be able to use that CA file either. -showcerts also prints the server certificate itself; the names in that certificate (Subject CN or subjectAltName DNS entries) are what the Server URL has to match in Reference A3.

Reference A2
Create the hash-named link that the OpenLDAP client expects in its CA certificate directory:

# cacertdir_rehash /etc/openldap/cacerts/

The directory listing afterwards shows the link next to the original file:

-rw-r--r-- 1 root root 3658 Aug  9 08:12 xio_test.pem
lrwxrwxrwx 1 root root   12 Aug  9 08:14 d714d83e.0 -> xio_test.pem

cacertdir_rehash is the script shipped with the RHEL/CentOS openldap packages; c_rehash, or openssl rehash on OpenSSL 1.1.0 and later, creates the same links on other systems. Without the hash link the client ignores the file, which is what the "skipping 'xio_test.pem' - filename does not have expected format" lines in Reference A3 show.


3A

Log in to a host that has an OpenLDAP client:
  - XtremIO TSEs: log in to the XMS with the root name and password.
  - XtremIO users: find a Linux host with the openldap client installed and log in there.

Verification step 1:
Use the login name and password to query whether this user exists in the search base.

  Is verification step 1 successful?
    No:  Are the login name and password correct?
           No:  check with the AD admin about the right login name and password.
           Yes: Does the user's full name (the DN produced by the User to DN rule) belong to the search base?
                  No:  check with the AD admin to confirm that the user is in the right search base.
                  Yes: continue with verification step 2.
    Yes: continue with verification step 2.

Verification step 2:
Use the bind name and password to query whether this user exists in the user group search base.

  Is verification step 2 successful?
    No:  Are the bind name and password correct?
           No:  check with the AD admin about the right bind name and password.
           Yes: continue with the group check below.
    Yes: Does the login user belong to the user group DN?
           No:  ask the AD admin to add the user to the user group DN.
           Yes: END.
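The two verification steps above, as an added example that is not part of the original KB. It simulates a small directory in memory instead of querying a real server, so it shows what the XMS does with the Search Base, Search Filter, User to DN rule and User Group DN, and which 3A branch each configuration error lands on. The configuration values, the directory entries and the %s placeholder in the User to DN rule and Search Filter are all assumptions (the real XMS placeholder should be checked in the GUI); the AD filter (&(objectClass=user)(sAMAccountName=%s)) is a common choice, not the KB's Example 2.

```python
"""Offline walk-through of the 3A verification steps (added example, not KB code).

Hypothetical: the User to DN rule and the Search Filter use %s as the
login-name placeholder; the directory below is constructed for the example.
"""

# Constructed XMS LDAP configuration (all values hypothetical).
CONFIG = {
    "bind_dn": "CN=xms-bind,OU=Service,DC=sh,DC=xtremio,DC=com",
    "bind_password": "bind-secret",
    "search_base": "OU=Users,DC=sh,DC=xtremio,DC=com",
    "search_filter": "(&(objectClass=user)(sAMAccountName=%s))",
    "user_to_dn_rule": "CN=%s,OU=Users,DC=sh,DC=xtremio,DC=com",
    "group_dn": "CN=XtremIO-Admins,OU=Groups,DC=sh,DC=xtremio,DC=com",
}

# Constructed directory: attribute names stored lower-case, values as lists.
DIRECTORY = [
    {"dn": "CN=xms-bind,OU=Service,DC=sh,DC=xtremio,DC=com",
     "objectclass": ["user"], "samaccountname": ["xms-bind"], "userpassword": ["bind-secret"]},
    {"dn": "CN=alice,OU=Users,DC=sh,DC=xtremio,DC=com",
     "objectclass": ["user"], "samaccountname": ["alice"], "userpassword": ["alice-pw"]},
    {"dn": "CN=bob,OU=Contractors,DC=sh,DC=xtremio,DC=com",   # outside the Search Base
     "objectclass": ["user"], "samaccountname": ["bob"], "userpassword": ["bob-pw"]},
    {"dn": "CN=carol,OU=Users,DC=sh,DC=xtremio,DC=com",       # not in the group
     "objectclass": ["user"], "samaccountname": ["carol"], "userpassword": ["carol-pw"]},
    {"dn": "CN=XtremIO-Admins,OU=Groups,DC=sh,DC=xtremio,DC=com",
     "objectclass": ["group"], "member": ["CN=alice,OU=Users,DC=sh,DC=xtremio,DC=com"]},
]

def norm_dn(dn):
    """Case-insensitive DN comparison form: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def find_entry(dn):
    return next((e for e in DIRECTORY if norm_dn(e["dn"]) == norm_dn(dn)), None)

def bind(dn, password):
    """Simple bind: the DN must exist and the password must match."""
    entry = find_entry(dn)
    return entry is not None and password in entry.get("userpassword", [])

def parse_filter(s, i=0):
    """Minimal RFC 4515 parser: (&...), (|...) and (attr=value); value '*' = presence."""
    i += 1                                   # skip "("
    if s[i] in "&|":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        return (op, subs), i + 1             # skip ")"
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value.lower()), j + 1

def match(entry, node):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(match(entry, sub) for sub in node[1])
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if node[2] == "*" else node[2] in values

def search(base, flt):
    """Subtree search: entries at or below base that satisfy the filter ("" = whole tree)."""
    node, _ = parse_filter(flt)
    base_n = norm_dn(base)
    return [e for e in DIRECTORY
            if (base_n == "" or norm_dn(e["dn"]) == base_n
                or norm_dn(e["dn"]).endswith("," + base_n))
            and match(e, node)]

def xms_login(login, password, cfg):
    """Return 'ok' or a code naming the 3A branch the failure lands on."""
    user_dn = cfg["user_to_dn_rule"] % login
    flt = cfg["search_filter"] % login
    # Verification step 1: the user's own credentials, searched in the Search Base.
    if not bind(user_dn, password):
        if search("", flt) and find_entry(user_dn) is None:
            return "step1_user_outside_search_base"   # DN rule points at the wrong place
        return "step1_bad_credentials"
    hits = search(cfg["search_base"], flt)
    if not hits:
        return "step1_filter_no_match"                # wrong Search Filter
    # Verification step 2: the Bind DN reads the group and checks membership.
    if not bind(cfg["bind_dn"], cfg["bind_password"]):
        return "step2_bad_bind_credentials"
    group = find_entry(cfg["group_dn"])
    if group is None:
        return "step2_group_dn_not_found"
    members = {norm_dn(m) for m in group.get("member", [])}
    if norm_dn(hits[0]["dn"]) not in members:
        return "step2_not_in_group"                   # ask the AD admin to add the user
    return "ok"

if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw")]:
        print(user, "->", xms_login(user, pw, CONFIG))
```

Against a real server the same two steps are two ldapsearch runs: the first with -D set to the DN the User to DN rule produces and -b set to the Search Base, the second with -D set to the Bind DN and -b set to the User Group DN; the return code of each maps onto the branches above.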


Reference A3
Run ldapsearch with debugging (-d 1) against the configured Server URL:

# ldapsearch -x -d 1 -v -H ldaps://xioldapserver.sh.xtremio.com
ldap_url_parse_ext(ldaps://xioldapserver.sh.xtremio.com)
ldap_initialize( ldaps://xioldapserver.sh.xtremio.com:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://xioldapserver.sh.xtremio.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xioldapserver.sh.xtremio.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.32.106.38:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: loaded CA certificate file /etc/openldap/cacerts/xio_host.pem.
TLS: skipping 'cert_root.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'xio_test.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'xio_host.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: loaded CA certificate file /etc/openldap/cacerts/d714d83e.0 from CA certificate directory /etc/openldap/cacerts.
TLS: certificate [CN=xioldapserver,DC=sh,DC=xtremio,DC=com] is valid
TLS certificate verification: subject: CN=xioldapserver,DC=sh,DC=xtremio,DC=com, issuer: CN=ldapserver,DC=sh,DC=xtremio,DC=com, cipher: RC4, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x1e96890 msgid 1
wait4msg ld 0x1e96890 msgid 1 (infinite timeout)
wait4msg continue ld 0x1e96890 msgid 1 all 1
** ld 0x1e96890 Connections:
* host: xioldapserver.sh.xtremio.com port: 636 (default)
  refcnt: 2  status: Connected
  last used: Sun Aug 10 04:14:34 2014

Note that the hostname is used here instead of the IP address. With the IP address the connection fails, because the name in the URL does not match the name in the certificate:

[root@XIOtest ~]# ldapsearch -x -d 1 -v -H ldaps://10.32.106.38
TLS: hostname (10.32.106.38) does not match common name in certificate (xioldapserver).
TLS: can't connect: TLS: hostname does not match CN in peer certificate.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

This is how we find out that the server name configured in the XMS is incorrect. Next, read the names out of the certificate:

# openssl x509 -in /etc/openldap/cacerts/d714d83e.0 -noout -text | grep -E "Subject:|DNS"
Subject: DC=test
DNS:xioldapserver.sh.xtremio.com

The hostname can be found either in the Subject (CN) or in a DNS entry of the subjectAltName extension; in this case it is the DNS entry, so the hostname is xioldapserver.sh.xtremio.com. Make sure the DNS setting in the XMS is correct and that it can resolve the hostname of the LDAPS server. When the command line succeeds, modify the GUI setting to use that hostname and try again.

Two details in the debug output are worth knowing. The "TLS: cannot open certdb ... error -8018" line does not stop the connection here: the NSS-backed client falls back to the PEM files in the cacerts directory, but it only picks them up under their hash names (xio_test.pem is skipped, d714d83e.0 is loaded), which is why Reference A2 creates that link. The "cipher: RC4" in this 2014 capture is no longer negotiable: RC4 is prohibited for TLS by RFC 7465, so against a current client a server that still offers only RC4 fails at the handshake, before the name check is even reached.
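The name check that fails in the second ldapsearch above, as an added example that is not code from the original KB. It parses the identities out of `openssl x509 -noout -text` output (Subject CN and subjectAltName entries) and applies the rules an LDAP client uses: when the certificate carries DNS SAN entries the CN is not consulted, and an IP literal in the URL only matches an iPAddress SAN entry. The certificate text is constructed; the CN and DNS name follow the KB's example, while the wildcard entry and the IP entry are assumptions added to show those two rules.

```python
"""Offline check of the TLS name-matching step behind the Reference A3 error.

Added example, not KB code. The certificate text is a constructed, abridged
`openssl x509 -noout -text` output; the wildcard and IP SAN entries are
assumptions, the other names follow the KB.
"""
import ipaddress
import re
from urllib.parse import urlsplit

SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Issuer: CN=ldapserver, DC=sh, DC=xtremio, DC=com
        Subject: CN=xioldapserver, DC=sh, DC=xtremio, DC=com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:xioldapserver.sh.xtremio.com, DNS:*.lab.xtremio.com, IP Address:10.32.106.39
"""


def parse_identities(cert_text):
    """Return (cn, dns_names, ip_addresses) found in openssl x509 -text output."""
    cn = None
    subject = re.search(r"^\s*Subject:\s*(.+)$", cert_text, re.M)
    if subject:
        for rdn in re.split(r",\s*", subject.group(1)):
            key, _, value = rdn.partition("=")
            if key.strip().upper() == "CN":
                cn = value.strip().lower()
    dns_names, ip_addresses = [], []
    san = re.search(r"Subject Alternative Name:\s*\n\s*(.+)$", cert_text, re.M)
    if san:
        for item in re.split(r",\s*", san.group(1)):
            kind, _, value = item.partition(":")
            if kind == "DNS":
                dns_names.append(value.strip().lower())
            elif kind == "IP Address":
                ip_addresses.append(ipaddress.ip_address(value.strip()))
    return cn, dns_names, ip_addresses


def dns_matches(pattern, host):
    """Exact match, or a wildcard that replaces exactly the leftmost label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def check_server_url(url, cert_text):
    """Return (ok, reason) for the host part of an XMS Server URL."""
    host = urlsplit(url).hostname
    if not host:
        return False, "no host in URL"
    host = host.lower()
    cn, dns_names, ip_addresses = parse_identities(cert_text)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip in ip_addresses:
            return True, "IP literal matches an iPAddress SAN entry"
        return False, (f"hostname ({host}) does not match the certificate; it carries "
                       f"DNS names {dns_names} and CN {cn!r}: use one of those names")
    if dns_names:                      # SAN present: the CN is not consulted
        if any(dns_matches(p, host) for p in dns_names):
            return True, f"{host} matches a DNS SAN entry"
        return False, f"hostname ({host}) does not match any DNS SAN entry {dns_names}"
    if cn and dns_matches(cn, host):   # legacy: CN only when there is no SAN
        return True, f"{host} matches the Subject CN"
    return False, f"hostname ({host}) does not match CN {cn!r}"


if __name__ == "__main__":
    for url in ("ldaps://xioldapserver.sh.xtremio.com", "ldaps://10.32.106.38:636",
                "ldaps://xioldapserver"):
        print(url, "->", check_server_url(url, SAMPLE_CERT_TEXT))
```

In practice the text fed to check_server_url is the server certificate as printed by `openssl s_client -showcerts` (Reference A1) and decoded with `openssl x509 -noout -text`; checking it against every entry in the Server URLs field before touching the GUI avoids the trial-and-error round of the flowchart.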
