Start
KB: XXXX
Environment - First make sure the user has the following XtremIO LDAP information:
- Bind DN/password
- Search Base
- Search Filter
- User to DN rule
- Server URLs
- Active Directory User Group DN
Step 1. Is the customer using Windows AD as the LDAP server?
- No: the customer is using OpenLDAP as the LDAP server; check the search filter for OpenLDAP (Refer to: Example 3). END.
- Yes: continue to 2A.
2A. Verify that the certificate file is valid for establishing the connection (Refer to: Reference A1).

Reference A1: On the XMS server or the customer's test server, run the command below:
  # openssl s_client -connect 10.32.106.38:636 -showcerts -state -CAfile /etc/openldap/cacerts/xio_test.pem

Reference A2:
  # cacertdir_rehash /etc/openldap/cacerts/
3A. Verification step 1:
  Is verification step 1 successful?
  - No: Are the login name and password correct?
      - No: check with the AD admin about the right login name and password.
  - Yes: go to verification step 2.

Verification step 2: use the bind name and password to query whether this user exists in the user group search base.
  Is verification step 2 successful?
  - No: Are the bind name and password correct?
      - No: check with the AD admin about the right bind name and password.
      - Yes: Does the user's full name in the user to DN rule belong to the search base?
          - No: check with the AD admin to confirm that the user is in the right search base.
Reference A3

Successful query using the server's hostname:

  # ldapsearch -x -d 1 -v -H ldaps://xioldapserver.sh.xtremio.com
  ldap_url_parse_ext(ldaps://xioldapserver.sh.xtremio.com)
  ldap_initialize( ldaps://xioldapserver.sh.xtremio.com:636/??base )
  ldap_create
  ldap_url_parse_ext(ldaps://xioldapserver.sh.xtremio.com:636/??base)
  ldap_sasl_bind
  ldap_send_initial_request
  ldap_new_connection 1 1 0
  ldap_int_open_connection
  ldap_connect_to_host: TCP xioldapserver.sh.xtremio.com:636
  ldap_new_socket: 3
  ldap_prepare_socket: 3
  ldap_connect_to_host: Trying 10.32.106.38:636
  ldap_pvt_connect: fd: 3 tm: -1 async: 0
  TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
  TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
  TLS: loaded CA certificate file /etc/openldap/cacerts/xio_host.pem.
  TLS: skipping 'cert_root.pem' - filename does not have expected format (certificate hash with numeric suffix)
  TLS: skipping 'xio_test.pem' - filename does not have expected format (certificate hash with numeric suffix)
  TLS: skipping 'xio_host.pem' - filename does not have expected format (certificate hash with numeric suffix)
  TLS: loaded CA certificate file /etc/openldap/cacerts/d714d83e.0 from CA certificate directory /etc/openldap/cacerts.
  TLS: certificate [CN=xioldapserver,DC=sh,DC=xtremio,DC=com] is valid
  TLS certificate verification: subject: CN=xioldapserver,DC=sh,DC=xtremio,DC=com, issuer: CN=ldapserver,DC=sh,DC=xtremio,DC=com, cipher: RC4, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
  ldap_open_defconn: successful
  ldap_send_server_request
  ber_scanf fmt ({it) ber:
  ber_scanf fmt ({i) ber:
  ber_flush2: 14 bytes to sd 3
  ldap_result ld 0x1e96890 msgid 1
  wait4msg ld 0x1e96890 msgid 1 (infinite timeout)
  wait4msg continue ld 0x1e96890 msgid 1 all 1
  ** ld 0x1e96890 Connections:
  * host: xioldapserver.sh.xtremio.com port: 636 (default)
  refcnt: 2 status: Connected
  last used: Sun Aug 10 04:14:34 2014

You will notice that we use the hostname in this case instead of the IP address. This is because, with the IP address, the common name in the certificate does not match:

  [root@XIOtest ~]# ldapsearch -x -d 1 -v -H ldaps://10.32.106.38
  TLS: hostname (10.32.106.38) does not match common name in certificate (xioldapserver).
  TLS: can't connect: TLS: hostname does not match CN in peer certificate.
  ldap_err2string
  ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

In this way we can find that the configured server name is incorrect. Then read the name from the certificate:

  # openssl x509 -in /etc/openldap/cacerts/d714d83e.0 -noout -text | grep -E "Subject:|DNS"
  Subject: DC=test
  DNS:xioldapserver.sh.xtremio.com

We can find the hostname in either the Subject or the DNS (subjectAltName) entry; in this case it uses DNS, so the hostname is xioldapserver.sh.xtremio.com. Please make sure the DNS setting in XMS is correct and that it can resolve the hostname of the LDAPS server. When the command line succeeds, modify the GUI setting and try again.