12-02-2015 08:17 AM - edited 12-02-2015 08:18 AM
I am having some cert management issues specifically relating to command line (SSH) use. I have a couple of different requirements, but the main requirement right now is to use Active Directory for authentication and authorization and I think my issue right now has to do with the fact that I am having issues installing the LDAP CA Cert.
First a little about my environment. I have a mixed mode AD 2008R2/2012R2 environment. My main domain controllers are Windows 2012 R2 based and are currently where my aaacfg setup points. I have a primary and a subordinate MSCA and therefore I have a certificate chain that is necessary for my environment. I have a premade *.pem file that I have used elsewhere in my environment that contains the intermediate and the primary CA servers' certificates.
I have tried several times to import the ldapcacert but to no avail.
Brocade300E:admin> seccertutil import -ldapcacert -certname cachain.pem -protocol SCP -ipaddr 192.168.1.13 -remotedir /cert -login scpuser
email@example.com's password:
error: Certificate import failed. Please check the certificate location and user credentials.
ATL0FSW01:admin> seccertutil show -ldapcacert
List of ldap ca certificate files:
cachain.pem
Brocade300E:admin>
If I login with the root account and navigate to /etc/fabos/certs/ldap and do an LS I see the cachain.pem file. If I run a CAT on the cachain.pem, the pem file looks fine.
Any ideas on why I am getting the "Certificate import failed. Please check the certificate location and user credentials." message? I believe this is also preventing me from properly configuring my LDAP AAA.
12-04-2015 06:06 AM
I just wanted to touch base on this and inform people that I figured out the first issue. So basically the installation issue is related to some sort of incompatibility with SCP, or at least with the SCP server I was using. I was using the Solarwinds SCP/SFTP server software from my Windows 7 workstation. I was using exclusively the SCP protocol using SSH2. Upon Brocade's recommendation, I tried an FTP server, and once I started using an FTP server everything started installing correctly.
This moves me on to my second problem. I am trying to authenticate against a Server 2012 based Active Directory system and I am still having issues. For most systems that I have in my environment that require authentication against AD, I typically just have to install my environment's subordinate and root CA certificate chain in a PEM file. Once the certificate chain is installed, the system that is attempting to authenticate against the LDAP directory can do so. I believe that upon installation of the certificate chain, it then enables the system attempting to authenticate to use TLS over port 389.
Has anyone else attempted to gain access to authenticate with a Server 2012 based AD Domain Controller? If so, were you required to use an LDAP CA cert? In your CA cert, did you include the certificate to just the AD server or did you use a separate stand-alone CA? Does your CA have a CA chain?
Any input would be appreciated.
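An added example, not part of this thread and not Brocade code: a small POSIX shell helper for checking the things the post above is asking about before a bundle is handed to a device. It lists what is in a PEM CA bundle, verifies a server certificate against that bundle the way a TLS client would (a bundle holding only the root fails for a certificate issued by the subordinate CA, which is the "does your CA have a chain?" question), and does a live STARTTLS (389) and LDAPS (636) handshake against a domain controller. The file names, the host name dc01.example.test and the function names are assumptions; openssl 1.1.1 or newer is assumed for the `-starttls ldap` option.

```shell
#!/bin/sh
# Added example, not code from the thread or from Brocade FOS.
# Helpers for checking an LDAP CA bundle before installing it on a device.
# Assumes a POSIX sh and an openssl binary (1.1.1+ for '-starttls ldap').

# List subject and issuer of every certificate in a PEM bundle, in file order,
# so you can see that the subordinate CA is issued by the root and that
# nothing is missing. crl2pkcs7 wraps the bundle so pkcs7 can dump it.
chain_summary() {
    bundle=$1
    openssl crl2pkcs7 -nocrl -certfile "$bundle" |
        openssl pkcs7 -print_certs -noout
}

# Verify a server certificate against the bundle exactly as a TLS client
# would: returns 0 when a path to a trusted root exists, non-zero otherwise.
verify_against_bundle() {
    bundle=$1
    server_cert=$2
    openssl verify -CAfile "$bundle" "$server_cert" >/dev/null 2>&1
}

# Live check of a domain controller: STARTTLS on 389 and LDAPS on 636.
# Prints the "Verify return code" line for each, which says whether the DC's
# certificate chains to the bundle. Hypothetical usage:
#   ldap_tls_check dc01.example.test cachain.pem
ldap_tls_check() {
    dc=$1
    bundle=$2
    printf 'STARTTLS 389: '
    openssl s_client -connect "$dc:389" -starttls ldap -servername "$dc" \
        -CAfile "$bundle" </dev/null 2>/dev/null |
        grep 'Verify return code' || echo 'no TLS handshake'
    printf 'LDAPS 636:    '
    openssl s_client -connect "$dc:636" -servername "$dc" \
        -CAfile "$bundle" </dev/null 2>/dev/null |
        grep 'Verify return code' || echo 'no TLS handshake'
}

# Stand-alone use: sh ldapcacheck.sh cachain.pem [server.pem]
if [ $# -ge 1 ]; then
    chain_summary "$1"
    if [ $# -ge 2 ]; then
        if verify_against_bundle "$1" "$2"; then
            echo "OK: $2 chains to a root in $1"
        else
            echo "FAIL: $2 does not chain to a root in $1"
        fi
    fi
fi
```

To reproduce the situation in the thread offline, generate a test root, a subordinate CA and a server certificate signed by the subordinate, concatenate subordinate and root into the bundle, and compare the verify result against a bundle that holds the root alone; the STARTTLS and LDAPS check is the one to run against the real domain controller from a host on the same network as the switch.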
12-07-2015 06:00 AM
Just keeping this post up to date. I got tired of trying to troubleshoot things against my production environment, so I brought one of my 300Es into my development environment and attempted to hook it up to my AD 2012 R2 native infrastructure. I imported the LDAP CA Cert (the chain cert containing my intermediate and root MS CAs) and attempted to authenticate again. Authentication fails with the following messages:
TLS channel failed
Connect error
pam_sm_authenticate(1001): Return value ldw_validate_user = -2
pam_sm_authenticate(1065): Server not reachable
pam_sm_authenticate(1086): authentication failed
I then recalled that Brocade support mentioned that they did not think that LDAP CA Certs were necessary for the connection. I removed the cert (which by the way is not easy to do based on the command help).
pam_sm_authenticate(1001): Return value ldw_validate_user = 0
pam_sm_authenticate(1050): Role=admin
pam_sm_authenticate(1051): Ad List=
role_to_user(337): VF_Enabled:0
role_to_user(338): User: firstname.lastname@example.org Role: admin
role_to_user(369): check role admin returns 0
pam_sm_authenticate(1086): authentication succeeded
Authentication worked successfully! It is important to note that I passed "testuser" and not "email@example.com" upon login. Now that I had a successful example, I went ahead and repeated the same setup in production. Unfortunately I am still getting errors. I now have to compare my production environment to my dev environment and try to figure out what's different.