
LDAP: error code 32 - 0000208D: NameErr: DSID-0310020E, problem 2001 (NO_OBJECT)


Article ID: 321743


Updated On: 11-01-2024

Products

VMware Integrated OpenStack

Issue/Introduction

  • End-users cannot log in to the OpenStack dashboard using AD accounts after changing certificates on the LDAPS servers
  • You see an LDAP error in valid-keystone.log:

Jul 28 15:43:12 vioad.eng.vmware.com valid-keystone[539]: vioad.eng.vmware.com to ldaps://vioad.eng.vmware.com:636.
15:43:11.472 [main] WARN  com.vmware.openstack.validation.IdentityProviderValidator - Unable to fetch AD root certificates. Deployment will use server certificates as trust list.
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020E, problem 2001 (NO_OBJECT)

Environment

7.x

Resolution

  1. Connect to your LDAP server on the secure port from the VIO manager using netcat:

nc <ldap server> 636 -v -w 60

Note: By default the secure port is 636

  2. Connect to your directory server with the ldapsearch tool:

Get the LDAP server certificate chain (the server certificate first, followed by any intermediates and, if the server sends it, the root):
echo -n | openssl s_client -connect vioad.eng.vmware.com:636 -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/test-cert.crt

Export these variables so that ldapsearch trusts the fetched certificates (LDAPTLS_CACERT is the trust-store file ldapsearch verifies the server against):
export LDAPTLS_REQCERT=ALLOW
export LDAPTLS_CACERT=/tmp/test-cert.crt

Check that it returns results matching the search criteria you specify; the variables hold the url, user, password, user_tree_dn and user_filter values from the domain's ldap configuration:
ldapsearch -o nettimeout=5 -x -w ${ldap_pwd} -D ${ldap_user} -H ${url} -b ${user_tree_dn} ${user_filter}

  3. Open the /tmp/test-cert.crt file from above and find the root certificate in the list of certificates.

Note: To decode a certificate you can use online SSL checker websites or the openssl utility. openssl x509 reads only the first certificate in a file, so copy each certificate from /tmp/test-cert.crt into its own file (ldap_1.crt below) before decoding it; the root certificate is the one whose Subject and Issuer are identical:

openssl x509 -text -noout -in ldap_1.crt | grep -E "Subject:|Issuer:|Not After"
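The following script is an added example and is not part of this article or of the VIO product: it automates steps 2 and 3 by splitting the chain that `openssl s_client -showcerts` saved into one file per certificate, printing each certificate's subject, issuer and expiry, flagging the self-signed root, and then checking that this root alone validates the server certificate before it is pasted into ldap_cert. The bundle path /tmp/test-cert.crt, the output directory /tmp/chain and the function names are assumptions for illustration; it needs openssl (and ldapsearch for the optional last check) on the VIO manager.

```shell
#!/bin/sh
# Added example, not part of KB 321743: inspect the certificate chain saved by
# the "openssl s_client ... -showcerts" step, find the root certificate the
# keystone CR needs, and prove that root validates the LDAPS server
# certificate before it is pasted into ldap_cert.
# Assumptions: openssl and ldapsearch are installed; the bundle path
# (/tmp/test-cert.crt) and output directory (/tmp/chain) are illustrative.

# Split a PEM bundle ($1) into $2/cert-1.pem, $2/cert-2.pem, ... in the order
# the server sent them (the server certificate comes first) and print the count.
pem_split() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    rm -f "$outdir"/cert-*.pem
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
    ' "$bundle"
    ls "$outdir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Print one x509 field of a certificate file: $1 = file, $2 = subject|issuer|enddate.
# The "subject=" / "issuer=" / "notAfter=" prefix is stripped so that the
# openssl 1.0 and 1.1+ output formats compare equally.
x509_field() {
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[A-Za-z]*= *//'
}

# Describe every certificate in $1 and tag the self-signed one (subject equals
# issuer), which is the root that belongs in ldap_cert.
describe_certs() {
    for f in "$1"/cert-*.pem; do
        subj=$(x509_field "$f" subject)
        iss=$(x509_field "$f" issuer)
        if [ "$subj" = "$iss" ]; then kind="ROOT (self-signed)"; else kind="server or intermediate"; fi
        printf '%s\n  subject: %s\n  issuer:  %s\n  expires: %s\n  kind:    %s\n' \
            "$f" "$subj" "$iss" "$(x509_field "$f" enddate)" "$kind"
    done
}

# Print the path of the self-signed certificate in $1; fail if the server did
# not send its root, in which case obtain it from the CA that issued the
# server certificate instead of guessing.
find_root() {
    for f in "$1"/cert-*.pem; do
        if [ "$(x509_field "$f" subject)" = "$(x509_field "$f" issuer)" ]; then
            echo "$f"; return 0
        fi
    done
    return 1
}

# Validate the server certificate ($1/cert-1.pem) against the candidate root
# ($2) only, using the rest of the bundle as untrusted intermediates. This is
# essentially the check keystone's ldap driver performs with ldap_cert as its
# trust list, so a failure here predicts the login failure from the article.
verify_chain() {
    cat "$1"/cert-*.pem > "$1/untrusted.pem"
    openssl verify -CAfile "$2" -untrusted "$1/untrusted.pem" "$1/cert-1.pem"
}

# Optional: repeat the article's ldapsearch with strict verification and the
# candidate root as the only trust anchor. $1 root file, $2 url, $3 bind DN,
# $4 password, $5 base DN, $6 filter (the domain's ldap configuration values).
ldap_check_with_root() {
    LDAPTLS_REQCERT=demand LDAPTLS_CACERT="$1" \
        ldapsearch -o nettimeout=5 -x -H "$2" -D "$3" -w "$4" -b "$5" "$6"
}

# Usage: sh chaincheck.sh /tmp/test-cert.crt [/tmp/chain]
if [ -n "$1" ]; then
    dir="${2:-/tmp/chain}"
    echo "$(pem_split "$1" "$dir") certificate(s) found in $1"
    describe_certs "$dir"
    if root=$(find_root "$dir"); then
        verify_chain "$dir" "$root"
    else
        echo "no self-signed certificate in the bundle; obtain the root from the issuing CA"
    fi
fi
```

Run it against the bundle from step 2; `verify_chain` printing `cert-1.pem: OK` means the tagged root is the one to paste into the CR in step 4. If no certificate in the bundle is self-signed, the AD server is not sending its root, and the root has to be obtained from the issuing CA rather than taken from the bundle.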

  4. Update the keystone CR by adding the root certificate to the ldap_cert section:

viocli update keystone keystone1
conf:
  keystone:
    identity:
      domain_config_dir: /etc/keystonedomains
      domain_specific_drivers_enabled: "True"
  ks_domains:
    testad2:
      identity:
        driver: ldap
      ldap:
        chase_referrals: false
...
ldap_cert:
- |-
  -----BEGIN CERTIFICATE-----
  ################################################################
  ################################################################
  #####################################################=
  -----END CERTIFICATE-----
- |-
  -----BEGIN CERTIFICATE-----
  /* Insert your root certificate here */
  -----END CERTIFICATE-----

Note: After the file is saved, the keystone pods are terminated and recreated. Wait until this completes.

  5. Check that keystone works as expected with the LDAP setup using the OpenStack CLI:

openstack user list --domain <ldap_keystone_domain>

Additional Information