Hi, I just upgraded my HE to 4.4.2 but now I cannot login using my ldap aaa profile anymore.
We are using Novell/NetIQ E-directory (load ballanced by haproxy, probably not important...) In 4.4.1 I was hit by removed TLSv1 (which is the newest protocol supported by our edir) from default crypto policies but I was able revert it by update-crypto-policies --set LEGACY after upgrade to 4.4.2 the error is server_error: An error occurred while attempting to connect to server ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap1.slu.cz/193.84.206.212:389: SocketException(Network is unreachable (connect failed)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb')) but our ldap server is reachable from ovirt, I tested it via (also ldaps and startls variants are working) ldapsearch -H ldap://ldap1.slu.cz -x -D cn=*****,ou=******,o=su -w '************' -b 'o=su' As a workaround I tried to set plain ldap protocol in profile cat /etc/ovirt-engine/aaa/CRO.properties include = <rfc2307-edir.properties> vars.server = ldap1.slu.cz vars.port = 389 vars.user = cn=*****,ou=******,o=su vars.password = ************** pool.default.serverset.single.server = ${global:vars.server} pool.default.serverset.single.port = ${global:vars.port} pool.default.auth.simple.bindDN = ${global:vars.user} pool.default.auth.simple.password = ${global:vars.password} pool.default.ssl.startTLS = false pool.default.ssl.enable = false #pool.default.ssl.protocol = TLSv1 #pool.default.ssl.startTLSProtocol = TLSv1 #pool.default.ssl.insecure = true sequence-init.init.100-my-edir-init-vars = my-edir-init-vars sequence.my-edir-init-vars.010.description = set baseDN sequence.my-edir-init-vars.010.type = var-set sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN sequence.my-edir-init-vars.010.var-set.value = o=su #search.default.search-request.derefPolicy = ALWAYS but the error is the same... ovirt-engine-extensions-tool aaa login-user --profile=CRO --user-name=my_user .... WARNING: [ovirt-engine-extension-aaa-ldap.authn::SU-LDAP-authentication] TLS/SSL insecure mode ... WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap1.slu.cz/193.84.206.212:389: SocketException(Network is unreachable (connect failed)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb')) ... INFO: API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='CRO' user='my_user' Password: ... WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap1.slu.cz/193.84.206.212:389: SocketException(Network is unreachable (connect failed)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb')) Oct 01, 2020 10:57:37 AM org.ovirt.engine.exttool.core.ExtensionsToolExecutor main SEVERE: An error occurred while attempting to connect to server ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap1.slu.cz/193.84.206.212:389: SocketException(Network is unreachable (connect failed)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb')) debug with tcpdump reveals only that connection is made and there are only "bindRequest" and "bindResponse success" messages visible (with correct tcp handshake and close) and nothing more any help would be appreciated Cheers, Jiri
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/M4MFGXGJ33R5DFX66HHGENOROHGOTF2D/
