Hi,

On 10/1/20 2:53 PM, Martin Perina wrote:
> Hi,
>
> it seems that you are affected by
> https://bugzilla.redhat.com/show_bug.cgi?id=1880149
> Could you please try the workaround mentioned there?

bingo! Thanks a lot!

It is interesting behavior as my engine has no public ipv6 address (ipv6
is set to ignore in nm).

also

[root@ovirt ~]# ping6 google.com
connect: Network is unreachable

but ok, problem is solved :-)

Jiri

>
> Thanks,
> Martin
>
>
> On Thu, Oct 1, 2020 at 11:17 AM Jiří Sléžka <jiri.sle...@slu.cz> wrote:
>
>     Hi,
>
>     I just upgraded my HE to 4.4.2 but now I cannot login using my ldap aaa
>     profile anymore.
>
>     We are using Novell/NetIQ E-directory (load balanced by haproxy,
>     probably not important...)
>
>     In 4.4.1 I was hit by removed TLSv1 (which is the newest protocol
>     supported by our edir) from default crypto policies but I was able to
>     revert it by
>
>     update-crypto-policies --set LEGACY
>
>     after upgrade to 4.4.2 the error is
>
>     server_error: An error occurred while attempting to connect to server
>     ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect
>     error), errorMessage='An error occurred while attempting to establish a
>     connection to server ldap1.slu.cz/193.84.206.212:389:
>     SocketException(Network is unreachable (connect failed)),
>     ldapSDKVersion=4.0.14,
>     revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>
>     but our ldap server is reachable from ovirt, I tested it via (also ldaps
>     and starttls variants are working)
>
>     ldapsearch -H ldap://ldap1.slu.cz -x -D cn=*****,ou=******,o=su -w
>     '************' -b 'o=su'
>
>     As a workaround I tried to set plain ldap protocol in profile
>
>     cat /etc/ovirt-engine/aaa/CRO.properties
>
>     include = <rfc2307-edir.properties>
>
>     vars.server = ldap1.slu.cz
>     vars.port = 389
>     vars.user = cn=*****,ou=******,o=su
>     vars.password = **************
>
>     pool.default.serverset.single.server = ${global:vars.server}
>     pool.default.serverset.single.port = ${global:vars.port}
>     pool.default.auth.simple.bindDN = ${global:vars.user}
>     pool.default.auth.simple.password = ${global:vars.password}
>
>     pool.default.ssl.startTLS = false
>     pool.default.ssl.enable = false
>     #pool.default.ssl.protocol = TLSv1
>     #pool.default.ssl.startTLSProtocol = TLSv1
>     #pool.default.ssl.insecure = true
>
>     sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
>     sequence.my-edir-init-vars.010.description = set baseDN
>     sequence.my-edir-init-vars.010.type = var-set
>     sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
>     sequence.my-edir-init-vars.010.var-set.value = o=su
>
>     #search.default.search-request.derefPolicy = ALWAYS
>
>     but the error is the same...
>
>     ovirt-engine-extensions-tool aaa login-user --profile=CRO
>     --user-name=my_user
>
>     ....
>     WARNING: [ovirt-engine-extension-aaa-ldap.authn::SU-LDAP-authentication]
>     TLS/SSL insecure mode
>     ...
>     WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
>     initialize LDAP framework, deferring initialization. Error: An error
>     occurred while attempting to connect to server ldap1.slu.cz:389:
>     IOException(LDAPException(resultCode=91 (connect error),
>     errorMessage='An error occurred while attempting to establish a
>     connection to server ldap1.slu.cz/193.84.206.212:389:
>     SocketException(Network is unreachable (connect failed)),
>     ldapSDKVersion=4.0.14,
>     revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>     ...
>     INFO: API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
>     profile='CRO' user='my_user'
>     Password:
>     ...
>     WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
>     initialize LDAP framework, deferring initialization. Error: An error
>     occurred while attempting to connect to server ldap1.slu.cz:389:
>     IOException(LDAPException(resultCode=91 (connect error),
>     errorMessage='An error occurred while attempting to establish a
>     connection to server ldap1.slu.cz/193.84.206.212:389:
>     SocketException(Network is unreachable (connect failed)),
>     ldapSDKVersion=4.0.14,
>     revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>     Oct 01, 2020 10:57:37 AM
>     org.ovirt.engine.exttool.core.ExtensionsToolExecutor main
>     SEVERE: An error occurred while attempting to connect to server
>     ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect
>     error), errorMessage='An error occurred while attempting to establish a
>     connection to server ldap1.slu.cz/193.84.206.212:389:
>     SocketException(Network is unreachable (connect failed)),
>     ldapSDKVersion=4.0.14,
>     revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>
>     debug with tcpdump reveals only that connection is made and there are
>     only "bindRequest" and "bindResponse success" messages visible (with
>     correct tcp handshake and close) and nothing more
>
>     any help would be appreciated
>
>     Cheers,
>
>     Jiri
>
>     _______________________________________________
>     Users mailing list -- users@ovirt.org
>     To unsubscribe send an email to users-le...@ovirt.org
>     Privacy Statement: https://www.ovirt.org/privacy-policy.html
>     oVirt Code of Conduct:
>     https://www.ovirt.org/community/about/community-guidelines/
>     List Archives:
>     https://lists.ovirt.org/archives/list/users@ovirt.org/message/M4MFGXGJ33R5DFX66HHGENOROHGOTF2D/
>
>
>
> --
> Martin Perina
> Manager, Software Engineering
> Red Hat Czech s.r.o.
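Added example, not part of the thread and not oVirt project code: the profile quoted above was switched to plain LDAP with a simple bind while troubleshooting, so this sketch audits an aaa profile's `pool.default.ssl.*` keys to catch such a setting if it is left in place once login works again. The reading of each key (`enable` and `startTLS` turn on transport encryption, `insecure` skips certificate validation) and the "unset means false" default are assumptions, and files pulled in via `include` are not followed.

```python
import re

# Constructed sample: the profile from the message, secrets replaced by placeholders.
SAMPLE = """\
include = <rfc2307-edir.properties>
vars.server = ldap1.slu.cz
vars.port = 389
vars.password = PLACEHOLDER
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = ${global:vars.port}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = false
pool.default.ssl.enable = false
#pool.default.ssl.protocol = TLSv1
#pool.default.ssl.insecure = true
"""
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_properties(text):
    """Parse key = value lines, skip comments, expand ${global:key} references."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        props[key] = value
    ref = re.compile(r"\$\{global:([^}]+)\}")
    return {k: ref.sub(lambda m: props.get(m.group(1), m.group(0)), v)
            for k, v in props.items()}

def audit_profile(text, pool="pool.default"):
    """Return findings about transport security for one connection pool."""
    p = parse_properties(text)
    # Assumption: a key that is absent from this file counts as "false".
    flag = lambda name: p.get(f"{pool}.ssl.{name}", "false").lower() == "true"
    findings = []
    simple_bind = f"{pool}.auth.simple.password" in p
    if not flag("enable") and not flag("startTLS"):
        what = "simple bind password" if simple_bind else "directory traffic"
        findings.append(f"cleartext: {what} sent unencrypted to "
                        f"{p.get(pool + '.serverset.single.server', '?')}:"
                        f"{p.get(pool + '.serverset.single.port', '?')}")
    if flag("insecure"):
        findings.append("insecure: server certificate is not validated")
    for key in ("protocol", "startTLSProtocol"):
        proto = p.get(f"{pool}.ssl.{key}")
        if proto in WEAK_PROTOCOLS:
            findings.append(f"weak protocol: {pool}.ssl.{key} = {proto}")
    return findings
```

Calling `audit_profile(open("/etc/ovirt-engine/aaa/CRO.properties").read())` on the engine host returns an empty list when none of the three conditions applies.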