Hello!
We've started upgrading one of our oVirt clusters to the recent
4.4 minor version (4.4.8.5-1.el8) and we found a bug in the recent
change of the aaa-ldap plugin.
This bug came along after the IPv4/IPv6 selection introduced in
ovirt-engine-extension-aaa-ldap 1.4.4.
We've dug down the rabbit hole, and it looks like our DNS
solution is just not compatible with the plugin after this commit:
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/commit/4c0f2e72df88ce653ce552057554465fb901820f
I don't know how the industry actually uses CNAME records, but we
have a rule that we use independent DNS names for services and for
the machines themselves. This becomes handy when you migrate/upgrade
services like LDAP to another machine, and I think this should be
supported.
Our LDAP service domains are actually ldap-master.niif.hu and
ldap.niif.hu, but in reality there are two servers, which have
their own FQDNs.
The actual DNS structure:

$ host -t CNAME ldap-master.niif.hu
ldap-master.niif.hu is an alias for elm.niif.hu.

$ host -t CNAME ldap.niif.hu
ldap.niif.hu is an alias for holly.ldap.einfra.hu.

$ host elm.niif.hu
elm.niif.hu has address 193.225.14.175
elm.niif.hu has IPv6 address 2001:738:0:701::3

$ host holly.ldap.einfra.hu
holly.ldap.einfra.hu has address 193.224.92.6
holly.ldap.einfra.hu has IPv6 address 2001:738:0:431::6
The commit above (as far as I understand) only tries to resolve A
and AAAA records in DNS, and drops the connection if they are not found.
Of course, the certificate only has ldap-master and ldap.niif.hu in
it, so using holly and elm does not solve the problem (also, if the
service is migrated, the service domain will be kept, but not
the machine's FQDN, since we cannot afford to shut down one of our
LDAP servers for a migration window).
We've tried to downgrade the package to 1.4.3, which works fine.
The actual error looks like this (engine.log):
2021-09-07 15:53:09,833+02 WARN [org.ovirt.engine.extension.aaa.ldap.AuthnExtension] (default task-1) [] [ovirt-engine-extension-aaa-ldap.authn::NIIFLdap-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server ldap-master.niif.hu:636: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap-master.niif.hu/193.225.14.175:636: UnknownHostException(ldap-master.niif.hu), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
2021-09-07 15:53:09,833+02 ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-1) [] Internal Server Error: An error occurred while attempting to connect to server ldap-master.niif.hu:636: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap-master.niif.hu/193.225.14.175:636: UnknownHostException(ldap-master.niif.hu), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
2021-09-07 15:53:09,833+02 ERROR [org.ovirt.engine.core.sso.service.SsoService] (default task-1) [] An error occurred while attempting to connect to server ldap-master.niif.hu:636: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap-master.niif.hu/193.225.14.175:636: UnknownHostException(ldap-master.niif.hu), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
2021-09-07 15:53:09,854+02 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-1) [] server_error: An error occurred while attempting to connect to server ldap-master.niif.hu:636: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap-master.niif.hu/193.225.14.175:636: UnknownHostException(ldap-master.niif.hu), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
When we tried to run the setup tool, that also looked broken (after
that, we copied the required files to /etc/ovirt-engine/aaa and
/etc/ovirt-engine/extensions.d/ from another, working hosted engine),
so we've tested both the plugin itself and the setup, but no luck.
I think this (CNAME in DNS) should be working with the plugin.
Could you please investigate this issue? (We're here to help test
the repaired version/patch if needed, but we don't feel we have the
knowledge to create the patch ourselves.)
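As an added illustration (not code from the post above and not code from ovirt-engine-extension-aaa-ldap), the following Python script reproduces the failure mode the post describes over a constructed zone table copied from the `host` output: a resolver that queries only A/AAAA for the configured name gets nothing for a CNAME-only name (the UnknownHostException case), while a CNAME-aware resolver follows the alias to elm/holly, orders the addresses by the requested family preference, and still verifies the TLS certificate against the configured service name rather than the CNAME target. The `loop-*.example` records, the hop limit and all function names are my own constructions.

```python
# Added illustration of CNAME-only names vs. direct A/AAAA lookups.
# Not code from ovirt-engine-extension-aaa-ldap; the zone below is a
# constructed table copied from the `host` output in the post, so this
# runs offline. The loop-*.example entries are constructed too.
from typing import Dict, List, Tuple

ZONE: Dict[Tuple[str, str], List[str]] = {
    ("ldap-master.niif.hu", "CNAME"): ["elm.niif.hu"],
    ("ldap.niif.hu", "CNAME"): ["holly.ldap.einfra.hu"],
    ("elm.niif.hu", "A"): ["193.225.14.175"],
    ("elm.niif.hu", "AAAA"): ["2001:738:0:701::3"],
    ("holly.ldap.einfra.hu", "A"): ["193.224.92.6"],
    ("holly.ldap.einfra.hu", "AAAA"): ["2001:738:0:431::6"],
    # Constructed CNAME loop: a chaser without a hop limit would never stop.
    ("loop-a.example", "CNAME"): ["loop-b.example"],
    ("loop-b.example", "CNAME"): ["loop-a.example"],
}

FAMILY_RTYPE = {"ipv4": "A", "ipv6": "AAAA"}


def lookup(name: str, rtype: str, zone=ZONE) -> List[str]:
    """Return the records of one type for a name (empty list if none)."""
    return list(zone.get((name.rstrip(".").lower(), rtype), []))


def resolve_direct(name: str, family: str, zone=ZONE) -> List[str]:
    """Query only A (ipv4) or AAAA (ipv6) for the configured name itself.

    This mirrors the behaviour the post describes: a name that exists only
    as a CNAME yields no address, which surfaces as UnknownHostException.
    """
    return lookup(name, FAMILY_RTYPE[family], zone)


def canonical_name(name: str, zone=ZONE, max_hops: int = 8) -> str:
    """Follow the CNAME chain to its end, refusing loops and long chains."""
    seen = set()
    current = name.rstrip(".").lower()
    while True:
        targets = lookup(current, "CNAME", zone)
        if not targets:
            return current
        if current in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME chain from {name} loops or exceeds {max_hops} hops")
        seen.add(current)
        current = targets[0].rstrip(".").lower()


def resolve_cname_aware(name: str, family: str, zone=ZONE) -> List[str]:
    """Resolve the configured name after canonicalising it through CNAMEs."""
    return resolve_direct(canonical_name(name, zone), family, zone)


def connection_plan(name: str, prefer: str = "ipv4", zone=ZONE) -> Tuple[List[str], str]:
    """Addresses to try, in family preference order, plus the name to
    verify the TLS certificate against.

    The certificate is checked against the *configured* service name, never
    the CNAME target: the post notes the certificate carries ldap-master and
    ldap.niif.hu, not elm/holly, and letting a DNS-supplied alias target pick
    the expected certificate name would make a spoofed CNAME decide which
    certificate is accepted.
    """
    order = ["ipv4", "ipv6"] if prefer == "ipv4" else ["ipv6", "ipv4"]
    addresses: List[str] = []
    for family in order:
        addresses.extend(resolve_cname_aware(name, family, zone))
    if not addresses:
        raise LookupError(f"no A/AAAA records reachable for {name}")
    return addresses, name.rstrip(".").lower()


if __name__ == "__main__":
    for n in ("ldap-master.niif.hu", "ldap.niif.hu"):
        print(n, "direct A lookup:", resolve_direct(n, "ipv4"))
        print(n, "via CNAME:", connection_plan(n))
```

Running it shows an empty list for the direct lookup of both service names and the elm/holly addresses once the alias is followed, which is exactly the gap between the 1.4.3 and 1.4.4 behaviour the post reports.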