Juan Hernandez has submitted this change and it was merged.
Change subject: tools: Explicit message for bad minssf
......................................................................
tools: Explicit message for bad minssf
Currently when the engine-manage-domains tool tries to connect to an
OpenLDAP server configured with the default minimum security strength
factor (minssf=0) the Kerberos implementation of the virtual machine
generates an exception that is directly printed to the output, without
any friendly explanation, something like this:
java.lang.NegativeArraySizeException
at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
at sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
...
This patch changes the engine-manage-domains tool so that when this
exception is detected it will print the following message:
Failure while testing domain example.com. Details: An internal error has occurred in the Kerberos implementation of the Java virtual machine. This usually means that the LDAP server is configured with a minimum security strength factor (minssf) of 0. Change it to 1 and try again.
The way to change the minssf parameter in OpenLDAP is this:
# cat > fixssf.ldif <<'.'
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=1
-
.
# ldapmodify -H ldapi:/// -Y EXTERNAL -f fixssf.ldif
This OpenLDAP configuration has been tested and works correctly.
The 389 directory server also has this parameter, and can be changed in
the /etc/dirsrv/slapd-YOUR-REALM/dse.ldif file, something like this:
dn: cn=config
nsslapd-minssf: 1
This 389 directory server configuration hasn't been tested.
Change-Id: I2f1abaa8a6dbde146786326d62c185e8414595e1
Signed-off-by: Juan Hernandez <juan.hernandez(a)redhat.com>
---
M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/AuthenticationResult.java
M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java
2 files changed, 12 insertions(+), 4 deletions(-)
Approvals:
Martin Peřina: Looks good to me, but someone else must approve
Juan Hernandez: Verified
Yedidyah Bar David: Looks good to me, but someone else must approve
Yair Zaslavsky: Looks good to me, approved
Oved Ourfali: Looks good to me, approved
--
To view, visit
http://gerrit.ovirt.org/21505
To unsubscribe, visit
http://gerrit.ovirt.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I2f1abaa8a6dbde146786326d62c185e8414595e1
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Martin Peřina <mperina(a)redhat.com>
Gerrit-Reviewer: Oved Ourfali <oourfali(a)redhat.com>
Gerrit-Reviewer: Yair Zaslavsky <yzaslavs(a)redhat.com>
Gerrit-Reviewer: Yedidyah Bar David <didi(a)redhat.com>
Gerrit-Reviewer: oVirt Jenkins CI Server
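The commit message above gives the OpenLDAP LDIF by hand and an untested 389 DS equivalent. The following is an added example (Python, not code from the oVirt patch, OpenLDAP or 389 DS) that reads an LDIF export of cn=config, reports the minssf the server will actually enforce, and builds the ldapmodify LDIF that raises it while keeping any other SASL properties (maxssf, etc.) intact. It assumes the export was produced with ldapsearch for OpenLDAP or taken from dse.ldif for 389 DS; the two dumps embedded below are constructed for the demonstration, and the base value used when OpenLDAP has no olcSaslSecProps at all is copied from the commit message's LDIF rather than from OpenLDAP's own defaults.

```python
"""Check an LDAP server's SASL minimum security strength factor (minssf)
from an LDIF dump of cn=config and build the ldapmodify LDIF that raises it.

Added example; not code from the oVirt patch or from either directory
server. Assumes cn=config was exported to LDIF (OpenLDAP: e.g.
`ldapsearch -H ldapi:/// -Y EXTERNAL -b cn=config -s base`; 389 DS: the
dse.ldif file). The two dumps below are constructed for the demo.
"""
import base64

OPENLDAP_ATTR = "olcSaslSecProps"
DS389_ATTR = "nsslapd-minssf"
# Starting point when OpenLDAP has no olcSaslSecProps at all; taken from
# the commit message's LDIF, not from OpenLDAP's documented defaults.
OPENLDAP_BASE_PROPS = "noanonymous,noplain"

# Constructed sample dumps: both servers at the default minssf of 0.
OPENLDAP_DUMP = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcSaslSecProps: noanonymous,noplain
"""
DS389_DUMP = """\
dn: cn=config
cn: config
nsslapd-minssf: 0
"""


def parse_ldif_entry(text):
    """Map attribute -> list of values for the first entry in an LDIF text.
    Handles folded continuation lines (leading space) and '::' base64 values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        elif raw.startswith("#") or not raw.strip():
            continue
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_secprops(value):
    """'noanonymous,noplain,minssf=1' -> {'noanonymous': None, 'noplain': None,
    'minssf': '1'}; insertion order is kept so the value can be rebuilt."""
    props = {}
    for item in value.split(","):
        item = item.strip()
        if item:
            key, sep, val = item.partition("=")
            props[key] = val if sep else None
    return props


def effective_minssf(attrs, server):
    """minssf the server will enforce: OpenLDAP keeps it inside olcSaslSecProps,
    389 DS in nsslapd-minssf; a missing value counts as 0 for both."""
    if server == "openldap":
        value = attrs.get(OPENLDAP_ATTR, [""])[0]
        return int(parse_secprops(value).get("minssf") or 0)
    if server == "389":
        return int(attrs.get(DS389_ATTR, ["0"])[0])
    raise ValueError("unknown server type: %r" % server)


def fixed_secprops(value, minssf=1):
    """Return olcSaslSecProps with minssf raised to at least `minssf`, keeping
    every other property (noanonymous, noplain, maxssf, ...) in place."""
    props = parse_secprops(value or OPENLDAP_BASE_PROPS)
    current = int(props.get("minssf") or 0)
    props["minssf"] = str(max(current, minssf))
    return ",".join(k if v is None else "%s=%s" % (k, v) for k, v in props.items())


def fix_ldif(attrs, server, minssf=1):
    """ldapmodify LDIF that raises minssf on cn=config, or None if already ok."""
    if effective_minssf(attrs, server) >= minssf:
        return None
    if server == "openldap":
        attr = OPENLDAP_ATTR
        new = fixed_secprops(attrs.get(OPENLDAP_ATTR, [""])[0], minssf)
    else:
        attr, new = DS389_ATTR, str(minssf)
    return "dn: cn=config\nchangetype: modify\nreplace: %s\n%s: %s\n-\n" % (attr, attr, new)


if __name__ == "__main__":
    for name, dump, server in (("OpenLDAP", OPENLDAP_DUMP, "openldap"),
                               ("389 DS", DS389_DUMP, "389")):
        attrs = parse_ldif_entry(dump)
        print("%s: effective minssf=%d" % (name, effective_minssf(attrs, server)))
        print(fix_ldif(attrs, server) or "nothing to change")
```

The generated LDIF carries an explicit `changetype: modify`, which the commit message's hand-written version omits (ldapmodify assumes modify when run without -a, so both work); feeding the output to `ldapmodify -H ldapi:/// -Y EXTERNAL -f -` applies it on OpenLDAP, while on 389 DS the same attribute can be edited in dse.ldif with the server stopped, as the message notes. A minssf above 1 only forces a stronger SASL layer; the value 1 is what the engine-manage-domains message asks for, so the example raises to that by default.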