Hi,
On 10/1/20 2:53 PM, Martin Perina wrote:
> Hi,
>
> it seems that you are affected by
> https://bugzilla.redhat.com/show_bug.cgi?id=1880149
> Could you please try the workaround mentioned there?
bingo! Thanks a lot!
It is interesting behavior as my engine has no public ipv6 address (ipv6
is set to ignore in nm).
also
[root@ovirt ~]# ping6 google.com
connect: Network is unreachable
but ok, problem is solved :-)
Jiri
>
> Thanks,
> Martin
>
>
> On Thu, Oct 1, 2020 at 11:17 AM Jiří Sléžka <jiri.slezka@slu.cz
> <mailto:jiri.slezka@slu.cz>> wrote:
>
> Hi,
>
> I just upgraded my HE to 4.4.2 but now I cannot login using my ldap aaa
> profile anymore.
>
> We are using Novell/NetIQ E-directory (load ballanced by haproxy,
> probably not important...)
>
> In 4.4.1 I was hit by removed TLSv1 (which is the newest protocol
> supported by our edir) from default crypto policies but I was able
> revert it by
>
> update-crypto-policies --set LEGACY
>
> after upgrade to 4.4.2 the error is
>
> server_error: An error occurred while attempting to connect to server
> ldap1.slu.cz:389 <http://ldap1.slu.cz:389>:
> IOException(LDAPException(resultCode=91 (connect
> error), errorMessage='An error occurred while attempting to establish a
> connection to server ldap1.slu.cz/193.84.206.212:389
> <http://ldap1.slu.cz/193.84.206.212:389>:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>
> but our ldap server is reachable from ovirt, I tested it via (also ldaps
> and startls variants are working)
>
> ldapsearch -H ldap://ldap1.slu.cz <http://ldap1.slu.cz> -x -D
> cn=*****,ou=******,o=su -w
> '************' -b 'o=su'
>
> As a workaround I tried to set plain ldap protocol in profile
>
> cat /etc/ovirt-engine/aaa/CRO.properties
>
>
> include = <rfc2307-edir.properties>
>
> vars.server = ldap1.slu.cz <http://ldap1.slu.cz>
> vars.port = 389
> vars.user = cn=*****,ou=******,o=su
> vars.password = **************
>
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.serverset.single.port = ${global:vars.port}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> pool.default.ssl.startTLS = false
> pool.default.ssl.enable = false
> #pool.default.ssl.protocol = TLSv1
> #pool.default.ssl.startTLSProtocol = TLSv1
> #pool.default.ssl.insecure = true
>
> sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
> sequence.my-edir-init-vars.010.description = set baseDN
> sequence.my-edir-init-vars.010.type = var-set
> sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
> sequence.my-edir-init-vars.010.var-set.value = o=su
>
> #search.default.search-request.derefPolicy = ALWAYS
>
>
> but the error is the same...
>
> ovirt-engine-extensions-tool aaa login-user --profile=CRO
> --user-name=my_user
>
> ....
> WARNING: [ovirt-engine-extension-aaa-ldap.authn::SU-LDAP-authentication]
> TLS/SSL insecure mode
> ...
> WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz
> <http://auth.CRO.slu.cz>] Cannot
> initialize LDAP framework, deferring initialization. Error: An error
> occurred while attempting to connect to server ldap1.slu.cz:389
> <http://ldap1.slu.cz:389>:
> IOException(LDAPException(resultCode=91 (connect error),
> errorMessage='An error occurred while attempting to establish a
> connection to server ldap1.slu.cz/193.84.206.212:389
> <http://ldap1.slu.cz/193.84.206.212:389>:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
> ...
> INFO: API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
> profile='CRO' user='my_user'
> Password:
> ...
> WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz
> <http://auth.CRO.slu.cz>] Cannot
> initialize LDAP framework, deferring initialization. Error: An error
> occurred while attempting to connect to server ldap1.slu.cz:389
> <http://ldap1.slu.cz:389>:
> IOException(LDAPException(resultCode=91 (connect error),
> errorMessage='An error occurred while attempting to establish a
> connection to server ldap1.slu.cz/193.84.206.212:389
> <http://ldap1.slu.cz/193.84.206.212:389>:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
> Oct 01, 2020 10:57:37 AM
> org.ovirt.engine.exttool.core.ExtensionsToolExecutor main
> SEVERE: An error occurred while attempting to connect to server
> ldap1.slu.cz:389 <http://ldap1.slu.cz:389>:
> IOException(LDAPException(resultCode=91 (connect
> error), errorMessage='An error occurred while attempting to establish a
> connection to server ldap1.slu.cz/193.84.206.212:389
> <http://ldap1.slu.cz/193.84.206.212:389>:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>
> debug with tcpdump reveals only that connection is made and there are
> only "bindRequest" and "bindResponse success" messages visible (with
> correct tcp handshake and close) and nothing more
>
> any help would be appreciated
>
> Cheers,
>
> Jiri
>
> _______________________________________________
> Users mailing list -- users@ovirt.org <mailto:users@ovirt.org>
> To unsubscribe send an email to users-leave@ovirt.org
> <mailto:users-leave@ovirt.org>
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/M4MFGXGJ33R5DFX66HHGENOROHGOTF2D/
>
>
>
> --
> Martin Perina
> Manager, Software Engineering
> Red Hat Czech s.r.o.