On Thu, Oct 1, 2020 at 3:18 PM Jiří Sléžka <jiri.slezka@slu.cz> wrote:
Hi,

On 10/1/20 2:53 PM, Martin Perina wrote:
> Hi,
>
> it seems that you are affected by
> https://bugzilla.redhat.com/show_bug.cgi?id=1880149
> Could you please try the workaround mentioned there?

bingo! Thanks a lot!

It is interesting behavior as my engine has no public IPv6 address (IPv6
is set to ignore in nm).

also

[root@ovirt ~]# ping6 google.com
connect: Network is unreachable

but ok, problem is solved :-)

Most probably your LDAP server can be resolved to both IPv4 and IPv6 addresses and we choose a random resolved address in aaa-ldap when connecting. Enabling IPv6 by default was introduced in https://bugzilla.redhat.com/1726189 but unfortunately we missed this scenario (engine IPv4, LDAP dual IPv4/IPv6) during testing ...


Jiri


>
> Thanks,
> Martin
>
>
> On Thu, Oct 1, 2020 at 11:17 AM Jiří Sléžka <jiri.slezka@slu.cz
> <mailto:jiri.slezka@slu.cz>> wrote:
>
>     Hi,
>
>     I just upgraded my HE to 4.4.2 but now I cannot login using my ldap aaa
>     profile anymore.
>
>     We are using Novell/NetIQ eDirectory (load balanced by haproxy,
>     probably not important...)
>
>     In 4.4.1 I was hit by removed TLSv1 (which is the newest protocol
>     supported by our edir) from default crypto policies but I was able to
>     revert it by
>
>     update-crypto-policies --set LEGACY
>
>     after upgrade to 4.4.2 the error is
>
>     server_error: An error occurred while attempting to connect to server
>     ldap1.slu.cz:389:
>     IOException(LDAPException(resultCode=91 (connect
>     error), errorMessage='An error occurred while attempting to establish a
>     connection to server ldap1.slu.cz/193.84.206.212:389:
>     SocketException(Network is unreachable (connect failed)),
>     ldapSDKVersion=4.0.14,
>     revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>
>     but our ldap server is reachable from ovirt, I tested it via (also ldaps
>     and starttls variants are working)
>
>     ldapsearch -H ldap://ldap1.slu.cz -x -D
>     cn=*****,ou=******,o=su -w
>     '************' -b 'o=su'
>
>     As a workaround I tried to set plain ldap protocol in profile
>
>     cat /etc/ovirt-engine/aaa/CRO.properties
>
>
>     include = <rfc2307-edir.properties>
>
>     vars.server = ldap1.slu.cz
>     vars.port = 389
>     vars.user = cn=*****,ou=******,o=su
>     vars.password = **************
>
>     pool.default.serverset.single.server = ${global:vars.server}
>     pool.default.serverset.single.port = ${global:vars.port}
>     pool.default.auth.simple.bindDN = ${global:vars.user}
>     pool.default.auth.simple.password = ${global:vars.password}
>
>     pool.default.ssl.startTLS = false
>     pool.default.ssl.enable = false
>     #pool.default.ssl.protocol = TLSv1
>     #pool.default.ssl.startTLSProtocol = TLSv1
>     #pool.default.ssl.insecure = true
>
>     sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
>     sequence.my-edir-init-vars.010.description = set baseDN
>     sequence.my-edir-init-vars.010.type = var-set
>     sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
>     sequence.my-edir-init-vars.010.var-set.value = o=su
>
>     #search.default.search-request.derefPolicy = ALWAYS
>
>
>     but the error is the same...
>
>     ovirt-engine-extensions-tool aaa login-user --profile=CRO
>     --user-name=my_user
>
>     ....
>     WARNING: [ovirt-engine-extension-aaa-ldap.authn::SU-LDAP-authentication]
>     TLS/SSL insecure mode
>     ...
>     WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
>     initialize LDAP framework, deferring initialization. Error: An error
>     occurred while attempting to connect to server ldap1.slu.cz:389:
>     IOException(LDAPException(resultCode=91 (connect error),
>     errorMessage='An error occurred while attempting to establish a
>     connection to server ldap1.slu.cz/193.84.206.212:389:
>     SocketException(Network is unreachable (connect failed)),
>     ldapSDKVersion=4.0.14,
>     revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>     ...
>     INFO: API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
>     profile='CRO' user='my_user'
>     Password:
>     ...
>     WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
>     initialize LDAP framework, deferring initialization. Error: An error
>     occurred while attempting to connect to server ldap1.slu.cz:389:
>     IOException(LDAPException(resultCode=91 (connect error),
>     errorMessage='An error occurred while attempting to establish a
>     connection to server ldap1.slu.cz/193.84.206.212:389:
>     SocketException(Network is unreachable (connect failed)),
>     ldapSDKVersion=4.0.14,
>     revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>     Oct 01, 2020 10:57:37 AM
>     org.ovirt.engine.exttool.core.ExtensionsToolExecutor main
>     SEVERE: An error occurred while attempting to connect to server
>     ldap1.slu.cz:389:
>     IOException(LDAPException(resultCode=91 (connect
>     error), errorMessage='An error occurred while attempting to establish a
>     connection to server ldap1.slu.cz/193.84.206.212:389:
>     SocketException(Network is unreachable (connect failed)),
>     ldapSDKVersion=4.0.14,
>     revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>
>     debug with tcpdump reveals only that connection is made and there are
>     only "bindRequest" and "bindResponse success" messages visible (with
>     correct tcp handshake and close) and nothing more
>
>     any help would be appreciated
>
>     Cheers,
>
>     Jiri
>
>     _______________________________________________
>     Users mailing list -- users@ovirt.org
>     To unsubscribe send an email to users-leave@ovirt.org
>     Privacy Statement: https://www.ovirt.org/privacy-policy.html
>     oVirt Code of Conduct:
>     https://www.ovirt.org/community/about/community-guidelines/
>     List Archives:
>     https://lists.ovirt.org/archives/list/users@ovirt.org/message/M4MFGXGJ33R5DFX66HHGENOROHGOTF2D/
>
>
>
> --
> Martin Perina
> Manager, Software Engineering
> Red Hat Czech s.r.o.




--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
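The failure Martin describes (the LDAP host resolves to both families, one resolved address is picked at random, and an engine without an IPv6 route gets "Network is unreachable") can be reproduced and contrasted with a connect loop that walks every resolved address. This is an added illustration, not oVirt or aaa-ldap code; the addresses in DUAL_STACK_LDAP and the simulated connector are constructed.

```python
import errno
import random
import socket

# Constructed sample: what getaddrinfo() could return for a dual-stack LDAP
# host. Documentation-range addresses, not the real ldap1.slu.cz.
DUAL_STACK_LDAP = [
    (socket.AF_INET, "192.0.2.10", 389),
    (socket.AF_INET6, "2001:db8::10", 389),
]


def resolve(host, port):
    """Real resolution: every (family, ip, port) the resolver returns for host."""
    return [(ai[0], ai[4][0], ai[4][1])
            for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)]


def simulated_connect_v4_only(addr):
    """Stand-in for socket.connect() on an engine that has no IPv6 route."""
    family, ip, port = addr
    if family == socket.AF_INET6:
        raise OSError(errno.ENETUNREACH, "Network is unreachable")
    return f"connected to {ip}:{port}"


def connect_random_pick(addrs, connect, chooser=random.choice):
    """Failing pattern: pick one resolved address and give up if it fails."""
    return connect(chooser(list(addrs)))


def connect_try_all(addrs, connect):
    """Robust pattern: walk every resolved address; fail only if all fail."""
    last_err = None
    for addr in addrs:
        try:
            return connect(addr)
        except OSError as e:
            last_err = e
    raise last_err


def outcome(fn, *args):
    """Return the connect result, or the socket error text, as a string."""
    try:
        return fn(*args)
    except OSError as e:
        return f"error: {e.strerror}"


def reachable_families(addrs, connect):
    """Diagnostic: which address families of the target this host can reach."""
    return {a[0]: outcome(connect, a).startswith("connected") for a in addrs}
```

With the random pick, the login succeeds or fails depending on which address was drawn, which is why the symptom looked intermittent; the try-all loop succeeds as long as any one family is routable.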