12:10 p.m.
Hi,
I just upgraded my HE to 4.4.2 but now I cannot login using my ldap aaa
profile anymore.
We are using Novell/NetIQ E-directory (load ballanced by haproxy,
probably not important...)
In 4.4.1 I was hit by removed TLSv1 (which is the newest protocol
supported by our edir) from default crypto policies but I was able
revert it by
update-crypto-policies --set LEGACY
after upgrade to 4.4.2 the error is
server_error: An error occurred while attempting to connect to server
ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect
error), errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
but our ldap server is reachable from ovirt, I tested it via (also ldaps
and startls variants are working)
ldapsearch -H ldap://ldap1.slu.cz -x -D cn=*****,ou=******,o=su -w
'************' -b 'o=su'
As a workaround I tried to set plain ldap protocol in profile
cat /etc/ovirt-engine/aaa/CRO.properties
include = <rfc2307-edir.properties>
vars.server = ldap1.slu.cz
vars.port = 389
vars.user = cn=*****,ou=******,o=su
vars.password = **************
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = ${global:vars.port}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = false
pool.default.ssl.enable = false
#pool.default.ssl.protocol = TLSv1
#pool.default.ssl.startTLSProtocol = TLSv1
#pool.default.ssl.insecure = true
sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
sequence.my-edir-init-vars.010.description = set baseDN
sequence.my-edir-init-vars.010.type = var-set
sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
sequence.my-edir-init-vars.010.var-set.value = o=su
#search.default.search-request.derefPolicy = ALWAYS
but the error is the same...
ovirt-engine-extensions-tool aaa login-user --profile=CRO
--user-name=my_user
....
WARNING: [ovirt-engine-extension-aaa-ldap.authn::SU-LDAP-authentication]
TLS/SSL insecure mode
...
WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
initialize LDAP framework, deferring initialization. Error: An error
occurred while attempting to connect to server ldap1.slu.cz:389:
IOException(LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
...
INFO: API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
profile='CRO' user='my_user'
Password:
...
WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
initialize LDAP framework, deferring initialization. Error: An error
occurred while attempting to connect to server ldap1.slu.cz:389:
IOException(LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
Oct 01, 2020 10:57:37 AM
org.ovirt.engine.exttool.core.ExtensionsToolExecutor main
SEVERE: An error occurred while attempting to connect to server
ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect
error), errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
debug with tcpdump reveals only that connection is made and there are
only "bindRequest" and "bindResponse success" messages visible (with
correct tcp handshake and close) and nothing more
any help would be appreciated
Cheers,
Jiri
3:53 p.m.
Hi,
it seems that you are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=1880149
Could you please try the workaround mentioned there?
Thanks,
Martin
On Thu, Oct 1, 2020 at 11:17 AM Jiří Sléžka <jiri.slezka(a)slu.cz> wrote:
Hi,
I just upgraded my HE to 4.4.2 but now I cannot login using my ldap aaa
profile anymore.
We are using Novell/NetIQ E-directory (load ballanced by haproxy,
probably not important...)
In 4.4.1 I was hit by removed TLSv1 (which is the newest protocol
supported by our edir) from default crypto policies but I was able
revert it by
update-crypto-policies --set LEGACY
after upgrade to 4.4.2 the error is
server_error: An error occurred while attempting to connect to server
ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect
error), errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
but our ldap server is reachable from ovirt, I tested it via (also ldaps
and startls variants are working)
ldapsearch -H ldap://ldap1.slu.cz -x -D cn=*****,ou=******,o=su -w
'************' -b 'o=su'
As a workaround I tried to set plain ldap protocol in profile
cat /etc/ovirt-engine/aaa/CRO.properties
include = <rfc2307-edir.properties>
vars.server = ldap1.slu.cz
vars.port = 389
vars.user = cn=*****,ou=******,o=su
vars.password = **************
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = ${global:vars.port}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = false
pool.default.ssl.enable = false
#pool.default.ssl.protocol = TLSv1
#pool.default.ssl.startTLSProtocol = TLSv1
#pool.default.ssl.insecure = true
sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
sequence.my-edir-init-vars.010.description = set baseDN
sequence.my-edir-init-vars.010.type = var-set
sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
sequence.my-edir-init-vars.010.var-set.value = o=su
#search.default.search-request.derefPolicy = ALWAYS
but the error is the same...
ovirt-engine-extensions-tool aaa login-user --profile=CRO
--user-name=my_user
....
WARNING: [ovirt-engine-extension-aaa-ldap.authn::SU-LDAP-authentication]
TLS/SSL insecure mode
...
WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
initialize LDAP framework, deferring initialization. Error: An error
occurred while attempting to connect to server ldap1.slu.cz:389:
IOException(LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
...
INFO: API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
profile='CRO' user='my_user'
Password:
...
WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
initialize LDAP framework, deferring initialization. Error: An error
occurred while attempting to connect to server ldap1.slu.cz:389:
IOException(LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
Oct 01, 2020 10:57:37 AM
org.ovirt.engine.exttool.core.ExtensionsToolExecutor main
SEVERE: An error occurred while attempting to connect to server
ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect
error), errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
debug with tcpdump reveals only that connection is made and there are
only "bindRequest" and "bindResponse success" messages visible (with
correct tcp handshake and close) and nothing more
any help would be appreciated
Cheers,
Jiri
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/M4MFGXGJ33R...
--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
4:17 p.m.
Hi,
On 10/1/20 2:53 PM, Martin Perina wrote:
Hi,
it seems that you are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=1880149
Could you please try the workaround mentioned there?
bingo! Thanks a lot!
It is interesting behavior as my engine has no public ipv6 address (ipv6
is set to ignore in nm).
also
[root@ovirt ~]# ping6 google.com
connect: Network is unreachable
but ok, problem is solved :-)
Jiri
Thanks,
Martin
On Thu, Oct 1, 2020 at 11:17 AM Jiří Sléžka <jiri.slezka(a)slu.cz
<mailto:jiri.slezka@slu.cz>> wrote:
Hi,
I just upgraded my HE to 4.4.2 but now I cannot login using my ldap aaa
profile anymore.
We are using Novell/NetIQ E-directory (load ballanced by haproxy,
probably not important...)
In 4.4.1 I was hit by removed TLSv1 (which is the newest protocol
supported by our edir) from default crypto policies but I was able
revert it by
update-crypto-policies --set LEGACY
after upgrade to 4.4.2 the error is
server_error: An error occurred while attempting to connect to server
ldap1.slu.cz:389 <http://ldap1.slu.cz:389>;:
IOException(LDAPException(resultCode=91 (connect
error), errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389
<http://ldap1.slu.cz/193.84.206.212:389>;:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14,
revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
but our ldap server is reachable from ovirt, I tested it via (also ldaps
and startls variants are working)
ldapsearch -H ldap://ldap1.slu.cz <http://ldap1.slu.cz> -x -D
cn=*****,ou=******,o=su -w
'************' -b 'o=su'
As a workaround I tried to set plain ldap protocol in profile
cat /etc/ovirt-engine/aaa/CRO.properties
include = <rfc2307-edir.properties>
vars.server = ldap1.slu.cz <http://ldap1.slu.cz>
vars.port = 389
vars.user = cn=*****,ou=******,o=su
vars.password = **************
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = ${global:vars.port}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = false
pool.default.ssl.enable = false
#pool.default.ssl.protocol = TLSv1
#pool.default.ssl.startTLSProtocol = TLSv1
#pool.default.ssl.insecure = true
sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
sequence.my-edir-init-vars.010.description = set baseDN
sequence.my-edir-init-vars.010.type = var-set
sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
sequence.my-edir-init-vars.010.var-set.value = o=su
#search.default.search-request.derefPolicy = ALWAYS
but the error is the same...
ovirt-engine-extensions-tool aaa login-user --profile=CRO
--user-name=my_user
....
WARNING: [ovirt-engine-extension-aaa-ldap.authn::SU-LDAP-authentication]
TLS/SSL insecure mode
...
WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz
<http://auth.CRO.slu.cz>] Cannot
initialize LDAP framework, deferring initialization. Error: An error
occurred while attempting to connect to server ldap1.slu.cz:389
<http://ldap1.slu.cz:389>;:
IOException(LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389
<http://ldap1.slu.cz/193.84.206.212:389>;:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14,
revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
...
INFO: API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
profile='CRO' user='my_user'
Password:
...
WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz
<http://auth.CRO.slu.cz>] Cannot
initialize LDAP framework, deferring initialization. Error: An error
occurred while attempting to connect to server ldap1.slu.cz:389
<http://ldap1.slu.cz:389>;:
IOException(LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389
<http://ldap1.slu.cz/193.84.206.212:389>;:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14,
revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
Oct 01, 2020 10:57:37 AM
org.ovirt.engine.exttool.core.ExtensionsToolExecutor main
SEVERE: An error occurred while attempting to connect to server
ldap1.slu.cz:389 <http://ldap1.slu.cz:389>:
IOException(LDAPException(resultCode=91 (connect
error), errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389
<http://ldap1.slu.cz/193.84.206.212:389>;:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14,
revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
debug with tcpdump reveals only that connection is made and there are
only "bindRequest" and "bindResponse success" messages visible
(with
correct tcp handshake and close) and nothing more
any help would be appreciated
Cheers,
Jiri
_______________________________________________
Users mailing list -- users(a)ovirt.org <mailto:users@ovirt.org>
To unsubscribe send an email to users-leave(a)ovirt.org
<mailto:users-leave@ovirt.org>
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/M4MFGXGJ33R...
--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
10:41 p.m.
On Thu, Oct 1, 2020 at 3:18 PM Jiří Sléžka <jiri.slezka(a)slu.cz> wrote:
Hi,
On 10/1/20 2:53 PM, Martin Perina wrote:
> Hi,
>
> it seems that you are affected by
> https://bugzilla.redhat.com/show_bug.cgi?id=1880149
> Could you please try the workaround mentioned there?
bingo! Thanks a lot!
It is interesting behavior as my engine has no public ipv6 address (ipv6
is set to ignore in nm).
also
[root@ovirt ~]# ping6 google.com
connect: Network is unreachable
but ok, problem is solved :-)
Most probably your LDAP server can be resolved to both IPv4 and IPv6
addresses and we choose a random resolved address in aaa-ldap when
connecting. Enabling IPv6 by default was introduced in
https://bugzilla.redhat.com/1726189 but unfortunately we have missed this
scenario (engine IPv4, LDAP dual IPv4/IPv6) during testing ...
Jiri
>
> Thanks,
> Martin
>
>
> On Thu, Oct 1, 2020 at 11:17 AM Jiří Sléžka <jiri.slezka(a)slu.cz
> <mailto:jiri.slezka@slu.cz>> wrote:
>
> Hi,
>
> I just upgraded my HE to 4.4.2 but now I cannot login using my ldap
aaa
> profile anymore.
>
> We are using Novell/NetIQ E-directory (load ballanced by haproxy,
> probably not important...)
>
> In 4.4.1 I was hit by removed TLSv1 (which is the newest protocol
> supported by our edir) from default crypto policies but I was able
> revert it by
>
> update-crypto-policies --set LEGACY
>
> after upgrade to 4.4.2 the error is
>
> server_error: An error occurred while attempting to connect to server
> ldap1.slu.cz:389 <http://ldap1.slu.cz:389>;:
> IOException(LDAPException(resultCode=91 (connect
> error), errorMessage='An error occurred while attempting to
establish a
> connection to server ldap1.slu.cz/193.84.206.212:389
> <http://ldap1.slu.cz/193.84.206.212:389>;:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>
> but our ldap server is reachable from ovirt, I tested it via (also
ldaps
> and startls variants are working)
>
> ldapsearch -H ldap://ldap1.slu.cz <http://ldap1.slu.cz> -x -D
> cn=*****,ou=******,o=su -w
> '************' -b 'o=su'
>
> As a workaround I tried to set plain ldap protocol in profile
>
> cat /etc/ovirt-engine/aaa/CRO.properties
>
>
> include = <rfc2307-edir.properties>
>
> vars.server = ldap1.slu.cz <http://ldap1.slu.cz>
> vars.port = 389
> vars.user = cn=*****,ou=******,o=su
> vars.password = **************
>
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.serverset.single.port = ${global:vars.port}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> pool.default.ssl.startTLS = false
> pool.default.ssl.enable = false
> #pool.default.ssl.protocol = TLSv1
> #pool.default.ssl.startTLSProtocol = TLSv1
> #pool.default.ssl.insecure = true
>
> sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
> sequence.my-edir-init-vars.010.description = set baseDN
> sequence.my-edir-init-vars.010.type = var-set
> sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
> sequence.my-edir-init-vars.010.var-set.value = o=su
>
> #search.default.search-request.derefPolicy = ALWAYS
>
>
> but the error is the same...
>
> ovirt-engine-extensions-tool aaa login-user --profile=CRO
> --user-name=my_user
>
> ....
> WARNING:
[ovirt-engine-extension-aaa-ldap.authn::SU-LDAP-authentication]
> TLS/SSL insecure mode
> ...
> WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz
> <http://auth.CRO.slu.cz>] Cannot
> initialize LDAP framework, deferring initialization. Error: An error
> occurred while attempting to connect to server ldap1.slu.cz:389
> <http://ldap1.slu.cz:389>;:
> IOException(LDAPException(resultCode=91 (connect error),
> errorMessage='An error occurred while attempting to establish a
> connection to server ldap1.slu.cz/193.84.206.212:389
> <http://ldap1.slu.cz/193.84.206.212:389>;:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
> ...
> INFO: API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
> profile='CRO' user='my_user'
> Password:
> ...
> WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz
> <http://auth.CRO.slu.cz>] Cannot
> initialize LDAP framework, deferring initialization. Error: An error
> occurred while attempting to connect to server ldap1.slu.cz:389
> <http://ldap1.slu.cz:389>;:
> IOException(LDAPException(resultCode=91 (connect error),
> errorMessage='An error occurred while attempting to establish a
> connection to server ldap1.slu.cz/193.84.206.212:389
> <http://ldap1.slu.cz/193.84.206.212:389>;:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
> Oct 01, 2020 10:57:37 AM
> org.ovirt.engine.exttool.core.ExtensionsToolExecutor main
> SEVERE: An error occurred while attempting to connect to server
> ldap1.slu.cz:389 <http://ldap1.slu.cz:389>;:
> IOException(LDAPException(resultCode=91 (connect
> error), errorMessage='An error occurred while attempting to
establish a
> connection to server ldap1.slu.cz/193.84.206.212:389
> <http://ldap1.slu.cz/193.84.206.212:389>;:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>
> debug with tcpdump reveals only that connection is made and there are
> only "bindRequest" and "bindResponse success" messages
visible (with
> correct tcp handshake and close) and nothing more
>
> any help would be appreciated
>
> Cheers,
>
> Jiri
>
> _______________________________________________
> Users mailing list -- users(a)ovirt.org <mailto:users@ovirt.org>
> To unsubscribe send an email to users-leave(a)ovirt.org
> <mailto:users-leave@ovirt.org>
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/M4MFGXGJ33R...
>
>
>
> --
> Martin Perina
> Manager, Software Engineering
> Red Hat Czech s.r.o.
--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
12:22 p.m.
On 10/1/20 9:41 PM, Martin Perina wrote:
On Thu, Oct 1, 2020 at 3:18 PM Jiří Sléžka <jiri.slezka(a)slu.cz
<mailto:jiri.slezka@slu.cz>> wrote:
Hi,
On 10/1/20 2:53 PM, Martin Perina wrote:
> Hi,
>
> it seems that you are affected by
> https://bugzilla.redhat.com/show_bug.cgi?id=1880149
> Could you please try the workaround mentioned there?
bingo! Thanks a lot!
It is interesting behavior as my engine has no public ipv6 address (ipv6
is set to ignore in nm).
also
[root@ovirt ~]# ping6 google.com <http://google.com>
connect: Network is unreachable
but ok, problem is solved :-)
Most probably your LDAP server can be resolved to both IPv4 and IPv6
addresses and we choose a random resolved address in aaa-ldap when
connecting. Enabling IPv6 by default was introduced in
https://bugzilla.redhat.com/1726189 but unfortunately we have missed
this scenario (engine IPv4, LDAP dual IPv4/IPv6) during testing ...
yes, this is exactly our case. No problem, it is really hard to catch
all variants.
Cheers,
Jiri
Jiri
>
> Thanks,
> Martin
>
>
> On Thu, Oct 1, 2020 at 11:17 AM Jiří Sléžka <jiri.slezka(a)slu.cz
<mailto:jiri.slezka@slu.cz>
> <mailto:jiri.slezka@slu.cz <mailto:jiri.slezka@slu.cz>>> wrote:
>
> Hi,
>
> I just upgraded my HE to 4.4.2 but now I cannot login using my
ldap aaa
> profile anymore.
>
> We are using Novell/NetIQ E-directory (load ballanced by haproxy,
> probably not important...)
>
> In 4.4.1 I was hit by removed TLSv1 (which is the newest protocol
> supported by our edir) from default crypto policies but I was able
> revert it by
>
> update-crypto-policies --set LEGACY
>
> after upgrade to 4.4.2 the error is
>
> server_error: An error occurred while attempting to connect to
server
> ldap1.slu.cz:389 <http://ldap1.slu.cz:389>
<http://ldap1.slu.cz:389>;:
> IOException(LDAPException(resultCode=91 (connect
> error), errorMessage='An error occurred while attempting to
establish a
> connection to server ldap1.slu.cz/193.84.206.212:389
<http://ldap1.slu.cz/193.84.206.212:389>
> <http://ldap1.slu.cz/193.84.206.212:389>:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>
> but our ldap server is reachable from ovirt, I tested it via
(also ldaps
> and startls variants are working)
>
> ldapsearch -H ldap://ldap1.slu.cz <http://ldap1.slu.cz>
<http://ldap1.slu.cz> -x -D
> cn=*****,ou=******,o=su -w
> '************' -b 'o=su'
>
> As a workaround I tried to set plain ldap protocol in profile
>
> cat /etc/ovirt-engine/aaa/CRO.properties
>
>
> include = <rfc2307-edir.properties>
>
> vars.server = ldap1.slu.cz <http://ldap1.slu.cz>
<http://ldap1.slu.cz>
> vars.port = 389
> vars.user = cn=*****,ou=******,o=su
> vars.password = **************
>
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.serverset.single.port = ${global:vars.port}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> pool.default.ssl.startTLS = false
> pool.default.ssl.enable = false
> #pool.default.ssl.protocol = TLSv1
> #pool.default.ssl.startTLSProtocol = TLSv1
> #pool.default.ssl.insecure = true
>
> sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
> sequence.my-edir-init-vars.010.description = set baseDN
> sequence.my-edir-init-vars.010.type = var-set
> sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
> sequence.my-edir-init-vars.010.var-set.value = o=su
>
> #search.default.search-request.derefPolicy = ALWAYS
>
>
> but the error is the same...
>
> ovirt-engine-extensions-tool aaa login-user --profile=CRO
> --user-name=my_user
>
> ....
> WARNING:
[ovirt-engine-extension-aaa-ldap.authn::SU-LDAP-authentication]
> TLS/SSL insecure mode
> ...
> WARNING:
[ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz
<http://auth.CRO.slu.cz>
> <http://auth.CRO.slu.cz>] Cannot
> initialize LDAP framework, deferring initialization. Error: An
error
> occurred while attempting to connect to server
ldap1.slu.cz:389 <http://ldap1.slu.cz:389>
> <http://ldap1.slu.cz:389>:
> IOException(LDAPException(resultCode=91 (connect error),
> errorMessage='An error occurred while attempting to establish a
> connection to server ldap1.slu.cz/193.84.206.212:389
<http://ldap1.slu.cz/193.84.206.212:389>
> <http://ldap1.slu.cz/193.84.206.212:389>:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
> ...
> INFO: API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
> profile='CRO' user='my_user'
> Password:
> ...
> WARNING:
[ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz
<http://auth.CRO.slu.cz>
> <http://auth.CRO.slu.cz>] Cannot
> initialize LDAP framework, deferring initialization. Error: An
error
> occurred while attempting to connect to server
ldap1.slu.cz:389 <http://ldap1.slu.cz:389>
> <http://ldap1.slu.cz:389>:
> IOException(LDAPException(resultCode=91 (connect error),
> errorMessage='An error occurred while attempting to establish a
> connection to server ldap1.slu.cz/193.84.206.212:389
<http://ldap1.slu.cz/193.84.206.212:389>
> <http://ldap1.slu.cz/193.84.206.212:389>:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
> Oct 01, 2020 10:57:37 AM
> org.ovirt.engine.exttool.core.ExtensionsToolExecutor main
> SEVERE: An error occurred while attempting to connect to server
> ldap1.slu.cz:389 <http://ldap1.slu.cz:389>
<http://ldap1.slu.cz:389>:
> IOException(LDAPException(resultCode=91 (connect
> error), errorMessage='An error occurred while attempting to
establish a
> connection to server ldap1.slu.cz/193.84.206.212:389
<http://ldap1.slu.cz/193.84.206.212:389>
> <http://ldap1.slu.cz/193.84.206.212:389>:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>
> debug with tcpdump reveals only that connection is made and
there are
> only "bindRequest" and "bindResponse success" messages
visible
(with
> correct tcp handshake and close) and nothing more
>
> any help would be appreciated
>
> Cheers,
>
> Jiri
>
> _______________________________________________
> Users mailing list -- users(a)ovirt.org <mailto:users@ovirt.org>
<mailto:users@ovirt.org <mailto:users@ovirt.org>>
> To unsubscribe send an email to users-leave(a)ovirt.org
<mailto:users-leave@ovirt.org>
> <mailto:users-leave@ovirt.org <mailto:users-leave@ovirt.org>>
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/M4MFGXGJ33R5DFX66HHGENOROHGOTF2D/
>
>
>
> --
> Martin Perina
> Manager, Software Engineering
> Red Hat Czech s.r.o.
--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
4:48 p.m.
New subject: CPU Type / Cluster
to get these two hosts into a cluster would i need to castrate them down
to nehalem, or would i be able to botch the db for the 2nd host from
"EPYC-IBPB" to "Opteron_G5"?
I don't really want to drop them down to nehalem, so either I can botch
the 2nd cpu so they are both on opteron_G5 or i'll have to buy a new CPU
for host1 to bring it up to "EPYC-IBPB";
I have;
host1;
# vdsm-client Host getCapabilities | grep cpuFlags | tr "," "\n" |
grep
model_ | sed 's/"//' | sort -n
model_486
model_Conroe
model_cpu64-rhel6
model_kvm32
model_kvm64
model_Nehalem
model_Opteron_G1
model_Opteron_G2
model_Opteron_G3
model_Opteron_G4
model_Opteron_G5 <<<< "AMD FX(tm)-8350 Eight-Core Processor"
model_Penryn
model_pentium
model_pentium2
model_pentium3
model_qemu32
model_qemu64
model_Westmere
host2;
# vdsm-client Host getCapabilities | grep cpuFlags | tr "," "\n" |
grep
model_ | sed 's/"//' | sort -n
model_486
model_Conroe
model_Dhyana
model_EPYC
model_EPYC-IBPB <<<< "AMD Ryzen 7 1700X Eight-Core Processor"
model_kvm32
model_kvm64
model_Nehalem
model_Opteron_G1
model_Opteron_G2
model_Opteron_G3
model_Penryn
model_pentium
model_pentium2
model_pentium3
model_qemu32
model_qemu64
model_SandyBridge
model_Westmere
Thanks,
Mike
7:51 p.m.
New subject: CPU Type / Cluster
Hi Mike,
In order to add them to a single cluster , you should set them to Opteron_G5 (my FX-8350
is also there) , untill you replace the host with something more modern.
Of course , you can have your hosts in separate clusters - but then you won't be able
to live migrate your VMs.
Best Regards,
Strahil Nikolov
В събота, 3 октомври 2020 г., 16:50:24 Гринуич+3, Michael Jones
<mj(a)mikejonesey.co.uk> написа:
to get these two hosts into a cluster would i need to castrate them down
to nehalem, or would i be able to botch the db for the 2nd host from
"EPYC-IBPB" to "Opteron_G5"?
I don't really want to drop them down to nehalem, so either I can botch
the 2nd cpu so they are both on opteron_G5 or i'll have to buy a new CPU
for host1 to bring it up to "EPYC-IBPB";
I have;
host1;
# vdsm-client Host getCapabilities | grep cpuFlags | tr "," "\n" |
grep
model_ | sed 's/"//' | sort -n
model_486
model_Conroe
model_cpu64-rhel6
model_kvm32
model_kvm64
model_Nehalem
model_Opteron_G1
model_Opteron_G2
model_Opteron_G3
model_Opteron_G4
model_Opteron_G5 <<<< "AMD FX(tm)-8350 Eight-Core Processor"
model_Penryn
model_pentium
model_pentium2
model_pentium3
model_qemu32
model_qemu64
model_Westmere
host2;
# vdsm-client Host getCapabilities | grep cpuFlags | tr "," "\n" |
grep
model_ | sed 's/"//' | sort -n
model_486
model_Conroe
model_Dhyana
model_EPYC
model_EPYC-IBPB <<<< "AMD Ryzen 7 1700X Eight-Core Processor"
model_kvm32
model_kvm64
model_Nehalem
model_Opteron_G1
model_Opteron_G2
model_Opteron_G3
model_Penryn
model_pentium
model_pentium2
model_pentium3
model_qemu32
model_qemu64
model_SandyBridge
model_Westmere
Thanks,
Mike
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/NULJX3JB736...
12:06 a.m.
New subject: CPU Type / Cluster
Thanks for the email;
unfortunately it seems "Opteron_G5" is not on the 2nd host (guessing it
was removed in 4.2 or some strange cpu compat thing);
I upgraded the CPU #consumerism,
now both are "model_EPYC-IBPB / EPYC Secure" and clustered.
Kind Regards,
Mike
On 04/10/2020 17:51, Strahil Nikolov wrote:
> Hi Mike,
>
> In order to add them to a single cluster , you should set them to Opteron_G5 (my
FX-8350 is also there) , untill you replace the host with something more modern.
>
> Of course , you can have your hosts in separate clusters - but then you won't be
able to live migrate your VMs.
>
> Best Regards,
> Strahil Nikolov
>
>
>
>
>
>
> В събота, 3 октомври 2020 г., 16:50:24 Гринуич+3, Michael Jones
<mj(a)mikejonesey.co.uk> написа:
>
>
>
>
>
> to get these two hosts into a cluster would i need to castrate them down
> to nehalem, or would i be able to botch the db for the 2nd host from
> "EPYC-IBPB" to "Opteron_G5"?
>
> I don't really want to drop them down to nehalem, so either I can botch
> the 2nd cpu so they are both on opteron_G5 or i'll have to buy a new CPU
> for host1 to bring it up to "EPYC-IBPB";
>
> I have;
>
> host1;
>
> # vdsm-client Host getCapabilities | grep cpuFlags | tr "," "\n"
| grep
> model_ | sed 's/"//' | sort -n
> model_486
> model_Conroe
> model_cpu64-rhel6
> model_kvm32
> model_kvm64
> model_Nehalem
> model_Opteron_G1
> model_Opteron_G2
> model_Opteron_G3
> model_Opteron_G4
> model_Opteron_G5 <<<< "AMD FX(tm)-8350 Eight-Core Processor"
> model_Penryn
> model_pentium
> model_pentium2
> model_pentium3
> model_qemu32
> model_qemu64
> model_Westmere
>
> host2;
>
> # vdsm-client Host getCapabilities | grep cpuFlags | tr "," "\n"
| grep
> model_ | sed 's/"//' | sort -n
> model_486
> model_Conroe
> model_Dhyana
> model_EPYC
> model_EPYC-IBPB <<<< "AMD Ryzen 7 1700X Eight-Core Processor"
> model_kvm32
> model_kvm64
> model_Nehalem
> model_Opteron_G1
> model_Opteron_G2
> model_Opteron_G3
> model_Penryn
> model_pentium
> model_pentium2
> model_pentium3
> model_qemu32
> model_qemu64
> model_SandyBridge
> model_Westmere
>
> Thanks,
>
> Mike
>
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/NULJX3JB736...
>
1:31 a.m.
New subject: CPU Type / Cluster
Hi Michael,
I'm running 4.3.10 and I can confirm that Opteron_G5 was not removed.
What is reported by 'virsh -c
qemu:///system?authfile=/etc/ovirt-hosted-engine/virsh_auth.conf capabilities' on both
hosts ?
Best Regards,
Strahil Nikolov
В сряда, 7 октомври 2020 г., 00:06:08 Гринуич+3, Michael Jones
<mj(a)mikejonesey.co.uk> написа:
Thanks for the email;
unfortunately it seems "Opteron_G5" is not on the 2nd host (guessing it
was removed in 4.2 or some strange cpu compat thing);
I upgraded the CPU #consumerism,
now both are "model_EPYC-IBPB / EPYC Secure" and clustered.
Kind Regards,
Mike
On 04/10/2020 17:51, Strahil Nikolov wrote:
> Hi Mike,
>
> In order to add them to a single cluster , you should set them to Opteron_G5 (my
FX-8350 is also there) , untill you replace the host with something more modern.
>
> Of course , you can have your hosts in separate clusters - but then you won't be
able to live migrate your VMs.
>
> Best Regards,
> Strahil Nikolov
>
>
>
>
>
>
> В събота, 3 октомври 2020 г., 16:50:24 Гринуич+3, Michael Jones
<mj(a)mikejonesey.co.uk> написа:
>
>
>
>
>
> to get these two hosts into a cluster would i need to castrate them down
> to nehalem, or would i be able to botch the db for the 2nd host from
> "EPYC-IBPB" to "Opteron_G5"?
>
> I don't really want to drop them down to nehalem, so either I can botch
> the 2nd cpu so they are both on opteron_G5 or i'll have to buy a new CPU
> for host1 to bring it up to "EPYC-IBPB";
>
> I have;
>
> host1;
>
> # vdsm-client Host getCapabilities | grep cpuFlags | tr "," "\n"
| grep
> model_ | sed 's/"//' | sort -n
> model_486
> model_Conroe
> model_cpu64-rhel6
> model_kvm32
> model_kvm64
> model_Nehalem
> model_Opteron_G1
> model_Opteron_G2
> model_Opteron_G3
> model_Opteron_G4
> model_Opteron_G5 <<<< "AMD FX(tm)-8350 Eight-Core Processor"
> model_Penryn
> model_pentium
> model_pentium2
> model_pentium3
> model_qemu32
> model_qemu64
> model_Westmere
>
> host2;
>
> # vdsm-client Host getCapabilities | grep cpuFlags | tr "," "\n"
| grep
> model_ | sed 's/"//' | sort -n
> model_486
> model_Conroe
> model_Dhyana
> model_EPYC
> model_EPYC-IBPB <<<< "AMD Ryzen 7 1700X Eight-Core Processor"
> model_kvm32
> model_kvm64
> model_Nehalem
> model_Opteron_G1
> model_Opteron_G2
> model_Opteron_G3
> model_Penryn
> model_pentium
> model_pentium2
> model_pentium3
> model_qemu32
> model_qemu64
> model_SandyBridge
> model_Westmere
>
> Thanks,
>
> Mike
>
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/NULJX3JB736...
>
1508
days inactive
1513
days old
8 comments
4 participants
participants (4)
-
Jiří Sléžka -
Martin Perina -
Michael Jones -
Strahil Nikolov