ldap auth problem after upgrade from 4.4.1 to 4.4.2

Hi,

I just upgraded my HE to 4.4.2 but now I cannot login using my ldap aaa profile anymore.

We are using Novell/NetIQ E-directory (load balanced by haproxy, probably not important...)

In 4.4.1 I was hit by removed TLSv1 (which is the newest protocol supported by our edir) from default crypto policies but I was able to revert it by

update-crypto-policies --set LEGACY

after upgrade to 4.4.2 the error is

server_error: An error occurred while attempting to connect to server ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap1.slu.cz/193.84.206.212:389: SocketException(Network is unreachable (connect failed)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))

but our ldap server is reachable from ovirt, I tested it via (also ldaps and starttls variants are working)

ldapsearch -H ldap://ldap1.slu.cz -x -D cn=*****,ou=******,o=su -w '************' -b 'o=su'

As a workaround I tried to set plain ldap protocol in profile

cat /etc/ovirt-engine/aaa/CRO.properties

include = <rfc2307-edir.properties>

vars.server = ldap1.slu.cz
vars.port = 389
vars.user = cn=*****,ou=******,o=su
vars.password = **************

pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = ${global:vars.port}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.ssl.startTLS = false
pool.default.ssl.enable = false
#pool.default.ssl.protocol = TLSv1
#pool.default.ssl.startTLSProtocol = TLSv1
#pool.default.ssl.insecure = true

sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
sequence.my-edir-init-vars.010.description = set baseDN
sequence.my-edir-init-vars.010.type = var-set
sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
sequence.my-edir-init-vars.010.var-set.value = o=su

#search.default.search-request.derefPolicy = ALWAYS

but the error is the same...

ovirt-engine-extensions-tool aaa login-user --profile=CRO --user-name=my_user

....
WARNING: [ovirt-engine-extension-aaa-ldap.authn::SU-LDAP-authentication] TLS/SSL insecure mode
...
WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap1.slu.cz/193.84.206.212:389: SocketException(Network is unreachable (connect failed)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
...
INFO: API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='CRO' user='my_user'
Password:
...
WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to connect to server ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap1.slu.cz/193.84.206.212:389: SocketException(Network is unreachable (connect failed)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
Oct 01, 2020 10:57:37 AM org.ovirt.engine.exttool.core.ExtensionsToolExecutor main
SEVERE: An error occurred while attempting to connect to server ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap1.slu.cz/193.84.206.212:389: SocketException(Network is unreachable (connect failed)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))

debug with tcpdump reveals only that connection is made and there are only "bindRequest" and "bindResponse success" messages visible (with correct tcp handshake and close) and nothing more

any help would be appreciated

Cheers,

Jiri

Hi,

it seems that you are affected by https://bugzilla.redhat.com/show_bug.cgi?id=1880149
Could you please try the workaround mentioned there?

Thanks,
Martin

On Thu, Oct 1, 2020 at 11:17 AM Jiří Sléžka <jiri.slezka@slu.cz> wrote:
> Hi,
>
> I just upgraded my HE to 4.4.2 but now I cannot login using my ldap aaa profile anymore.
-- Martin Perina Manager, Software Engineering Red Hat Czech s.r.o.

Hi,

On 10/1/20 2:53 PM, Martin Perina wrote:
> Hi,
>
> it seems that you are affected by
> https://bugzilla.redhat.com/show_bug.cgi?id=1880149
> Could you please try the workaround mentioned there?

bingo! Thanks a lot!

It is interesting behavior as my engine has no public ipv6 address (ipv6 is set to ignore in nm).

also

[root@ovirt ~]# ping6 google.com
connect: Network is unreachable

but ok, problem is solved :-)

Jiri

On Thu, Oct 1, 2020 at 3:18 PM Jiří Sléžka <jiri.slezka@slu.cz> wrote:
> Hi,
>
> On 10/1/20 2:53 PM, Martin Perina wrote:
> > Hi,
> >
> > it seems that you are affected by
> > https://bugzilla.redhat.com/show_bug.cgi?id=1880149
> > Could you please try the workaround mentioned there?
>
> bingo! Thanks a lot!
>
> It is interesting behavior as my engine has no public ipv6 address (ipv6 is set to ignore in nm).
>
> also
>
> [root@ovirt ~]# ping6 google.com
> connect: Network is unreachable
>
> but ok, problem is solved :-)

Most probably your LDAP server can be resolved to both IPv4 and IPv6 addresses and we choose a random resolved address in aaa-ldap when connecting. Enabling IPv6 by default was introduced in https://bugzilla.redhat.com/1726189 but unfortunately we have missed this scenario (engine IPv4, LDAP dual IPv4/IPv6) during testing ...
-- Martin Perina Manager, Software Engineering Red Hat Czech s.r.o.
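
The scenario described in the message above (an LDAP name that resolves to both IPv4 and IPv6, an engine with IPv4 connectivity only, and a client that connects to one randomly chosen resolved address) can be checked by probing every resolved address separately. This is an added example, not code from the thread or from oVirt; the host name ldap.example.test, the documentation-range addresses and the fake resolver and connector are constructed so the demo runs offline.

```python
import errno
import socket
from collections import namedtuple

Probe = namedtuple("Probe", "family address ok error")
FAMILY_NAMES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}


def resolve_all(host, port, resolver=socket.getaddrinfo):
    """Return every (family, address) the name resolves to, de-duplicated, in resolver order."""
    seen, found = set(), []
    for family, _type, _proto, _canon, sockaddr in resolver(host, port, type=socket.SOCK_STREAM):
        key = (family, sockaddr[0])
        if family in FAMILY_NAMES and key not in seen:
            seen.add(key)
            found.append(key)
    return found


def tcp_connect(family, address, port, timeout=3.0):
    """Open one TCP connection to exactly this address; raises OSError on failure."""
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect((address, port))


def probe_each(host, port, resolver=socket.getaddrinfo, connector=tcp_connect):
    """Probe every resolved address on its own, with no fallback to the next one."""
    results = []
    for family, address in resolve_all(host, port, resolver):
        try:
            connector(family, address, port)
            results.append(Probe(family, address, True, None))
        except OSError as exc:
            results.append(Probe(family, address, False, exc.errno))
    return results


def diagnose(results):
    """Summarise what a client that picks ONE resolved address at random would see."""
    failed = [r for r in results if not r.ok]
    if not results:
        verdict = "no-addresses"
    elif not failed:
        verdict = "all-reachable"
    elif len(failed) == len(results):
        verdict = "unreachable"
    else:
        verdict = "partial"  # some picks work, some fail: intermittent logins
    return {
        "verdict": verdict,
        "unreachable_families": sorted({FAMILY_NAMES[r.family] for r in failed}),
        "random_pick_failure_rate": len(failed) / len(results) if results else 0.0,
        "enetunreach": any(r.error == errno.ENETUNREACH for r in failed),
    }


# --- constructed sample data (not taken from the thread) ---------------------
def fake_resolver(host, port, type=0):
    """Dual-stack answer for a hypothetical LDAP name, shaped like getaddrinfo output."""
    return [
        (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", port, 0, 0)),
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", port)),
    ]


def fake_connector(family, address, port):
    """Simulate a host without IPv6 routing: every IPv6 connect fails with ENETUNREACH."""
    if family == socket.AF_INET6:
        raise OSError(errno.ENETUNREACH, "Network is unreachable")


if __name__ == "__main__":
    probes = probe_each("ldap.example.test", 389, fake_resolver, fake_connector)
    for p in probes:
        state = "ok" if p.ok else "FAILED errno=%s" % p.error
        print("%-4s %-15s %s" % (FAMILY_NAMES[p.family], p.address, state))
    print(diagnose(probes))
```

To run it against a real directory server, call `probe_each(host, port)` with the default resolver and connector from the machine that performs the LDAP bind.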

On 10/1/20 9:41 PM, Martin Perina wrote:
> Most probably your LDAP server can be resolved to both IPv4 and IPv6 addresses and we choose a random resolved address in aaa-ldap when connecting. Enabling IPv6 by default was introduced in https://bugzilla.redhat.com/1726189 but unfortunately we have missed this scenario (engine IPv4, LDAP dual IPv4/IPv6) during testing ...

yes, this is exactly our case. No problem, it is really hard to catch all variants.

Cheers,

Jiri

to get these two hosts into a cluster would i need to castrate them down to nehalem, or would i be able to botch the db for the 2nd host from "EPYC-IBPB" to "Opteron_G5"?

I don't really want to drop them down to nehalem, so either I can botch the 2nd cpu so they are both on opteron_G5 or i'll have to buy a new CPU for host1 to bring it up to "EPYC-IBPB";

I have;

host1;

# vdsm-client Host getCapabilities | grep cpuFlags | tr "," "\n" | grep model_ | sed 's/"//' | sort -n
model_486
model_Conroe
model_cpu64-rhel6
model_kvm32
model_kvm64
model_Nehalem
model_Opteron_G1
model_Opteron_G2
model_Opteron_G3
model_Opteron_G4
model_Opteron_G5 <<<< "AMD FX(tm)-8350 Eight-Core Processor"
model_Penryn
model_pentium
model_pentium2
model_pentium3
model_qemu32
model_qemu64
model_Westmere

host2;

# vdsm-client Host getCapabilities | grep cpuFlags | tr "," "\n" | grep model_ | sed 's/"//' | sort -n
model_486
model_Conroe
model_Dhyana
model_EPYC
model_EPYC-IBPB <<<< "AMD Ryzen 7 1700X Eight-Core Processor"
model_kvm32
model_kvm64
model_Nehalem
model_Opteron_G1
model_Opteron_G2
model_Opteron_G3
model_Penryn
model_pentium
model_pentium2
model_pentium3
model_qemu32
model_qemu64
model_SandyBridge
model_Westmere

Thanks,

Mike

Hi Mike,

In order to add them to a single cluster, you should set them to Opteron_G5 (my FX-8350 is also there), until you replace the host with something more modern.

Of course, you can have your hosts in separate clusters - but then you won't be able to live migrate your VMs.

Best Regards,
Strahil Nikolov

On Saturday, 3 October 2020, 16:50:24 GMT+3, Michael Jones <mj@mikejonesey.co.uk> wrote:
> to get these two hosts into a cluster would i need to castrate them down to nehalem, or would i be able to botch the db for the 2nd host from "EPYC-IBPB" to "Opteron_G5"?

Thanks for the email; unfortunately it seems "Opteron_G5" is not on the 2nd host (guessing it was removed in 4.2 or some strange cpu compat thing);

I upgraded the CPU #consumerism, now both are "model_EPYC-IBPB / EPYC Secure" and clustered.

Kind Regards,
Mike

On 04/10/2020 17:51, Strahil Nikolov wrote:
> Hi Mike,
>
> In order to add them to a single cluster, you should set them to Opteron_G5 (my FX-8350 is also there), until you replace the host with something more modern.
>
> Of course, you can have your hosts in separate clusters - but then you won't be able to live migrate your VMs.
>
> Best Regards,
> Strahil Nikolov

Hi Michael,

I'm running 4.3.10 and I can confirm that Opteron_G5 was not removed.

What is reported by 'virsh -c qemu:///system?authfile=/etc/ovirt-hosted-engine/virsh_auth.conf capabilities' on both hosts?

Best Regards,
Strahil Nikolov

On Wednesday, 7 October 2020, 00:06:08 GMT+3, Michael Jones <mj@mikejonesey.co.uk> wrote:
> Thanks for the email; unfortunately it seems "Opteron_G5" is not on the 2nd host (guessing it was removed in 4.2 or some strange cpu compat thing);
>
> I upgraded the CPU #consumerism, now both are "model_EPYC-IBPB / EPYC Secure" and clustered.
>
> Kind Regards,
> Mike
>
> On 04/10/2020 17:51, Strahil Nikolov wrote:
> > Hi Mike,
> >
> > In order to add them to a single cluster, you should set them to Opteron_G5 (my FX-8350 is also there), until you replace the host with something more modern.
> >
> > Of course, you can have your hosts in separate clusters - but then you won't be able to live migrate your VMs.
> >
> > Best Regards,
> > Strahil Nikolov
participants (4)
- Jiří Sléžka
- Martin Perina
- Michael Jones
- Strahil Nikolov