Bug 1151093

Summary: attempting to log in via LDAP auth source configured in Sat 6 on RHEL 7 gives connection error
Product: Red Hat Satellite
Reporter: Jason Montleon <jmontleo>
Component: SELinux
Assignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA
QA Contact: Kedar Bidarkar <kbidarka>
Severity: medium
Priority: medium
Version: 6.0.4
CC: aladen, aupadhye, bbuckingham, dkaylor, kbidarka, marcus.moeller, sthirugn, tbily, xdmoon
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/7932
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-08-12 05:17:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Attachments (Description / Flags):
foreman-debug / none
LDAP auth source sat61_rhel71 / none

Description Jason Montleon 2014-10-09 14:54:53 UTC
Description of problem:
Trying to log in via corporate LDAP results in:
Errno::EACCES
Permission denied - connect(2)
app/models/auth_sources/auth_source_ldap.rb:162:in `search_for_user_entries'
app/models/auth_sources/auth_source_ldap.rb:39:in `authenticate'
app/models/user.rb:178:in `try_to_login'
app/controllers/users_controller.rb:72:in `login'
app/models/concerns/foreman/thread_session.rb:33:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'

Version-Release number of selected component (if applicable):
Satellite 6.0.4 on RHEL 7

How reproducible:
Always

Steps to Reproduce:
1. Set up Satellite 6.0.4
2. Configure corporate LDAP as an auth source
3. Try to log in with a valid account

Actual results:
Fails to log in with the error above.

Expected results:
Successful login

Additional info:
Interestingly, I did not hit this while setting up an AD source. Running audit2allow gave this:

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, authlogin_nsswitch_use_ldap, passenger_can_connect_all
allow passenger_t ldap_port_t:tcp_socket name_connect;

setsebool -P authlogin_nsswitch_use_ldap on did seem to correct it.

Comment 1 RHEL Program Management 2014-10-09 15:13:05 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Lukas Zapletal 2014-10-09 15:23:31 UTC
This is strange; are you sure it helped?

tunable_policy(`authlogin_nsswitch_use_ldap',`
    allow nsswitch_domain self:tcp_socket create_socket_perms;
')

tunable_policy(`authlogin_nsswitch_use_ldap',`
	corenet_tcp_sendrecv_generic_if(nsswitch_domain)
	corenet_tcp_sendrecv_generic_node(nsswitch_domain)
	corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
	corenet_tcp_connect_ldap_port(nsswitch_domain)
	corenet_sendrecv_ldap_client_packets(nsswitch_domain)
')

tunable_policy(`authlogin_nsswitch_use_ldap',`
	# Support for LDAPS
	dev_read_rand(nsswitch_domain)
	# LDAP Configuration using encrypted requires
	dev_read_urand(nsswitch_domain)
	sysnet_read_config(nsswitch_domain)
')

tunable_policy(`authlogin_nsswitch_use_ldap',`
	miscfiles_read_generic_certs(nsswitch_domain)
')

optional_policy(`
	tunable_policy(`authlogin_nsswitch_use_ldap',`
		dirsrv_stream_connect(nsswitch_domain)
	')
')

optional_policy(`
	tunable_policy(`authlogin_nsswitch_use_ldap',`
		ldap_read_certs(nsswitch_domain)
		ldap_stream_connect(nsswitch_domain)
	')
')

Comment 4 Jason Montleon 2014-10-09 15:31:23 UTC
Created attachment 945367 [details]
foreman-debug

Comment 5 Jason Montleon 2014-10-09 15:31:50 UTC
This is the denial I see with SELinux enabled:

type=AVC msg=audit(1412866146.560:2789): avc:  denied  { name_connect } for  pid=102294 comm="ruby" dest=636 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
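
The denial above is the one thing to look for in /var/log/audit/audit.log when checking whether the fix (or either workaround boolean) took effect. As an added example that is not part of this bug report, here is a small bash helper that pulls the permission, source type, target type, object class and destination port out of audit AVC lines and flags the passenger_t to ldap_port_t name_connect case; the log lines it scans are constructed to mirror comment 5, and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not from the bug report. Parses SELinux AVC denial lines from an
# audit.log-style file and reports denials originating from a given source domain.

# Value of "key=..." on one audit line (empty string if the key is absent).
avc_field() {
  printf '%s\n' "$1" | grep -oE "(^| )$2=[^ ]*" | head -n 1 | cut -d= -f2-
}

# SELinux type (third field) of a context such as system_u:system_r:passenger_t:s0.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# For every AVC denial in file $1 whose source type is $2 (default passenger_t),
# print: <permission(s)> <source type> <target type> <tclass> <dest port or ->
avc_denials() {
  local log="$1" want="${2:-passenger_t}" line perm src tgt cls dest
  grep 'avc: *denied' "$log" | while IFS= read -r line; do
    src=$(ctx_type "$(avc_field "$line" scontext)")
    [ "$src" = "$want" ] || continue
    perm=$(printf '%s\n' "$line" | sed -E 's/.*denied +\{ *([^}]*[^ }]) *\}.*/\1/')
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    dest=$(avc_field "$line" dest); [ -n "$dest" ] || dest=-
    printf '%s %s %s %s %s\n' "$perm" "$src" "$tgt" "$cls" "$dest"
  done
}

# Succeeds (exit 0) only if the log holds no passenger_t -> ldap_port_t name_connect
# denial, i.e. the state comment 15 describes as verified.
ldap_clean() {
  ! avc_denials "$1" passenger_t | grep -q '^name_connect passenger_t ldap_port_t tcp_socket '
}

# Constructed sample log: line 1 mirrors comment 5, line 2 is an unrelated denial
# from another domain, line 3 is not an AVC record at all.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1412866146.560:2789): avc:  denied  { name_connect } for  pid=102294 comm="ruby" dest=636 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1412866200.001:2790): avc:  denied  { read } for  pid=1234 comm="httpd" name="foo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=USER_AUTH msg=audit(1412866201.000:2791): pid=1 uid=0 msg='op=PAM:authentication'
EOF

avc_denials "$SAMPLE_LOG"            # name_connect passenger_t ldap_port_t tcp_socket 636
ldap_clean "$SAMPLE_LOG" || echo "LDAP connect denial present; passenger cannot reach LDAPS (636)"
```

Run it against a real /var/log/audit/audit.log after enabling the auth source; an empty result from `avc_denials` and a zero exit from `ldap_clean` is what a successful LDAP login with SELinux enforcing should look like.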

Comment 9 Lukas Zapletal 2014-10-14 06:49:15 UTC
Hello all,

Workaround:

setsebool -P passenger_can_connect_all

Comment 10 Bryan Kearney 2014-10-21 10:04:47 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/7932 has been closed
-------------
Anonymous
Applied in changeset commit:aab37c64a87a4b4e332511a050329c9e28be833e.

Comment 11 Marcus Moeller 2015-02-03 14:09:05 UTC
Could we please push this as an errata update?

Comment 15 Kedar Bidarkar 2015-03-18 14:39:36 UTC
Created attachment 1003263 [details]
LDAP auth source sat61_rhel71

Tested with the LDAP auth sources below and it works fine.

a) AD 
b) IDM

Works fine, no AVC messages seen in /var/log/audit/audit.log.

VERIFIED with sat6.1 on RHEL71
AD win2008R2
IDM on RHEL71 with 4.1

Build used: Sat6.1 Beta snap6 compose2

Comment 16 Bryan Kearney 2015-08-11 13:28:00 UTC
This bug is slated to be released with Satellite 6.1.

Comment 17 errata-xmlrpc 2015-08-12 05:17:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592