Bug 1156585

Summary: LDAP authentication fails when minssf is > 0 on IPA server
Product: Red Hat OpenStack
Reporter: James W. Mills <jamills>
Component: openstack-keystone
Assignee: Nathan Kinder <nkinder>
Status: CLOSED NOTABUG
QA Contact: Udi Kalifon <ukalifon>
Severity: medium
Docs Contact:
Priority: medium
Version: 5.0 (RHEL 7)
CC: ayoung, jamills, yeylon
Target Milestone: ---
Target Release: 6.0 (Juno)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-27 04:58:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
tcpdump -nn -vv -s0 -w /tmp/RHOSldapminssf1.cap port 389 on IPA server (RHEL 6.6) with minssf set to 1 (flags: none)

Description James W. Mills 2014-10-24 17:20:33 UTC
Created attachment 950452
tcpdump -nn -vv -s0 -w /tmp/RHOSldapminssf1.cap port 389 on IPA server (RHEL 6.6) with minssf set to 1

Description of problem:

When nsslapd-minssf is set > 0, keystone fails to authenticate.


Version-Release number of selected component (if applicable):

RHOS5 (RHEL7)

How reproducible:

100%

Steps to Reproduce:
1. Install RHEL 6.6 IPA server
2. Set nsslapd-minssf to 1 on IPA server
3. keystone user-list

Actual results:

# keystone user-list
Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'info': 'Minimum SSF not met.', 'desc': 'Server is unwilling to perform'} (HTTP 500)


Expected results:

list of users from LDAP


Additional info:

This bug is the second of three that deal with the scenario where a customer is running IPA and using it to authenticate RHEV and RHOS5.  As of IPA 6.6, RHEV requires minssf to be set to >0 in order to authenticate against IPA, which breaks RHOS5.

RHEV bug is here:  https://bugzilla.redhat.com/show_bug.cgi?id=1156577

It contains tcpdumps of RHEV attempting to communicate when minssf is set to 0

I am attaching a tcpdump for RHOS5 when minssf is set to 1.

Comment 2 Nathan Kinder 2014-10-24 17:38:14 UTC
Is Keystone configured to use LDAPS or TLS?

The whole point of minssf is to require integrity (SSF=1) or confidentiality (SSF>=2).  Integrity alone is not possible with Keystone, as it only supports the LDAP simple bind operation and doesn't have SASL bind support.  This means that encryption is required to have a SSF > 0.

Comment 3 Nathan Kinder 2014-10-24 17:46:22 UTC
The packet trace shows that the traffic is in the clear, so encryption needs to be enabled for the LDAP connection between Keystone and IPA.  This is very highly recommended anyway, as user passwords are transmitted over the wire in the clear for simple bind attempts.
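Comments 2 and 3 turn on one observation: Keystone only issues LDAP simple binds, so with a plain ldap:// URL the bind DN and password cross the wire in the clear and the server's minssf check rejects them. The following is an added example, not code from this bug or from Keystone: a small BER decoder for the LDAP BindRequest PDU that a defender can run over captured port-389 payloads to confirm whether a client is doing cleartext simple binds. The sample bytes (bind DN, password, client address) are constructed for the example and are not taken from the attached capture.

```python
def _tlv(tag, value):
    """BER-encode one short-form TLV (value shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value


def _read_tlv(buf, pos=0):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(payload):
    """Return details of an LDAP BindRequest, or None if payload is not one.

    LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
    BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name OCTET STRING,
                     authentication CHOICE { simple [0] OCTET STRING, sasl [3] ... } }
    """
    if not payload or payload[0] != 0x30:   # TLS records start 0x16, not SEQUENCE
        return None
    _, msg, _ = _read_tlv(payload)
    id_tag, msg_id, pos = _read_tlv(msg)
    op_tag, bind, _ = _read_tlv(msg, pos)
    if id_tag != 0x02 or op_tag != 0x60:    # 0x60 = [APPLICATION 0], constructed
        return None
    _, version, pos = _read_tlv(bind)
    _, name, pos = _read_tlv(bind, pos)
    auth_tag, cred, _ = _read_tlv(bind, pos)
    mech = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
    return {"message_id": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(version, "big"),
            "bind_dn": name.decode("utf-8", "replace"),
            "mechanism": mech,
            "password_bytes": len(cred) if mech == "simple" else 0}


def audit_segments(segments):
    """Flag (client, dst_port, payload) tuples carrying a cleartext simple bind."""
    findings = []
    for client, port, payload in segments:
        req = parse_bind_request(payload)
        if req and req["mechanism"] == "simple" and port == 389:
            findings.append(f"{client}: simple bind as {req['bind_dn']} over ldap:// "
                            f"({req['password_bytes']}-byte password in the clear)")
    return findings


# Constructed sample traffic: one cleartext simple bind on 389, one TLS record on 636.
SIMPLE_BIND = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x60,
    _tlv(0x02, b"\x03") + _tlv(0x04, b"cn=keystone,dc=example,dc=com")
    + _tlv(0x80, b"secret")))
TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
SAMPLE = [("10.0.0.5", 389, SIMPLE_BIND), ("10.0.0.5", 636, TLS_HELLO)]
```

Payload bytes for real traffic would come from the TCP stream of a capture such as the one attached to this bug; a TLS-wrapped bind (ldaps:// or StartTLS) never yields a parsable SEQUENCE, which is exactly the state Comment 3 asks for.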