| Summary: | LDAP authenticates against domain URI instead of LDAP Server URI from SRV records | ||
|---|---|---|---|
| Product: | [Retired] oVirt | Reporter: | Vaclav Ehrlich <vehrlich> |
| Component: | ovirt-engine-core | Assignee: | Oved Ourfali <oourfali> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | acathrow, djasa, iheim, oourfali, tpelka, ykaul |
| Target Milestone: | --- | ||
| Target Release: | 3.1 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-08-09 08:05:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |
Created attachment 556270 [details]
ovirt-engine log

Description of problem:
User could not be authenticated, because oVirt wants to connect to a bad LDAP URI.

Version-Release number of selected component (if applicable):
ovirt-engine-3.0.0_0001-1.2.fc16.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install and set up oVirt
2. Start jboss-as (if it is not running)
3. Open a browser, connect to the oVirt management page and try to log in with proper credentials

Actual results:
User is not logged in, because the LDAP URI used for authentication is not valid

Expected results:
User is logged in to the system

Additional info:
```
[root@ovirt ~]# engine-manage-domains -action=validate
Domain spice.lab.eng.brq.redhat.com is valid.
Manage Domains completed successfully
[root@ovirt ~]# engine-manage-domains -action=list
Domain: spice.lab.eng.brq.redhat.com
User name: vdcadmin.ENG.BRQ.REDHAT.COM
This domain is a remote domain.
Manage Domains completed successfully
[root@ovirt ~]# host -t SRV _ldap._tcp.spice.lab.eng.brq.redhat.com
_ldap._tcp.spice.lab.eng.brq.redhat.com has SRV record 0 0 389 ad.spice.lab.eng.brq.redhat.com.
```

Created attachment 556297 [details]
capture of DNS traffic of: engine-manage-domains -action=validate

Created attachment 556298 [details]
capture of DNS traffic when Admin Portal loads

Created attachment 556299 [details]
capture of DNS traffic when user tries to authenticate in Admin Portal

These three captures were taken on the oVirt machine. They show that the domain is configured correctly (as engine-manage-domains -action=validate shows) but then the engine tries to reach LDAP on itself, which results in USER_FAILED_TO_AUTHENTICATE_CONNECTION_ERROR presented to the user.

Does it reproduce also after restarting the ovirt engine?
The reason for using the URI is that we don't find the LDAP SRV record. I see that it exists, but when the engine started it couldn't find it.

In case it indeed reproduces upon startup, the DNS traffic upon startup can help us understand the problem.

Proposed commit: http://gerrit.ovirt.org/#change,1184

Created attachment 557243 [details]
capture of DNS traffic when ovirt-engine/jboss-as start

I hope that this comment doesn't come too late...

(In reply to comment #4)
> Does it reproduce also after restarting the ovirt engine?
>
Yes, it does.

> The reason of using URI is once we don't find the LDAP SRV record.
> I see that it exists, but when the engine started he couldn't find it.
>
> In case it indeed reproduces upon startup, the DNS traffic upon startup can
> help us understand the problem.

Attached. Note that oVirt does _not_ ask for SRV records, it just goes through a series of trial and error with A and PTR records. You can also see another domain whose configuration looks almost the same but authentication against it works:
```
Domain: rhev.lab.eng.brq.redhat.com
User name: vdcadmin.ENG.BRQ.REDHAT.COM
This domain is a remote domain.
```
Note that the A record for the rhev.lab.<...> domain points to the IP of the AD, so oVirt assumes the AD is not there. This is not the case with the spice.lab.<...> domain, so when oVirt does not ask for the SRV record of _ldap._tcp.spice.<...>, it's clear that it has no clue where the AD server is. This is a clear blocker if not fixed by the previous commit IMO.

Created attachment 557496 [details]
capture of DNS traffic: rhevm start to display of webadmin page

RHEV-M, unlike oVirt, employs no guesswork and asks correctly for the _ldap._tcp.<domain> SRV record. Oved, could you have a quick look at whether your commit indeed fixes the issue, or guide me to verify it?

The commit should fix the issue. The problem was a class loading issue with the classes used to do the DNS queries. The commit adds these classes to the correct jboss module.

Confirmed on my setup: doing the source modifications manually (module.xml was not yet updated in -3.0.0_0001-1.3.fc16.x86_64), the setup started working for me.

closing ON_QA bugs as oVirt 3.1 was released: http://www.ovirt.org/get-ovirt/
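The SRV-to-URI logic the thread discusses, as an added example that is not oVirt's own code (the actual fix was a JBoss module change, not new lookup code): given the _ldap._tcp.<domain> SRV answers, it builds ldap:// URIs in priority order and falls back to the bare domain URI only when no record was found, returning a flag so that the fallback can be logged rather than silently connecting to the wrong host. All function and type names are assumptions; the sample SRV answer is the one quoted in the bug description.

```python
# Added example (not oVirt code): SRV-based LDAP server discovery with the
# domain-URI fallback this bug is about. Input is the RDATA of the
# _ldap._tcp.<domain> SRV answers, e.g. as printed by `host -t SRV`;
# an empty list stands for a failed or absent lookup.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(rdata: str) -> SrvRecord:
    """Parse one SRV RDATA string: '<priority> <weight> <port> <target>'."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"malformed SRV RDATA: {rdata!r}")
    prio, weight, port, target = fields
    return SrvRecord(int(prio), int(weight), int(port), target.rstrip("."))


def ldap_uris(domain: str, srv_rdata: List[str]) -> Tuple[List[str], bool]:
    """Return (candidate ldap:// URIs in order, used_fallback).

    With SRV answers: order by ascending priority, then descending weight
    (a deterministic stand-in for RFC 2782's weighted random pick) and build
    ldap://<target>:<port>. Without them: fall back to ldap://<domain>:389,
    which only works if the domain's A record points at a directory server.
    The flag lets the caller log that the fallback was taken, which is the
    symptom seen in this report.
    """
    records = [parse_srv(r) for r in srv_rdata]
    if not records:
        return [f"ldap://{domain}:389"], True
    records.sort(key=lambda r: (r.priority, -r.weight))
    return [f"ldap://{r.target}:{r.port}" for r in records], False


if __name__ == "__main__":
    # Constructed input: the SRV answer quoted in the bug description.
    domain = "spice.lab.eng.brq.redhat.com"
    answers = ["0 0 389 ad.spice.lab.eng.brq.redhat.com."]
    print(ldap_uris(domain, answers))   # SRV found, no fallback
    print(ldap_uris(domain, []))        # lookup failed, fallback to domain URI
```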