Bug 1118251 - [AAA] When no trusted certificate is found in truststore, ignore that extension configuration
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: ovirt-engine-extension-aaa-ldap
Classification: oVirt
Component: RFEs
Version: 1.0.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Alon Bar-Lev
QA Contact: Ondra Machacek
URL:
Whiteboard: infra
Depends On:
Blocks: oVirt-AAA-LDAP
 
Reported: 2014-07-10 09:46 UTC by Ondra Machacek
Modified: 2016-02-10 19:16 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-08-14 11:54:28 UTC
oVirt Team: Infra
Embargoed:


Attachments
engine.log (24.71 KB, text/x-log)
2014-07-10 09:46 UTC, Ondra Machacek

Description Ondra Machacek 2014-07-10 09:46:30 UTC
Created attachment 917033
engine.log

Description of problem:


Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-0.0.0-0.0.master.el6_5.noarch
ovirt-engine-extensions-api-impl-3.5.0-0.0.master.20140629172257.git0b16ed7.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. create truststore with invalid certificate for domain
   and set it as the AD truststore
pool.default.ssl.truststore.file = /tmp/ad.ts

Actual results:
extension is added but is not working [see attachment engine.log]

Expected results:
1) extension is ignored with proper log message why it's ignored
or
2) extension is added and a proper message is shown to the user why it is not working

if 2), then this is connected with bug 1106435


Additional info:

2014-07-10 11:26:01,370 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-2) Cannot initialize LDAP framework, deferring initialization. Error: The connection reader was unable to successfully complete TLS negotiation:  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found caused by sun.security.validator.ValidatorException: No trusted certificate found
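The handshake failure quoted above is the condition an operator would want to detect before the extension is enabled. The following pre-flight check is an added example, not code from the extension or the oVirt project: it loads the file named by pool.default.ssl.truststore.file, attempts a TLS handshake to the directory server with only that truststore, and reports the "no trusted certificate" case explicitly instead of leaving it to a deferred initialization. The host, port and password in main() are illustrative placeholders; the truststore path is the one from the report.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Pre-flight check: does the configured truststore actually trust the LDAPS server? */
public class TruststorePreflight {

    public static String check(String truststorePath, char[] password,
                               String ldapHost, int ldapsPort) {
        try {
            // Load the truststore named by pool.default.ssl.truststore.file (JKS assumed).
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(truststorePath)) {
                ts.load(in, password);
            }
            if (ts.size() == 0) {
                return "REJECT: truststore " + truststorePath + " contains no certificates";
            }
            // Build an SSLContext that trusts only what is in that file, nothing else.
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            SSLSocketFactory sf = ctx.getSocketFactory();
            try (SSLSocket s = (SSLSocket) sf.createSocket(ldapHost, ldapsPort)) {
                s.setSoTimeout(5000);
                // Also verify the server name against the certificate, as an LDAPS client should.
                SSLParameters p = s.getSSLParameters();
                p.setEndpointIdentificationAlgorithm("LDAPS");
                s.setSSLParameters(p);
                s.startHandshake(); // throws if the server chain is not anchored in the truststore
            }
            return "OK: " + ldapHost + ":" + ldapsPort + " chains to a certificate in " + truststorePath;
        } catch (SSLHandshakeException e) {
            // The case from the report: "No trusted certificate found".
            return "REJECT: TLS handshake with " + ldapHost + " failed: " + e.getMessage();
        } catch (Exception e) {
            return "REJECT: cannot use truststore " + truststorePath + ": " + e;
        }
    }

    public static void main(String[] args) {
        // Placeholder host, port and password; /tmp/ad.ts is the path from the bug report.
        System.out.println(check("/tmp/ad.ts", "changeit".toCharArray(), "ad.example.com", 636));
    }
}
```

A REJECT result is the point at which the configuration should be refused or logged loudly, rather than the extension being registered with a connection that can never be used.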

Comment 1 Alon Bar-Lev 2014-07-10 10:07:48 UTC
I do not understand the problem.

If untrusted SSL connection is found extension should not permit ldap usage.

Comment 2 Ondra Machacek 2014-07-10 10:15:33 UTC
Well, then ignore that extension configuration.
Current situation is that it can be used, with NPE in log.

Comment 3 Alon Bar-Lev 2014-07-10 10:18:24 UTC
(In reply to Ondra Machacek from comment #2)
> Well, then ignore that extension configuration.
> Current situation is that it can be used, with NPE in log.

if there is an NPE exception in engine log, please open a separate bug on engine.

extension cannot be disabled, as problem may be temporary.

please close this bug if the extension behaves as designed.

Comment 4 Oved Ourfali 2014-07-13 08:18:29 UTC
Marking it as 3.5.0, if a fix is needed.
If not, please close this bug.

Comment 5 Ondra Machacek 2014-07-14 19:14:19 UTC
Closing, as this is engine bug.

Comment 6 Sven Kieske 2014-07-15 07:27:43 UTC
then please don't close as "not a bug" but reassign to the correct component?
or if there is already a bug open for this on engine side close as duplicate?
Thanks.

Comment 7 Alon Bar-Lev 2014-07-15 08:17:35 UTC
(In reply to Sven Kieske from comment #6)
> then please don't close as "not a bug" but reassign to the correct component?
> or if there is already a bug open for this on engine side close as duplicate?
> Thanks.

the behavior request is to be closed.

a new specific bug can be opened with proper description.

moving around bugs with long history that is not entirely relevant is confusing.

Comment 8 Pavel Stehlik 2014-08-06 11:26:42 UTC
(In reply to Alon Bar-Lev from comment #7)
> (In reply to Sven Kieske from comment #6)
> > then please don't close as "not a bug" but reassign to the correct component?
> > or if there is already a bug open for this on engine side close as duplicate?
> > Thanks.
> 
> the behavior request is to be closed.
> 
> a new specific bug can be opened with proper description.
> 
> moving around bugs with long history that is not entirely relevant is
> confusing.

For sure this is BZ, thus can't be closed as NOTABUG.

*** This bug has been marked as a duplicate of bug 1117488 ***

Comment 9 Alon Bar-Lev 2014-08-06 11:31:03 UTC
I am sorry, but reclosing as notabug, as ignoring truststore/disable extension is not to be done, nor duplicate of bug#1117488

please ping me if you disagree, and we discuss.

Comment 10 Pavel Stehlik 2014-08-14 08:15:11 UTC
Feel free to explain here, why you insist on NOTABUG solution. 
Based on above, feel free either WONTFIX or keep in standard workflow - thus for this time ASSIGNED.

Comment 11 Alon Bar-Lev 2014-08-14 11:54:28 UTC
whatever needed in order to keep this closed.

