Bug 1151093 - attempting to log in via LDAP auth source configured in Sat 6 on RHEL 7 gives connection error
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.0.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Kedar Bidarkar
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
Reported: 2014-10-09 14:54 UTC by Jason Montleon
Modified: 2019-08-15 04:00 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-12 05:17:48 UTC
Target Upstream Version:
Embargoed:


Attachments
foreman-debug (576.78 KB, application/x-xz), 2014-10-09 15:31 UTC, Jason Montleon
LDAP auth source sat61_rhel71 (40.92 KB, image/png), 2015-03-18 14:39 UTC, Kedar Bidarkar


Links
Red Hat Knowledge Base (Solution) 1229603 (private: 0, priority: None, status: None, summary: None, last updated: Never)
Red Hat Product Errata RHSA-2015:1592 (private: 0, priority: normal, status: SHIPPED_LIVE, summary: Important: Red Hat Satellite 6.1.1 on RHEL 6, last updated: 2015-08-12 09:04:35 UTC)

Description Jason Montleon 2014-10-09 14:54:53 UTC
Description of problem:
Trying to log in via corporate LDAP results in:
Errno::EACCES
Permission denied - connect(2)
app/models/auth_sources/auth_source_ldap.rb:162:in `search_for_user_entries'
app/models/auth_sources/auth_source_ldap.rb:39:in `authenticate'
app/models/user.rb:178:in `try_to_login'
app/controllers/users_controller.rb:72:in `login'
app/models/concerns/foreman/thread_session.rb:33:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'

Version-Release number of selected component (if applicable):
Satellite 6.0.4 on RHEL 7

How reproducible:
Always

Steps to Reproduce:
1. Set up Satellite 6.0.4
2. Configure corporate LDAP as an auth source
3. Try to log in with a valid account

Actual results:
fails to log in with error above

Expected results:
Successful login

Additional info:
Interestingly I did not hit this while setting up an AD source. Running audit2allow gave this:

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, authlogin_nsswitch_use_ldap, passenger_can_connect_all
allow passenger_t ldap_port_t:tcp_socket name_connect;

setsebool -P authlogin_nsswitch_use_ldap on did seem to correct it.

Comment 1 RHEL Program Management 2014-10-09 15:13:05 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Lukas Zapletal 2014-10-09 15:23:31 UTC
This is strange, are you sure it helped?

tunable_policy(`authlogin_nsswitch_use_ldap',`
    allow nsswitch_domain self:tcp_socket create_socket_perms;
')

tunable_policy(`authlogin_nsswitch_use_ldap',`
	corenet_tcp_sendrecv_generic_if(nsswitch_domain)
	corenet_tcp_sendrecv_generic_node(nsswitch_domain)
	corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
	corenet_tcp_connect_ldap_port(nsswitch_domain)
	corenet_sendrecv_ldap_client_packets(nsswitch_domain)
')

tunable_policy(`authlogin_nsswitch_use_ldap',`
	# Support for LDAPS
	dev_read_rand(nsswitch_domain)
	# LDAP Configuration using encrypted requires
	dev_read_urand(nsswitch_domain)
	sysnet_read_config(nsswitch_domain)
')

tunable_policy(`authlogin_nsswitch_use_ldap',`
	miscfiles_read_generic_certs(nsswitch_domain)
')

optional_policy(`
	tunable_policy(`authlogin_nsswitch_use_ldap',`
		dirsrv_stream_connect(nsswitch_domain)
	')
')

optional_policy(`
	tunable_policy(`authlogin_nsswitch_use_ldap',`
		ldap_read_certs(nsswitch_domain)
		ldap_stream_connect(nsswitch_domain)
	')
')

Comment 4 Jason Montleon 2014-10-09 15:31:23 UTC
Created attachment 945367 [details]
foreman-debug

Comment 5 Jason Montleon 2014-10-09 15:31:50 UTC
This is the denial I see with SELinux enabled:

type=AVC msg=audit(1412866146.560:2789): avc:  denied  { name_connect } for  pid=102294 comm="ruby" dest=636 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
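
As an added illustration (not from the bug report or the Foreman project), here is a small parser that picks the name_connect denial above out of audit.log records and maps the passenger_t -> ldap_port_t case to the three booleans audit2allow listed in the description; the sample log lines other than the quoted AVC record are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed audit.log excerpt: the first AVC record is the one quoted in the
# bug report; the SYSCALL line and the second AVC (a PostgreSQL port) are
# made-up filler to show that unrelated records are classified differently.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1412866146.560:2789): avc:  denied  { name_connect } for  pid=102294 comm="ruby" dest=636 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1412866146.560:2789): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1412866200.100:2790): avc:  denied  { name_connect } for  pid=102300 comm="ruby" dest=5432 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
"""
# Booleans audit2allow named for this denial in the report; the last one lets
# passenger_t connect to every port, so it is the broadest of the three.
LDAP_CONNECT_BOOLEANS = ["nis_enabled", "authlogin_nsswitch_use_ldap", "passenger_can_connect_all"]
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class AvcDenial:
    perms: Set[str]
    source_type: str          # process domain, e.g. passenger_t
    target_type: str          # object type, e.g. ldap_port_t
    tclass: str
    dest_port: Optional[int]  # present for network objects, e.g. 636 (LDAPS)
def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit record; return None unless it is an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    dest = fields.get("dest", "")
    return AvcDenial(
        perms=set(m.group("perms").split()),
        source_type=fields["scontext"].split(":")[2],
        target_type=fields["tcontext"].split(":")[2],
        tclass=fields.get("tclass", ""),
        dest_port=int(dest) if dest.isdigit() else None,
    )
def denials_from_log(text: str) -> List[AvcDenial]:
    return [d for d in map(parse_avc, text.splitlines()) if d is not None]
def is_ldap_connect_denial(d: AvcDenial) -> bool:
    """The pattern from this bug: a TCP connect to a port labelled ldap_port_t."""
    return d.tclass == "tcp_socket" and "name_connect" in d.perms and d.target_type == "ldap_port_t"
def suggested_booleans(d: AvcDenial) -> List[str]:
    """Booleans quoted in the report, only for the passenger_t -> ldap_port_t case."""
    if d.source_type == "passenger_t" and is_ldap_connect_denial(d):
        return list(LDAP_CONNECT_BOOLEANS)
    return []
```

Running `denials_from_log` over a real /var/log/audit/audit.log shows whether the only denials are the LDAP port connects, which is the case where one of the narrower booleans suffices.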

Comment 9 Lukas Zapletal 2014-10-14 06:49:15 UTC
Hello all,

workaround:

setsebool -P passenger_can_connect_all on

Comment 10 Bryan Kearney 2014-10-21 10:04:47 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/7932 has been closed
-------------
Anonymous
Applied in changeset commit:aab37c64a87a4b4e332511a050329c9e28be833e.

Comment 11 Marcus Moeller 2015-02-03 14:09:05 UTC
Could we please push this as an errata update?

Comment 15 Kedar Bidarkar 2015-03-18 14:39:36 UTC
Created attachment 1003263 [details]
LDAP auth source sat61_rhel71

Tested with the LDAP auth sources below and it works fine.

a) AD
b) IDM

Works fine, no AVC messages seen in /var/log/audit/audit.log.

VERIFIED with sat6.1 on RHEL71
AD win2008R2
IDM on RHEL71 with 4.1

build used Sat6.1 Beta snap6 compose2

Comment 16 Bryan Kearney 2015-08-11 13:28:00 UTC
This bug is slated to be released with Satellite 6.1.

Comment 17 errata-xmlrpc 2015-08-12 05:17:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592

