Description of problem:
Trying to log in via corporate LDAP results in:

Errno::EACCES Permission denied - connect(2)
app/models/auth_sources/auth_source_ldap.rb:162:in `search_for_user_entries'
app/models/auth_sources/auth_source_ldap.rb:39:in `authenticate'
app/models/user.rb:178:in `try_to_login'
app/controllers/users_controller.rb:72:in `login'
app/models/concerns/foreman/thread_session.rb:33:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'

Version-Release number of selected component (if applicable):
Satellite 6.0.4 on RHEL 7

How reproducible:
Always

Steps to Reproduce:
1. Set up Satellite 6.0.4
2. Configure corporate LDAP as an auth source
3. Try to log in with a valid account

Actual results:
Fails to log in with the error above

Expected results:
Successful login

Additional info:
Interestingly, I did not hit this while setting up an AD source.

Running audit2allow gave this:

#!!!! This avc can be allowed using one of the these booleans:
# nis_enabled, authlogin_nsswitch_use_ldap, passenger_can_connect_all
allow passenger_t ldap_port_t:tcp_socket name_connect;

setsebool -P authlogin_nsswitch_use_ldap on

did seem to correct it.
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.
This is strange, are you sure it helped?

tunable_policy(`authlogin_nsswitch_use_ldap',`
	allow nsswitch_domain self:tcp_socket create_socket_perms;
')

tunable_policy(`authlogin_nsswitch_use_ldap',`
	corenet_tcp_sendrecv_generic_if(nsswitch_domain)
	corenet_tcp_sendrecv_generic_node(nsswitch_domain)
	corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
	corenet_tcp_connect_ldap_port(nsswitch_domain)
	corenet_sendrecv_ldap_client_packets(nsswitch_domain)
')

tunable_policy(`authlogin_nsswitch_use_ldap',`
	# Support for LDAPS
	dev_read_rand(nsswitch_domain)
	# LDAP Configuration using encrypted requires
	dev_read_urand(nsswitch_domain)
	sysnet_read_config(nsswitch_domain)
')

tunable_policy(`authlogin_nsswitch_use_ldap',`
	miscfiles_read_generic_certs(nsswitch_domain)
')

optional_policy(`
	tunable_policy(`authlogin_nsswitch_use_ldap',`
		dirsrv_stream_connect(nsswitch_domain)
	')
')

optional_policy(`
	tunable_policy(`authlogin_nsswitch_use_ldap',`
		ldap_read_certs(nsswitch_domain)
		ldap_stream_connect(nsswitch_domain)
	')
')
Created attachment 945367: foreman-debug
This is the denial I see with SELinux enabled:

type=AVC msg=audit(1412866146.560:2789): avc: denied { name_connect } for pid=102294 comm="ruby" dest=636 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
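As an added example (not code from the bug report or from Foreman/Satellite), a small Python scanner that parses raw audit.log text for exactly the denial quoted above (passenger_t name_connect to ldap_port_t on a tcp_socket) and reports the booleans audit2allow named in the original report; the sample audit lines and all function names are constructed for this illustration.

```python
import re

# Constructed sample audit text: the denial from this bug plus two unrelated
# records, so the scanner can be run offline.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1412866146.560:2789): avc:  denied  { name_connect } for  pid=102294 comm="ruby" dest=636 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1412866146.560:2789): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1412866200.100:2801): avc:  denied  { read } for  pid=1 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Booleans audit2allow listed for this denial in the bug report, most specific first.
LDAP_CONNECT_BOOLEANS = ("authlogin_nsswitch_use_ldap", "nis_enabled", "passenger_can_connect_all")


def parse_avc(line):
    """Return a dict of fields for an AVC denial record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # The third colon-separated component of a context is the SELinux type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def is_passenger_ldap_denial(rec):
    """True only for the denial in this bug: passenger_t name_connect to ldap_port_t."""
    return (rec["stype"] == "passenger_t" and rec["ttype"] == "ldap_port_t"
            and rec["tclass"] == "tcp_socket" and "name_connect" in rec["perms"])


def find_ldap_denials(audit_text):
    """Return [(record, candidate booleans)] for every matching denial in the text."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and is_passenger_ldap_denial(rec):
            hits.append((rec, LDAP_CONNECT_BOOLEANS))
    return hits


if __name__ == "__main__":
    for rec, booleans in find_ldap_denials(SAMPLE_AUDIT_LOG):
        print(f"pid={rec['pid']} comm={rec['comm']} dest={rec['dest']} {rec['stype']} -> "
              f"{rec['ttype']} {rec['perms']}; candidate booleans: {', '.join(booleans)}")
```

On a real system feed it the output of `ausearch -m AVC` or the contents of /var/log/audit/audit.log; it only flags this one denial pattern, so other AVCs pass through unreported.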
Hello all, workaround:

setsebool -P passenger_can_connect_all 1
Moving to POST since upstream bug http://projects.theforeman.org/issues/7932 has been closed.

-------------
Anonymous
Applied in changeset commit:aab37c64a87a4b4e332511a050329c9e28be833e.
Could we please push this as an errata update?
Created attachment 1003263: LDAP auth source sat61_rhel71

Tested with the LDAP auth sources below and it works fine:
a) AD
b) IDM

Works fine, no AVC messages seen in /var/log/audit/audit.log.

VERIFIED with sat6.1 on RHEL71
AD: win2008R2
IDM: on RHEL71 with 4.1
Build used: Sat6.1 Beta snap6 compose2
This bug is slated to be released with Satellite 6.1.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592