Bug 1275103 - Setup with SSL fails if anonymous access is forbidden
Product: ovirt-engine-extension-aaa-ldap
Classification: oVirt
Component: Setup
Severity: high
Assigned To: Alon Bar-Lev
Ondra Machacek
Reported: 2015-10-25 18:08 EDT by Jacek Kowalski
Modified: 2016-01-04 00:41 EST
Doc Type: Bug Fix
Last Closed: 2015-10-25 18:49:35 EDT
Type: Bug
Description Jacek Kowalski 2015-10-25 18:08:14 EDT
Description of problem:

When trying to configure this extension using ovirt-engine-extension-aaa-ldap-setup for FreeIPA, it is impossible to finish the installation, because setup continuously asks for a certificate while the connection fails with the error 'Anonymous access is not allowed.'

Version-Release number of selected component (if applicable):

Name        : ovirt-engine-extension-aaa-ldap-setup
Arch        : noarch
Version     : 1.1.0
Release     : 1.el7.centos
Repo        : installed
From repo   : ovirt-3.6

How reproducible:


Steps to Reproduce:

1. Configure LDAP server not to allow anonymous access.
2. Enable STARTTLS in LDAP server.
3. Try to configure such server with ovirt-engine-extension-aaa-ldap-setup.

Actual results:

          Please select protocol to use (startTLS, ldaps, plain) [startTLS]: 
          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): Inline
          Please paste CA certificate
          type '--=451b80dc-996f-432e-9e4f-2b29ef6d1141=--' in own line to mark end.
/* CUT */
[ INFO  ] Connecting to LDAP using 'ldap://ipa.local:389'
[ INFO  ] Executing startTLS
[WARNING] Cannot connect using 'ldap://ipa.local:389': {'info': 'Anonymous access is not allowed.', 'desc': 'Inappropriate authentication'}
[ ERROR ] Cannot connect using any of available options
          Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): 

And this loop continues.
Comment 1 Alon Bar-Lev 2015-10-25 18:30:08 EDT
Please attach setup log.

startTLS and rootDSE access should be enabled as anonymous [1][2]. I need a log to confirm that, but having a restricted rootDSE is something that is not expected and is supported only using manual configuration.

[1] https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/disabling-anon-binds.html
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/disabling-anon-binds.html
Comment 2 Jacek Kowalski 2015-10-25 18:49:35 EDT
Thanks! You are right - nsslapd-allow-anonymous-access was set to off. My bad.
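
Added example, not part of the bug thread or the project's code: a shell sketch that probes whether an anonymous rootDSE read over StartTLS works (the check the setup tool depends on) and emits the LDIF that keeps anonymous binds disabled while allowing rootDSE reads. It assumes the OpenLDAP client tools and a 389 Directory Server backend; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Function names are illustrative, not from the project.

# LDIF that permits anonymous reads of the rootDSE only. With the value
# "off" (the state reported in this bug) the rootDSE is refused as well.
rootdse_only_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
EOF
}

# Map an ldapsearch exit status (it mirrors the LDAP result code) to a
# diagnosis. 48 is inappropriateAuthentication, the 'desc' in the log above.
diagnose() {
    case "$1" in
        0)  echo "ok: anonymous rootDSE read works" ;;
        48) echo "blocked: anonymous access refused by the server" ;;
        *)  echo "other: client or LDAP error $1 (check TLS, CA file, host)" ;;
    esac
}

# Anonymous simple bind (-x, no -D), StartTLS required (-ZZ), base-scope
# search of the empty DN, which is the rootDSE.
# $1 = LDAP URI, $2 = PEM CA certificate file
probe_rootdse() {
    rc=0
    LDAPTLS_CACERT="$2" ldapsearch -x -ZZ -H "$1" -b "" -s base \
        "(objectClass=*)" namingContexts >/dev/null 2>&1 || rc=$?
    diagnose "$rc"
}

# Usage: sh probe.sh ldap://ipa.local:389 /path/to/ca.pem
# To apply the setting as Directory Manager (prompts for the password):
#   rootdse_only_ldif | ldapmodify -x -ZZ -H ldap://ipa.local:389 \
#       -D "cn=Directory Manager" -W
if [ "$#" -ge 2 ]; then
    probe_rootdse "$1" "$2"
fi
```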
