Bug 1380792 - Authentication against ldap does not work.
Status: CLOSED NOTABUG
Alias: None
Product: ovirt-engine-extension-aaa-ldap
Classification: oVirt
Component: Core
Version: 1.2.1
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Ondra Machacek
QA Contact: Gonza
Reported: 2016-09-30 14:43 UTC by Piotr Gbyliczek
Modified: 2016-10-05 07:16 UTC (History)

Last Closed: 2016-10-05 07:15:42 UTC
oVirt Team: Infra
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?


Attachments
logs (11.66 KB, text/plain)
2016-09-30 14:43 UTC, Piotr Gbyliczek
properties file (224 bytes, text/plain)
2016-09-30 14:44 UTC, Piotr Gbyliczek
authn file (536 bytes, text/plain)
2016-09-30 14:44 UTC, Piotr Gbyliczek
authz file (426 bytes, text/plain)
2016-09-30 14:45 UTC, Piotr Gbyliczek
Requested log file (243.96 KB, text/plain)
2016-10-04 15:44 UTC, Piotr Gbyliczek

Description Piotr Gbyliczek 2016-09-30 14:43:26 UTC
Created attachment 1206305 [details]
logs

Description of problem:

Authentication against an OpenLDAP server fails with a connection error, while ldapsearch from the command line is successful.

Version-Release number of selected component (if applicable):

CentOS 7.2.1511
ovirt-engine-4.0.1.1-1.el7
ovirt-engine-extension-aaa-ldap-1.2.1-1.el7
ovirt-engine-extension-aaa-jdbc-1.1.0-1.el7

java-1.8.0-openjdk-1.8.0.102-1.b14.el7_2
java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el7_2

How reproducible:

Always

Steps to Reproduce:
1. Configure ovirt to authenticate against ldap.
2. Log in

Actual results:

Java exception visible in logs and on login page


Expected results:

Successful log in or invalid credentials message

Additional info:

Comment 1 Piotr Gbyliczek 2016-09-30 14:44:30 UTC
Created attachment 1206306 [details]
properties file

Comment 2 Piotr Gbyliczek 2016-09-30 14:44:55 UTC
Created attachment 1206307 [details]
authn file

Comment 3 Piotr Gbyliczek 2016-09-30 14:45:45 UTC
Created attachment 1206309 [details]
authz file

Comment 4 Piotr Gbyliczek 2016-09-30 14:47:30 UTC
It seems that a workaround is to change the following in the properties file:


pool.default.socketfactory.type = java

to 

pool.default.socketfactory.resolver.enableAddressOnly = true

Comment 5 Ondra Machacek 2016-10-03 14:43:47 UTC
Hello Piotr,

I can't reproduce this issue. Would it be possible to send a DEBUG log?
I mean the output of the following command:

 $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --profile=company.co.uk --user-name=username

Before running the command please add the 'pool.default.socketfactory.type = java' line to your properties file and remove 'pool.default.socketfactory.resolver.enableAddressOnly = true'.

Please note that when you change the properties file, you don't have to restart the ovirt-engine service to run the 'ovirt-engine-extensions-tool'. So you can just change it, run the tool and then change it back, without restarting oVirt.
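
The swap, run, restore sequence requested in comment 5, written as a shell script. This is an added example, not part of the bug thread or of the oVirt project's tooling; the function names are hypothetical, and the properties file path is passed in by the caller because the report does not state it.

```shell
#!/bin/sh
# Added example; function names are hypothetical. The properties file path is
# an argument because the bug report does not state where the file lives.

# Put the file into the state comment 5 asks for: exactly one
# 'pool.default.socketfactory.type = java' line and no enableAddressOnly line.
# The untouched original is kept beside it as FILE.orig.
swap_socketfactory() {
    props=$1
    cp -p "$props" "$props.orig" || return 1
    # Delete both keys whatever the spacing around '=', then append the one
    # under test. Redirecting into the existing file keeps its owner and mode.
    sed -E '/^[[:space:]]*pool\.default\.socketfactory\.(type|resolver\.enableAddressOnly)[[:space:]]*=/d' \
        "$props.orig" > "$props" || return 1
    printf '%s\n' 'pool.default.socketfactory.type = java' >> "$props"
}

# Put the original contents back and drop the backup.
restore_props() {
    props=$1
    [ -f "$props.orig" ] || return 1
    cat "$props.orig" > "$props" && rm -f "$props.orig"
}

# Swap, run the login test with the exact flags from comment 5, restore.
# Per comment 5, no ovirt-engine restart is needed for the tool to see the change.
debug_login() {
    props=$1 profile=$2 user=$3 log=$4
    swap_socketfactory "$props" || return 1
    rc=0
    # umask 077: keep the FINEST-level log of a login attempt private.
    ( umask 077
      ovirt-engine-extensions-tool --log-level=FINEST --log-file="$log" \
          aaa login-user --profile="$profile" --user-name="$user" ) || rc=$?
    restore_props "$props" || return 1
    return "$rc"
}

# Usage: sh script.sh PROPERTIES_FILE PROFILE USER LOGFILE
if [ "$#" -eq 4 ]; then
    debug_login "$@"
fi
```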

Comment 6 Piotr Gbyliczek 2016-10-04 15:44:00 UTC
Created attachment 1207252 [details]
Requested log file

Comment 7 Piotr Gbyliczek 2016-10-04 15:56:13 UTC
Hi Ondra, 

Surely enough, it seems that it works fine now. 

I've looked through the output from the command and it seemed to me that it was successful, so I have restarted ovirt-engine to see if that issue is still visible via Tomcat app. It is not. 

Now, the only changes I made were adding more users to LDAP and adding these users to oVirt as specific roles, so I can test quotas. 

I guess that sorts it out, unless this resurfaces in my test environment. I keep it set to "pool.default.socketfactory.type = java", so a reboot may bring it back. 

Regards,
Piotr

Comment 8 Ondra Machacek 2016-10-05 07:16:37 UTC
Thank you for the info. I will close the bug for now; feel free to reopen it if the problem comes back.

