Description of problem:
Currently, when we are resolving the groups of a user, we try to contact all the domains in the forest to find information about all groups of the user within the whole forest. But in case one of the domains is not working and the user is part of a group which resides in the non-working domain, we fail the login. It would be better to succeed with the login and ignore the groups from the non-working domain.

Version-Release number of selected component (if applicable):
4.0

How reproducible:
always

Steps to Reproduce:
1. See description.

We have the following workarounds for the issue:
1. You can remove groups from the non-working domain for the particular user to enable successful login
2. You can remove the non-working domain (assuming it's not a temporary failure)

Fix is contained in ovirt-engine-extension-aaa-ldap-1.3.1

Verified with:
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7ev.noarch

2017-04-05 11:29:15,595+03 WARNING Exception: An error occurred while attempting to connect to server brq-w2k12r2p-2c.ad-w2k12r2pc.redhat.com:389: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server brq-w2k12r2p-2c.ad-w2k12r2pc.redhat.com/10.34.63.33:389: NoRouteToHostException(message='No route to host (Host unreachable)', trace='socketConnect(PlainSocketImpl.java:native) / doConnect(AbstractPlainSocketImpl.java:350) / connectToAddress(AbstractPlainSocketImpl.java:206) / connect(AbstractPlainSocketImpl.java:188) / connect(SocksSocketImpl.java:392) / connect(Socket.java:589) / connect(Socket.java:538) / <init>(Socket.java:434) / <init>(Socket.java:244) / createSocket(SocketFactory.java:277) / createSocket(ResolverSocketFactory.java:63) / createSocket(ResolverSocketFactory.java:76) / run(ConnectThread.java:139)', revision=0)')
2017-04-05 11:29:15,602+03 WARNING Ignoring records from pool: 'authz.com'
2017-04-05 11:29:15,696+03 WARNING Ignoring records from pool: 'authz.com'
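
The behaviour requested in the description and visible in the verification log, as an added sketch that is not code from ovirt-engine-extension-aaa-ldap: groups are collected per domain pool, and an unreachable pool is logged and skipped instead of failing the login. The names `resolve_groups`, `PoolUnavailable`, `GroupResolution` and the sample domains are hypothetical.

```python
import logging
from dataclasses import dataclass, field

log = logging.getLogger("aaa-ldap-example")  # hypothetical logger name


class PoolUnavailable(Exception):
    """Raised by a lookup when its domain's servers cannot be reached."""


@dataclass
class GroupResolution:
    groups: set = field(default_factory=set)
    skipped_pools: list = field(default_factory=list)

    @property
    def complete(self):
        # False when at least one domain contributed no records.
        return not self.skipped_pools


def resolve_groups(user, pools, strict=False):
    """Collect the user's groups from every domain pool in the forest.

    pools maps a pool name to a callable(user) -> iterable of group names.
    strict=True models the behaviour before the fix: one unreachable domain
    fails the whole login. strict=False ignores that domain's records.
    """
    result = GroupResolution()
    for name, lookup in pools.items():
        try:
            result.groups.update(lookup(user))
        except PoolUnavailable as exc:
            if strict:
                raise
            log.warning("Exception: %s", exc)
            log.warning("Ignoring records from pool: '%s'", name)
            result.skipped_pools.append(name)
    return result


# Constructed sample forest: two domains, the second one unreachable.
def _root_domain(user):
    return {"CN=engine-admins,DC=example,DC=test"}

def _child_domain(user):
    raise PoolUnavailable("connect error to child.example.test:389")

SAMPLE_POOLS = {"example.test": _root_domain, "child.example.test": _child_domain}
```

Recording `skipped_pools` lets the caller tell a complete group set from a partial one, which matters wherever permissions are derived from group membership.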