Bug 1420281 - Ignore groups which can't be resolved from non-working domain inside Active Directory multi-domain forest
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ovirt-4.1.1
Assignee: Ondra Machacek
QA Contact: Gonza
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-02-08 10:56 UTC by Ondra Machacek
Modified: 2020-06-11 13:16 UTC (History)

Fixed In Version: ovirt-engine-extension-aaa-ldap-1.3.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-25 00:55:20 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:1017 0 normal SHIPPED_LIVE ovirt-engine-extension-aaa-ldap bug fix and enhancement update for RHV 4.1 2017-04-18 20:24:14 UTC
oVirt gerrit 72377 0 None None None 2017-02-15 16:33:49 UTC

Description Ondra Machacek 2017-02-08 10:56:10 UTC
Description of problem:
Currently, when we are resolving the groups of a user, we try to contact all the domains in the forest to find information about all groups of the user within the whole forest.

But in case one of the domains is not working and the user is part of a group which resides in the non-working domain, we fail the login. It would be better to succeed with the login and ignore the groups from the non-working domain.

Version-Release number of selected component (if applicable):
4.0

How reproducible:
always

Steps to Reproduce:
1. See description.
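The behaviour change this bug asks for, as an added example written for this page (it is not code from ovirt-engine-extension-aaa-ldap): a forest-wide group resolution loop in its pre-fix form, where one unreachable domain aborts the login, next to the post-fix form, which logs a warning, skips that domain's records and continues. The forest, the user, the group DNs and the "domain lookup" callables are constructed for the illustration; a raised ConnectionError stands in for the connect error (LDAP result code 91) that the real extension sees.

```python
"""Added example: forest-wide group resolution with and without tolerance
for an unreachable domain. Not the project's own code; all names below
(FOREST, _working_domain, _unreachable_domain, ...) are constructed."""
import logging
from typing import Callable, Dict, List, Tuple

log = logging.getLogger("aaa-ldap-example")

# A "domain" is modelled as a callable that returns the user's group DNs held
# in that domain, or raises ConnectionError when the domain cannot be reached
# (hypothetical stand-in for the LDAP connect error in the log above).
GroupLookup = Callable[[str], List[str]]


class LoginFailed(Exception):
    """Raised when group resolution cannot complete (pre-fix behaviour)."""


def resolve_groups_strict(user: str, domains: Dict[str, GroupLookup]) -> List[str]:
    """Pre-fix behaviour: any unreachable domain in the forest fails the login."""
    groups: List[str] = []
    for name, lookup in domains.items():
        try:
            groups.extend(lookup(user))
        except ConnectionError as exc:
            raise LoginFailed(f"cannot resolve groups in domain {name}: {exc}") from exc
    return groups


def resolve_groups_lenient(
    user: str, domains: Dict[str, GroupLookup]
) -> Tuple[List[str], List[str]]:
    """Post-fix behaviour: warn, drop the records of the unreachable domain and
    keep going. Returns (resolved groups, names of domains that were skipped)
    so the caller can audit which pools were ignored for this login."""
    groups: List[str] = []
    skipped: List[str] = []
    for name, lookup in domains.items():
        try:
            groups.extend(lookup(user))
        except ConnectionError as exc:
            # Same two warnings the verified build emits (see Comment 4).
            log.warning("Exception: An error occurred while attempting to connect: %s", exc)
            log.warning("Ignoring records from pool: '%s'", name)
            skipped.append(name)
    return groups, skipped


# --- constructed sample forest --------------------------------------------
def _working_domain(user: str) -> List[str]:
    # Hypothetical root domain that answers normally.
    return ["CN=vm-admins,OU=Groups,DC=example,DC=com"]


def _unreachable_domain(user: str) -> List[str]:
    # Hypothetical child domain whose controllers are down.
    raise ConnectionError("No route to host (Host unreachable)")


FOREST: Dict[str, GroupLookup] = {
    "example.com": _working_domain,
    "authz.example.com": _unreachable_domain,
}

HEALTHY_FOREST: Dict[str, GroupLookup] = {
    "example.com": _working_domain,
}


def strict_login_fails(user: str, domains: Dict[str, GroupLookup]) -> bool:
    """True when the pre-fix resolver would reject the login for this forest."""
    try:
        resolve_groups_strict(user, domains)
    except LoginFailed:
        return True
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
    print("strict login fails:", strict_login_fails("alice", FOREST))
    groups, skipped = resolve_groups_lenient("alice", FOREST)
    print("lenient groups:", groups)
    print("skipped pools:", skipped)
```

The skipped list is the part worth keeping in a real deployment: a login that went through with a partial group set should be visible in the audit trail, because the effective permissions for that session were computed from fewer group memberships than the directory actually holds. Since oVirt permissions are granted to users and groups (there is no deny-style group), a missing group can only narrow what the principal may do, which is why ignoring the unreachable domain is the safer choice over failing every login in the forest.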

Comment 1 Martin Perina 2017-02-08 11:02:22 UTC
We have the following workarounds for the issue:

1. You can remove the groups from the non-working domain for the particular user to enable successful login

2. You can remove non-working domain (assuming it's not a temporary failure)

Comment 2 Martin Perina 2017-02-20 09:53:22 UTC
The fix is contained in ovirt-engine-extension-aaa-ldap-1.3.1

Comment 4 Gonza 2017-04-05 08:33:24 UTC
Verified with:
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7ev.noarch
2017-04-05 11:29:15,595+03 WARNING Exception: An error occurred while attempting to connect to server brq-w2k12r2p-2c.ad-w2k12r2pc.redhat.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server brq-w2k12r2p-2c.ad-w2k12r2pc.redhat.com/10.34.63.33:389:  NoRouteToHostException(message='No route to host (Host unreachable)', trace='socketConnect(PlainSocketImpl.java:native) / doConnect(AbstractPlainSocketImpl.java:350) / connectToAddress(AbstractPlainSocketImpl.java:206) / connect(AbstractPlainSocketImpl.java:188) / connect(SocksSocketImpl.java:392) / connect(Socket.java:589) / connect(Socket.java:538) / <init>(Socket.java:434) / <init>(Socket.java:244) / createSocket(SocketFactory.java:277) / createSocket(ResolverSocketFactory.java:63) / createSocket(ResolverSocketFactory.java:76) / run(ConnectThread.java:139)', revision=0)')
2017-04-05 11:29:15,602+03 WARNING Ignoring records from pool: 'authz.com'
2017-04-05 11:29:15,696+03 WARNING Ignoring records from pool: 'authz.com'