Bug 1420281 - Ignore groups which can't be resolved from non-working domain inside Active Directory multi-domain forest
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.1.1
Assignee: Ondra Machacek
QA Contact: Gonza
Depends On:
Reported: 2017-02-08 10:56 UTC by Ondra Machacek
Modified: 2020-06-11 13:16 UTC
CC: 9 users

Fixed In Version: ovirt-engine-extension-aaa-ldap-1.3.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-04-25 00:55:20 UTC
oVirt Team: Infra
Target Upstream Version:


External references:

System                 | ID             | Private | Priority | Status       | Summary                                                                       | Last Updated
Red Hat Product Errata | RHEA-2017:1017 | 0       | normal   | SHIPPED_LIVE | ovirt-engine-extension-aaa-ldap bug fix and enhancement update for RHV 4.1    | 2017-04-18 20:24:14 UTC
oVirt gerrit           | 72377          | 0       | None     | None         | None                                                                          | 2017-02-15 16:33:49 UTC

Description Ondra Machacek 2017-02-08 10:56:10 UTC
Description of problem:
Currently, when we are resolving a user's groups, we try to contact all the domains in the forest to find information about all of the user's groups within the whole forest.

But in case one of the domains is not working and the user is a member of a group which resides in the non-working domain, we fail the login. It would be better to succeed with the login and ignore the groups from the non-working domain.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. See description.
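The following is an added example to illustrate the behaviour described above; it is not code from the bug report or from ovirt-engine-extension-aaa-ldap. It models group resolution across every domain of a forest with one domain unreachable, first in the pre-fix mode (any connect error aborts the login) and then in the fixed mode (groups from the unreachable domain are dropped with a warning like the "Ignoring records from pool" line in the verification comment). It also shows the caveat a practitioner should keep in mind once groups can be silently missing: the resulting group set is incomplete, so any deny-by-group rule must treat a skipped domain as unknown rather than as "not a member". Domain names, users, groups, the ConnectError class and the authorize() policy are all constructed for this illustration.

```python
"""Added example (not from the bug or from ovirt-engine-extension-aaa-ldap):
simulates multi-domain forest group lookup with one unreachable domain,
before and after the 'ignore unreachable domain' fix. All names are made up."""

import logging
from dataclasses import dataclass, field

log = logging.getLogger("aaa-ldap-sim")


class ConnectError(Exception):
    """Stand-in for the LDAP SDK connect error (resultCode=91 in the bug's log)."""


class LoginFailed(Exception):
    """Raised when group resolution aborts the whole login (pre-fix behaviour)."""


@dataclass
class Domain:
    name: str
    reachable: bool
    # user -> groups the user is a member of in this domain (constructed data)
    memberships: dict = field(default_factory=dict)

    def groups_of(self, user):
        if not self.reachable:
            raise ConnectError(
                f"An error occurred while attempting to connect to server "
                f"dc.{self.name}:389: No route to host")
        return set(self.memberships.get(user, ()))


def resolve_groups(domains, user, ignore_unreachable):
    """Collect the user's groups from every domain of the forest.

    ignore_unreachable=False: old behaviour, the first unreachable domain
    becomes LoginFailed.  ignore_unreachable=True: fixed behaviour, the
    domain is skipped with a warning and its name is returned in 'skipped'
    so the caller knows the group set may be incomplete."""
    groups, skipped = set(), []
    for d in domains:
        try:
            groups |= {f"{g}@{d.name}" for g in d.groups_of(user)}
        except ConnectError as e:
            if not ignore_unreachable:
                raise LoginFailed(f"cannot resolve groups of {user}: {e}") from e
            log.warning("Exception: %s", e)
            log.warning("Ignoring records from pool: 'authz@%s'", d.name)
            skipped.append(d.name)
    return groups, skipped


def login_outcome(domains, user, ignore_unreachable):
    """Wrap resolve_groups so both outcomes are plain return values."""
    try:
        groups, skipped = resolve_groups(domains, user, ignore_unreachable)
        return {"ok": True, "groups": groups, "skipped": skipped}
    except LoginFailed as e:
        return {"ok": False, "error": str(e)}


def authorize(groups, skipped, allow_groups, deny_groups):
    """Toy policy showing why a caller must look at 'skipped'.
    Allow-by-membership degrades safely (fewer groups -> fewer rights), but
    a deny-by-membership rule is only trustworthy if every domain that could
    hold a deny group was actually consulted."""
    if groups & deny_groups:
        return "denied"
    if any(g.rsplit("@", 1)[1] in skipped for g in deny_groups):
        return "denied (deny-group domain unreachable)"
    return "allowed" if groups & allow_groups else "no-role"


def sample_forest(child_reachable):
    """Constructed two-domain forest; the child domain toggles reachability."""
    return [
        Domain("ad.example.com", True, {"alice": ["vm-admins"]}),
        Domain("child.ad.example.com", child_reachable,
               {"alice": ["storage-admins", "blocked-users"]}),
    ]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
    forest = sample_forest(child_reachable=False)
    for mode in (False, True):
        print(f"ignore_unreachable={mode}: {login_outcome(forest, 'alice', mode)}")
```

Run it as a script to see the pre-fix login failure and the fixed login with the warning lines; the `skipped` list is what an authorization layer should consult before treating a missing group as a definitive "not a member".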

Comment 1 Martin Perina 2017-02-08 11:02:22 UTC
We have the following workarounds for the issue:

1. You can remove the groups from the non-working domain for the particular user to enable successful login

2. You can remove the non-working domain (assuming it's not a temporary failure)

Comment 2 Martin Perina 2017-02-20 09:53:22 UTC
Fix is contained in ovirt-engine-extension-aaa-ldap-1.3.1

Comment 4 Gonza 2017-04-05 08:33:24 UTC
Verified with:

2017-04-05 11:29:15,595+03 WARNING Exception: An error occurred while attempting to connect to server brq-w2k12r2p-2c.ad-w2k12r2pc.redhat.com:389:  java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server brq-w2k12r2p-2c.ad-w2k12r2pc.redhat.com/  NoRouteToHostException(message='No route to host (Host unreachable)', trace='socketConnect(PlainSocketImpl.java:native) / doConnect(AbstractPlainSocketImpl.java:350) / connectToAddress(AbstractPlainSocketImpl.java:206) / connect(AbstractPlainSocketImpl.java:188) / connect(SocksSocketImpl.java:392) / connect(Socket.java:589) / connect(Socket.java:538) / <init>(Socket.java:434) / <init>(Socket.java:244) / createSocket(SocketFactory.java:277) / createSocket(ResolverSocketFactory.java:63) / createSocket(ResolverSocketFactory.java:76) / run(ConnectThread.java:139)', revision=0)')
2017-04-05 11:29:15,602+03 WARNING Ignoring records from pool: 'authz@ad-w2k12r2pc.redhat.com'
2017-04-05 11:29:15,696+03 WARNING Ignoring records from pool: 'authz@ad-w2k12r2pc.redhat.com'
