Subscribe

OCUM 7.1 LDAP auth problem

Hi,

 

I installed the OCUM 7.1 on a RHEL 7.2 physical box without any problem

 

I configured the remote authentication using the "Other" settings (Same config as a running OCUM 6.4).

Some accounts created in 7.1 as remote user are able to log-in, some of them not.

 

This users don't get a denied message, there is just no response.

I get a denied if I want to log-in with a user thats not permitted to log in.

 

The LDAP connection is working, I checked it in the settings. 

 

If the log-in failes with no response, I see the following message in /var/log/messages

 

Feb 21 11:07:48 snocumm1539 kernel: authenticate[6847]: segfault at 0 ip 00007ffa13fc9fc6 sp 00007ffd9910f3c8 error 4 in libc-2.17.so[7ffa13e98000+1b6000]

and some more in the jboss server.log

 

2017-02-21 11:07:48,362 ERROR [io.undertow.request] (default task-256) UT005023: Exception handling request to /um/login: java.lang.RuntimeException: Error while attempting authentication:

	at com.netapp.dfm.core.authentication.ExternalProcessUnixAuthenticationProvider.authenticate(ExternalProcessUnixAuthenticationProvider.java:127) [dfm-core.jar:7.1]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) [spring-security-core.jar:3.2.3.RELEASE]
	at com.netapp.dfm.app.common.authentication.CachingAuthenticationManager.authenticate(CachingAuthenticationManager.java:174) [dfm-app-common.jar:7.1]
	at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94) [spring-security-web.jar:3.2.3.RELEASE]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211) [spring-security-web.jar:3.2.3.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web.jar:3.2.3.RELEASE]
	at com.netapp.dfm.core.authentication.TemporaryTokenAuthenticationFilter.doFilter(TemporaryTokenAuthenticationFilter.java:63) [dfm-core.jar:7.1]

[...]

LDAP login on the RHEL host works.

 

Some Ideas?

 

Marcus

 

 

Re: OCUM 7.1 LDAP auth problem

Hello,

 

The problem is most probably here:

"LDAP login on the RHEL host works"

 

Some authentication servers will only do one connection per client (like SSSD). Generally OCUM comes with its own client and until now it cannot delegate LDAP authentication to the host.

It might work correctly for a while if you deactivate the ldap client on the RHEL host, restart the ocum services like service ocieau stop, then service ocie restart, service ocieau start and then re-activate the LDAP client on the host.

 

The clean solution would be to use the OCUM LDAP client only and none on the host.

 

Helge

Re: OCUM 7.1 LDAP auth problem

[ Edited ]

Are the account that fail to successfully login members of nested groups?  If so, disable nested groups and test their login - there is a checkbox on the Remote Authentication configuration screen for disabling nested users (Page 33 of the RHEL ISG:  https://library.netapp.com/ecm/ecm_download_file/ECMLP2553755).

Re: OCUM 7.1 LDAP auth problem

Hey,

 

I encountered a similar situation.

 

Did a fresh install of OCUM 7.1 on a RHEL7.2

 

Applied the exact same config like we had on the old ocum 6.3.

 

Remote Authentication Test works fine, the Remote group is found but my users can not login.

 

Opened a Case with Netapp on this. If I get a solution I will post it here Smiley Wink

Re: OCUM 7.1 LDAP auth problem

After I removed sssd-ldap all worked Smiley Very Happy