2017-02-21 04:35 AM
I installed the OCUM 7.1 on a RHEL 7.2 physical box without any problem
I configured the remote authentication using the "Other" settings (Same config as a running OCUM 6.4).
Some accounts created in 7.1 as remote user are able to log-in, some of them not.
This users don't get a denied message, there is just no response.
I get a denied if I want to log-in with a user thats not permitted to log in.
The LDAP connection is working, I checked it in the settings.
If the log-in failes with no response, I see the following message in /var/log/messages
Feb 21 11:07:48 snocumm1539 kernel: authenticate: segfault at 0 ip 00007ffa13fc9fc6 sp 00007ffd9910f3c8 error 4 in libc-2.17.so[7ffa13e98000+1b6000]
and some more in the jboss server.log
2017-02-21 11:07:48,362 ERROR [io.undertow.request] (default task-256) UT005023: Exception handling request to /um/login: java.lang.RuntimeException: Error while attempting authentication: at com.netapp.dfm.core.authentication.ExternalProcess
UnixAuthenticationProvider.authenticate(ExternalPr ocessUnixAuthenticationProvider.java:127) [dfm-core.jar:7.1] at org.springframework.security.authentication.Provid erManager.authenticate(ProviderManager.java:156) [spring-security-core.jar:3.2.3.RELEASE] at com.netapp.dfm.app.common.authentication.CachingAu thenticationManager.authenticate(CachingAuthentica tionManager.java:174) [dfm-app-common.jar:7.1] at org.springframework.security.web.authentication.Us ernamePasswordAuthenticationFilter.attemptAuthenti cation(UsernamePasswordAuthenticationFilter.java:9 4) [spring-security-web.jar:3.2.3.RELEASE] at org.springframework.security.web.authentication.Ab stractAuthenticationProcessingFilter.doFilter(Abst ractAuthenticationProcessingFilter.java:211) [spring-security-web.jar:3.2.3.RELEASE] at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 342) [spring-security-web.jar:3.2.3.RELEASE] at com.netapp.dfm.core.authentication.TemporaryTokenA uthenticationFilter.doFilter(TemporaryTokenAuthent icationFilter.java:63) [dfm-core.jar:7.1] [...]
LDAP login on the RHEL host works.
2017-02-23 12:38 AM
The problem is most probably here:
"LDAP login on the RHEL host works"
Some authentication servers will only do one connection per client (like SSSD). Generally OCUM comes with its own client and until now it cannot delegate LDAP authentication to the host.
It might work correctly for a while if you deactivate the ldap client on the RHEL host, restart the ocum services like service ocieau stop, then service ocie restart, service ocieau start and then re-activate the LDAP client on the host.
The clean solution would be to use the OCUM LDAP client only and none on the host.
a month ago - last edited a month ago
Are the account that fail to successfully login members of nested groups? If so, disable nested groups and test their login - there is a checkbox on the Remote Authentication configuration screen for disabling nested users (Page 33 of the RHEL ISG: https://library.netapp.com/ecm/ecm_download_file/E
2 weeks ago
I encountered a similar situation.
Did a fresh install of OCUM 7.1 on a RHEL7.2
Applied the exact same config like we had on the old ocum 6.3.
Remote Authentication Test works fine, the Remote group is found but my users can not login.
Opened a Case with Netapp on this. If I get a solution I will post it here