Add troubleshooting for incompatible cipher suite

theforeman · Jan 13, 2025 · 1a6807a · 1a6807a
1 parent 40fd602
commit 1a6807a
Showing 1 changed file with 25 additions and 9 deletions.
diff --git a/...oc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/...oc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
@@ -3,15 +3,6 @@
 
 Enable Active Directory (AD) users to access {Project} by configuring the corresponding authentication provider on your {ProjectServer}.
 
-[NOTE]
-====
-The `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` cipher suite is known to cause incompatibilities.
-If you enabled `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` in your environment, make sure it is disabled on either the {ProjectServer} side or the AD side.
-ifdef::satellite[]
-For more information, see the Red{nbsp}Hat Knowledgebase solution link:https://access.redhat.com/solutions/4870221[API calls to Red Hat Satellite 6 fail intermittently on LDAP authentication].
-endif::[]
-====
-
 .Prerequisites
 * The base system of your {ProjectServer} must be joined to an Active Directory (AD) domain.
 To enable AD users to sign in with Kerberos single sign-on, use the System Security Services Daemon (SSSD) and Samba services to join the base system to the AD domain:
@@ -114,6 +105,31 @@ $ curl -k -u : --negotiate https://{foreman-example-com}/users/extlogin
 <html><body>You are being <a href="{foreman-example-com}/hosts">redirected</a>.</body></html>
 ----
 
+.Troubleshooting
+* Connecting to the AD LDAP can sometimes fail with an error such as the following:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+{ "error": { "message": "ERF77-7629 [Foreman::LdapException]: Error while connecting to 'server.com' LDAP server at 'ldap.example.com' during authentication ([Net::LDAP::Error]: Connection reset by peer - SSL_connect)" } }
+----
++
+If you see this error, verify which cipher is used for the connection:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# openssl s_client -connect _ldap.example.com_:636
+----
++
+If the `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` cipher is used, disable it on either the {ProjectServer} side or on the AD side.
+The `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` cipher is known to cause incompatibilities.
++
+ifdef::satellite[]
+For more information, see the Red{nbsp}Hat Knowledgebase solution link:https://access.redhat.com/solutions/4870221[API calls to Red Hat Satellite 6 fail intermittently on LDAP authentication].
+endif::[]
+ifndef::orcharhino[]
+For information on configuring system-wide cryptographic policies, see link:{RHELDocsBaseURL}9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening[Using system-wide cryptographic policies] in _{RHEL}{nbsp}9 Security hardening_.
+endif::[]
+
 .Additional resources
 * `sssd-ad(5)` man page on your system
 * For information about configuring Mozilla Firefox for Kerberos, see {RHELDocsBaseURL}9/html/configuring_authentication_and_authorization_in_rhel/configuring_applications_for_sso#Configuring_Firefox_to_use_Kerberos_for_SSO[Configuring Firefox to use Kerberos for single sign-on] in _{RHEL}{nbsp}9 Configuring authentication and authorization in RHEL_.