Declare a cipher unsupported for direct AD integration #3549

Merged
merged 6 commits into from
Jan 16, 2025
Expand Up @@ -105,6 +105,32 @@
<html><body>You are being <a href="{foreman-example-com}/hosts">redirected</a>.</body></html>
----

.Troubleshooting
* Connecting to the AD LDAP can sometimes fail with an error such as the following appearing in the logs:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
Authentication failed with status code: {
"error": { "message": "ERF77-7629 [Foreman::LdapException]: Error while connecting to 'server.com' LDAP server at 'ldap.example.com' during authentication ([Net::LDAP::Error]: Connection reset by peer - SSL_connect)" } }
----
+
If you see this error, verify which cipher is used for the connection:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
# openssl s_client -connect _ldap.example.com_:636
----
+
If the `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` cipher is used, disable it on either the {ProjectServer} side or on the AD side.
The `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` cipher is known to cause incompatibilities.
+
ifdef::satellite[]
For more information, see the Red{nbsp}Hat Knowledgebase solution link:https://access.redhat.com/solutions/4870221[API calls to Red Hat Satellite 6 fail intermittently on LDAP authentication].
endif::[]
ifdef::foreman-el,katello[]
For information on configuring system-wide cryptographic policies, see link:{RHELDocsBaseURL}9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening[Using system-wide cryptographic policies] in _{RHEL}{nbsp}9 Security hardening_.
endif::[]

.Additional resources
* `sssd-ad(5)` man page on your system
* For information about configuring Mozilla Firefox for Kerberos, see {RHELDocsBaseURL}9/html/configuring_authentication_and_authorization_in_rhel/configuring_applications_for_sso#Configuring_Firefox_to_use_Kerberos_for_SSO[Configuring Firefox to use Kerberos for single sign-on] in _{RHEL}{nbsp}9 Configuring authentication and authorization in RHEL_.
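
Review bot: The cipher in the sentence after the `openssl s_client -connect _ldap.example.com_:636` step is written in its IANA form, `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`, but `openssl s_client` prints the negotiated cipher under its OpenSSL name, `DHE-RSA-AES256-GCM-SHA384`, so a reader who searches the command output for the string in the text will not find it. Suggest giving the OpenSSL name alongside the IANA name and telling the reader to check the `Cipher` field of the output. Two smaller points in the same block: the instruction "disable it on either the {ProjectServer} side or on the AD side" comes before the sentence that explains why, and reads better with the order swapped; and the sample error uses `'server.com'`, which is a real registrable domain, where the rest of the example already uses `ldap.example.com`.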

Check failure on line 136 in guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc

GitHub Actions / linter

[vale] reported by reviewdog 🐶 [RedHat.TermsErrors] Use 'Mozilla Firefox' rather than 'Firefox'. Raw Output: {"message": "[RedHat.TermsErrors] Use 'Mozilla Firefox' rather than 'Firefox'.", "location": {"path": "guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc", "range": {"start": {"line": 136, "column": 45}}}, "severity": "ERROR"}