Add troubleshooting for incompatible cipher suite (#3549)

--------- Co-authored-by: Ewoud Kohl van Wijngaarden <ewoud@kohlvanwijngaarden.nl> (cherry picked from commit 3be4471)
theforeman · Jan 16, 2025 · c01557a · c01557a
1 parent dd41db4
commit c01557a
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/...oc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/...oc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
@@ -105,6 +105,32 @@ $ curl -k -u : --negotiate https://{foreman-example-com}/users/extlogin
 <html><body>You are being <a href="{foreman-example-com}/hosts">redirected</a>.</body></html>
 ----
 
+.Troubleshooting
+* Connecting to the AD LDAP can sometimes fail with an error such as the following appearing in the logs:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+Authentication failed with status code: {
+  "error": { "message": "ERF77-7629 [Foreman::LdapException]: Error while connecting to 'server.com' LDAP server at 'ldap.example.com' during authentication ([Net::LDAP::Error]: Connection reset by peer - SSL_connect)" } }
+----
++
+If you see this error, verify which cipher is used for the connection:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# openssl s_client -connect _ldap.example.com_:636
+----
++
+If the `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` cipher is used, disable it on either the {ProjectServer} side or on the AD side.
+The `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` cipher is known to cause incompatibilities.
++
+ifdef::satellite[]
+For more information, see the Red{nbsp}Hat Knowledgebase solution link:https://access.redhat.com/solutions/4870221[API calls to Red Hat Satellite 6 fail intermittently on LDAP authentication].
+endif::[]
+ifdef::foreman-el,katello[]
+For information on configuring system-wide cryptographic policies, see link:{RHELDocsBaseURL}9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening[Using system-wide cryptographic policies] in _{RHEL}{nbsp}9 Security hardening_.
+endif::[]
+
 .Additional resources
 * `sssd-ad(5)` man page on your system
 * For information about configuring Mozilla Firefox for Kerberos, see {RHELDocsBaseURL}9/html/configuring_authentication_and_authorization_in_rhel/configuring_applications_for_sso#Configuring_Firefox_to_use_Kerberos_for_SSO[Configuring Firefox to use Kerberos for single sign-on] in _{RHEL}{nbsp}9 Configuring authentication and authorization in RHEL_.