From c01557ab0c836d232cad9ef3c3a2abddf3f1325f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 16 Jan 2025 11:26:06 +0100 Subject: [PATCH] Add troubleshooting for incompatible cipher suite (#3549) --------- Co-authored-by: Ewoud Kohl van Wijngaarden (cherry picked from commit 3be4471fef86ce984a37bb6ef69229ccb58122ce) --- ...uthentication-source-on-projectserver.adoc | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc index 2aea0c0e60e..38935e623c1 100644 --- a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc +++ b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc 
@@ -105,6 +105,32 @@ $ curl -k -u : --negotiate https://{foreman-example-com}/users/extlogin You are being redirected. ---- +.Troubleshooting +* Connecting to the AD LDAP can sometimes fail with an error such as the following appearing in the logs: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +Authentication failed with status code: { + "error": { "message": "ERF77-7629 [Foreman::LdapException]: Error while connecting to 'server.com' LDAP server at 'ldap.example.com' during authentication ([Net::LDAP::Error]: Connection reset by peer - SSL_connect)" } } +---- ++ +If you see this error, verify which cipher is used for the connection: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# openssl s_client -connect _ldap.example.com_:636 +---- ++ +If the `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` cipher is used, disable it on either the {ProjectServer} side or on the AD side. +The `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` cipher is known to cause incompatibilities. ++ +ifdef::satellite[] +For more information, see the Red{nbsp}Hat Knowledgebase solution link:https://access.redhat.com/solutions/4870221[API calls to Red Hat Satellite 6 fail intermittently on LDAP authentication]. +endif::[] +ifdef::foreman-el,katello[] +For information on configuring system-wide cryptographic policies, see link:{RHELDocsBaseURL}9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening[Using system-wide cryptographic policies] in _{RHEL}{nbsp}9 Security hardening_. +endif::[] + .Additional resources * `sssd-ad(5)` man page on your system * For information about configuring Mozilla Firefox for Kerberos, see {RHELDocsBaseURL}9/html/configuring_authentication_and_authorization_in_rhel/configuring_applications_for_sso#Configuring_Firefox_to_use_Kerberos_for_SSO[Configuring Firefox to use Kerberos for single sign-on] in _{RHEL}{nbsp}9 Configuring authentication and authorization in RHEL_.
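Review bot: the verification step in this hunk does not tell the reader how to match what `openssl s_client -connect _ldap.example.com_:636` prints against the `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` name used in the text; `openssl s_client` reports the negotiated suite on its `Cipher :` line in OpenSSL's own naming (`DHE-RSA-AES256-GCM-SHA384`), not the IANA name quoted here, so consider adding one sentence such as "Look for `DHE-RSA-AES256-GCM-SHA384` on the `Cipher :` line of the output." The remediation sentence ("disable it on either the {ProjectServer} side or on the AD side") also gives no procedure in the `foreman-el,katello` branch, where the only pointer is a general link to system-wide cryptographic policies; either name the setting that removes the suite or state explicitly that the linked document describes how. Finally, "an error such as the following appearing in the logs" should name which log to check so the reader knows where to look.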