Juan Hernandez has submitted this change and it was merged.

Change subject: tools: Explicit message for bad minssf
......................................................................
tools: Explicit message for bad minssf

Currently when the engine-manage-domains tool tries to connect to an OpenLDAP server configured with the default minimum security strength factor (minssf=0) the Kerberos implementation of the virtual machine generates an exception that is directly printed to the output, without any friendly explanation, something like this:

  java.lang.NegativeArraySizeException
    at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
    sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
    ...

This patch changes the engine-manage-domains tool so that when this exception is detected it will print the following message:

  Failure while testing domain example.com. Details: An internal error has ocurred in the Kerberos implementation of the Java virtual machine. This usually means that the LDAP server is configured with a minium security strength factor (minssf) of 0. Change it to 1 and try again.

The way to change the minssf parameter in OpenLDAP is this:

  # cat > fixssf.ldif <<'.'
  dn: cn=config
  replace: olcSaslSecProps
  olcSaslSecProps: noanonymous,noplain,minssf=1
  -
  .
  # ldapmodify -H ldapi:/// -Y EXTERNAL -f fixssf.ldif

This OpenLDAP configuration has been tested and works correctly.

The 389 directory server also has this parameter, and can be changed in the /etc/dirsrv/slapd-YOUR-REALM/dse.ldif file, something like this:

  dn: cn=config
  nsslapd-minssf: 1

This 389 directory server configuration hasn't been tested.
Change-Id: I2f1abaa8a6dbde146786326d62c185e8414595e1
Signed-off-by: Juan Hernandez <juan.hernan...@redhat.com>
---
M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/AuthenticationResult.java
M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java
2 files changed, 12 insertions(+), 4 deletions(-)

Approvals:
  Martin Peřina: Looks good to me, but someone else must approve
  Juan Hernandez: Verified
  Yedidyah Bar David: Looks good to me, but someone else must approve
  Yair Zaslavsky: Looks good to me, approved
  Oved Ourfali: Looks good to me, approved

--
To view, visit http://gerrit.ovirt.org/21505

Gerrit-MessageType: merged
Gerrit-Change-Id: I2f1abaa8a6dbde146786326d62c185e8414595e1
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernan...@redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernan...@redhat.com>
Gerrit-Reviewer: Martin Peřina <mper...@redhat.com>
Gerrit-Reviewer: Oved Ourfali <oourf...@redhat.com>
Gerrit-Reviewer: Yair Zaslavsky <yzasl...@redhat.com>
Gerrit-Reviewer: Yedidyah Bar David <d...@redhat.com>
Gerrit-Reviewer: oVirt Jenkins CI Server
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
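The detection the commit message describes, as an added illustration that is not the oVirt patch itself: a hypothetical helper class (MinSsfDiagnostics) that walks the cause chain and only maps a NegativeArraySizeException to the minssf explanation when the failing frames really are in the JDK's sun.security.jgss.krb5 code, so an unrelated NegativeArraySizeException is not misreported as an LDAP configuration problem.

```java
import java.util.Arrays;

/** Hypothetical helper, not part of oVirt: explains the JVM Kerberos failure
 *  that appears when the LDAP server is configured with minssf=0. */
public final class MinSsfDiagnostics {

    static final String MINSSF_HINT =
        "An internal error has occurred in the Kerberos implementation of the Java "
        + "virtual machine. This usually means that the LDAP server is configured "
        + "with a minimum security strength factor (minssf) of 0. Change it to 1 and "
        + "try again.";

    /** True only when some throwable in the cause chain is a NegativeArraySizeException
     *  raised from the JDK krb5 GSS cipher code (the frames seen in the commit message). */
    static boolean looksLikeMinSsfZero(Throwable t) {
        for (Throwable cur = t; cur != null; cur = cur.getCause()) {
            if (cur instanceof NegativeArraySizeException
                    && Arrays.stream(cur.getStackTrace())
                             .anyMatch(f -> f.getClassName().startsWith("sun.security.jgss.krb5."))) {
                return true;
            }
        }
        return false;
    }

    /** Builds the user-facing failure line; unrelated errors keep their own text. */
    static String describe(String domain, Throwable t) {
        String details = looksLikeMinSsfZero(t) ? MINSSF_HINT : t.toString();
        return "Failure while testing domain " + domain + ". Details: " + details;
    }

    public static void main(String[] args) {
        // Constructed throwable reproducing the trace shape quoted in the commit message.
        NegativeArraySizeException krb = new NegativeArraySizeException();
        krb.setStackTrace(new StackTraceElement[] {
            new StackTraceElement("sun.security.jgss.krb5.CipherHelper", "aes256Encrypt", "CipherHelper.java", 1367),
            new StackTraceElement("sun.security.jgss.krb5.CipherHelper", "encryptData", "CipherHelper.java", 722)
        });
        System.out.println(describe("example.com", krb));
        // Same exception type from elsewhere: must NOT be blamed on minssf.
        System.out.println(describe("example.com", new NegativeArraySizeException("unrelated")));
    }
}
```

The second call in main shows the caveat: matching on the exception type alone would hide a genuine bug behind the minssf advice, so the stack-frame check is what makes the message trustworthy.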