Install of 2.5.17 on CentOS 7 - problems talking to AD server


Peter Howard

Sep 24, 2018, 6:45:36 PM
to Review Board Community
We're having trouble getting our new 2.5.17 install on CentOS 7 talking to our Active Directory server.

Our 1.7.27 install on CentOS 6 talks to the server with no problems.

A Kallithea install on the same CentOS 7 machine talks to the server with no problems.


(Note the original 1.7.27 install was done in 2014 - by someone else no longer with the company - and the people in IT who handled the original AD setup are long gone as well, so I may be missing a key detail)

For 1.7.27 the setup was fairly straightforward - on the Authentication Page:

  • Method - Active Directory
  • Domain Name - our normal domain name
  • Domain Controller - IP addr
  • OU name - basic name.

Everything else blank

Trying the same details on 2.5.17 resulted in log messages saying the Active Directory server could not be reached. (A scan of the database tables shows that the actual data stored for 1.7.27 from those details is different to 2.5.17.) Given that Kallithea was working via LDAP rather than AD we tried the same LDAP configuration. From which we get either

root - Error authenticating with LDAP: (2, 'No such file or directory')

or back to "can't connect".  Sigh.


Hoping for some suggestions.


PJH

mujahid...@thoughtwire.com

Oct 3, 2018, 12:17:33 PM
to Review Board Community
Hi Peter,

On 3.0.8 I had to ensure that these were installed in order to get AD working: python-ldap openldap-devel

Hopefully that helps

Peter Howard

Oct 7, 2018, 5:34:45 PM
to Review Board Community
In the end it was SELinux . . . The various guides out there refer to the settings that are always needed:

setsebool -P httpd_can_sendmail 1
setsebool -P httpd_can_network_memcache 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_unified 1

However for LDAP/AD authentication you also need

setsebool -P httpd_can_connect_ldap 1

Once I'd worked out that no request was actually leaving the machine it was easy enough to work back to the problem.  Note to self for future reference: "getsebool -a" is your friend.
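
A check for the booleans listed in the post above, as an added example that is not part of the original post: it parses `getsebool -a` output and reports which of the five are off or absent. The function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Booleans named in the thread for a Review Board site under Apache,
# including the one needed for LDAP/AD authentication.
REQUIRED_BOOLEANS="httpd_can_sendmail httpd_can_network_memcache httpd_can_network_connect_db httpd_unified httpd_can_connect_ldap"

# Hypothetical helper: reads `getsebool -a` style lines ("name --> on|off")
# on stdin and prints each required boolean that is off or absent.
# The name is matched exactly so httpd_can_network_connect is not
# mistaken for httpd_can_network_connect_db.
missing_booleans() {
    input=$(cat)
    for name in $REQUIRED_BOOLEANS; do
        state=$(printf '%s\n' "$input" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ "$state" != "on" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample of `getsebool -a` output (not taken from the thread).
sample_output() {
    cat <<'EOF'
httpd_can_connect_ldap --> off
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> on
httpd_can_sendmail --> on
httpd_unified --> on
EOF
}

# On an SELinux host, audit the live policy and print the fix commands;
# elsewhere, run the same check over the constructed sample.
if command -v getsebool >/dev/null 2>&1; then
    for b in $(getsebool -a | missing_booleans); do
        echo "setsebool -P $b 1"
    done
else
    echo "getsebool not found; constructed sample reports:"
    sample_output | missing_booleans
fi
```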

Stephen Gallagher

Oct 8, 2018, 8:14:47 AM
to revie...@googlegroups.com
On Sun, Oct 7, 2018 at 5:34 PM Peter Howard <p...@northern-ridge.com.au> wrote:
>
> In the end it was SELinux . . . The various guides out there refer to the settings that are always needed:
>
> setsebool -P httpd_can_sendmail 1
> setsebool -P httpd_can_network_memcache 1
> setsebool -P httpd_can_network_connect_db 1
> setsebool -P httpd_unified 1
>
> However for LDAP/AD authentication you also need
>
> setsebool -P httpd_can_connect_ldap 1
>
> Once I'd worked out that no request was actually leaving the machine it was easy enough to work back to the problem. Note to self for future reference: "getsebool -a" is your friend.
>
>

Thanks for catching that, Peter. Looks like I missed that one on
https://www.reviewboard.org/docs/manual/dev/admin/installation/creating-sites/

I've just sent a review request at
https://reviews.reviewboard.org/r/10201/ to get that boolean added to
the official documentation.