Bug 1464140
| Summary: | RHV: Unexpected comma or semicolon found at the end of the DN string when login with AD account | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Marian Jankular <mjankula> | ||||
| Component: | ovirt-engine-extension-aaa-ldap | Assignee: | Ondra Machacek <omachace> | ||||
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Gonza <grafuls> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 4.1.0 | CC: | abradshaw, audgiri, bazulay, lsurette, mgoldboi, mjankula, mperina, omachace, pbrilla, Rhev-m-bugs, tmichett, troels, ykaul | ||||
| Target Milestone: | ovirt-4.1.6 | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-08-17 12:12:51 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
There is warning in the log : 2017-06-22 15:28:29 WARNING Exception: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1� When running: $ ldapsearch -D 'CN=Cloud Forms Service Acc2,CN=Users,DC=mjankula,DC=test' -w 'password!23' -h 10.34.86.202 -b '' -p 3268 It returns the same, so the username or password is incorrect I guess. Can you re-check? Hi Marian, could you please provide non-working configuration Ondra requested in Comment 5? Closing this as insufficient data, feel free to reopen once you get requested non-working configuration I ran into this exact error message when trying to configure an AD connection via ldaps - switching to smartTLS resolved the error for me. Note: startTLS is not configured in AD by default, it would need to have been setup We just ran into this error. However, we are using startTLS and our RHV 4 instance has been using the AAA extensions for a long time. ovirt-engine-extension-aaa-ldap-setup-1.3.1-1.el7ev.noarch ovirt-engine-extension-aaa-ldap-1.3.1-1.el7ev.noarch The system has been up and not patched/changed since 7/26/17. The ovirt-engine service was bounced/restarted today and then the linkage/authentication with AD broke. I think it's dup of #1465463 just check if all certs of all domain controllers are corect. We need to add better error message. |
Created attachment 1290727 [details] log from aaa extension tool for successful login Description of problem: ovirt-engine-extensions-tool login is finished successfully while login to UI fails with error "Unexpected comma or semicolon found at the end of the DN string when login with AD account" Version-Release number of selected component (if applicable): rhevm-4.1.0.4-0.1.el7.noarch ovirt-engine-extension-aaa-ldap-1.3.1-1.el7ev.noarch How reproducible: everytime Steps to Reproduce: 1.install and setup engine 2.install and setup ovirt-engine-extension-aaa-ldap 3, properties file ------------------------------------------------------------- cat /etc/ovirt-engine/aaa/mjankula.test.properties include = <ad.properties> vars.domain = mjankula.test vars.user = CN=Cloud Forms Service Acc2,CN=Users,DC=mjankula,DC=test vars.password = password!23 pool.default.auth.simple.bindDN = ${global:vars.user} pool.default.auth.simple.password = ${global:vars.password} pool.default.serverset.type = single pool.default.serverset.single.server = 10.34.86.202 pool.default.socketfactory.resolver.enableAddressOnly = true pool.default.dc-resolve.default.serverset.type = single pool.default.dc-resolve.serverset.single.server = 10.34.86.202 ----------------------------------------------------------------------------- Actual results: engine.log 2017-06-22 15:23:09,663+02 WARN [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-54) [] Ignoring records from pool: 'authz' 2017-06-22 15:23:09,664+02 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (default task-54) [] [ovirt-engine-extension-aaa-ldap.authn::mjankula.test-authn] Cannot initialize LDAP framework, deferring initialization. Error: Unexpected comma or semicolon found at the end of the DN string. 2017-06-22 15:23:09,664+02 ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-54) [] Internal Server Error: Unexpected comma or semicolon found at the end of the DN string. 2017-06-22 15:23:09,665+02 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-54) [] Unexpected comma or semicolon found at the end of the DN string. 2017-06-22 15:23:09,739+02 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-55) [] server_error: Unexpected comma or semicolon found at the end of the DN string. 2017-06-22 15:24:09,962+02 WARN [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-64) [] Ignoring records from pool: 'authz' 2017-06-22 15:24:09,962+02 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (default task-64) [] [ovirt-engine-extension-aaa-ldap.authn::mjankula.test-authn] Cannot initialize LDAP framework, deferring initialization. Error: Unexpected comma or semicolon found at the end of the DN string. 2017-06-22 15:24:09,962+02 ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-64) [] Internal Server Error: Unexpected comma or semicolon found at the end of the DN string. 2017-06-22 15:24:09,962+02 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-64) [] Unexpected comma or semicolon found at the end of the DN string. 2017-06-22 15:24:09,996+02 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-2) [] server_error: Unexpected comma or semicolon found at the end of the DN string. Expected results: as ovirt-engine-extension-tool succeeded to login to ad i would expect same from Web UI Additional info: i have tried following - again, login was successful in extension tool bot not in web UI vars.user = CN=Cloud\ Forms\ Service\ Acc2,CN=Users,DC=mjankula,DC=test vars.user = CN="Cloud Forms Service Acc2",CN=Users,DC=mjankula,DC=test