Created attachment 1290727
log from aaa extension tool for successful login

Description of problem:
ovirt-engine-extensions-tool login finishes successfully while login to the UI fails with the error "Unexpected comma or semicolon found at the end of the DN string" when logging in with an AD account.

Version-Release number of selected component (if applicable):
rhevm-4.1.0.4-0.1.el7.noarch
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7ev.noarch

How reproducible:
every time

Steps to Reproduce:
1. install and setup engine
2. install and setup ovirt-engine-extension-aaa-ldap
3. properties file
-------------------------------------------------------------
cat /etc/ovirt-engine/aaa/mjankula.test.properties
include = <ad.properties>
vars.domain = mjankula.test
vars.user = CN=Cloud Forms Service Acc2,CN=Users,DC=mjankula,DC=test
vars.password = password!23
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = single
pool.default.serverset.single.server = 10.34.86.202
pool.default.socketfactory.resolver.enableAddressOnly = true
pool.default.dc-resolve.default.serverset.type = single
pool.default.dc-resolve.serverset.single.server = 10.34.86.202
-----------------------------------------------------------------------------

Actual results:
engine.log
2017-06-22 15:23:09,663+02 WARN [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-54) [] Ignoring records from pool: 'authz'
2017-06-22 15:23:09,664+02 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (default task-54) [] [ovirt-engine-extension-aaa-ldap.authn::mjankula.test-authn] Cannot initialize LDAP framework, deferring initialization. Error: Unexpected comma or semicolon found at the end of the DN string.
2017-06-22 15:23:09,664+02 ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-54) [] Internal Server Error: Unexpected comma or semicolon found at the end of the DN string.
2017-06-22 15:23:09,665+02 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-54) [] Unexpected comma or semicolon found at the end of the DN string.
2017-06-22 15:23:09,739+02 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-55) [] server_error: Unexpected comma or semicolon found at the end of the DN string.
2017-06-22 15:24:09,962+02 WARN [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-64) [] Ignoring records from pool: 'authz'
2017-06-22 15:24:09,962+02 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (default task-64) [] [ovirt-engine-extension-aaa-ldap.authn::mjankula.test-authn] Cannot initialize LDAP framework, deferring initialization. Error: Unexpected comma or semicolon found at the end of the DN string.
2017-06-22 15:24:09,962+02 ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-64) [] Internal Server Error: Unexpected comma or semicolon found at the end of the DN string.
2017-06-22 15:24:09,962+02 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-64) [] Unexpected comma or semicolon found at the end of the DN string.
2017-06-22 15:24:09,996+02 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-2) [] server_error: Unexpected comma or semicolon found at the end of the DN string.

Expected results:
As ovirt-engine-extension-tool succeeded to log in to AD, I would expect the same from the Web UI.

Additional info:
I have tried the following - again, login was successful in the extension tool but not in the web UI:
vars.user = CN=Cloud\ Forms\ Service\ Acc2,CN=Users,DC=mjankula,DC=test
vars.user = CN="Cloud Forms Service Acc2",CN=Users,DC=mjankula,DC=test
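The report above tries three spellings of the bind DN (plain, backslash-escaped spaces, quoted value) and still gets a DN-syntax error from the engine, so it helps to be able to check offline whether the DN that actually reaches the extension, after `${global:vars.user}` substitution, is syntactically valid. The following script is an added example written for this page; it is not part of the bug report or of ovirt-engine-extension-aaa-ldap. It assumes a simplified view of the properties format (plain `key = value` lines, `${global:KEY}` resolved against keys in the same file, `include` not followed) and an RFC 4514-style DN grammar with the legacy double-quoted value form; the sample properties are constructed from the file quoted in the description.

```python
"""
Validate the resolved bind DN in an ovirt-engine-extension-aaa-ldap
properties file (added example; not the extension's own loader).

Assumptions:
  - lines are "key = value"; "include = <file>" is recorded, not followed;
  - "${global:KEY}" references resolve against keys in the same text;
  - DN syntax: RFC 4514 backslash escapes, ',' or ';' between RDNs,
    plus the legacy "double-quoted value" form.  Multi-valued RDNs ('+')
    are not modelled.
"""
import re

# Constructed from the properties file quoted in the bug description.
SAMPLE_PROPERTIES = """\
include = <ad.properties>
vars.domain = mjankula.test
vars.user = CN=Cloud Forms Service Acc2,CN=Users,DC=mjankula,DC=test
vars.password = password!23
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
"""

BIND_DN_KEY = "pool.default.auth.simple.bindDN"
_REF = re.compile(r"\$\{global:([^}]+)\}")


def load_properties(text):
    """Parse 'key = value' lines and resolve ${global:KEY} references."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    # Unknown references are left untouched so the caller can flag them.
    return {k: _REF.sub(lambda m: props.get(m.group(1), m.group(0)), v)
            for k, v in props.items()}


def parse_dn(dn):
    """Split a DN into [(type, value), ...]; raise ValueError on bad syntax."""
    rdns, buf, quoted, i = [], [], False, 0

    def flush():
        rdn = "".join(buf).strip()
        if "=" not in rdn:
            raise ValueError("RDN without '=': %r" % rdn)
        t, v = rdn.split("=", 1)
        rdns.append((t.strip().upper(), v.strip()))
        buf.clear()

    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # backslash escape: keep next char
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':                           # legacy quoted value: toggle mode
            quoted = not quoted
            i += 1
            continue
        if c in ",;" and not quoted:           # RDN separator
            if i == len(dn) - 1:
                raise ValueError("unexpected comma or semicolon at end of DN")
            flush()
            i += 1
            continue
        buf.append(c)
        i += 1
    if quoted:
        raise ValueError("unterminated quote in DN")
    if not buf:
        raise ValueError("empty DN")
    flush()
    return rdns


def check_bind_dn(text, key=BIND_DN_KEY):
    """Return (True, rdns) if the resolved bind DN parses, else (False, why)."""
    props = load_properties(text)
    dn = props.get(key)
    if dn is None:
        return False, "missing key %s" % key
    if _REF.search(dn):
        return False, "unresolved reference in %s: %s" % (key, dn)
    try:
        return True, parse_dn(dn)
    except ValueError as exc:
        return False, "%s: %s" % (key, exc)


if __name__ == "__main__":
    print(check_bind_dn(SAMPLE_PROPERTIES))
```

All three DN spellings from the report parse to the same four RDNs, which is consistent with the later finding in this thread that the error message was misleading and the real problem lay elsewhere; the check is still useful to rule out a genuinely malformed or unresolved `bindDN` before looking at certificates or credentials.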
There is a warning in the log:
2017-06-22 15:28:29 WARNING Exception: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

When running:
$ ldapsearch -D 'CN=Cloud Forms Service Acc2,CN=Users,DC=mjankula,DC=test' -w 'password!23' -h 10.34.86.202 -b '' -p 3268

It returns the same, so the username or password is incorrect, I guess. Can you re-check?
Hi Marian, could you please provide the non-working configuration Ondra requested in Comment 5?
Closing this as insufficient data; feel free to reopen once you get the requested non-working configuration.
I ran into this exact error message when trying to configure an AD connection via ldaps - switching to startTLS resolved the error for me. Note: startTLS is not configured in AD by default; it would need to have been set up.
We just ran into this error. However, we are using startTLS and our RHV 4 instance has been using the AAA extensions for a long time.
ovirt-engine-extension-aaa-ldap-setup-1.3.1-1.el7ev.noarch
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7ev.noarch
The system has been up and not patched/changed since 7/26/17. The ovirt-engine service was bounced/restarted today and then the linkage/authentication with AD broke.
I think it's a dup of #1465463; just check if all certs of all domain controllers are correct. We need to add a better error message.