Bug 1464140 - RHV: Unexpected comma or semicolon found at the end of the DN string when login with AD account [NEEDINFO]
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ovirt-4.1.6
Target Release: ---
Assigned To: Ondra Machacek
QA Contact: Gonza
Depends On:
Blocks:
Reported: 2017-06-22 09:49 EDT by Marian Jankular
Modified: 2017-09-29 04:49 EDT
CC: 14 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-17 08:12:51 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
omachace: needinfo? (mjankula)
mperina: needinfo? (mjankula)


Attachments
log from aaa extension tool for successful login (4.91 MB, text/plain)
2017-06-22 09:49 EDT, Marian Jankular
Description Marian Jankular 2017-06-22 09:49:42 EDT
Created attachment 1290727 [details]
log from aaa extension tool for successful login

Description of problem:
ovirt-engine-extensions-tool login finishes successfully, while login to the UI fails with the error "Unexpected comma or semicolon found at the end of the DN string" when logging in with an AD account.

Version-Release number of selected component (if applicable):
rhevm-4.1.0.4-0.1.el7.noarch
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7ev.noarch

How reproducible:
everytime

Steps to Reproduce:
1. install and set up engine
2. install and set up ovirt-engine-extension-aaa-ldap
3. properties file
-------------------------------------------------------------
cat /etc/ovirt-engine/aaa/mjankula.test.properties 
include = <ad.properties>

vars.domain = mjankula.test
vars.user = CN=Cloud Forms Service Acc2,CN=Users,DC=mjankula,DC=test
vars.password = password!23

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = single
pool.default.serverset.single.server = 10.34.86.202
pool.default.socketfactory.resolver.enableAddressOnly = true
pool.default.dc-resolve.default.serverset.type = single
pool.default.dc-resolve.serverset.single.server = 10.34.86.202
-----------------------------------------------------------------------------



Actual results:
engine.log
2017-06-22 15:23:09,663+02 WARN  [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-54) [] Ignoring records from pool: 'authz'
2017-06-22 15:23:09,664+02 WARN  [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (default task-54) [] [ovirt-engine-extension-aaa-ldap.authn::mjankula.test-authn] Cannot initialize LDAP framework, deferring initialization. Error: Unexpected comma or semicolon found at the end of the DN string.
2017-06-22 15:23:09,664+02 ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-54) [] Internal Server Error: Unexpected comma or semicolon found at the end of the DN string.
2017-06-22 15:23:09,665+02 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-54) [] Unexpected comma or semicolon found at the end of the DN string.
2017-06-22 15:23:09,739+02 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-55) [] server_error: Unexpected comma or semicolon found at the end of the DN string.
2017-06-22 15:24:09,962+02 WARN  [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-64) [] Ignoring records from pool: 'authz'
2017-06-22 15:24:09,962+02 WARN  [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (default task-64) [] [ovirt-engine-extension-aaa-ldap.authn::mjankula.test-authn] Cannot initialize LDAP framework, deferring initialization. Error: Unexpected comma or semicolon found at the end of the DN string.
2017-06-22 15:24:09,962+02 ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-64) [] Internal Server Error: Unexpected comma or semicolon found at the end of the DN string.
2017-06-22 15:24:09,962+02 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-64) [] Unexpected comma or semicolon found at the end of the DN string.
2017-06-22 15:24:09,996+02 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-2) [] server_error: Unexpected comma or semicolon found at the end of the DN string.


Expected results:
As ovirt-engine-extension-tool succeeded in logging in to AD, I would expect the same from the Web UI.


Additional info:
I have tried the following; again, login was successful in the extension tool but not in the web UI:
vars.user = CN=Cloud\ Forms\ Service\ Acc2,CN=Users,DC=mjankula,DC=test
vars.user = CN="Cloud Forms Service Acc2",CN=Users,DC=mjankula,DC=test
Comment 1 Ondra Machacek 2017-06-22 10:42:39 EDT
There is a warning in the log:

 2017-06-22 15:28:29 WARNING Exception: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

When running:

  $ ldapsearch -D 'CN=Cloud Forms Service Acc2,CN=Users,DC=mjankula,DC=test' -w 'password!23' -h 10.34.86.202 -b '' -p 3268

It returns the same, so the username or password is incorrect I guess. Can you re-check?
Comment 6 Martin Perina 2017-08-03 08:38:14 EDT
Hi Marian, could you please provide non-working configuration Ondra requested in Comment 5?
Comment 7 Martin Perina 2017-08-17 08:12:51 EDT
Closing this as insufficient data, feel free to reopen once you get requested non-working configuration
Comment 8 Ade Bradshaw 2017-09-15 14:24:48 EDT
I ran into this exact error message when trying to configure an AD connection via ldaps - switching to startTLS resolved the error for me.

Note: startTLS is not configured in AD by default; it would need to have been set up.
Comment 9 Travis Michette 2017-09-27 16:41:08 EDT
We just ran into this error. However, we are using startTLS and our RHV 4 instance has been using the AAA extensions for a long time.

ovirt-engine-extension-aaa-ldap-setup-1.3.1-1.el7ev.noarch
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7ev.noarch

The system has been up and not patched/changed since 7/26/17.


The ovirt-engine service was bounced/restarted today and then the linkage/authentication with AD broke.
Comment 10 Ondra Machacek 2017-09-29 04:49:50 EDT
I think it's a dup of #1465463; just check if all certs of all domain controllers are correct. We need to add a better error message.
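Comment 10's advice to check every domain controller's certificate, as an added example that is not part of this bug report or of ovirt-engine-extension-aaa-ldap: it performs an LDAPS handshake (port 636; startTLS is not covered) with each DC using the CA bundle the engine trusts, and reports why the certificate would be rejected, including a SAN that does not cover the address the properties file connects to. The DC names, the CA bundle path and SAMPLE_CERT are assumptions or constructed values.

```python
import socket
import ssl
import time

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); not a real DC certificate.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "dc1.mjankula.test"), ("DNS", "*.dc.mjankula.test")),
    "notBefore": "Jan 10 00:00:00 2017 GMT",
    "notAfter": "Jan 10 00:00:00 2019 GMT",
}

def _san_covers(san_entries, target):
    """True if a DNS SAN (one leading wildcard label allowed) or an IP Address SAN covers target."""
    target = target.lower()
    for kind, value in san_entries:
        value = value.lower()
        if kind == "IP Address" and value == target:
            return True
        if kind == "DNS" and value.startswith("*."):
            if "." in target and target.split(".", 1)[1] == value[2:]:
                return True
        elif kind == "DNS" and value == target:
            return True
    return False

def evaluate_cert(cert, target, now):
    """Problems (empty list = OK) with a DC certificate for the address the engine connects to."""
    problems = []
    san = cert.get("subjectAltName", ())
    if not san:
        problems.append("certificate has no subjectAltName")
    elif not _san_covers(san, target):
        problems.append("target %r is not covered by SAN %r" % (target, [v for _, v in san]))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid (notBefore %s)" % cert["notBefore"])
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired (notAfter %s)" % cert["notAfter"])
    return problems

def check_dc(target, cafile, port=636, timeout=5.0):
    """LDAPS handshake with one DC: chain verified against cafile (the bundle the engine
    trusts), then hostname/validity problems reported; a failed handshake is one problem."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; evaluate_cert explains the hostname result
    try:
        with socket.create_connection((target, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=target) as tls:
                return evaluate_cert(tls.getpeercert(), target, time.time())
    except (ssl.SSLError, OSError) as exc:
        return ["TLS handshake failed: %s" % exc]
```

Run check_dc(target, cafile) once per DC address listed in the properties file (for example the 10.34.86.202 above) with the CA bundle the engine is configured to trust; an empty list means that DC's certificate is acceptable.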
