unexpected comma found at the end of DN string


Hi,
could you please execute the following command to get full logs from the login flow and share those logs?
ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=<PROFILE_NAME> --user-name=<USERNAME>
Please replace <PROFILE_NAME> and <USERNAME> according to your setup.
Thanks
Martin Perina
On Tue, Dec 13, 2016 at 9:03 AM, Bill Bill <jax2568@outlook.com> wrote:
Hello,
Getting this and have no idea where to begin:
server_error: Unexpected comma or semicolon found at the end of the DN string.
Server is set up with AD for authentication. The problem started after attempting to change SSL certificates with our own; however, that failed so we rolled back. Now, authentication doesn’t work anymore and the error is vague.
_______________________________________________ Users mailing list Users@ovirt.org http://lists.phx.ovirt.org/mailman/listinfo/users

I was actually able to resolve this by renaming the corresponding files in the /etc/pki/ovirt-engine/aaa directory and the extensions.d directory. Then, I simply ran the ovirt-engine-extension-aaa-ldap-setup command and re-added the AD back. The users were not affected since they were already in oVirt.
I have found that in the properties file, it stores the login information I used to set the connection up. If I remove those, the error is generated. It seems as though unless there’s a username/password stored in plain text in that file, the AD connection will not work. Is this correct or are there some variables that can be entered to use the info from the login fields?

Good that you made it work. AFAIK anonymous bind is very rarely used in Active Directory, so you should always use the username/password configuration in your properties files. Or properly set up the anonymous bind, because according to the logs there are some LDAP attributes with strange values. The aaa-ldap doesn't use the user from the login fields, as it's not correct. You should have set up some search user which does authorization; it should not be performed by the user who is trying to log in.
On Tue, Dec 13, 2016 at 9:35 PM, Bill Bill <jax2568@outlook.com> wrote:
I was actually able to resolve this by renaming the corresponding files in the /etc/pki/ovirt-engine/aaa directory and the extensions.d directory. Then, I simply ran the ovirt-engine-extension-aaa-ldap-setup command and re-added the AD back. The users were not affected since they were already in oVirt.
I have found that in the properties file, it stores the login information I used to set the connection up. If I remove those, the error is generated. It seems as though unless there’s a username/password stored in plain text in that file, the AD connection will not work. Is this correct or are there some variables that can be entered to use the info from the login fields?
From: Martin Perina <mperina@redhat.com>
Sent: Tuesday, December 13, 2016 3:28 AM
To: Bill Bill <jax2568@outlook.com>
Cc: users@ovirt.org; Ondra Machacek <omachace@redhat.com>
Subject: Re: [ovirt-users] unexpected comma found at the end of DN string
Hi,
could you please execute the following command to get full logs from the login flow and share those logs?
ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --profile=<PROFILE_NAME> --user-name=<USERNAME>
Please replace <PROFILE_NAME> and <USERNAME> according to your setup.
Thanks
Martin Perina
On Tue, Dec 13, 2016 at 9:03 AM, Bill Bill <jax2568@outlook.com> wrote:
Hello,
Getting this and have no idea where to begin:
server_error: Unexpected comma or semicolon found at the end of the DN string.
Server is set up with AD for authentication. The problem started after attempting to change SSL certificates with our own; however, that failed so we rolled back. Now, authentication doesn’t work anymore and the error is vague.
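An added example, not part of the thread and not oVirt project code: a small audit of an aaa-ldap profile properties file for the conditions discussed above, namely a plain-text bind password readable beyond the file's owner, missing search-user credentials (the anonymous-bind case), and a bind DN ending in an unescaped comma or semicolon as named in the error message. The `vars.user` and `vars.password` key names, the sample file contents and the finding labels are assumptions made for this example; check them against the file the setup tool generated.

```python
import os
import re
import stat
import tempfile

# Constructed sample profile. Key names follow the vars.* convention and are
# assumptions; compare with the file the setup tool generated for you.
SAMPLE = """\
vars.domain = example.test
vars.user = CN=svc-search,OU=Service,DC=example,DC=test,
vars.password = constructed-placeholder
"""

def parse_properties(text):
    """Parse simple key = value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def dn_trailing_separator(dn):
    """True when dn ends in an unescaped ',' or ';' (an empty final RDN)."""
    m = re.search(r"(\\*)[,;]\s*$", dn)
    return bool(m) and len(m.group(1)) % 2 == 0

def audit_profile(path):
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # bind password readable beyond the owning account
        findings.append(f"file-mode-{mode:04o}")
    with open(path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    user = props.get("vars.user", "")
    if not user or not props.get("vars.password"):
        findings.append("no-search-credentials")  # profile would bind anonymously
    elif "=" in user and dn_trailing_separator(user):
        findings.append("bind-dn-trailing-separator")
    return findings

def demo(text=SAMPLE, mode=0o644):
    """Write text to a temp file with the given mode and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as fh:
        fh.write(text)
    try:
        os.chmod(fh.name, mode)
        return audit_profile(fh.name)
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    print(demo())
```

The search account whose password sits in this file only needs read access to the directory, so keeping it a dedicated low-privilege account limits what a leaked file exposes.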
participants (3)
- Bill Bill
- Martin Perina
- Ondra Machacek