vatesfr / xen-orchestra

The global orchestration solution to manage and backup XCP-ng and XenServer.
https://xen-orchestra.com

LDAP plugin AcceptSecurityContext error #3846

Closed lravelo closed 1 year ago

lravelo commented 5 years ago

Context

Expected behavior

I am expecting that after supplying my AD domain controller as a URI, a bind user with read access to the entire domain, the base at the root of the domain (i.e., dc=domain,dc=net), and the filter (sAMAccountName={{name}}), supplying some test credentials would work.

Current behavior

When supplying test credentials, I get a popup saying the following:

Code: -32000 Message: unknown error from the peer

Checking the logs provides this message:

80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1

Here are the details of the log:

plugin.test
{
  "id": "auth-ldap",
  "data": {
    "username": "username",
    "password": "* obfuscated *"
  }
}
{
  "message": "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1\u0000",
  "stack": "InvalidCredentialsError: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1\u0000
    at messageCallback (/etc/xo/xo-builds/xen-orchestra-201909010936/node_modules/ldapjs/lib/client/client.js:1419:45)
    at Parser.onMessage (/etc/xo/xo-builds/xen-orchestra-201909010936/node_modules/ldapjs/lib/client/client.js:1089:14)
    at emitOne (events.js:116:13)
    at Parser.emit (events.js:211:7)
    at Parser.patchedEmit [as emit] (/etc/xo/xo-builds/xen-orchestra-201909010936/@xen-orchestra/log/src/configure.js:93:16)
    at Parser.write (/etc/xo/xo-builds/xen-orchestra-201909010936/node_modules/ldapjs/lib/messages/parser.js:111:8)
    at Socket.onData (/etc/xo/xo-builds/xen-orchestra-201909010936/node_modules/ldapjs/lib/client/client.js:1076:22)
    at emitOne (events.js:116:13)
    at Socket.emit (events.js:211:7)
    at Socket.patchedEmit [as emit] (/etc/xo/xo-builds/xen-orchestra-201909010936/@xen-orchestra/log/src/configure.js:93:16)
    at addChunk (_stream_readable.js:263:12)
    at readableAddChunk (_stream_readable.js:250:11)
    at Socket.Readable.push (_stream_readable.js:208:10)
    at TCP.onread (net.js:601:20)",
  "lde_message": "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1\u0000",
  "lde_dn": null
}

I've triple checked to make sure that the credentials I'm using are correct. The only thing I can think of is that the bind user has to have permissions that exceed "read" but I am not sure.

jcharaoui commented 5 years ago

I encountered this problem too, but found out it's not a bug in Xen Orchestra. The service account was simply locked. I hadn't realized that my browser had filled the password field automatically, with the wrong password of course. After a few tests the service account became locked.

It would be a nice improvement to have XO display a clearer message when it can't bind with the LDAP service account.
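
The clearer message suggested above can be derived from the error the plugin already receives: Active Directory embeds a sub-error code in the "AcceptSecurityContext error, data NNN" text that ldapjs surfaces as `lde_message` (visible in the log in this issue). The example below is added here and is not xen-orchestra or ldapjs code; it assumes the bind error has the shape shown in the log and maps the documented AD sub-codes (52e bad password, 775 account locked out, and so on) to an operator-facing reason. The `AD_BIND_SUBCODES` table, `decodeAdBindError` and `describeBindFailure` are names chosen for this example.

```javascript
// Added example (not project code): decode the Active Directory sub-error
// carried in an LDAP bind failure so the plugin's bind test can report why
// the service-account bind failed instead of "unknown error from the peer".

// Microsoft's AcceptSecurityContext "data" values (hex, lower case) and
// their meaning. These are the documented AD bind sub-errors.
const AD_BIND_SUBCODES = {
  '525': 'user not found',
  '52e': 'invalid credentials (wrong password)',
  '530': 'logon not permitted at this time',
  '531': 'logon not permitted from this workstation',
  '532': 'password expired',
  '533': 'account disabled',
  '701': 'account expired',
  '773': 'user must reset password at next logon',
  '775': 'account locked out',
};

// Assumed input shape: the message string ldapjs exposes as err.message or
// err.lde_message, e.g.
// "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1\u0000"
function decodeAdBindError(message) {
  if (typeof message !== 'string') return null;
  // AD appends a NUL byte and ldapjs keeps it; drop it before matching.
  const text = message.replace(/\u0000+$/, '');
  const m = /AcceptSecurityContext error, data ([0-9a-f]+)/i.exec(text);
  if (!m) return null;
  const code = m[1].toLowerCase();
  return {
    code,
    reason: AD_BIND_SUBCODES[code] || 'unknown AD sub-error',
    // Repeated bind tests with a wrong password end in a lockout (775),
    // which is the situation described in the comment above.
    lockedOut: code === '775',
  };
}

// Message for the plugin's service-account bind test. This is an operator
// diagnostic, so the detail is appropriate here; an end-user login path
// should not echo the sub-code, since it reveals account state.
function describeBindFailure(err) {
  const decoded = decodeAdBindError(err && (err.lde_message || err.message));
  if (!decoded) {
    return `LDAP bind failed: ${err && err.message ? err.message : 'unknown error'}`;
  }
  return `LDAP bind with the service account failed: ${decoded.reason} (AD data ${decoded.code})`;
}

// Constructed sample mirroring the error object logged in this issue.
const sampleBindError = {
  name: 'InvalidCredentialsError',
  message: '80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1\u0000',
  lde_message: '80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1\u0000',
  lde_dn: null,
};

console.log(describeBindFailure(sampleBindError));
```

With the sample above the output names the wrong-password case; a 775 message would instead report the lockout, which is the condition the bind test should distinguish before an operator retries with yet another password.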

olivierlambert commented 1 year ago

We have a test CLI for this. Closing.