ECS: Comma-separated values in domain attributes for S3 key self-service is not working

Customer is trying to simplify management by allowing login (and ultimately S3 self-service key creation) to using the AD attribute "sAMAccountName."
This is configured at namespace level (Manage > namespace).

Once two comma-separated values are configured, the key self-service is failing with below shown errors.
If they are used separately (only one value configured), each of them is working.



The first login is when there is only one entry (a Token is created):

[user@client ~]$ curl -I -s https://$MANAGEMENT_ENDPOINT/login -u "$MANAGEMENT_USER:$MANAGEMENT_PASSWORD"
HTTP/1.1 200 OK
Date: Fri, 17 May 2019 07:57:29 GMT
Content-Type: application/xml
Content-Length: 0
Connection: keep-alive
X-SDS-AUTH-TOKEN: BAAcbmZXWHBVcVh5U2UrNjY3YkFkNnJuRHV5a2xzPQMAjAQASHVybjpzdG9yYWdlb31YzNkMWYzYzRjMwIADTE1NTgwMzE5NjQyODMDAC51cm
46VG9rZW46Y2MzNTMwMT1M6VmlydHVhbERhdGFDZW50ZXJEYXRhOjFmMTQyOTExLTM4NzktNGI3OC1hYWFkLTItMjA4Mi00OTRiLTlhMWUtOWRkZjBlMDQ2NjIwAgAC0A8=

The second one is when there is a comma separated values (not working, HTTP 500 Error):

[user@client ~]$ curl -I -s https://$MANAGEMENT_ENDPOINT/login -u "$MANAGEMENT_USER:$MANAGEMENT_PASSWORD"
HTTP/1.1 500 Internal Server Error
Date: Fri, 17 May 2019 07:57:49 GMT
Content-Type: text/html;charset=iso-8859-1
Content-Length: 261
Connection: keep-alive
Cache-Control: must-revalidate,no-cache,no-store

Third login is again only one entry, the 2nd one (a Token is created again):

[user@client ~]$ curl -I -s https://$MANAGEMENT_ENDPOINT/login -u "$MANAGEMENT_USER:$MANAGEMENT_PASSWORD"
HTTP/1.1 200 OK
Date: Wed, 22 May 2019 12:25:32 GMT
Content-Type: application/xml
Content-Length: 0
Connection: keep-alive
X-SDS-AUTH-TOKEN: BAAcWXV2QXpjTDVnd016dW9Tc3hWWXd6NUI4elBvPQMAjAQASHVybjpzdG9yYWdlb31YzNkMWYzYzRjMwIADTE1NTg0NjM5NjQzNzEDAC51cm
46VG9rZW46Nzc0NDI1MmUt1M6VmlydHVhbERhdGFDZW50ZXJEYXRhOjFmMTQyOTExLTM4NzktNGI3OC1hYWFkLTIDQyNi00OGRlLWFhMTctNjMzZmNiNzY0NTJhAgAC0A8=

 

An issue has been discovered, causing S3 key self-service not working as expected when comma-separated values are used in domain attributes.

The root cause of the issue is not known and is under investigation by Dell ECS Development.

A workaround to mitigate the issue is to create an Active Directory (AD) group where users using ECS can be added.
Contact your AD admin or team to create an AD group that can be used and ensure that all appropriate users are added.

For adding this group to ECS:

1. Choose manage -> namespace -> edit
2. If not already done, click "Domain." 
3. Add the group name to the Groups field. As no attributes are needed, click the X next to the attributes field, and it closes.
4. Click Save.

After ECS namespace is configured with the group, users can be added or removed through AD group without any changes to ECS.

Subscribe to product updates.
You can subscribe to updates by following the instructions in the Knowledge Article below:
DELL: How to subscribe to Product Pages - Dell Support?