authentication failure reasons in IdP logs

David Bantz dabantz at alaska.edu
Thu Jun 19 18:09:33 EDT 2014


On Thu, 19 Jun 2014, at 13:37 , Christopher Bongaarts <cab at umn.edu> wrote:

> The "invalid dn" is from VT-LDAP, and indicates that the search for the user failed (i.e. the userFilter did not match any users).  Nothing to do with the bindDn (unless the issue is that the bindDn doesn't have sufficient access to see the target user).

That’s what I said to myself, but then I read the logs more closely and saw that the dn being used is the dn AD returned in the search for the user.  That is, 
	the user provides an identifier
	IdP does a search for the record
	AD provides a fully qualified dn [it ain’t provided by the user, the IdP doesn’t know how to build it from scratch, so I am assuming it was returned by AD]
	IdP attempts (via VT-LDAP) to bind using that dn and the user-provided password
	Then I see the message “Cannot authenticate dn, invalid dn” 

Here’s an example from an apparently resourceful user who, after one failure, tried again providing a different identifier; the two different identifiers both correctly result in the same correct dn.
And in case you’re wondering, yes, both identifiers are correct and both were validated by direct inspection of the AD record.

12:32:23.457 - INFO [edu.vt.middleware.ldap.jaas.JaasAuthenticator:180] - Authentication failed for dn: CN=jlrosenthal,OU=userAccounts,dc=ua,dc=ad,dc=alaska,dc=edu
12:32:23.460 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:176] - User authentication for jlrosenthal failed
javax.security.auth.login.LoginException: Cannot authenticate dn, invalid dn

13:33:42.494 - INFO [edu.vt.middleware.ldap.jaas.JaasAuthenticator:180] - Authentication failed for dn: CN=jlrosenthal,OU=userAccounts,dc=ua,dc=ad,dc=alaska,dc=edu
13:33:42.497 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:176] - User authentication for 31115951 failed
javax.security.auth.login.LoginException: Cannot authenticate dn, invalid dn


This failure mode is entirely different from another scenario occasionally seen:
	the user provides an identifier
	IdP does a search for the record
	No record is found using the user-provided identifier and IdP configured search
	Then I see the message “Search for user: {identifier} failed using filter…”

14:38:37.369 - INFO [edu.vt.middleware.ldap.auth.SearchDnResolver:161] - Search for user: cmatth15 failed using filter: (|(sAMAccountName={0})(uaIdentifier={0}))


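As an added example (it is not code from the original message, nor from Shibboleth or VT-LDAP), here is a small Python triage script that separates the two failure modes described in the message using the log formats quoted above: a SearchDnResolver "Search for user: X failed using filter: ..." line means no dn was resolved for the identifier, while a JaasAuthenticator "Authentication failed for dn: X" line means a dn was in hand and authenticating with it failed; the UsernamePasswordLoginServlet line and the LoginException line that follow are attached to the nearest preceding event. The embedded log lines are constructed, modelled on the formats in the message, with placeholder user names, identifiers and a placeholder DN suffix; the two-second correlation window and the servlet line following the search failure are assumptions.

```python
"""Triage Shibboleth IdP 2.x / VT-LDAP authentication failures by stage (added example, not project code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log; names, identifiers and DN suffix are placeholders, formats follow the message.
SAMPLE_LOG = """\
12:32:23.457 - INFO [edu.vt.middleware.ldap.jaas.JaasAuthenticator:180] - Authentication failed for dn: CN=jdoe,OU=userAccounts,DC=example,DC=edu
12:32:23.460 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:176] - User authentication for jdoe failed
javax.security.auth.login.LoginException: Cannot authenticate dn, invalid dn

13:33:42.494 - INFO [edu.vt.middleware.ldap.jaas.JaasAuthenticator:180] - Authentication failed for dn: CN=jdoe,OU=userAccounts,DC=example,DC=edu
13:33:42.497 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:176] - User authentication for 10000001 failed
javax.security.auth.login.LoginException: Cannot authenticate dn, invalid dn

14:38:37.369 - INFO [edu.vt.middleware.ldap.auth.SearchDnResolver:161] - Search for user: nobody1 failed using filter: (|(sAMAccountName={0})(uaIdentifier={0}))
14:38:37.371 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:176] - User authentication for nobody1 failed
"""

TS = r'(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})'
RE_DN_AUTH_FAIL = re.compile(TS + r' - INFO \[edu\.vt\.middleware\.ldap\.jaas\.JaasAuthenticator:\d+\] - '
                             r'Authentication failed for dn: (?P<dn>\S.*)$')
RE_SEARCH_FAIL = re.compile(TS + r' - INFO \[edu\.vt\.middleware\.ldap\.auth\.SearchDnResolver:\d+\] - '
                            r'Search for user: (?P<user>\S+) failed using filter: (?P<filter>.+)$')
RE_SERVLET_FAIL = re.compile(TS + r' - DEBUG \[edu\.internet2\.middleware\.shibboleth\.idp\.authn\.provider\.'
                             r'UsernamePasswordLoginServlet:\d+\] - User authentication for (?P<user>\S+) failed$')
RE_EXCEPTION = re.compile(r'^javax\.security\.auth\.login\.LoginException: (?P<msg>.+)$')


@dataclass
class Failure:
    ts: str
    stage: str                          # 'search' (no dn resolved), 'bind' (dn resolved, auth with it failed), 'unknown'
    identifier: Optional[str] = None    # what the user typed (from the search or servlet line)
    dn: Optional[str] = None            # dn the directory returned, when one was resolved
    search_filter: Optional[str] = None
    reason: Optional[str] = None        # LoginException message, when one follows


def _ms(ts: str) -> int:
    """Time-of-day in milliseconds; the IdP log lines here carry no date."""
    h, m, s = ts.split(':')
    sec, ms = s.split('.')
    return ((int(h) * 60 + int(m)) * 60 + int(sec)) * 1000 + int(ms)


def parse_failures(lines, window_ms: int = 2000) -> List[Failure]:
    """Build one Failure per VT-LDAP failure line, attaching the servlet and exception lines that follow it.
    window_ms (assumed value) bounds how far apart the VT-LDAP and servlet lines may be to count as one event."""
    events: List[Failure] = []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        m = RE_DN_AUTH_FAIL.match(line)
        if m:
            events.append(Failure(ts=m['ts'], stage='bind', dn=m['dn']))
            continue
        m = RE_SEARCH_FAIL.match(line)
        if m:
            events.append(Failure(ts=m['ts'], stage='search', identifier=m['user'], search_filter=m['filter']))
            continue
        m = RE_SERVLET_FAIL.match(line)
        if m:
            # Pair with the preceding VT-LDAP line if it is close enough in time; else it stands alone.
            if events and abs(_ms(m['ts']) - _ms(events[-1].ts)) <= window_ms and events[-1].identifier in (None, m['user']):
                events[-1].identifier = m['user']
            else:
                events.append(Failure(ts=m['ts'], stage='unknown', identifier=m['user']))
            continue
        m = RE_EXCEPTION.match(line)
        if m and events and events[-1].reason is None:
            events[-1].reason = m['msg']
    return events


def summarize(events: List[Failure]) -> Dict[str, object]:
    """Group bind-stage failures by resolved dn and list identifiers the search never resolved.
    Several identifiers failing against one dn is the 'same account, different alias' case from the message;
    many distinct dns each failing once in a short window would look more like password spraying."""
    bind_by_dn = defaultdict(set)
    unresolved: List[str] = []
    for e in events:
        if e.stage == 'bind' and e.dn:
            bind_by_dn[e.dn].add(e.identifier or '?')
        elif e.stage == 'search':
            unresolved.append(e.identifier)
    return {'bind_failures_by_dn': {dn: sorted(ids) for dn, ids in bind_by_dn.items()},
            'unresolved_identifiers': unresolved}


if __name__ == '__main__':
    for ev in parse_failures(SAMPLE_LOG.splitlines()):
        print(ev)
    print(summarize(parse_failures(SAMPLE_LOG.splitlines())))
```

Run against a real idp-process.log, point parse_failures at the file's lines; the 'unknown' stage catches servlet failures whose VT-LDAP line was logged at a level the deployment does not emit.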

