authentication failure reasons in IdP logs
David Bantz
dabantz at alaska.edu
Thu Jun 19 18:09:33 EDT 2014
On Thu, 19 Jun 2014, at 13:37, Christopher Bongaarts <cab at umn.edu> wrote:
> The "invalid dn" is from VT-LDAP, and indicates that the search for the user failed (i.e. the userFilter did not match any users). Nothing to do with the bindDn (unless the issue is that the bindDn doesn't have sufficient access to see the target user).
That’s what I said to myself, but then read the logs more closely to see that the dn being used is the dn AD returned in the search for the user. That is,
the user provides an identifier
IdP does a search for the record
AD provides a fully qualified dn [it ain’t provided by the user, the IdP doesn’t know how to build it from scratch, so I am assuming it was returned by AD]
IdP attempts (via VT-LDAP) to bind using that dn and the user-provided password
Then I see the message “Cannot authenticate dn, invalid dn”
Here’s an example from an apparently resourceful user who, after one failure, tried again providing a different identifier; the two different identifiers both correctly result in the same correct dn.
And in case you’re wondering, yes, both identifiers are correct and both were validated by direct inspection of the AD record.
12:32:23.457 - INFO [edu.vt.middleware.ldap.jaas.JaasAuthenticator:180] - Authentication failed for dn: CN=jlrosenthal,OU=userAccounts,dc=ua,dc=ad,dc=alaska,dc=edu
12:32:23.460 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:176] - User authentication for jlrosenthal failed
javax.security.auth.login.LoginException: Cannot authenticate dn, invalid dn
13:33:42.494 - INFO [edu.vt.middleware.ldap.jaas.JaasAuthenticator:180] - Authentication failed for dn: CN=jlrosenthal,OU=userAccounts,dc=ua,dc=ad,dc=alaska,dc=edu
13:33:42.497 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:176] - User authentication for 31115951 failed
javax.security.auth.login.LoginException: Cannot authenticate dn, invalid dn
This failure mode is entirely different from another scenario occasionally seen:
the user provides an identifier
IdP does a search for the record
No record is found using the user-provided identifier and IdP configured search
Then I see the message “Search for user: {identifier} failed using filter…”
14:38:37.369 - INFO [edu.vt.middleware.ldap.auth.SearchDnResolver:161] - Search for user: cmatth15 failed using filter: (|(sAMAccountName={0})(uaIdentifier={0}))
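A small log classifier that separates the two failure modes described above (DN resolved but bind rejected, versus no DN resolved at all) and groups bind failures by DN so that several identifiers landing on the same DN stand out. This is an added example, not code from the post or from the Shibboleth or VT-LDAP projects; the sample log lines are constructed to match the format quoted above, with placeholder names and directory suffix.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the IdP/VT-LDAP output quoted above;
# names, times and the directory suffix are placeholders, not real records.
SAMPLE_LOG = """\
12:32:23.457 - INFO [edu.vt.middleware.ldap.jaas.JaasAuthenticator:180] - Authentication failed for dn: CN=jdoe,OU=userAccounts,dc=example,dc=edu
12:32:23.460 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:176] - User authentication for jdoe failed
javax.security.auth.login.LoginException: Cannot authenticate dn, invalid dn
13:33:42.494 - INFO [edu.vt.middleware.ldap.jaas.JaasAuthenticator:180] - Authentication failed for dn: CN=jdoe,OU=userAccounts,dc=example,dc=edu
13:33:42.497 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:176] - User authentication for 31115951 failed
javax.security.auth.login.LoginException: Cannot authenticate dn, invalid dn
14:38:37.369 - INFO [edu.vt.middleware.ldap.auth.SearchDnResolver:161] - Search for user: nosuch failed using filter: (|(sAMAccountName={0})(uaIdentifier={0}))
"""

# One pattern per line type emitted by the VT-LDAP resolver, the JAAS
# authenticator, the IdP login servlet, and the trailing LoginException.
SEARCH_FAIL = re.compile(r"SearchDnResolver.*Search for user: (\S+) failed using filter: (.+)$")
BIND_FAIL = re.compile(r"JaasAuthenticator.*Authentication failed for dn: (.+)$")
USER_FAIL = re.compile(r"UsernamePasswordLoginServlet.*User authentication for (\S+) failed$")
LOGIN_EXC = re.compile(r"LoginException: (.+)$")

def classify(log_text):
    """One event per failed login. Stage 'search': no DN was resolved, so no
    bind was attempted. Stage 'bind': a DN was resolved but the bind with the
    user's password was rejected; the servlet and exception lines that follow
    are folded into that event so identifier, DN and reason sit together."""
    events = []
    for line in log_text.splitlines():
        if m := SEARCH_FAIL.search(line):
            events.append({"stage": "search", "identifier": m.group(1), "dn": None,
                           "reason": "no entry matched filter " + m.group(2)})
        elif m := BIND_FAIL.search(line):
            events.append({"stage": "bind", "identifier": None, "dn": m.group(1), "reason": None})
        elif (m := USER_FAIL.search(line)) and events and events[-1]["stage"] == "bind":
            events[-1]["identifier"] = m.group(1)
        elif (m := LOGIN_EXC.search(line)) and events and events[-1]["stage"] == "bind":
            events[-1]["reason"] = m.group(1)
    return events

def identifiers_per_dn(events):
    """Map each resolved DN to the identifiers that failed to bind as it. Several
    distinct identifiers resolving to one DN shows the lookup step is working
    and the failure is in the bind itself, the pattern described in the post."""
    by_dn = defaultdict(set)
    for e in events:
        if e["stage"] == "bind" and e["identifier"]:
            by_dn[e["dn"]].add(e["identifier"])
    return {dn: sorted(ids) for dn, ids in by_dn.items()}
```

Run `classify(SAMPLE_LOG)` on an exported idp-process.log to list attempts by stage, then `identifiers_per_dn` on the result to see which DNs are failing at the bind step regardless of how the user was looked up.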