authentication failure reasons in IdP logs

Daniel Fisher dfisher at vt.edu
Fri Jun 20 15:06:48 EDT 2014


On Fri, Jun 20, 2014 at 12:34 PM, David Bantz <dabantz at alaska.edu> wrote:
>
> On Fri, 20 Jun 2014, at 06:34 , Daniel Fisher <dfisher at vt.edu> wrote:
>
> Are you certain those log messages were produced by the same thread?
>
>
> They are adjacent lines in the idp-process.log.
>

That just means they occurred around the same time. You'll see
interleaved logs for multiple threads at times of high concurrency.

> I'd like to see your login configuration, I'm confused as to what
> would produce this behavior.
>
>
>
> ShibUserPassAuth {
>
> // EDIR Auth
>    edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
>
> // UA AD Auth
>    edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient

What you're seeing (I think) is the result of an invalid password. The
first module correctly resolves the DN, but the bind fails. The second
module cannot resolve the DN. So you should expect logs from both
modules anytime a user gives the wrong password. A user whose login
succeeds on the first module would only produce logs for that module.
A user whose login succeeds on the second module would produce logs
from both modules.

--Daniel Fisher
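An added example, not part of the original message and not Shibboleth or vt-ldap code: a small simulation of the two `sufficient` modules described above, showing which modules log for each login outcome and why records must be grouped by thread before a failure reason is assigned. The directories, user names, thread ids and event labels (`DN_NOT_FOUND`, `BIND_FAILED`, `BIND_OK`) are constructed for illustration and are not real IdP log messages; the "unknown user" case goes beyond what the message covers.

```python
# Constructed sample data standing in for the "EDIR" and "UA AD" LDAP
# directories named in the quoted JAAS config. All entries are hypothetical.
EDIR = {"alice": ("cn=alice,o=edir", "pw-a")}
UA_AD = {"bob": ("cn=bob,dc=ua", "pw-b")}
CHAIN = [("EDIR", EDIR), ("UA-AD", UA_AD)]  # both flagged 'sufficient'

def login(thread, user, password):
    """Walk the chain as JAAS treats 'sufficient' modules: return on the
    first success, otherwise fall through to the next module."""
    logs = []
    for name, directory in CHAIN:
        entry = directory.get(user)
        if entry is None:
            logs.append((thread, name, "DN_NOT_FOUND"))
        elif entry[1] != password:
            logs.append((thread, name, "BIND_FAILED"))
        else:
            logs.append((thread, name, "BIND_OK"))
            break  # sufficient: later modules are never called
    return logs

def interleave(*streams):
    """Mimic concurrent threads writing to one log file (round-robin)."""
    out = []
    for i in range(max(map(len, streams))):
        out.extend(s[i] for s in streams if i < len(s))
    return out

def classify(records):
    """Group interleaved records by thread, then derive one reason each."""
    by_thread = {}
    for thread, _module, event in records:
        by_thread.setdefault(thread, []).append(event)
    reasons = {}
    for thread, events in by_thread.items():
        if "BIND_OK" in events:
            reasons[thread] = "success"
        elif "BIND_FAILED" in events:
            reasons[thread] = "invalid password"
        else:
            reasons[thread] = "unknown user"  # no module resolved a DN
    return reasons
```

Reading adjacent lines of the interleaved output without the thread key would pair one login's `BIND_FAILED` with another login's `BIND_OK`, which is the misreading the reply warns about.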

