Can't retrieve attributes at Authentication phase
Ranil De Silva
ranil.desilva at industrieit.com
Fri May 1 08:15:41 EDT 2015
Hi
I am trying to retrieve the user's mobile number at the authentication
phase. We have an Active Directory LDS server. In my previous experience, AD
servers didn't need any special permissions to read the directory, but AD
LDS has three roles: admin, readers and users. Users can't retrieve
anything from the LDAP but can authenticate against it, while readers can
read the LDAP and attributes and admins have full access. So once I created
a reader user and configured its credentials, I am now getting attributes
from the LDAP at the attribute resolution phase but nothing at the
authentication phase.
I initially thought the problem might be that I was
using adAuthenticator, which did not seem to set the bind credentials (so
that we use the reader credentials), so I switched to using the
bindSearchAuthenticator, but I am still not getting anything returned. Logs are
shown below. I am checking the LdapEntry within the LDAPResponseContext for
the attributes.
Any help or hints would be much appreciated!
Thanks
Ranil
2015-05-01 21:47:37,895 - DEBUG [org.ldaptive.SearchOperation:138] -
execute request=[org.ldaptive.SearchRequest at -1419595123::baseDn=CN=De
Silva\, Ranil (Industrie IT),CN=Users,CN=WIN-GVB9BF0AETR,DC=local,
searchFilter=[org.ldaptive.SearchFilter at 1642584434::filter=(objectClass=*),
parameters={}], returnAttributes=[mobile, userPrincipalName],
searchScope=OBJECT, timeLimit=0, sizeLimit=0, derefAliases=null,
typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED,
searchEntryHandlers=null, searchReferenceHandlers=null, controls=null,
followReferrals=false, intermediateResponseHandlers=null] with
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 1083387473
::config=[org.ldaptive.ConnectionConfig at 356447101::ldapUrl=ldap://localhost:389,
connectTimeout=3000, responseTimeout=-1,
sslConfig=[org.ldaptive.ssl.SslConfig at 241911687
::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig at 680ec918,
trustManagers=null, enabledCipherSuites=null, enabledProtocols=null,
handshakeCompletedListeners=null], useSSL=false, useStartTLS=false,
connectionInitializer=null],
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory at 2108005285::metadata=[ldapUrl=ldap://localhost:389,
count=1], environment={com.sun.jndi.ldap.connect.timeout=3000,
java.naming.ldap.version=3,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory},
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig at 554515992::operationExceptionResultCodes=[PROTOCOL_ERROR,
SERVER_DOWN], properties={},
connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy at 5a74ae5a,
controlProcessor=org.ldaptive.provider.ControlProcessor at 7c2f21d9,
environment=null, tracePackets=null, removeDnUrls=true,
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]],
providerConnection=org.ldaptive.provider.jndi.JndiConnection at 681d415b]
2015-05-01 21:47:37,915 - DEBUG [org.ldaptive.auth.Authenticator:381] -
entry resolution failed for
resolver=[org.ldaptive.auth.SearchEntryResolver at 2011441867::factory=null,
baseDn=, userFilter=null, userFilterParameters=null,
allowMultipleEntries=false, subtreeSearch=false, derefAliases=null,
followReferrals=false, searchEntryHandlers=null]
org.ldaptive.LdapException: javax.naming.NameNotFoundException: [LDAP:
error code 32 - 0000208D: NameErr: DSID-031522DA, problem 2001 (NO_OBJECT),
data 0, best match of:
'CN=WIN-GVB9BF0AETR,DC=local'
]; remaining name 'CN=De Silva\, Ranil (Industrie
IT),CN=Users,CN=WIN-GVB9BF0AETR,DC=local'
at
org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:77)
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 -
0000208D: NameErr: DSID-031522DA, problem 2001 (NO_OBJECT), data 0, best
match of:
'CN=WIN-GVB9BF0AETR,DC=local'
]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
2015-05-01 21:47:37,917 - INFO [org.ldaptive.auth.Authenticator:259] -
Authentication succeeded for dn: CN=De Silva\, Ranil (Industrie
IT),CN=Users,CN=WIN-GVB9BF0AETR,DC=local
2015-05-01 21:47:37,918 - DEBUG [org.ldaptive.auth.Authenticator:284] -
authenticate
response=[org.ldaptive.auth.AuthenticationHandlerResponse at 1895928734
::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 1083387473
::config=[org.ldaptive.ConnectionConfig at 356447101::ldapUrl=ldap://localhost:389,
connectTimeout=3000, responseTimeout=-1,
sslConfig=[org.ldaptive.ssl.SslConfig at 241911687
::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig at 680ec918,
trustManagers=null, enabledCipherSuites=null, enabledProtocols=null,
handshakeCompletedListeners=null], useSSL=false, useStartTLS=false,
connectionInitializer=null],
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory at 2108005285::metadata=[ldapUrl=ldap://localhost:389,
count=1], environment={com.sun.jndi.ldap.connect.timeout=3000,
java.naming.ldap.version=3,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory},
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig at 554515992::operationExceptionResultCodes=[PROTOCOL_ERROR,
SERVER_DOWN], properties={},
connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy at 5a74ae5a,
controlProcessor=org.ldaptive.provider.ControlProcessor at 7c2f21d9,
environment=null, tracePackets=null, removeDnUrls=true,
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]],
providerConnection=org.ldaptive.provider.jndi.JndiConnection at 681d415b],
result=true, resultCode=SUCCESS, message=null, controls=null] for dn=CN=De
Silva\, Ranil (Industrie IT),CN=Users,CN=WIN-GVB9BF0AETR,DC=local with
request=[org.ldaptive.auth.AuthenticationRequest at 1271068359::user=
ranil.desilva at industrieit.com, retAttrs=[mobile, userPrincipalName]]
2015-05-01 21:47:37,919 - INFO
[net.shibboleth.idp.twofactor.impl.ValidateUsernamePasswordAgainstLDAP:183]
- Profile Action ValidateUsernamePasswordAgainstLDAP: Login by '
ranil.desilva at industrieit.com' succeeded
2015-05-01 21:47:37,920 - DEBUG
[net.shibboleth.idp.authn.AbstractValidationAction:274] - Profile Action
ValidateUsernamePasswordAgainstLDAP: Adding custom Principal(s) defined on
underlying flow descriptor
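Added triage helper for the log excerpt above (example code, not part of the original message and not from ldaptive or Shibboleth): it pulls the noSuchObject (result code 32) details out of the ldaptive output, splits the escaped DN into RDNs to show which part of the tree the searching identity could not see, and flags an entry resolver dumped with `factory=null`. The collapsed sample log is constructed from the posted lines, and the reading that a `SearchEntryResolver` without its own connection factory searches over the user's freshly bound connection is this example's assumption.

```python
import re

# Constructed excerpt modelled on the ldaptive debug output quoted above, one record per line.
SAMPLE_LOG = r"""
DEBUG [org.ldaptive.auth.Authenticator:381] - entry resolution failed for resolver=[org.ldaptive.auth.SearchEntryResolver at 2011441867::factory=null, baseDn=, userFilter=null, subtreeSearch=false]
org.ldaptive.LdapException: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031522DA, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=WIN-GVB9BF0AETR,DC=local' ]; remaining name 'CN=De Silva\, Ranil (Industrie IT),CN=Users,CN=WIN-GVB9BF0AETR,DC=local'
INFO [org.ldaptive.auth.Authenticator:259] - Authentication succeeded for dn: CN=De Silva\, Ranil (Industrie IT),CN=Users,CN=WIN-GVB9BF0AETR,DC=local
"""

# JNDI's rendering of result code 32 (noSuchObject): 'best match' is the server's
# matchedDN (longest prefix visible to the searcher), 'remaining name' the DN asked for.
ERR32 = re.compile(r"error code 32 .*?best match of:\s*'([^']*)'\s*\]; remaining name '([^']*)'", re.S)
# Assumption: a SearchEntryResolver with factory=null searches over the connection the
# user just bound with, i.e. with that user's read rights rather than the reader's.
NO_FACTORY = re.compile(r"SearchEntryResolver[^\]]*\bfactory=null")

def split_dn(dn: str) -> list:
    """Split an RFC 4514 DN into RDNs; a backslash-escaped comma stays inside its RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pair, e.g. 'De Silva\, Ranil'
            cur.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur, i = [], i + 1
        else:
            cur.append(dn[i])
            i += 1
    return rdns + ["".join(cur).strip()]

def unresolved_rdns(requested: str, matched: str) -> list:
    """RDNs of `requested` below the matchedDN: the subtree the searcher could not see."""
    req, match = split_dn(requested), split_dn(matched)
    if [r.lower() for r in req[len(req) - len(match):]] != [m.lower() for m in match]:
        raise ValueError("matchedDN is not a suffix of the requested DN")
    return req[:len(req) - len(match)]

def diagnose(log: str) -> dict:
    """Summarise the log: bind outcome, noSuchObject details, resolver connection."""
    m = ERR32.search(log)
    if not m:
        return {"error32": False}
    matched, remaining = m.group(1), m.group(2)
    return {"error32": True, "matched_dn": matched,
            "unresolved": unresolved_rdns(remaining, matched),
            "resolver_uses_bind_connection": NO_FACTORY.search(log) is not None,
            "bind_succeeded": "Authentication succeeded" in log}
```

Run on the sample, `diagnose` reports a successful bind together with resolution stopping at the partition root and a resolver with no connection factory, which separates "the entry is unreadable to the identity that searched" from "the DN is wrong".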