Failure to return user's DN - Search result always empty

Guillaume Gilbert Gilbert.Guillaume at lacsq.org
Mon May 11 14:42:32 EDT 2015


System:
 
IDP 3.1.1 + ApacheDS 2.0.0
 
Problem:
 
Upon authentication, the user johndoe cannot log in due to the LDAP
provider (ApacheDS) returning an empty DN to IDP's request.
 
What you should know:
 
Using Apache Directory Studio (or ldapsearch) and the same search
parameters (base DN, filter, etc.), the LDAP provider returns a record
(uid=johndoe,ou=users,ou=system).
From the ApacheDS log, the requests from ldapsearch, Apache Directory
Studio and the IDP are exactly the same.
I know this is not an ApacheDS mailing list. If you think that this is
most certainly an ApacheDS problem, just let me know.
 
My questions:
 
1. What could be the reason for ApacheDS to return different results to
what appears to be the same request?
2. Is there any log I can enable to know more about the failed search
in the IDP?
3. Do you see something in the request that could be the cause of the
empty search result?
 
Regards,
 
Guillaume Gilbert
 
****
IDP log showing that the resolved dn=null for user=johndoe.
 
 
2015-05-11 14:11:18,162 - DEBUG
[net.shibboleth.idp.authn.AbstractExtractionAction:137] - Profile Action
ExtractUsernamePasswordFromFormRequest: Trimming whitespace of input
string 'johndoe'
2015-05-11 14:11:18,505 - DEBUG
[net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:175]
- Profile Action ValidateUsernamePasswordAgainstLDAP: Attempting to
authenticate user johndoe
2015-05-11 14:11:18,505 - DEBUG
[org.ldaptive.auth.PooledSearchDnResolver:244] - resolve user=johndoe
2015-05-11 14:11:18,505 - DEBUG
[org.ldaptive.auth.PooledSearchDnResolver:310] - searching for DN using
userFilter
2015-05-11 14:11:18,521 - DEBUG [org.ldaptive.SearchOperation:138] -
execute
request=[org.ldaptive.SearchRequest at 120094930::baseDn=ou=users,ou=system,
searchFilter=[org.ldaptive.SearchFilter at -502823576::filter=(uid={user}),
parameters={user=johndoe}], returnAttributes=[1.1],
searchScope=ONELEVEL, timeLimit=0, sizeLimit=0, derefAliases=null,
typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED,
searchEntryHandlers=null, searchReferenceHandlers=null, controls=null,
followReferrals=false, intermediateResponseHandlers=null] with
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 186870607::config=[org.ldaptive.ConnectionConfig at 766727255::ldapUrl=ldap://I061061:10389,
connectTimeout=3000, responseTimeout=-1,
sslConfig=[org.ldaptive.ssl.SslConfig at 1770781508::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig at 3d356e9c,
trustManagers=null, enabledCipherSuites=null, enabledProtocols=null,
handshakeCompletedListeners=null], useSSL=false, useStartTLS=true,
connectionInitializer=null],
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiStartTLSConnectionFactory at 1184190621::metadata=[ldapUrl=ldap://I061061:10389,
count=1], environment={com.sun.jndi.ldap.connect.timeout=3000,
java.naming.ldap.version=3,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory},
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig at 1299702300::operationExceptionResultCodes=[PROTOCOL_ERROR,
SERVER_DOWN], properties={},
connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy at 26fef221,
controlProcessor=org.ldaptive.provider.ControlProcessor at 57009b1,
environment=null, tracePackets=null, removeDnUrls=true,
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null],
sslSocketFactory=[org.ldaptive.ssl.TLSSocketFactory at 1770893370::factory=sun.security.ssl.SSLSocketFactoryImpl at 1b98d815,
sslConfig=[org.ldaptive.ssl.SslConfig at 1770781508::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig at 3d356e9c,
trustManagers=null, enabledCipherSuites=null, enabledProtocols=null,
handshakeCompletedListeners=null]], hostnameVerifier=null],
providerConnection=org.ldaptive.provider.jndi.JndiStartTLSConnection at 4aa64ebd]
2015-05-11 14:11:18,521 - DEBUG [org.ldaptive.SearchOperation:168] -
execute
response=[org.ldaptive.Response at 1447081603::result=[org.ldaptive.SearchResult at 4303153::entries=[],
references=[]], resultCode=SUCCESS, message=null, matchedDn=null,
responseControls=null, referralURLs=null, messageId=-1] for
request=[org.ldaptive.SearchRequest at 120094930::baseDn=ou=users,ou=system,
searchFilter=[org.ldaptive.SearchFilter at -502823576::filter=(uid={user}),
parameters={user=johndoe}], returnAttributes=[1.1],
searchScope=ONELEVEL, timeLimit=0, sizeLimit=0, derefAliases=null,
typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED,
searchEntryHandlers=null, searchReferenceHandlers=null, controls=null,
followReferrals=false, intermediateResponseHandlers=null] with
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 186870607::config=[org.ldaptive.ConnectionConfig at 766727255::ldapUrl=ldap://I061061:10389,
connectTimeout=3000, responseTimeout=-1,
sslConfig=[org.ldaptive.ssl.SslConfig at 1770781508::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig at 3d356e9c,
trustManagers=null, enabledCipherSuites=null, enabledProtocols=null,
handshakeCompletedListeners=null], useSSL=false, useStartTLS=true,
connectionInitializer=null],
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiStartTLSConnectionFactory at 1184190621::metadata=[ldapUrl=ldap://I061061:10389,
count=1], environment={com.sun.jndi.ldap.connect.timeout=3000,
java.naming.ldap.version=3,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory},
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig at 1299702300::operationExceptionResultCodes=[PROTOCOL_ERROR,
SERVER_DOWN], properties={},
connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy at 26fef221,
controlProcessor=org.ldaptive.provider.ControlProcessor at 57009b1,
environment=null, tracePackets=null, removeDnUrls=true,
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null],
sslSocketFactory=[org.ldaptive.ssl.TLSSocketFactory at 1770893370::factory=sun.security.ssl.SSLSocketFactoryImpl at 1b98d815,
sslConfig=[org.ldaptive.ssl.SslConfig at 1770781508::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig at 3d356e9c,
trustManagers=null, enabledCipherSuites=null, enabledProtocols=null,
handshakeCompletedListeners=null]], hostnameVerifier=null],
providerConnection=org.ldaptive.provider.jndi.JndiStartTLSConnection at 4aa64ebd]
2015-05-11 14:11:18,521 - INFO
[org.ldaptive.auth.PooledSearchDnResolver:268] - search for user=johndoe
failed using
filter=[org.ldaptive.SearchFilter at -502823576::filter=(uid={user}),
parameters={user=johndoe}]
2015-05-11 14:11:18,521 - DEBUG
[org.ldaptive.auth.PooledSearchDnResolver:279] - resolved dn=null for
user=johndoe
2015-05-11 14:11:18,521 - DEBUG [org.ldaptive.auth.Authenticator:236] -
authenticate dn=null with
request=[org.ldaptive.auth.AuthenticationRequest at 702203685::user=johndoe,
retAttrs=[1.1, objectclass]]
2015-05-11 14:11:18,521 - INFO
[net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:194]
- Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'johndoe'
failed
2015-05-11 14:11:18,552 - DEBUG
[net.shibboleth.idp.ui.context.RelyingPartyUIContext:360] - found
matching schema, returning name of 'preprod.adfs.accescsq.ca'
2015-05-11 14:11:18,552 - DEBUG
[net.shibboleth.idp.ui.context.RelyingPartyUIContext:809] - No UIInfo or
logos returning null
2015-05-11 14:11:18,552 - DEBUG
[net.shibboleth.idp.ui.context.RelyingPartyUIContext:529] - No
description matching the languages found, returning null
 
 
****
ApacheDS log when the request comes from Apache Directory Studio (or
ldapsearch):
 
[14:23:34] DEBUG [org.apache.directory.api.CODEC_LOG] - Decoded
LdapMessage : MessageType : SEARCH_REQUEST
Message ID : 14
    SearchRequest
	    baseDn : 'ou=users,ou=system'
	    filter : '(uid=johndoe)'
	    scope : single level
	    typesOnly : false
	    Size Limit : no limit
	    Time Limit : no limit
	    Deref Aliases : never Deref Aliases
	    attributes : '1.1', 'objectClass'
org.apache.directory.api.ldap.model.message.SearchRequestImpl at 2fa1713a
[14:23:34] DEBUG [org.apache.directory.api.CODEC_LOG] - Encoded message

 MessageType : SEARCH_RESULT_ENTRY
Message ID : 14
    Search Result Entry
Entry
    dn[n]: uid=johndoe,ou=users,ou=system
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: extensibleObject
[14:23:34] DEBUG [org.apache.directory.api.CODEC_LOG] - Encoded message

 MessageType : SEARCH_RESULT_DONE
Message ID : 14
    Search Result Done
	    Ldap Result
		    Result code : (SUCCESS) success
		    Matched Dn : 'null'
		    Diagnostic message : 'null'
 
***
ApacheDS log when the request comes from Apache Directory Studio:
 
[14:27:27] DEBUG [org.apache.directory.api.CODEC_LOG] - Decoded
LdapMessage : MessageType : SEARCH_REQUEST
Message ID : 6
    SearchRequest
	    baseDn : 'ou=users,ou=system'
	    filter : '(uid=johndoe)'
	    scope : single level
	    typesOnly : false
	    Size Limit : no limit
	    Time Limit : no limit
	    Deref Aliases : never Deref Aliases
	    attributes : '1.1'
org.apache.directory.api.ldap.model.message.SearchRequestImpl at e1e168f8
[14:27:27] DEBUG [org.apache.directory.api.CODEC_LOG] - Encoded message

 MessageType : SEARCH_RESULT_DONE
Message ID : 6
    Search Result Done
	    Ldap Result
		    Result code : (SUCCESS) success
		    Matched Dn : 'null'
		    Diagnostic message : 'null'
 
***
ldap.configuration
 
# LDAP authentication configuration, see authn/ldap-authn-config.xml
 
## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
#idp.authn.LDAP.authenticator = anonSearchAuthenticator
 
## Connection properties ##
idp.authn.LDAP.ldapURL = ldap://I061061:10389
#idp.authn.LDAP.useStartTLS = true
#idp.authn.LDAP.useSSL = false
#idp.authn.LDAP.connectTimeout = 3000
 
## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
#idp.authn.LDAP.sslConfig = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
 
## Return attributes during authentication
## NOTE: this is not used during attribute resolution; configure that directly in the
## attribute-resolver.xml configuration via a DataConnector's <dc:ReturnAttributes> element
idp.authn.LDAP.returnAttributes = cn,sn,mail
 
## DN resolution properties ##
 
# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
idp.authn.LDAP.baseDN = ou=users,ou=system
#idp.authn.LDAP.subtreeSearch = false
idp.authn.LDAP.userFilter = (uid={user})
# bind search configuration
idp.authn.LDAP.bindDN = uid=admin,ou=system
idp.authn.LDAP.bindDNCredential = ********
 
# Format DN resolution, used by directAuthenticator, adAuthenticator
idp.authn.LDAP.dnFormat = uid=%s
 
# LDAP attribute configuration, see attribute-resolver.xml
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN}
idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN}
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates}
idp.attribute.resolver.LDAP.searchFilter = (uid=$requestContext.principalName)
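A way to repeat the IdP's search outside the IdP so that the two sides can be compared on equal terms, added here as an example that is neither part of the original post nor Shibboleth or ldaptive code: it parses the ldaptive SearchRequest fields from the debug log above (rejoined onto one constructed line) and emits the matching ldapsearch invocation, substituting the filter parameter with RFC 4515 escaping. The LDAP URL and bind DN are the ones from the ldap configuration shown; the password is prompted for, never embedded.

```python
import re
import shlex

# Constructed sample: the ldaptive SearchRequest fields from the IdP debug log above,
# rejoined onto one line (pipermail renders "@" as " at ").
IDP_LOG_LINE = (
    "execute request=[org.ldaptive.SearchRequest at 120094930::baseDn=ou=users,ou=system, "
    "searchFilter=[org.ldaptive.SearchFilter at -502823576::filter=(uid={user}), "
    "parameters={user=johndoe}], returnAttributes=[1.1], searchScope=ONELEVEL, "
    "timeLimit=0, sizeLimit=0, derefAliases=null, typesOnly=false]"
)

# ldaptive SearchScope names -> values accepted by ldapsearch -s
SCOPE_TO_LDAPSEARCH = {"OBJECT": "base", "ONELEVEL": "one", "SUBTREE": "sub"}

def parse_search_request(line):
    """Extract baseDn, filter template, parameters, attributes and scope from the log line."""
    def grab(pattern):
        m = re.search(pattern, line)
        return m.group(1) if m else None
    params = {}
    for item in (grab(r"parameters=\{(.*?)\}") or "").split(", "):
        if "=" in item:
            key, value = item.split("=", 1)
            params[key] = value
    return {
        "baseDn": grab(r"baseDn=(.*?), searchFilter="),
        "filter": grab(r"filter=(\(.*?\)), parameters="),
        "parameters": params,
        "returnAttributes": (grab(r"returnAttributes=\[(.*?)\]") or "").split(", "),
        "scope": grab(r"searchScope=(\w+)"),
    }

def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter assertion."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def resolved_filter(req):
    """Fill the {user}-style placeholders with their escaped parameter values."""
    return re.sub(r"\{(\w+)\}",
                  lambda m: ldap_filter_escape(req["parameters"][m.group(1)]),
                  req["filter"])

def ldapsearch_command(req, ldap_url, bind_dn, starttls=True):
    """Build the ldapsearch call that repeats the IdP's search with identical parameters."""
    argv = ["ldapsearch", "-H", ldap_url]
    if starttls:
        argv.append("-ZZ")  # require StartTLS, matching useStartTLS=true in the log
    argv += ["-x", "-D", bind_dn, "-W",
             "-b", req["baseDn"], "-s", SCOPE_TO_LDAPSEARCH[req["scope"]],
             resolved_filter(req)] + req["returnAttributes"]
    return " ".join(shlex.quote(a) for a in argv)
```

Running the printed command against the same server and diffing its output with the ApacheDS CODEC_LOG decode of the IdP's request isolates whether the difference lies in the request itself or in the identity the IdP binds with.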
 