AD LDAP Pool
Mark Boyce
Mark.Boyce at ucop.edu
Mon May 16 19:21:14 EDT 2016
When pooling AD Domain Controllers and adding "connectionHandler="edu.vt.middleware.ldap.handler.DefaultConnectionHandler{{connectionStrategy=ACTIVE_PASSIVE}}"" (as prescribed at https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass) I am seeing the following:
1) User enters bad password
2) Shibboleth (yes, it is the underlying edu.vt.middleware.ldap.jaas.LdapLoginModule) attempts to authenticate the user at each DC in the pool; having failed to bind as the user, it would appear that edu.vt.middleware.ldap.jaas.LdapLoginModule is interpreting this as a failure of the server and promptly moving on to the next server in the pool
3) The user account lockout threshold is reached and the user is locked out
My question is:
1) Is it possible to have edu.vt.middleware.ldap.jaas.LdapLoginModule understand a bad password as opposed to a server failure and act upon same?
Or
2) Will a connection strategy of "default" result in an authentication service failure should one of the AD DCs in the pool become unavailable?
Thanks,
Mark
Mark L. Boyce
Senior Identity Management Analyst
University of California, Office of the President
415 20th Street
Oakland, CA 94612
Office: 510.987.9681
Cell: 209.851.0196
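An added illustration of the failure mode described in this post (not Shibboleth or vt-ldap code): a toy DC pool where a naive active/passive strategy retries a rejected bind on every DC, counting one bad-password attempt per DC against the account, versus a strategy that fails over only on connectivity errors. FakeDC, the exception classes and the pool contents are constructed for the example; badPwdCount is modelled as a simple sum across DCs.

```python
from dataclasses import dataclass


class InvalidCredentials(Exception):
    """Bind rejected by the server (LDAP result code 49, invalidCredentials)."""


class ServerUnavailable(Exception):
    """Connection refused or timed out: the DC itself is not reachable."""


@dataclass
class FakeDC:
    """Constructed stand-in for one AD domain controller in the pool."""
    name: str
    up: bool = True
    password: str = "correct-password"   # constructed sample credential
    bad_bind_count: int = 0              # models badPwdCount for the test user

    def bind(self, pw: str) -> bool:
        if not self.up:
            raise ServerUnavailable(self.name)
        if pw != self.password:
            self.bad_bind_count += 1     # AD records the failed attempt
            raise InvalidCredentials(self.name)
        return True


def bind_naive(pool, pw: str) -> bool:
    """Every bind failure is treated as a dead server, so a bad password is
    retried on each DC in turn (the behaviour the post describes)."""
    for dc in pool:
        try:
            return dc.bind(pw)
        except (InvalidCredentials, ServerUnavailable):
            continue
    return False


def bind_classified(pool, pw: str) -> bool:
    """Fail over only when the DC is unreachable; a rejected password is final."""
    for dc in pool:
        try:
            return dc.bind(pw)
        except ServerUnavailable:
            continue
        except InvalidCredentials:
            return False
    return False


def bad_attempts(pool) -> int:
    """Bad-password attempts the account accrues across the whole pool."""
    return sum(dc.bad_bind_count for dc in pool)
```

With three DCs and a lockout threshold of three, the naive strategy can lock the account on a single mistyped password.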