timeouts in jaas.config
IAM David Bantz
dabantz at alaska.edu
Thu Oct 22 17:56:52 UTC 2020
ShibUserPassAuth {
    // userFilter enables user input to match either UA Username or UA ID#
    // UA AD Auth
    org.ldaptive.jaas.LdapLoginModule sufficient
        ldapUrl="ldap://fbk....edu:3268 ldap://fbk....edu:3268"
        baseDn="dc=ua,dc=ad,dc=alaska,dc=edu"
        bindDn="cn=u...,dc=edu"
        bindCredential="•••••••••"
        subtreeSearch="true"
        credentialConfig="{trustCertificates=file:/opt/shibboleth-idp/credentials/UA_AD_CA.pem}"
        useSSL="false"
        useStartTLS="true"
        userFilter="(|(&(employeeNumber=*)(uaIdentifier={user}))(sAMAccountName={user}))"
        connectTimeout="3000"
        resultTimeout="3000"
        ;
    // UA Authenticator proxy to AD allows some expired accounts to authenticate
    org.ldaptive.jaas.LdapLoginModule sufficient
        ldapUrl="ldaps://cas-auth.alaska.edu:6361"
        baseDn="dc=ua,dc=ad,dc=alaska,dc=edu"
        bindDn="cn=...,dc=edu"
        bindCredential="••••••••••"
        subtreeSearch="true"
        credentialConfig="{trustCertificates=file:/opt/shibboleth-idp/credentials/UAADrootCAs-P-Q-D-T-InC.pem}"
        useSSL="true"
        useStartTLS="false"
        userFilter="(|(&(employeeNumber=*)(uaIdentifier={user}))(sAMAccountName={user}))"
        connectTimeout="3000"
        resultTimeout="3000"
        ;
};
If the module returns failed authentication because of an expired account
or other conditions, the second module is exercised.
This happens many times per day.
Connection issues are uncommon, so the timeout error is new this week,
triggered by DoS on the LDAP (AD) server.
David
On Thu, Oct 22, 2020 at 9:48 AM Cantor, Scott <cantor.2 at osu.edu> wrote:
> In those cases, if you have two separate login modules in *separate* JAAS
> configuration sections, and the IdP is configured to run both using the
> non-default settings to tell it which ones to use, it will run both in a
> "try until one succeeds" fashion in V3. I ran that way for many years, so
> I'm very familiar with the behavior. If it's not trying the second one, you
> don't in fact have it set up that way.
>
> -- Scott
>
> On 10/22/20, 1:41 PM, "users on behalf of IAM David Bantz" <
> users-bounces at shibboleth.net on behalf of dabantz at alaska.edu> wrote:
>
> 13:22:11:543 INFO [137.229.114.251]
> net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstJAAS:255 >
> Profile Action ValidateUsernamePasswordAgainstJAAS: Login by 'dberry9' via
> 'ShibUserPassAuth' failedjavax.security.auth.login.LoginException:
> Authentication failed: [org.ldaptive.auth.AuthenticationResponse at 1572247851::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
> ldapEntry=[dn=CN=dberry9,OU=userAccounts,DC=ua,DC=ad,DC=alaska,DC=edu[]],
> accountState=null, result=false, resultCode=LDAP_TIMEOUT,
> message=javax.naming.NamingException: LDAP response read timed out, timeout
> used:3000ms., controls=null] at
> org.ldaptive.jaas.LdapLoginModule.login(LdapLoginModule.java:160)
>
> 17:46:24:316 INFO [204.90.98.254]
> net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstJAAS:255 >
> Profile Action ValidateUsernamePasswordAgainstJAAS: Login by 'mcampbell10'
> via 'ShibUserPassAuth' failedjavax.security.auth.login.LoginException:
> Authentication failed: [org.ldaptive.auth.AuthenticationResponse at 1668002417::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
> ldapEntry=[dn=CN=mcampbell10,OU=userAccounts,DC=ua,DC=ad,DC=alaska,DC=edu[]],
> accountState=null, result=false, resultCode=LDAP_TIMEOUT,
> message=javax.naming.NamingException: LDAP response read timed out, timeout
> used:3000ms., controls=null] at
> org.ldaptive.jaas.LdapLoginModule.login(LdapLoginModule.java:160)
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
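As an added example, not part of this thread or of the IdP or ldaptive code: a small Python triage script for IdP log lines in the shape quoted above. It separates LDAP_TIMEOUT failures from ordinary credential failures and flags a burst of timeouts as a directory-availability problem (the DoS case described) rather than a password-guessing one. It assumes the log layout shown above; the sample lines, usernames and client addresses are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# IdP log layout as shown in the thread: "HH:MM:SS:mmm INFO [client-ip] logger:line > message".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3}) INFO \[(?P<ip>[^\]]+)\] "
    r"net\.shibboleth\.idp\.authn\.impl\.ValidateUsernamePasswordAgainstJAAS:\d+ > "
    r"Profile Action ValidateUsernamePasswordAgainstJAAS: Login by '(?P<user>[^']+)' via '(?P<flow>[^']+)' failed")
RESULT_RE = re.compile(r"resultCode=(?P<code>[A-Z_]+)")   # ldaptive result code inside the message
TIMEOUT_RE = re.compile(r"timeout used:(?P<ms>\d+)ms")     # from the NamingException text

def parse_line(line):
    """Return dict(ts, ip, user, flow, result_code, timeout_ms), or None if not a JAAS failure line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S:%f")
    rc, to = RESULT_RE.search(line), TIMEOUT_RE.search(line)
    rec["result_code"] = rc.group("code") if rc else None
    rec["timeout_ms"] = int(to.group("ms")) if to else None
    return rec

def triage(lines, window=timedelta(seconds=60), threshold=3):
    """Separate directory timeouts from credential failures. A burst of LDAP_TIMEOUT inside
    `window` is an availability signal (overloaded DC), not a password-guessing one."""
    recs = [r for r in map(parse_line, lines) if r]
    stamps = sorted(r["ts"] for r in recs if r["result_code"] == "LDAP_TIMEOUT")
    burst = any(sum(1 for t in stamps[i:] if t - s <= window) >= threshold
                for i, s in enumerate(stamps))
    return {"by_code": dict(Counter(r["result_code"] for r in recs)),
            "timeout_burst": burst,
            "timeout_ms": sorted({r["timeout_ms"] for r in recs if r["timeout_ms"]})}

def _sample(ts, ip, user, code, msg):
    """Constructed log line in the thread's shape; usernames and IPs are placeholders."""
    return (f"{ts} INFO [{ip}] net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstJAAS:255 > "
            f"Profile Action ValidateUsernamePasswordAgainstJAAS: Login by '{user}' via 'ShibUserPassAuth' "
            f"failedjavax.security.auth.login.LoginException: Authentication failed: "
            f"[org.ldaptive.auth.AuthenticationResponse@1::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, "
            f"accountState=null, result=false, resultCode={code}, message={msg}, controls=null]")

TIMED_OUT = "javax.naming.NamingException: LDAP response read timed out, timeout used:3000ms."
SAMPLE_LOG = [  # constructed: three timeouts inside one minute plus one ordinary bad password
    _sample("13:22:11:543", "192.0.2.10", "user1", "LDAP_TIMEOUT", TIMED_OUT),
    _sample("13:22:30:001", "192.0.2.11", "user2", "INVALID_CREDENTIALS", "Invalid credentials"),
    _sample("13:22:45:120", "192.0.2.12", "user3", "LDAP_TIMEOUT", TIMED_OUT),
    _sample("13:23:02:777", "192.0.2.13", "user4", "LDAP_TIMEOUT", TIMED_OUT),
]
```

Running `triage(SAMPLE_LOG)` reports three LDAP_TIMEOUT failures against one INVALID_CREDENTIALS and sets `timeout_burst`, which is the signal to check the directory servers and the 3000 ms `connectTimeout`/`resultTimeout` rather than the accounts.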