timeouts in jaas.config

IAM David Bantz dabantz at alaska.edu
Thu Oct 22 17:56:52 UTC 2020


ShibUserPassAuth {

  // userFilter enables user input to match either UA Username or UA ID#

  // UA AD Auth
  org.ldaptive.jaas.LdapLoginModule sufficient
    ldapUrl="ldap://fbk....edu:3268 ldap://fbk....edu:3268"
    baseDn="dc=ua,dc=ad,dc=alaska,dc=edu"
    bindDn="cn=u...,dc=edu"
    bindCredential="•••••••••"
    subtreeSearch="true"
    credentialConfig="{trustCertificates=file:/opt/shibboleth-idp/credentials/UA_AD_CA.pem}"
    useSSL="false"
    useStartTLS="true"
    userFilter="(|(&(employeeNumber=*)(uaIdentifier={user}))(sAMAccountName={user}))"
    connectTimeout="3000"
    resultTimeout="3000"
    ;

  // UA Authenticator proxy to AD allows some expired accounts to authenticate
  org.ldaptive.jaas.LdapLoginModule sufficient
    ldapUrl="ldaps://cas-auth.alaska.edu:6361"
    baseDn="dc=ua,dc=ad,dc=alaska,dc=edu"
    bindDn="cn=...,dc=edu"
    bindCredential="••••••••••"
    subtreeSearch="true"
    credentialConfig="{trustCertificates=file:/opt/shibboleth-idp/credentials/UAADrootCAs-P-Q-D-T-InC.pem}"
    useSSL="true"
    useStartTLS="false"
    userFilter="(|(&(employeeNumber=*)(uaIdentifier={user}))(sAMAccountName={user}))"
    connectTimeout="3000"
    resultTimeout="3000"
    ;

};


If the module returns failed authentication because of an expired account
or other conditions, the second module is exercised.
This happens many times per day.

Connection issues are uncommon so the timeout error is new this week,
triggered by DoS on the ldap (AD) server.

David

On Thu, Oct 22, 2020 at 9:48 AM Cantor, Scott <cantor.2 at osu.edu> wrote:

> In those cases, if you have two separate login modules in *separate* JAAS
> configuration sections, and the IdP is configured to run both using the
> non-default settings to tell it which ones to use, it will run both in a
> "try until one succeeds" fashion in V3. I ran that way for many years, so
> I'm very familiar with the behavior. If it's not trying the second one, you
> don't in fact have it set up that way.
>
> -- Scott
>
> On 10/22/20, 1:41 PM, "users on behalf of IAM David Bantz" <
> users-bounces at shibboleth.net on behalf of dabantz at alaska.edu> wrote:
>
>     13:22:11:543  INFO [137.229.114.251]
> net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstJAAS:255 >
> Profile Action ValidateUsernamePasswordAgainstJAAS: Login by 'dberry9' via
> 'ShibUserPassAuth' failedjavax.security.auth.login.LoginException:
> Authentication failed: [org.ldaptive.auth.AuthenticationResponse at 1572247851::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
> ldapEntry=[dn=CN=dberry9,OU=userAccounts,DC=ua,DC=ad,DC=alaska,DC=edu[]],
> accountState=null, result=false, resultCode=LDAP_TIMEOUT,
> message=javax.naming.NamingException: LDAP response read timed out, timeout
> used:3000ms., controls=null]        at
> org.ldaptive.jaas.LdapLoginModule.login(LdapLoginModule.java:160)
>
>     17:46:24:316  INFO [204.90.98.254]
> net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstJAAS:255 >
> Profile Action ValidateUsernamePasswordAgainstJAAS: Login by 'mcampbell10'
> via 'ShibUserPassAuth' failedjavax.security.auth.login.LoginException:
> Authentication failed: [org.ldaptive.auth.AuthenticationResponse at 1668002417::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
> ldapEntry=[dn=CN=mcampbell10,OU=userAccounts,DC=ua,DC=ad,DC=alaska,DC=edu[]],
> accountState=null, result=false, resultCode=LDAP_TIMEOUT,
> message=javax.naming.NamingException: LDAP response read timed out, timeout
> used:3000ms., controls=null]        at
> org.ldaptive.jaas.LdapLoginModule.login(LdapLoginModule.java:160)
>
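Whether the second LdapLoginModule in David's single ShibUserPassAuth section runs after the first one times out is decided by plain JAAS control-flag semantics: a module whose login() throws counts as a failure, and a failed "sufficient" module lets the stack continue, while a failed "requisite" module stops it. The following is an added example, not code from this thread, Shibboleth or ldaptive: two stand-in LoginModules (hypothetical names TimingOutModule and AcceptingModule, the first throwing the way LdapLoginModule does on LDAP_TIMEOUT) are stacked in one section and driven through the standard javax.security.auth LoginContext, once with the first flagged sufficient as in the config above and once requisite for comparison.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class SufficientStackDemo {
    // Records the order in which the stacked modules were actually invoked.
    static final List<String> trace = new ArrayList<>();

    // Stand-in (hypothetical) for the AD module: login() throws, as on LDAP_TIMEOUT.
    public static class TimingOutModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {}
        public boolean login() throws LoginException {
            trace.add("ad:timeout");
            throw new LoginException("LDAP response read timed out, timeout used:3000ms");
        }
        public boolean commit() { return false; } // never logged in, so nothing to commit
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    // Stand-in (hypothetical) for the proxy module: accepts the login.
    public static class AcceptingModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {}
        public boolean login()  { trace.add("proxy:ok"); return true; }
        public boolean commit() { return true; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    // Both modules in ONE JAAS section; only the first module's control flag varies.
    static Configuration stack(LoginModuleControlFlag firstFlag) {
        Map<String, ?> noOptions = Collections.emptyMap();
        AppConfigurationEntry[] entries = {
            new AppConfigurationEntry(TimingOutModule.class.getName(), firstFlag, noOptions),
            new AppConfigurationEntry(AcceptingModule.class.getName(), LoginModuleControlFlag.SUFFICIENT, noOptions)
        };
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "ShibUserPassAuth".equals(name) ? entries : null;
            }
        };
    }

    public static void main(String[] args) {
        for (LoginModuleControlFlag flag : List.of(LoginModuleControlFlag.SUFFICIENT, LoginModuleControlFlag.REQUISITE)) {
            trace.clear();
            try {
                new LoginContext("ShibUserPassAuth", new Subject(), callbacks -> {}, stack(flag)).login();
                System.out.println(flag + " -> login succeeded; modules run: " + trace);
            } catch (LoginException e) {
                System.out.println(flag + " -> login failed (" + e.getMessage() + "); modules run: " + trace);
            }
        }
    }
}
```

With the first module sufficient, the trace shows the second module being reached after the timeout and the login succeeding; with it requisite, the stack stops at the timeout and the login fails, which is the behaviour to watch for when a timeout, rather than a clean bind failure, is what the first module reports.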