Providing a custom UnknownUsername message with a ldap directAuthenticator

Max Spicer max.spicer at
Mon Jun 19 13:02:48 UTC 2023

I'm experimenting with the ldap directAuthenticator in order to remove a
redundant search from our current config that uses the

This seems to work well, but I've found that I am now getting the generic
idp.message ("unidentified error") error when entering an invalid username
at login, instead of the bad-username.message value.

My ldap logs show the following when I try to log in with a non-existent

INFO [net.shibboleth.idp.authn.impl.LDAPCredentialValidator:202]
[B317AAA859732FEA20EE2117476E074A] - Credential Validator ldap:
Login by 'foobarfoo' failed
org.ldaptive.LdapException: LDAPException(resultCode=32 (no such object),
errorMessage='no such object', matchedDN='ou=people,dc=example,dc=org',
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb)

I've fixed this by adding "LDAPException(resultCode=32 (no such object)"
as a value for <entry key="UnknownUsername"> in
the shibboleth.authn.Password.ClassifiedMessageMap map
in templates/shibboleth/conf/authn/password-authn-config.xml.

This took a bit of experimentation as I'm not sure how these values are
actually matched against the errors. I originally tried just "no such
object" but this had no effect.

Are the values simple string prefix matches or something else? Is there a
better (more resilient?) way to set up this mapping?


Max Spicer
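For reference, the shape of the map entry the post describes, as an added example rather than the poster's own configuration. Only the map id, the UnknownUsername key and the resultCode=32 value come from the post; the util:map wrapper and the stock default values are assumed from an unmodified IdP password-authn-config.xml.

```xml
<!-- Added example, not from the original post or a shipped IdP config.
     Lives in conf/authn/password-authn-config.xml; the surrounding bean
     wrapper and the stock values below are assumptions. -->
<util:map id="shibboleth.authn.Password.ClassifiedMessageMap">
    <entry key="UnknownUsername">
        <list>
            <!-- stock defaults (assumed) -->
            <value>NoCredentials</value>
            <value>CLIENT_NOT_FOUND</value>
            <value>Client not found</value>
            <value>DN_RESOLUTION_FAILURE</value>
            <!-- value the post reports as working with the directAuthenticator:
                 the text the IdP sees in the ldaptive exception message when
                 the bind DN built from the username does not exist -->
            <value>LDAPException(resultCode=32 (no such object)</value>
        </list>
    </entry>
</util:map>
```

Note that separating UnknownUsername from InvalidPassword in the login view lets anyone with access to the login page confirm which usernames exist; if that matters in your deployment, map both cases to the same generic message.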