Providing a custom UnknownUsername message with a ldap directAuthenticator
max.spicer at york.ac.uk
Mon Jun 19 13:02:48 UTC 2023
I'm experimenting with the ldap directAuthenticator in order to remove a
redundant search from our current config that uses the
This seems to work well, but I've found that I am now getting the generic
idp.message ("unidentified error") error when entering an invalid username
at login, instead of the bad-username.message value.
My ldap logs show the following when I try to log in with a non-existent
[B317AAA859732FEA20EE2117476E074A 192.168.1.1] - Credential Validator ldap:
Login by 'foobarfoo' failed
org.ldaptive.LdapException: LDAPException(resultCode=32 (no such object),
errorMessage='no such object', matchedDN='ou=people,dc=example,dc=org',
I've fixed this by adding "LDAPException(resultCode=32 (no such object)"
as a value for <entry key="UnknownUsername"> in
the shibboleth.authn.Password.ClassifiedMessageMap map.
This took a bit of experimentation as I'm not sure how these values are
actually matched against the errors. I originally tried just "no such
object" but this had no effect.
Are the values simple string prefix matches or something else? Is there a
better (more resilient?) way to set up this mapping?
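For reference, the shape of the map entry described above, written out as an added illustration rather than the poster's actual file; the util:map form and the conf/authn/password-authn-config.xml location are assumptions based on the stock IdP layout, and only the value the poster reports as working is shown.

```xml
<!-- Assumed location: conf/authn/password-authn-config.xml (stock IdP layout) -->
<util:map id="shibboleth.authn.Password.ClassifiedMessageMap">
    <entry key="UnknownUsername">
        <list>
            <!-- existing stock values for this key stay in place -->
            <!-- added: the ldaptive result-code text seen in the log above -->
            <value>LDAPException(resultCode=32 (no such object)</value>
        </list>
    </entry>
    <!-- other keys in the map are left unchanged -->
</util:map>
```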