Providing a custom UnknownUsername message with a ldap directAuthenticator

Max Spicer max.spicer at york.ac.uk
Mon Jun 19 13:02:48 UTC 2023


I'm experimenting with the ldap directAuthenticator in order to remove a
redundant search from our current config that uses the
bindSearchAuthenticator.

This seems to work well, but I've found that I am now getting the generic
idp.message ("unidentified error") error when entering an invalid username
at login, instead of the bad-username.message value.

My ldap logs show the following when I try to log in with a non-existent
user:

INFO [net.shibboleth.idp.authn.impl.LDAPCredentialValidator:202]
[B317AAA859732FEA20EE2117476E074A 192.168.1.1] - Credential Validator ldap:
Login by 'foobarfoo' failed
org.ldaptive.LdapException: LDAPException(resultCode=32 (no such object),
errorMessage='no such object', matchedDN='ou=people,dc=example,dc=org',
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb)

I've fixed this by adding "LDAPException(resultCode=32 (no such object)"
as a value for <entry key="UnknownUsername"> in
the shibboleth.authn.Password.ClassifiedMessageMap map
in templates/shibboleth/conf/authn/password-authn-config.xml.

This took a bit of experimentation as I'm not sure how these values are
actually matched against the errors. I originally tried just "no such
object" but this had no effect.

Are the values simple string prefix matches or something else? Is there a
better (more resilient?) way to set up this mapping?

Thanks,

Max Spicer
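For readers who want to see where the value described above goes, the following is an added illustration (not from the original post or the Shibboleth project's own files) of the `shibboleth.authn.Password.ClassifiedMessageMap` entry in `conf/authn/password-authn-config.xml` with the LDAP result-code string added; the surrounding default values are as recalled from an IdP 4 distribution and should be checked against the local file.

```xml
<!-- Added example: classified-message map from conf/authn/password-authn-config.xml.
     Each map key is an authentication event (UnknownUsername, InvalidPassword, ...);
     each <value> is a string the IdP compares against the validator's error message
     to decide which event, and therefore which login view message, to raise. -->
<util:map id="shibboleth.authn.Password.ClassifiedMessageMap">
    <entry key="UnknownUsername">
        <list>
            <!-- Default values (assumed, from the IdP 4 distribution). -->
            <value>NoCredentials</value>
            <value>CLIENT_NOT_FOUND</value>
            <value>Client not found in Kerberos database</value>
            <value>DN_RESOLUTION_FAILURE</value>
            <!-- Value added for the directAuthenticator case in the post:
                 the LDAP bind fails with result code 32 because the DN
                 built from the entered username does not exist. -->
            <value>LDAPException(resultCode=32 (no such object)</value>
        </list>
    </entry>
    <entry key="InvalidPassword">
        <list>
            <!-- Default values (assumed, from the IdP 4 distribution). -->
            <value>InvalidCredentials</value>
            <value>PREAUTH_FAILED</value>
            <value>INVALID_CREDENTIALS</value>
            <value>Checksum failed</value>
        </list>
    </entry>
</util:map>
```

Because the classified events drive distinct login-page messages, mapping an unknown-DN failure to UnknownUsername tells the client which usernames exist; the default map already makes that distinction, so it is worth deciding deliberately whether your deployment wants it.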