Unable to retrieve Universal Password from eDirectory using PasswordFetchClass

  • 7007114
  • 28-Oct-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1.2.328
PasswordFetchClass

Situation

Purpose

Configure the PasswordFetchClass to retrieve users' Universal Passwords from an eDirectory User Store.

Symptoms

Method configured to use PasswordFetchClass fails to retrieve the password.

If the option "Ignore password retrieval failure" is not enabled in the class configuration, the protected resource cannot be reached and the message:

"Error: Error while retrieving the password"

is shown to the end user.

If the Application log level is set to Verbose or Debug, in the catalina.out of the Identity Server the following error can be seen:

Warning: Invalid resource key: Password Fetch Class: Principal username is : . No prefix!
<amLogEntry> 2010-10-28T08:57:57Z DEBUG NIDS Application: Password Fetch Class: Principal username is :  </amLogEntry>

<amLogEntry> 2010-10-28T08:57:57Z WARNING NIDS Application: NIDPLOGGING.200104063 : com.novell.security.nmas.mgmt.NMASPwdException</amLogEntry>

<amLogEntry> 2010-10-28T08:57:57Z VERBOSE NIDS Application: Authentication method PWFetchTestMethod failed. </amLogEntry>

where "PWFetchTestMethod" is the name you chose for the defined method.

Resolution

In order for PasswordFetchClass to retrieve the password, the Universal Password policy defined in the user store and assigned to the authenticating user MUST allow password retrieval by the user account that the Identity Server is configured to use for its connection to the User Store.

If you configured the Identity Server to use Admin to connect to the User Store, enable the option "Allow Admin to retrieve passwords" in that policy, as shown below:

If you created a specific user for the Identity Server connection to the User Store, select "Allow the following to retrieve passwords" and specify that user.

Additional Information

Other common issues that may occur while retrieving passwords using PasswordFetchClass are the following:

  1. Identity Server is configured to connect to the User Store replicas over clear-text LDAP on port 389;
  2. PasswordFetchClass is configured to retrieve the Simple Password, but the Simple Password for the user is not set.

Currently, password retrieval via PasswordFetchClass supports only an LDAP over SSL connection on port 636 between the Identity Server and the User Store replicas. If the connection is set to clear text, users will get the error:

"LDAP connection failure"

while accessing the protected resource, and the following error appears in the catalina.out of the Identity Server:

javax.naming.CommunicationException: simple bind failed: xxx.xxx.xxx.xxx:389 [Root exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?]

When the Simple Password retrieval is configured but the Simple Password itself is not set for the user authenticating, the following error can be seen in the catalina.out of the Identity Server:

<amLogEntry> 2010-10-28T09:41:17Z WARNING NIDS Application: NIDPLOGGING.200104064 </amLogEntry>
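As an added triage helper, not part of this TID or of Access Manager itself, the following Python maps the catalina.out signatures quoted in this article to the three causes it describes (policy denies retrieval, clear-text LDAP on 389, Simple Password not set). The sample log and the 192.0.2.10 replica address are constructed.

```python
import re

# Constructed catalina.out excerpt, modelled on the entries this TID quotes
# (the replica address 192.0.2.10 is a placeholder, not from the article).
SAMPLE_LOG = """\
<amLogEntry> 2010-10-28T08:57:57Z DEBUG NIDS Application: Password Fetch Class: Principal username is :  </amLogEntry>
<amLogEntry> 2010-10-28T08:57:57Z WARNING NIDS Application: NIDPLOGGING.200104063 : com.novell.security.nmas.mgmt.NMASPwdException</amLogEntry>
<amLogEntry> 2010-10-28T08:57:57Z VERBOSE NIDS Application: Authentication method PWFetchTestMethod failed. </amLogEntry>
javax.naming.CommunicationException: simple bind failed: 192.0.2.10:389 [Root exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?]
<amLogEntry> 2010-10-28T09:41:17Z WARNING NIDS Application: NIDPLOGGING.200104064 </amLogEntry>
"""

# Log signature -> (cause label, remediation), exactly as this TID describes them.
SIGNATURES = [
    (re.compile(r"NIDPLOGGING\.200104063\b.*NMASPwdException"), "up-policy-denies-retrieval",
     "Universal Password policy must allow the Identity Server's user store account to retrieve passwords "
     "('Allow Admin to retrieve passwords' or 'Allow the following to retrieve passwords')."),
    (re.compile(r"CommunicationException: simple bind failed: (?P<host>[^:\s]+):(?P<port>\d+).*plaintext connection\?"),
     "clear-text-ldap",
     "User store replica connection is clear-text LDAP; PasswordFetchClass requires LDAP over SSL on port 636."),
    (re.compile(r"NIDPLOGGING\.200104064\b"), "simple-password-not-set",
     "Method retrieves the Simple Password but the user has none set; set it or use Universal Password."),
]
METHOD_FAILED = re.compile(r"Authentication method (\S+) failed\.")

def triage(log_text):
    """Map catalina.out lines to the PasswordFetchClass failure causes this TID lists.
    Returns {'causes': [{cause, fix, [replica]}...], 'failed_methods': [method names]}."""
    causes, failed_methods = [], []
    for line in log_text.splitlines():
        m = METHOD_FAILED.search(line)
        if m:
            failed_methods.append(m.group(1))  # the method name the admin chose
            continue
        for pattern, label, fix in SIGNATURES:
            m = pattern.search(line)
            if not m:
                continue
            finding = {"cause": label, "fix": fix}
            if label == "clear-text-ldap":
                # Record which replica was contacted in clear text so it can be corrected.
                finding["replica"] = f"{m.group('host')}:{m.group('port')}"
            causes.append(finding)
            break
    return {"causes": causes, "failed_methods": failed_methods}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for c in report["causes"]:
        print(f"[{c['cause']}] {c['fix']}")
    print("failed methods:", report["failed_methods"])
```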