Passwdfetch class/method failing when "\" is part of the Dirxml-ADContext attrib-value.

  • 7010883
  • 06-Oct-2012
  • 10-Jan-2013

Environment

NetIQ Access Manager 3.2

NetIQ Access Manager 3.1

Situation

The PasswordFetch method is used as a post-authentication method to the Kerberos method to retrieve the user's password from eDirectory, allowing single sign-on to applications that require Kerberos authentication. The user object cannot be found in eDirectory because the Dirxml-ADContext value contains a literal "\" and the LDAP query built by the Identity Server was not escaping this character.

Errors in catalina.out:

Found 0 results

Resolution

An updated nidp.jar provided by engineering properly escapes the "\" in the eDirectory value when building the LDAP query. This fix will be included in an upcoming version of NAM (v. 3.1.5). If the fix is required earlier than the public release, please contact Novell Technical Services.

Cause

IDM was used to import Active Directory users into eDirectory for use with the PasswordFetch class/method. A mistake in the logic of the IDM driver caused an explicit backslash to be inserted between the first and last name in the Dirxml-ADContext value. When the Identity Server performs an LDAP query, the Dirxml-ADContext attribute is used to obtain the full DN of the Active Directory user. In that query the "\" must be escaped (as "\5c") to retain the literal "\" character; the query built by nidp.jar on the Identity Server did not do this, so the search matched nothing.

Additional Information

Example:

Active Directory user CN:

CN=Boehm Achim,OU=Users,OU=Corp,dc=dev-perseco,dc=com

Migrated eDirectory Dirxml-ADContext for the same user (note the literal backslash before the comma):

Dirxml-ADContext=CN=Boehm\, Achim,OU=Users,OU=Corp,dc=dev-perseco,dc=com
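The following is an added illustration, not NetIQ/Novell code or the contents of nidp.jar. It shows why the unescaped query returns "Found 0 results": a backslash in a DN (RFC 4514, "\," for a literal comma) is not the same as a backslash in a search filter (RFC 4515), where the backslash itself must become "\5c". The module escapes a raw attribute value for use in a filter, then simulates how a compliant server decodes the filter value before comparing it with the stored Dirxml-ADContext value from the example above. The strict "reject a backslash not followed by two hex digits" behaviour is an assumption about a compliant parser; some implementations instead report a filter error, which is equally a non-match.

```python
"""RFC 4515 escaping of an LDAP search-filter value, illustrated with the
Dirxml-ADContext value from this TID.  Added example; not NetIQ/Novell code."""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

_ESCAPE_SEQ = re.compile(r"\\([0-9A-Fa-f]{2})")


def escape_filter_value(value: str) -> str:
    """Escape a raw attribute value so it can be embedded in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attr: str, raw_value: str, escape: bool = True) -> str:
    """Build an equality filter; escape=False reproduces the buggy behaviour."""
    value = escape_filter_value(raw_value) if escape else raw_value
    return f"({attr}={value})"


def decode_filter_value(filter_value: str) -> str:
    """Decode a filter value the way a compliant LDAP server parses it.

    A backslash must be followed by exactly two hex digits.  Assumption: a
    strict parser rejects anything else (some servers return a filter error
    instead); either way the entry is not matched."""
    out = []
    i = 0
    while i < len(filter_value):
        ch = filter_value[i]
        if ch == "\\":
            m = _ESCAPE_SEQ.match(filter_value, i)
            if not m:
                raise ValueError(
                    f"invalid escape at offset {i}: {filter_value[i:i + 3]!r}")
            out.append(chr(int(m.group(1), 16)))
            i = m.end()
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def server_matches(filter_value: str, stored_value: str) -> bool:
    """Simulate an equality match: decode the filter value, compare to storage."""
    try:
        return decode_filter_value(filter_value) == stored_value
    except ValueError:
        return False


# Constructed from the example in this TID: the migrated value holds a literal "\".
STORED_ADCONTEXT = r"CN=Boehm\, Achim,OU=Users,OU=Corp,dc=dev-perseco,dc=com"


if __name__ == "__main__":
    buggy = build_filter("Dirxml-ADContext", STORED_ADCONTEXT, escape=False)
    fixed = build_filter("Dirxml-ADContext", STORED_ADCONTEXT)
    print("unescaped filter:", buggy)
    print("  matches stored value:", server_matches(buggy[18:-1], STORED_ADCONTEXT))
    print("escaped filter:  ", fixed)
    print("  matches stored value:", server_matches(fixed[18:-1], STORED_ADCONTEXT))
    # The same escaping is what blocks filter injection from untrusted input.
    print("injection attempt escaped:", escape_filter_value("*)(objectClass=*"))
```

The same routine is what prevents LDAP filter injection when attribute values come from user input ("*", "(" and ")" are escaped along with "\"). In JNDI code the idiomatic way to get this for free is to pass the value as a filter argument, `ctx.search(base, "(Dirxml-ADContext={0})", new Object[]{value}, controls)`, rather than concatenating it into the filter string.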

Snippet from catalina.out on the Identity Server when performing the LDAP query:

<amLogEntry> 2012-06-15T03:28:48Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-10.10.58.140-8443-Processor5
Closing LDAP connection due to connection timeout! Interval: 92668, Timeout: 10000, Connection: Id: 7dbc96a2-59f0-473a-80e3-d889f316a927, host: ldaps://10.10.58.137 </amLogEntry>

<amLogEntry> 2012-06-15T03:28:48Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-10.10.58.140-8443-Processor5
Connection: c67512ee-f418-4502-a627-882480ff7108, Environment Parameters for InitialDirContext() method call:
Key: java.naming.factory.initial, Value: com.sun.jndi.ldap.LdapCtxFactory
Key: java.naming.provider.url, Value: ldaps://10.10.58.137:636
Key: com.sun.jndi.ldap.connect.timeout, Value: 0
Key: java.naming.security.principal, Value: cn=admin,ou=services,o=havigs
Key: java.naming.security.authentication, Value: simple
Key: java.naming.security.credentials, Value: *****
Key: java.naming.security.protocol, Value: ssl
Key: java.naming.ldap.factory.socket, Value: com.novell.nidp.common.util.net.client.NIDP_SSLSocketFactory
</amLogEntry>

<amLogEntry> 2012-06-15T03:28:48Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-10.10.58.140-8443-Processor5
Try connection: ldaps://10.10.58.137 </amLogEntry>

<amLogEntry> 2012-06-15T03:28:48Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-10.10.58.140-8443-Processor5
Found 0 results! </amLogEntry>