Authentication with aliases is failing despite using alias class

  • 7015163
  • 10-Jun-2014
  • 10-Jun-2014

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.x

Situation

Example scenario:

Real user object exists at cn=scott,o=test
alias object exists at cn=scottalias,o=novell

userstore Search context is setup to only include o=novell

Secure name password form method is assigned to alias class
(com.novell.nidp.authentication.local.AliasUserPasswordClass)

When attempting to login with chandualias it is failing.

See relevant snippet from logs in the Additional Information section.

Resolution


Create the following file on the IDP:

/opt/novell/nids/lib/webapp/WEB-INF/classes/jndi.properties

and add the following to it:

java.naming.ldap.derefAliases=never

Then need to add a search context to where the real object is, in this case
o=test

Once this was done aliases started working properly.

Additional Information


<amLogEntry> 2014-03-03T23:45:01Z DEBUG NIDS Application:
Method: AliasUserPasswordClass.findActualUserFromUserStore
Thread: http-bio-151.155.214.123-8443-exec-5
LDAP search string with return cn, aliasedObjectName attributes:
(cn=scottalias)  search context : o=novell </amLogEntry>

<amLogEntry> 2014-03-03T23:45:01Z DEBUG NIDS Application:
Method: AliasUserPasswordClass.handlePostedData
Thread: http-bio-151.155.214.123-8443-exec-5
Actual user: scott Alias User: scottalias </amLogEntry>


<amLogEntry> 2014-03-03T23:45:01Z DEBUG NIDS Application:
Method: LocalAuthenticationClass.authenticateWithPassword
Thread: http-bio-151.155.214.123-8443-exec-5
Attempted authenticateWithPassword - id = scott </amLogEntry>

<amLogEntry> 2014-03-03T23:45:01Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-bio-151.155.214.123-8443-exec-5
Base context: o=novell, Filter: (&(cn=scott)(objectClass=User)), Scope: 1,
Request Controls: null, UserId: hsceaoeq70s11 </amLogEntry>

<amLogEntry> 2014-03-03T23:45:01Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-bio-151.155.214.123-8443-exec-5
Connection: 226614ea-1af2-441b-bec6-a65e65fde99a, Environment Parameters for
InitialDirContext() method call:
Key: java.naming.factory.initial, Value: com.sun.jndi.ldap.LdapCtxFactory
Key: java.naming.provider.url, Value: ldaps://151.155.214.123:636
Key: com.sun.jndi.ldap.connect.timeout, Value: 0
Key: java.naming.security.principal, Value: cn=admin,o=novell
Key: java.naming.security.authentication, Value: simple
Key: java.naming.security.credentials, Value: *****
Key: java.naming.security.protocol, Value: ssl
Key: java.naming.ldap.factory.socket, Value:
com.novell.nidp.common.util.net.client.NIDP_SSLSocketFactory
 </amLogEntry>

<amLogEntry> 2014-03-03T23:45:02Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-bio-151.155.214.123-8443-exec-5
Try connection: ldaps://151.155.214.123 </amLogEntry>

<amLogEntry> 2014-03-03T23:45:02Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-bio-151.155.214.123-8443-exec-5
Found 1 results! </amLogEntry>

<amLogEntry> 2014-03-03T23:45:02Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-bio-151.155.214.123-8443-exec-5
Connection: 02ac025f-c29c-4bc8-a6cd-30b15d2e9d7c, Environment Parameters for
InitialDirContext() method call:
Key: java.naming.factory.initial, Value: com.sun.jndi.ldap.LdapCtxFactory
Key: java.naming.provider.url, Value: ldaps://151.155.214.123:636
Key: com.sun.jndi.ldap.connect.timeout, Value: 0
Key: java.naming.security.principal, Value: ldaps:,o=novell
Key: java.naming.security.authentication, Value: simple
Key: java.naming.security.credentials, Value: *****
Key: java.naming.security.protocol, Value: ssl
Key: java.naming.ldap.factory.socket, Value:
com.novell.nidp.common.util.net.client.NIDP_SSLSocketFactory
 </amLogEntry>

<amLogEntry> 2014-03-03T23:45:02Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-bio-151.155.214.123-8443-exec-5

//Notice the Key: java.naming.security.principal, Value: ldaps:,o=novell   (not
including cn=scott)

Exception while attempting to create ldap connection! </amLogEntry>

In ndstrace we see:

1904834304 LDAP: [2014/03/03 16:45:01.967] (151.155.214.123:47669)(0x0003:0x63)
Search request:
    base: "o=novell"
    scope:1  dereference:2  sizelimit:0  timelimit:0  attrsonly:0
    filter: "(cn=scottalias)"
    attribute: "cn"
    attribute: "aliasedObjectName"
1904834304 LDAP: [2014/03/03 16:45:01.967] (151.155.214.123:47669)(0x0003:0x63)
nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
1904834304 LDAP: [2014/03/03 16:45:01.968] (151.155.214.123:47669)(0x0003:0x63)
Sending search result entry "cn=scottalias,o=novell" to connection 0xdf01c00

then

1993504512 LDAP: [2014/03/03 16:45:02.22] (151.155.214.123:49703)(0x0002:0x63)
DoSearch on connection 0xe000000
1993504512 LDAP: [2014/03/03 16:45:02.22] (151.155.214.123:49703)(0x0002:0x63)
Search request:
    base: "o=novell"
    scope:1  dereference:3  sizelimit:0  timelimit:0  attrsonly:0
    filter: "(&(cn=scott)(objectClass=User))"
    attribute: "GUID"
    attribute: "fullname"
    attribute: "cn"
1993504512 LDAP: [2014/03/03 16:45:02.22] (151.155.214.123:49703)(0x0002:0x63)
nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
1993504512 LDAP: [2014/03/03 16:45:02.23] (151.155.214.123:49703)(0x0002:0x63)
Sending search result entry "cn=scott,o=test" to connection 0xe000000

So we find the alias object, dereference it and then try to bind as it.....but
instead of binding as cn=scott,o=novell we see


2202724096 LDAP: [2014/03/03 16:45:02.74] (151.155.214.123:47175)(0x0001:0x60)
DoBind on connection 0xd764700
2202724096 LDAP: [2014/03/03 16:45:02.74] (151.155.214.123:47175)(0x0001:0x60)
Bind name:ldaps:,o=novell, version:3, authentication:simple
2202724096 LDAP: [2014/03/03 16:45:02.74] Illegal ndsname "ldaps:,o=novell" in
ldap2uNDSDN, err = 34 (0x22)
2202724096 LDAP: [2014/03/03 16:45:02.74] ldap2uNDSDN ldapDN =
"ldaps:,o=novell" - error 34 (0x22)
2202724096 LDAP: [2014/03/03 16:45:02.74] (151.155.214.123:47175)(0x0001:0x60)
Failed to convert LDAP DN "ldaps:,o=novell" in nds_back_bind, err = 34 (0x22)

Feedback service temporarily unavailable. For content questions or problems, please contact Support.