Environment
NetIQ Access Manager 3.2
NetIQ Access Manager 4.x
Situation
Example scenario:
Real user object exists at cn=scott,o=test
Alias object exists at cn=scottalias,o=novell (its aliasedObjectName points at cn=scott,o=test)
The user store's search context is set up to include only o=novell
The Secure Name/Password - Form method is assigned to the alias class
(com.novell.nidp.authentication.local.AliasUserPasswordClass)
Attempting to log in as scottalias fails.
See the relevant log snippet in the Additional Information section.
Resolution
Create the following file on the IDP:
/opt/novell/nids/lib/webapp/WEB-INF/classes/jndi.properties
and add the following line to it:
java.naming.ldap.derefAliases=never
Then add a search context to the user store that covers the real object, in this case
o=test
Restart the IDP (Tomcat) after creating the file: jndi.properties is read from the webapp classpath when the LDAP context is created and is not picked up at runtime.
Once this was done, aliases started working properly.
Why both changes are needed: with the default setting, the IDP's second search (for the real user, cn=scott, under o=novell) is sent with dereference:3 (always), so eDirectory follows the alias and returns cn=scott,o=test, an entry outside the configured search context. The IDP then attempts the user bind with the malformed principal ldaps:,o=novell shown in the logs below, which eDirectory rejects with error 34 (invalid DN syntax). With derefAliases=never the search no longer follows the alias, so the real object must be reachable directly, which is why its container has to be added as a search context.
Additional Information
<amLogEntry> 2014-03-03T23:45:01Z DEBUG NIDS Application:
Method: AliasUserPasswordClass.findActualUserFromUserStore
Thread: http-bio-151.155.214.123-8443-exec-5
LDAP search string with return cn, aliasedObjectName attributes:
(cn=scottalias) search context : o=novell </amLogEntry>
<amLogEntry> 2014-03-03T23:45:01Z DEBUG NIDS Application:
Method: AliasUserPasswordClass.handlePostedData
Thread: http-bio-151.155.214.123-8443-exec-5
Actual user: scott Alias User: scottalias </amLogEntry>
<amLogEntry> 2014-03-03T23:45:01Z DEBUG NIDS Application:
Method: LocalAuthenticationClass.authenticateWithPassword
Thread: http-bio-151.155.214.123-8443-exec-5
Attempted authenticateWithPassword - id = scott </amLogEntry>
<amLogEntry> 2014-03-03T23:45:01Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-bio-151.155.214.123-8443-exec-5
Base context: o=novell, Filter: (&(cn=scott)(objectClass=User)), Scope: 1,
Request Controls: null, UserId: hsceaoeq70s11 </amLogEntry>
<amLogEntry> 2014-03-03T23:45:01Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-bio-151.155.214.123-8443-exec-5
Connection: 226614ea-1af2-441b-bec6-a65e65fde99a, Environment Parameters for
InitialDirContext() method call:
Key: java.naming.factory.initial, Value: com.sun.jndi.ldap.LdapCtxFactory
Key: java.naming.provider.url, Value: ldaps://151.155.214.123:636
Key: com.sun.jndi.ldap.connect.timeout, Value: 0
Key: java.naming.security.principal, Value: cn=admin,o=novell
Key: java.naming.security.authentication, Value: simple
Key: java.naming.security.credentials, Value: *****
Key: java.naming.security.protocol, Value: ssl
Key: java.naming.ldap.factory.socket, Value:
com.novell.nidp.common.util.net.client.NIDP_SSLSocketFactory
</amLogEntry>
<amLogEntry> 2014-03-03T23:45:02Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-bio-151.155.214.123-8443-exec-5
Try connection: ldaps://151.155.214.123 </amLogEntry>
<amLogEntry> 2014-03-03T23:45:02Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-bio-151.155.214.123-8443-exec-5
Found 1 results! </amLogEntry>
<amLogEntry> 2014-03-03T23:45:02Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-bio-151.155.214.123-8443-exec-5
Connection: 02ac025f-c29c-4bc8-a6cd-30b15d2e9d7c, Environment Parameters for
InitialDirContext() method call:
Key: java.naming.factory.initial, Value: com.sun.jndi.ldap.LdapCtxFactory
Key: java.naming.provider.url, Value: ldaps://151.155.214.123:636
Key: com.sun.jndi.ldap.connect.timeout, Value: 0
Key: java.naming.security.principal, Value: ldaps:,o=novell
Key: java.naming.security.authentication, Value: simple
Key: java.naming.security.credentials, Value: *****
Key: java.naming.security.protocol, Value: ssl
Key: java.naming.ldap.factory.socket, Value:
com.novell.nidp.common.util.net.client.NIDP_SSLSocketFactory
</amLogEntry>
Note the Key: java.naming.security.principal, Value: ldaps:,o=novell in the entry above (it does not include cn=scott). The connection attempt then fails:
<amLogEntry> 2014-03-03T23:45:02Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-bio-151.155.214.123-8443-exec-5
Exception while attempting to create ldap connection! </amLogEntry>
In ndstrace we see:
1904834304 LDAP: [2014/03/03 16:45:01.967] (151.155.214.123:47669)(0x0003:0x63)
Search request:
base: "o=novell"
scope:1 dereference:2 sizelimit:0 timelimit:0 attrsonly:0
filter: "(cn=scottalias)"
attribute: "cn"
attribute: "aliasedObjectName"
1904834304 LDAP: [2014/03/03 16:45:01.967] (151.155.214.123:47669)(0x0003:0x63)
nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
1904834304 LDAP: [2014/03/03 16:45:01.968] (151.155.214.123:47669)(0x0003:0x63)
Sending search result entry "cn=scottalias,o=novell" to connection 0xdf01c00
followed by the search for the real user, sent with dereference:3 (always):
1993504512 LDAP: [2014/03/03 16:45:02.22] (151.155.214.123:49703)(0x0002:0x63)
DoSearch on connection 0xe000000
1993504512 LDAP: [2014/03/03 16:45:02.22] (151.155.214.123:49703)(0x0002:0x63)
Search request:
base: "o=novell"
scope:1 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(cn=scott)(objectClass=User))"
attribute: "GUID"
attribute: "fullname"
attribute: "cn"
1993504512 LDAP: [2014/03/03 16:45:02.22] (151.155.214.123:49703)(0x0002:0x63)
nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
1993504512 LDAP: [2014/03/03 16:45:02.23] (151.155.214.123:49703)(0x0002:0x63)
Sending search result entry "cn=scott,o=test" to connection 0xe000000
So the IDP finds the alias object, eDirectory dereferences it (the second search returns cn=scott,o=test, which lies outside the o=novell search context), and the IDP then tries to bind as the real user. But instead of binding as cn=scott,o=test we see:
2202724096 LDAP: [2014/03/03 16:45:02.74] (151.155.214.123:47175)(0x0001:0x60)
DoBind on connection 0xd764700
2202724096 LDAP: [2014/03/03 16:45:02.74] (151.155.214.123:47175)(0x0001:0x60)
Bind name:ldaps:,o=novell, version:3, authentication:simple
2202724096 LDAP: [2014/03/03 16:45:02.74] Illegal ndsname "ldaps:,o=novell" in
ldap2uNDSDN, err = 34 (0x22)
2202724096 LDAP: [2014/03/03 16:45:02.74] ldap2uNDSDN ldapDN =
"ldaps:,o=novell" - error 34 (0x22)
2202724096 LDAP: [2014/03/03 16:45:02.74] (151.155.214.123:47175)(0x0001:0x60)
Failed to convert LDAP DN "ldaps:,o=novell" in nds_back_bind, err = 34 (0x22)
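As an added check (not part of this TID or of NetIQ's code), the following Python script parses an ndstrace LDAP excerpt like the one above and flags both symptoms the trace shows: a search result entry returned from outside its search base (the alias was dereferenced into another container) and a bind whose DN fails RDN syntax (the err 34 above). It also answers the second step of the Resolution, whether a real object's DN is covered by the configured search contexts, so you can confirm o=test is needed before changing the user store. The embedded sample trace is a trimmed copy of the excerpt above with each request header joined onto one line; the function names and the simple comma-split DN handling (no support for escaped commas) are this example's own choices.

```python
"""Scan an eDirectory ndstrace LDAP excerpt for the two symptoms this TID describes:
a search whose result entry lies outside its search base (alias dereferenced into
another container) and a bind with a syntactically invalid DN. Also checks whether
a DN is covered by the configured user store search contexts."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the ndstrace excerpt in this TID, with each
# request header joined onto one line the way ndstrace prints it.
SAMPLE_TRACE = """\
1904834304 LDAP: [2014/03/03 16:45:01.967] (151.155.214.123:47669)(0x0003:0x63) Search request:
base: "o=novell"
scope:1 dereference:2 sizelimit:0 timelimit:0 attrsonly:0
filter: "(cn=scottalias)"
attribute: "cn"
attribute: "aliasedObjectName"
1904834304 LDAP: [2014/03/03 16:45:01.968] (151.155.214.123:47669)(0x0003:0x63) Sending search result entry "cn=scottalias,o=novell" to connection 0xdf01c00
1993504512 LDAP: [2014/03/03 16:45:02.22] (151.155.214.123:49703)(0x0002:0x63) Search request:
base: "o=novell"
scope:1 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(cn=scott)(objectClass=User))"
1993504512 LDAP: [2014/03/03 16:45:02.23] (151.155.214.123:49703)(0x0002:0x63) Sending search result entry "cn=scott,o=test" to connection 0xe000000
2202724096 LDAP: [2014/03/03 16:45:02.74] (151.155.214.123:47175)(0x0001:0x60) Bind name:ldaps:,o=novell, version:3, authentication:simple
"""

DEREF_NAMES = {0: "never", 1: "searching", 2: "finding", 3: "always"}  # RFC 4511 derefAliases

SEARCH_RE = re.compile(r"Search request:")
BASE_RE = re.compile(r'^\s*base:\s*"([^"]*)"')
SCOPE_RE = re.compile(r"scope:(\d+)\s+dereference:(\d+)")
FILTER_RE = re.compile(r'^\s*filter:\s*"([^"]*)"')
RESULT_RE = re.compile(r'Sending search result entry "([^"]*)"')
BIND_RE = re.compile(r"Bind name:(.*?), version:\d+")
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")  # attributeType=value, e.g. cn=scott


@dataclass
class Search:
    base: str = ""
    scope: int = 0
    deref: int = 0
    filter: str = ""
    results: List[str] = field(default_factory=list)


def parse_trace(text: str) -> Tuple[List[Search], List[str]]:
    """Group ndstrace lines into Search records plus the list of bind DNs seen."""
    searches: List[Search] = []
    binds: List[str] = []
    cur: Optional[Search] = None
    for line in text.splitlines():
        if SEARCH_RE.search(line):          # new search request block starts
            cur = Search()
            searches.append(cur)
            continue
        m = BIND_RE.search(line)
        if m:                               # a bind ends any open search block
            binds.append(m.group(1).strip())
            cur = None
            continue
        if cur is None:
            continue
        if m := BASE_RE.match(line):
            cur.base = m.group(1)
        elif m := SCOPE_RE.search(line):
            cur.scope, cur.deref = int(m.group(1)), int(m.group(2))
        elif m := FILTER_RE.match(line):
            cur.filter = m.group(1)
        elif m := RESULT_RE.search(line):   # entries the server actually returned
            cur.results.append(m.group(1))
    return searches, binds


def split_dn(dn: str) -> List[str]:
    return [rdn.strip() for rdn in dn.split(",")]  # no escaped-comma handling


def dn_under(dn: str, base: str) -> bool:
    """True if dn is a proper descendant of base (case-insensitive RDN match)."""
    d = [r.lower() for r in split_dn(dn)]
    b = [r.lower() for r in split_dn(base)]
    return len(d) > len(b) and d[-len(b):] == b


def valid_dn(dn: str) -> bool:
    """Every RDN must look like attr=value; 'ldaps:' does not, hence err 34."""
    return bool(dn) and all(RDN_RE.match(rdn) for rdn in split_dn(dn))


def covered_by_search_contexts(dn: str, contexts: List[str]) -> bool:
    """Would the IDP reach dn with derefAliases=never and these search contexts?"""
    return any(dn_under(dn, c) for c in contexts)


def analyse(text: str) -> List[str]:
    """Return human-readable findings for the alias-deref and bad-bind symptoms."""
    findings: List[str] = []
    searches, binds = parse_trace(text)
    for s in searches:
        for dn in s.results:
            if not dn_under(dn, s.base):
                findings.append(
                    f"search under {s.base!r} with deref={DEREF_NAMES.get(s.deref, s.deref)} "
                    f"filter {s.filter} returned {dn!r} outside its base: alias dereferenced")
    for dn in binds:
        if not valid_dn(dn):
            findings.append(f"bind with malformed DN {dn!r}: eDirectory returns err 34 (invalid DN syntax)")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_TRACE):
        print(finding)
    for ctx in (["o=novell"], ["o=novell", "o=test"]):
        print(f"cn=scott,o=test covered by {ctx}: {covered_by_search_contexts('cn=scott,o=test', ctx)}")
```

Run it against a real ndstrace capture (with the +LDAP tag enabled) by passing the file contents to analyse(); a finding of the first kind with deref=always is the signature to look for before applying the jndi.properties change, and covered_by_search_contexts() returning False for the real object's DN is the reason the extra search context is required.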