Environment
Self Service Password Reset
SSPR 3.2
Active Directory environment
LDAP directory is AD
Situation
LDAP search error when logging into SSPR
SSPR unable to find LDAP user on log in
Error 5016 Error_Cant_Match_User (an ldap user for username value 'whatever' was not found
Error 5016 Error_Cant_Match_User (ldap error during search: Unprocessed Continuation Reference(s)
Resolution
Add a (myCurrentName=%USERNAME%) term to the (|...) alternatives in the filter at
Settings -> Profile -> LDAP Directory Profiles -> Username Search Filter
where myCurrentName stands for whichever attribute actually holds the value users type at login. Keep the parentheses balanced, and keep (objectClass=person) in the outer (&...) so that non-person objects with the same value are not returned.
Default Value:
(&(objectClass=person)(|(sAMAccountName=%USERNAME%)(cn=%USERNAME%)(mail=%USERNAME%)))
Value that worked:
(&(objectClass=person)(|(myCurrentName=%USERNAME%)(samAccountName=%USERNAME%)(cn=%USERNAME%)))
Note that the value that worked also dropped the (mail=%USERNAME%) alternative; keep it if users are expected to log in with their e-mail address. LDAP attribute names are case-insensitive, so samAccountName and sAMAccountName are equivalent.
Cause
The Username Search Filter does not include the attribute that holds the value users type at login. SSPR first checks whether the entered username is a DN (it must start with the configured LDAP Naming Attribute); if it is not, SSPR substitutes the username into the Username Search Filter and searches for it. When none of the attributes in that filter carry the entered value, the search returns no entry and login fails with Error 5016.
SSPR debug.log includes the following:
... TRACE, ldap.UserSearchEngine, username 'whatever' does not appear to be a DN (does not start with configured ldap naming attribute 'cn')
... TRACE, ldap.UserSearchEngine, username 'something' does not appear to be a DN (does not start with configured ldap naming attribute 'uid')
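As an added example (not code from this page or from SSPR itself), the following Python model walks through the lookup described in the Resolution and Cause sections: the DN check against the naming attribute, substitution of %USERNAME% into the search filter, and evaluation of the filter against a few constructed directory entries. The entries, the DN values and the attribute name myCurrentName are assumptions for illustration; the RFC 4515 escaping of the substituted username is added here so that a pasted username cannot change the shape of the filter, and is not a statement about how SSPR escapes it internally.

```python
import re

# The two filters from the Resolution section of this article.
FILTER_DEFAULT = "(&(objectClass=person)(|(sAMAccountName=%USERNAME%)(cn=%USERNAME%)(mail=%USERNAME%)))"
FILTER_FIXED = "(&(objectClass=person)(|(myCurrentName=%USERNAME%)(samAccountName=%USERNAME%)(cn=%USERNAME%)))"

# Constructed sample directory (not real data). The person entry keeps its
# login value in the assumed attribute myCurrentName, which the default
# filter never consults; the print queue carries the same cn on purpose.
DIRECTORY = {
    "CN=John Smith,OU=Users,DC=example,DC=com": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": "jsmith",
        "cn": "John Smith",
        "mail": "john.smith@example.com",
        "myCurrentName": "whatever",  # assumed attribute holding the login name
    },
    "CN=whatever,OU=Resources,DC=example,DC=com": {
        "objectClass": ["top", "printQueue"],
        "cn": "whatever",  # same value on a non-person object
    },
}

# RFC 4515 escaping for values substituted into a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def render_filter(template: str, username: str) -> str:
    """Substitute %USERNAME% the way the Username Search Filter setting implies."""
    return template.replace("%USERNAME%", escape_filter_value(username))


def is_balanced(filter_str: str) -> bool:
    """Reject fragments such as '(|(myCurrentName=%USERNAME%)' before they reach LDAP."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def looks_like_dn(username: str, naming_attr: str) -> bool:
    """The check behind the 'does not appear to be a DN' trace line."""
    return username.lower().startswith(naming_attr.lower() + "=")


def _parse(s: str, i: int):
    """Parse the (&...), (|...) and (attr=value) subset of RFC 4515 used by these filters."""
    if s[i + 1] in "&|":
        op, i, children = s[i + 1], i + 2, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), i + 1  # skip the closing ')'
    end = s.index(")", i)  # escaped values contain no raw ')'
    attr, _, value = s[i + 1:end].partition("=")
    return ("=", attr.lower(), _unescape(value).lower()), end + 1


def _matches(node, entry) -> bool:
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    _, attr, value = node
    return value in [v.lower() for v in entry.get(attr, [])]


def find_users(filter_str: str, entries=DIRECTORY):
    """Return the DNs of all entries matching a rendered filter (attribute names case-insensitive)."""
    if not is_balanced(filter_str):
        raise ValueError("unbalanced filter: " + filter_str)
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter: " + filter_str)
    hits = []
    for dn, attrs in entries.items():
        norm = {k.lower(): (v if isinstance(v, list) else [v]) for k, v in attrs.items()}
        if _matches(node, norm):
            hits.append(dn)
    return hits


def resolve(username: str, template: str, naming_attr: str = "cn", entries=DIRECTORY):
    """Model of the login lookup: DN first, otherwise the Username Search Filter."""
    if looks_like_dn(username, naming_attr):
        return [dn for dn in entries if dn.lower() == username.lower()]
    return find_users(render_filter(template, username), entries)


if __name__ == "__main__":
    print("default filter:", resolve("whatever", FILTER_DEFAULT))  # no match, as in Error 5016
    print("fixed filter:  ", resolve("whatever", FILTER_FIXED))
```

Running the block reproduces the symptom: with the default filter the login name "whatever" matches nothing, because the only attribute holding it is absent from the filter, while the corrected filter returns the person entry and still excludes the print queue whose cn carries the same value. The escaping also keeps a username such as `a)(cn=*` from widening the search.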
Additional Information
Another user solved the problem by using "uid" instead of "cn" in
"Settings -> LDAP Directory -> LDAP Naming Attribute (advanced)", per this PWM issue report:
https://code.google.com/p/pwm/issues/detail?id=570
Note that with v 3.2 this setting is found under "Profile -> LDAP Directory Profiles -> LDAP Naming Attribute". The naming attribute must match the RDN attribute of the user entries in the directory (cn for Active Directory, typically uid for other LDAP directories), since it is the attribute SSPR checks when deciding whether an entered username is a DN.