Error: "Denied user X509 authentication based on Login Policy Check LDAP Extension evaluation for user" during OAuth or x509 login

  • 7018903
  • 11-May-2017
  • 11-May-2017

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
NetIQ Access Manager 4.3

Situation

Access Manager is set up and working well: users are able to authenticate against the Identity Server and single sign-on to back-end services behind the Access Gateway or to remote SAML/WS-FED Service Providers.

To enhance security within a specific department, x509-based mutual authentication was rolled out for a new group of users. When testing with one such user, the login failed. The LDAP validation against the user store, performed with the LDAP proxy user defined for that user store, appeared to fail because the proxy user had insufficient rights to complete the transaction. The following entries were shown in the IDP catalina log file when INFO level logging was enabled:

<amLogEntry> 2015-06-11T01:34:08Z INFO NIDS Application: AM#500105003: AMDEVICEID#CD1414323A935B41: Denied user X509 authentication based on Login Policy Check LDAP Extension evaluation for user CN=test, O=novell on user store Cluster001. </amLogEntry>

<amLogEntry> 2015-06-11T01:34:08Z SEVERE NIDS Application: AM#100105005: AMDEVICEID#CD1414323A935B41: Error updating user accout status after calling Login Policy Check LDAP Extension for user CN=test, O=novell on user store Cluster001. Error code: -1659. </amLogEntry>

The same error is also seen with OAuth-based logins, which also perform the NMAS login policy check using the LDAP proxy user.

When an admin-equivalent user is configured as the LDAP proxy user, everything works fine, so the cause is a rights issue. When the 'write' rights are removed from the LDAP proxy user's trustee assignment on cn=test,o=novell, the error occurs every time.
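As an added example (not Access Manager code), the following Python script shows how to triage the IDP catalina log for this condition. It parses the <amLogEntry> records quoted above and flags a user only when the denial (AM#500105003) is followed by the account-status update error (AM#100105005) carrying error code -1659 for the same user and user store; a denial on its own is not flagged, on the assumption that it may be a genuine login policy restriction. The sample log is constructed from the two entries above plus one constructed denial for a user CN=locked, O=novell that has no matching update error; the constant names are this example's own.

```python
"""Triage IDP catalina log entries for the Login Policy Check LDAP Extension failure."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Message IDs taken from the log entries quoted in the article; the constant
# names are this example's own.
LOGIN_POLICY_DENIED = "AM#500105003"    # "Denied user X509 authentication based on Login Policy Check ..."
ACCOUNT_UPDATE_FAILED = "AM#100105005"  # "Error updating user accout status after calling Login Policy Check ..."
UPDATE_ERROR_CODE = -1659               # error code carried by the SEVERE entry in the article

ENTRY_RE = re.compile(
    r"<amLogEntry>\s*(?P<ts>\S+)\s+(?P<level>\w+)\s+NIDS Application:\s*"
    r"(?P<msgid>AM#\d+):\s*AMDEVICEID#(?P<dev>\w+):\s*(?P<text>.*?)\s*</amLogEntry>",
    re.S,
)
USER_RE = re.compile(r"for user (?P<dn>.+?) on user store (?P<store>\S+)")
ERR_RE = re.compile(r"Error code:\s*(-?\d+)")

# Constructed sample: the two entries quoted in the article plus one constructed
# denial for another user that has no matching update error.
SAMPLE_LOG = """
<amLogEntry> 2015-06-11T01:34:08Z INFO NIDS Application: AM#500105003: AMDEVICEID#CD1414323A935B41: Denied user X509 authentication based on Login Policy Check LDAP Extension evaluation for user CN=test, O=novell on user store Cluster001. </amLogEntry>
<amLogEntry> 2015-06-11T01:34:08Z SEVERE NIDS Application: AM#100105005: AMDEVICEID#CD1414323A935B41: Error updating user accout status after calling Login Policy Check LDAP Extension for user CN=test, O=novell on user store Cluster001. Error code: -1659. </amLogEntry>
<amLogEntry> 2015-06-11T01:40:12Z INFO NIDS Application: AM#500105003: AMDEVICEID#CD1414323A935B41: Denied user X509 authentication based on Login Policy Check LDAP Extension evaluation for user CN=locked, O=novell on user store Cluster001. </amLogEntry>
"""


@dataclass
class Finding:
    timestamp: str
    level: str
    msgid: str
    user_dn: str
    user_store: str
    error_code: Optional[int]


def parse_entries(log_text: str) -> List[Finding]:
    """Extract every <amLogEntry> record with its user DN, user store and error code (if any)."""
    findings = []
    for m in ENTRY_RE.finditer(log_text):
        text = m.group("text")
        user = USER_RE.search(text)
        err = ERR_RE.search(text)
        findings.append(Finding(
            timestamp=m.group("ts"),
            level=m.group("level"),
            msgid=m.group("msgid"),
            user_dn=user.group("dn") if user else "",
            user_store=user.group("store").rstrip(".") if user else "",
            error_code=int(err.group(1)) if err else None,
        ))
    return findings


def proxy_rights_suspects(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(user DN, user store) pairs that show the denial plus the -1659 update failure.

    A denial on its own is not flagged: the assumption here is that it may be a
    genuine login policy restriction rather than a proxy-user rights problem.
    """
    denied = set()
    update_failed = set()
    for f in findings:
        key = (f.user_dn, f.user_store)
        if f.msgid == LOGIN_POLICY_DENIED:
            denied.add(key)
        elif f.msgid == ACCOUNT_UPDATE_FAILED and f.error_code == UPDATE_ERROR_CODE:
            update_failed.add(key)
    return sorted(denied & update_failed)


if __name__ == "__main__":
    for dn, store in proxy_rights_suspects(parse_entries(SAMPLE_LOG)):
        print(f"check LDAP proxy user write rights on {dn} (user store {store})")
```

Run it against a copy of catalina.out from the IDP (with INFO logging enabled, as above); each reported pair names the user object and user store whose proxy user trustee assignment should be inspected.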

Resolution

To check a user's login policy restrictions, the IDP uses the LDAP proxy admin user as a service account for authenticating to eDirectory and making NMAS calls. This service account must have 'write' rights on the users who are authenticating. The Access Manager documentation explicitly states this requirement of write ACL rights on the user object for x509 authentication to succeed, at https://www.netiq.com/documentation/access-manager-43/admin/data/b1tvhkg.html#x509validation:

"For the LDAP extension to work, the proxy user requires write rights on the ACL. Administrator-level rights are required for setting up a user store. This ensures read/write access to all objects used by Access Manager."

OAuth logins also use the LDAP extension to talk to the user store and are subject to the same requirement, as the OAuth failures described in the Situation section show.
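As an added example (not Access Manager or eDirectory code), the following Python script models the check a practitioner would run before and after granting the rights. It evaluates whether the LDAP proxy user holds write rights over a user's attributes, using the eDirectory ACL value format privileges#scope#subjectname#protectedattrname and the rule that a subtree-scoped ACL on a container applies to the objects beneath it, and it emits the LDIF that ldapmodify would apply to grant Read+Write on [All Attributes Rights] at the container holding the x509 users rather than at the tree root. Inherited Rights Filters, security equivalence and DNs with escaped commas are not modelled; the DNs cn=namproxy,o=novell, cn=admin,o=novell and ou=x509users,o=novell, and the ACL values in the sample tree, are constructed for the example.

```python
"""Check and grant eDirectory write rights for the Access Manager LDAP proxy user.

Models eDirectory ACL values of the form privileges#scope#subjectname#protectedattrname
and subtree inheritance. Simplifications (assumptions of this example): no Inherited
Rights Filters, no security equivalence, no escaped commas in DNs.
"""
from typing import Dict, List, Tuple

# Attribute-rights privilege bits in eDirectory ACL values.
ATTR_COMPARE, ATTR_READ, ATTR_WRITE, ATTR_SELF, ATTR_SUPERVISOR = 1, 2, 4, 8, 16
ENTRY_SUPERVISOR = 16  # Supervisor entry right; implies rights over all attributes
ALL_ATTRS = "[All Attributes Rights]"
ENTRY_RIGHTS = "[Entry Rights]"

# Constructed sample tree: admin has Supervisor at the root, the proxy user only
# Read on attributes (the misconfiguration that reproduces the error).
PROXY = "cn=namproxy,o=novell"
USER = "cn=test,ou=x509users,o=novell"
SAMPLE_ACLS: Dict[str, List[str]] = {
    "o=novell": [
        "16#subtree#cn=admin,o=novell#[Entry Rights]",
        f"2#subtree#{PROXY}#{ALL_ATTRS}",
        f"1#subtree#{PROXY}#{ENTRY_RIGHTS}",
    ],
    "ou=x509users,o=novell": [],
    USER: [],
}


def norm(dn: str) -> str:
    """Case- and whitespace-insensitive DN comparison key."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def ancestors(dn: str) -> List[str]:
    """Containers above dn, nearest first: cn=a,ou=b,o=c -> [ou=b,o=c, o=c]."""
    parts = norm(dn).split(",")
    return [",".join(parts[i:]) for i in range(1, len(parts))]


def parse_acl(value: str) -> Tuple[int, str, str, str]:
    priv, scope, subject, attr = value.split("#", 3)
    return int(priv), scope.lower(), norm(subject), attr


def grants_write(acl: str, proxy_dn: str, inherited: bool) -> bool:
    """Does this ACL value give proxy_dn write over all attributes of the object it is evaluated for?"""
    priv, scope, subject, attr = parse_acl(acl)
    if subject != norm(proxy_dn):
        return False
    if inherited and scope != "subtree":  # entry-scoped ACLs do not flow down
        return False
    if attr == ENTRY_RIGHTS:
        return bool(priv & ENTRY_SUPERVISOR)
    return attr == ALL_ATTRS and bool(priv & (ATTR_WRITE | ATTR_SUPERVISOR))


def proxy_has_write(user_dn: str, acls: Dict[str, List[str]], proxy_dn: str) -> bool:
    """True if proxy_dn can write all attributes of user_dn, directly or by inheritance."""
    tree = {norm(k): v for k, v in acls.items()}
    if any(grants_write(a, proxy_dn, inherited=False) for a in tree.get(norm(user_dn), [])):
        return True
    return any(grants_write(a, proxy_dn, inherited=True)
               for c in ancestors(user_dn) for a in tree.get(c, []))


def grant_write_ldif(container_dn: str, proxy_dn: str) -> str:
    """LDIF for ldapmodify adding a subtree-scoped Read+Write ACL for the proxy user."""
    value = f"{ATTR_READ | ATTR_WRITE}#subtree#{proxy_dn}#{ALL_ATTRS}"
    return "\n".join([f"dn: {container_dn}", "changetype: modify", "add: ACL", f"ACL: {value}", ""])


def apply_acl_ldif(acls: Dict[str, List[str]], ldif: str) -> Dict[str, List[str]]:
    """Apply the 'add: ACL' LDIF above to an in-memory tree, as ldapmodify would to the directory."""
    new = {k: list(v) for k, v in acls.items()}
    dn = next(line[4:] for line in ldif.splitlines() if line.startswith("dn: "))
    for line in ldif.splitlines():
        if line.startswith("ACL: "):
            new.setdefault(dn, []).append(line[5:])
    return new


def demo() -> Tuple[bool, bool, str]:
    """Rights before the fix, rights after applying the LDIF, and the LDIF itself."""
    before = proxy_has_write(USER, SAMPLE_ACLS, PROXY)
    ldif = grant_write_ldif("ou=x509users,o=novell", PROXY)
    after = proxy_has_write(USER, apply_acl_ldif(SAMPLE_ACLS, ldif), PROXY)
    return before, after, ldif


if __name__ == "__main__":
    before, after, ldif = demo()
    print(f"proxy write on {USER}: before={before} after={after}")
    print(ldif)
```

Applying the generated LDIF with ldapmodify over LDAPS as an admin user (for example ldapmodify -x -H ldaps://ldap.example.com:636 -D cn=admin,o=novell -W -f grant.ldif, with a placeholder host name) scopes the new rights to the container that holds the authenticating users. That is the least-privilege option between the read-only proxy that reproduces the error and the admin-equivalent proxy the Situation section used to confirm the diagnosis; the same check passes for cn=admin,o=novell in the sample tree because a Supervisor entry right covers all attributes. Verify the trustee assignment (with this function or with iManager) before re-testing the x509 or OAuth login.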