Environment
Access Manager 4.3.1
Access Manager 4.3.2
Situation
- NetIQ Access manager 4.3.x IDP server cluster configured for OAuth
- Access Token requests fail as soon as the client is switched to another cluster node, reporting the error:
HTTP Status 400 - Bad Request
type Status report
message Bad Request
description The request sent by the client was syntactically incorrect.
- The NIDP server catalina.out reports:
<amLogEntry> 2017-09-13T12:07:51Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: ajp-bio-127.0.0.1-9019-exec-16
getNextConnection() attempting to get preferred replica from the IPreferredReplica interface </amLogEntry>
<amLogEntry> 2017-09-13T12:07:51Z SEVERE NIDS Application: AM#100105005: AMDEVICEID#9CBE4302EF3DDAA3: Error updating user accout status after calling Login Policy Check LDAP Extension for user cn=admin,o=novell on user store DUS-LAB-NPS. Error code: -1659. </amLogEntry>
<amLogEntry> 2017-09-13T12:07:51Z SEVERE NIDS Session Logger: com.novell.nam.nidp.oauth.core.TokenEndpoint: null </amLogEntry>
<amLogEntry> 2017-09-13T12:07:51Z INFO NIDS Session Logger: com.novell.nam.nidp.oauth.nidp.servlets.OAuthApplication: 88 * Server responded with a response on thread ajp-bio-127.0.0.1-9019-exec-16
88 < 400
88 < Content-Type: text/plain
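As an added example (not part of this TID and not a NetIQ tool), the following Python script scans catalina.out text for the failure signature shown above: a SEVERE Login Policy Check LDAP Extension entry with error code -1659 followed, at the same timestamp, by the SEVERE TokenEndpoint: null entry that accompanies the HTTP 400. The sample log is constructed from the entries quoted in this TID plus one benign entry; the entry format is assumed to be the <amLogEntry> ... </amLogEntry> layout seen above.

```python
import re
from typing import Dict, List

# Constructed sample, assembled from the catalina.out entries quoted in this TID
# plus one benign entry; it is not a real capture.
SAMPLE_LOG = """\
<amLogEntry> 2017-09-13T12:07:51Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: ajp-bio-127.0.0.1-9019-exec-16
getNextConnection() attempting to get preferred replica from the IPreferredReplica interface </amLogEntry>
<amLogEntry> 2017-09-13T12:07:51Z SEVERE NIDS Application: AM#100105005: AMDEVICEID#9CBE4302EF3DDAA3: Error updating user accout status after calling Login Policy Check LDAP Extension for user cn=admin,o=novell on user store DUS-LAB-NPS. Error code: -1659. </amLogEntry>
<amLogEntry> 2017-09-13T12:07:51Z SEVERE NIDS Session Logger: com.novell.nam.nidp.oauth.core.TokenEndpoint: null </amLogEntry>
<amLogEntry> 2017-09-13T12:09:00Z INFO NIDS Application: unrelated entry, constructed for the sample </amLogEntry>
"""

# One <amLogEntry> ... </amLogEntry> block; entries may span several lines.
ENTRY_RE = re.compile(r"<amLogEntry>\s*(\S+)\s+(\w+)\s+(.*?)\s*</amLogEntry>", re.DOTALL)
# The SEVERE message left by the Login Policy Check LDAP Extension (the regex
# starts after the "user accout status" words, so the typo in the log does not matter).
LDAP_EXT_RE = re.compile(
    r"Login Policy Check LDAP Extension for user (?P<user>\S+) on user store "
    r"(?P<store>[^.]+)\. Error code: (?P<code>-?\d+)"
)
TOKEN_ENDPOINT_NULL = "oauth.core.TokenEndpoint: null"


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Split catalina.out text into entries of timestamp, level and message."""
    return [{"ts": ts, "level": lvl, "msg": msg} for ts, lvl, msg in ENTRY_RE.findall(log_text)]


def find_proxy_rights_failures(log_text: str) -> List[Dict[str, object]]:
    """Return LDAP-extension failures with error code -1659, each flagged with whether
    a SEVERE TokenEndpoint: null entry follows at the same timestamp (the OAuth 400)."""
    entries = parse_entries(log_text)
    findings = []
    for i, e in enumerate(entries):
        m = LDAP_EXT_RE.search(e["msg"])
        if e["level"] != "SEVERE" or not m or int(m.group("code")) != -1659:
            continue
        oauth_hit = any(
            n["level"] == "SEVERE" and TOKEN_ENDPOINT_NULL in n["msg"] and n["ts"] == e["ts"]
            for n in entries[i + 1:]
        )
        findings.append({"ts": e["ts"], "user": m.group("user"), "store": m.group("store"),
                         "code": int(m.group("code")), "oauth_token_request_failed": oauth_hit})
    return findings


if __name__ == "__main__":
    for f in find_proxy_rights_failures(SAMPLE_LOG):
        print(f"{f['ts']} proxy user {f['user']} on {f['store']} -> error {f['code']}, "
              f"OAuth token request failed: {f['oauth_token_request_failed']}")
```

Run it against a real catalina.out by reading the file into find_proxy_rights_failures; a finding with oauth_token_request_failed set points at the proxy-user rights problem described in the Cause section.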
Resolution
Configure an LDAP proxy user with admin rights to the LDAP user store.
Cause
The LDAP proxy user used to access the user store does not have admin rights to the tree, which the current version of NAM requires.
Additional Information
Troubleshooting:
Enable OAuth debug logging:
- Enable the following NIDP cluster logging options:
  Enable File Logging
  Echo To Console
  Component File Logger Levels: "Application:" and "OAuth & OpenID Connect:" = debug
- Edit the NIDP server logging config file (vi /opt/novell/nids/lib/webapp/WEB-INF/classes/log4j.properties) and apply the following settings:
==========================================================
# Set root logger priority to FATAL and its only appender to CONSOLE.
#log4j.rootCategory=FATAL, CONSOLE
log4j.rootCategory=DEBUG, CONSOLE
# CONSOLE is set to be a ConsoleAppender using a PatternLayout.
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
#log4j.appender.CONSOLE.Threshold=FATAL
log4j.appender.CONSOLE.Threshold=DEBUG
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.CONSOLE.layout.ConversionPattern=- %m%n
#
# added for OAuth debugging
log4j.logger.org.brickred.socialauth=DEBUG
log4j.logger.org.brickred.socialauth.provider=DEBUG
==========================================================