By: Christian Thiele user 24 Sep 2023 at 2:43 p.m. CDT

Foundation: Gluu 4.5.1 should synchronise the users from an AD and use the login in Casa as a self-service.

So first I set up the cache refresh. This also runs without problems. Then I set up the AD server under Manage Authentication. To test the construct up to this point, I activated the basic script for the login. This also works without problems. Here is a short extract from the oxauth.log:

```
2023-09-24 19:32:55,700 DEBUG [qtp1199673596-16] [org.gluu.oxauth.service.common.UserService] (UserService.java:81) - Getting user information from LDAP: userId = test21
2023-09-24 19:32:55,702 DEBUG [qtp1199673596-16] [org.gluu.oxauth.service.common.UserService] (UserService.java:96) - Found 1 entries for user id = test21
```

If I now set the registration to Casa, it comes: Authentication failed

The LOG says the following:

```
2023-09-24 19:38:54,983 TRACE [qtp1199673596-17] [org.gluu.oxauth.service.SessionIdService] (SessionIdService.java:838) - Try to get session by id: 84054189-23ed-4cfd-b6c7-1ce05a06b169 ...
2023-09-24 19:38:54,983 TRACE [qtp1199673596-17] [org.gluu.oxauth.service.SessionIdService] (SessionIdService.java:840) - Session dn: oxId=84054189-23ed-4cfd-b6c7-1ce05a06b169,ou=sessions,o=gluu
2023-09-24 19:38:54,983 TRACE [qtp1199673596-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:190) - Authenticating ... (interactive: true, skipPassword: false, credentials.username: test21)
2023-09-24 19:38:54,984 DEBUG [qtp1199673596-17] [org.gluu.oxauth.service.common.UserService] (UserService.java:239) - Getting user information from LDAP: attributeName = 'samaccountname', attributeValue = 'test21'
2023-09-24 19:38:55,008 DEBUG [qtp1199673596-17] [org.gluu.oxauth.service.common.UserService] (UserService.java:251) - Found '0' entries
2023-09-24 19:38:55,008 TRACE [qtp1199673596-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:339) - #########################################################################
2023-09-24 19:38:55,008 TRACE [qtp1199673596-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:340) - ++++++++++++++++++++++++++++++++++++++++++CURRENT ACR:casa
2023-09-24 19:38:55,008 TRACE [qtp1199673596-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:341) - ++++++++++++++++++++++++++++++++++++++++++CURRENT STEP:1
2023-09-24 19:38:55,009 TRACE [qtp1199673596-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:344) - According to API version script supports steps overriding
2023-09-24 19:38:55,009 DEBUG [qtp1199673596-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:347) - Get next step from script: '-1'
2023-09-24 19:38:55,012 TRACE [qtp1199673596-17] [org.gluu.service.BaseCacheService] (BaseCacheService.java:84) - Put data, key 'oxId=84054189-23ed-4cfd-b6c7-1ce05a06b169,ou=sessions,o=gluu': 'SessionId {dn='oxId=84054189-23ed-4cfd-b6c7-1ce05a06b169,ou=sessions,o=gluu', id='84054189-23ed-4cfd-b6c7-1ce05a06b169', outsideSid='8cdd1c67-0c4c-4e32-94e9-23ce1a0021fe', lastUsedAt=Sun Sep 24 19:38:55 UTC 2023, userDn='null', authenticationTime=Sun Sep 24 19:38:24 UTC 2023, state=unauthenticated, expirationDate=Sun Sep 24 21:38:24 UTC 2023, sessionState='f7e243a6699fe3aebc959f7dcfbfd2030e906356cc36ba6c23ad36186067135b.cbfd48c0-539b-43e0-a5a0-feaae085adac', permissionGranted=null, isJwt=false, jwt=null, permissionGrantedMap=SessionIdAccessMap{permissionGranted={1001.4d30705e-869e-458a-8f6e-abbf7198b373=false}}, sessionAttributes={auth_external_attributes=[{"casa_logoUrl":"java.lang.String"},{"casa_faviconUrl":"java.lang.String"},{"casa_prefix":"java.lang.String"},{"casa_contextPath":"java.lang.String"},{}], opbs=37bb0b19-17de-49a4-ab1e-503ef33fc7cd, response_type=code, nonce=99a5fde9-c28d-4077-b055-0285536abfbf, client_id=1001.4d30705e-869e-458a-8f6e-abbf7198b373, auth_step=1, acr=casa, casa_logoUrl=/casa/images/logo.png, remote_ip=91.17.113.40, scope=openid profile email user_name, acr_values=casa, casa_faviconUrl=/casa/images/favicon.ico, redirect_uri=https://ident.ews.plus/identity/authcode.htm, state=4238d2dd-dc4e-4eb3-9d42-0251c7e5cc2b, casa_prefix=, casa_contextPath=/casa, casa_extraCss=null}, persisted=true}'
2023-09-24 19:38:55,012 INFO [qtp1199673596-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:226) - Authentication failed for 'test21'
2023-09-24 19:38:55,013 DEBUG [qtp1199673596-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:129) - authenticate resultCode: authentication_failed
```

Where is something going wrong here?

regards Christian

By Michael Schwartz Account Admin 24 Sep 2023 at 2:44 p.m. CDT

Raju, can you help on this one?

By Md Mostafejur Rahman staff 25 Sep 2023 at 9:40 a.m. CDT

@Michael.Schwartz let me see.

By Md Mostafejur Rahman staff 26 Sep 2023 at 3:19 p.m. CDT

Hello Christian Thiele,

Did you follow the [cache refresh docs](https://gluu.org/docs/gluu-server/4.5/user-management/ldap-sync/)? The info below indicates something about an attribute mapping. Could you please check that your attribute mapping from source to destination is OK?

> ```
> 2023-09-24 19:38:54,984 DEBUG [qtp1199673596-17] [org.gluu.oxauth.service.common.UserService] (UserService.java:239) - Getting user information from LDAP: attributeName = 'samaccountname', attributeValue = 'test21'
> ```

Also, could you check `oxauth_script.log`? If the Casa script is responsible for this, we will definitely get hints there as to why. Could you please attach the logs, `oxauth.log` and `oxauth_script.log`?

regards~ Mostafejur Rahman
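
An added example (not part of the thread and not Gluu code): a small Python script that pairs each oxAuth `UserService` lookup line with the "Found ... entries" line that follows it on the same thread, so the attribute used for the lookup and its hit count can be read side by side. The sample lines are copied from the log excerpts quoted in this thread; the function names and regexes are assumptions based only on those line formats.

```python
import re

# Log lines copied from the oxauth.log excerpts quoted in this thread.
SAMPLE_LOG = """\
2023-09-24 19:32:55,700 DEBUG [qtp1199673596-16] [org.gluu.oxauth.service.common.UserService] (UserService.java:81) - Getting user information from LDAP: userId = test21
2023-09-24 19:32:55,702 DEBUG [qtp1199673596-16] [org.gluu.oxauth.service.common.UserService] (UserService.java:96) - Found 1 entries for user id = test21
2023-09-24 19:38:54,984 DEBUG [qtp1199673596-17] [org.gluu.oxauth.service.common.UserService] (UserService.java:239) - Getting user information from LDAP: attributeName = 'samaccountname', attributeValue = 'test21'
2023-09-24 19:38:55,008 DEBUG [qtp1199673596-17] [org.gluu.oxauth.service.common.UserService] (UserService.java:251) - Found '0' entries
2023-09-24 19:38:55,012 INFO [qtp1199673596-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:226) - Authentication failed for 'test21'
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) +(?P<level>\w+) +\[(?P<thread>[^\]]+)\] \[(?P<logger>[^\]]+)\] \([^)]*\) - (?P<msg>.*)$")
BY_UID = re.compile(r"Getting user information from LDAP: userId = (?P<value>\S+)")
BY_ATTR = re.compile(r"Getting user information from LDAP: attributeName = '(?P<attr>[^']*)', attributeValue = '(?P<value>[^']*)'")
FOUND = re.compile(r"Found '?(?P<count>\d+)'? entries")


def summarize_lookups(log_text):
    """Return one dict per user lookup: time, attribute, value, hit count."""
    pending = {}   # thread name -> lookup still waiting for its "Found" line
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines, stack traces
        thread, msg = m["thread"], m["msg"]
        if (q := BY_ATTR.search(msg)):
            pending[thread] = {"ts": m["ts"], "attr": q["attr"], "value": q["value"]}
        elif (q := BY_UID.search(msg)):
            pending[thread] = {"ts": m["ts"], "attr": "userId", "value": q["value"]}
        elif (f := FOUND.search(msg)) and thread in pending:
            results.append({**pending.pop(thread), "count": int(f["count"])})
    return results


def zero_hit_lookups(log_text):
    """Lookups that matched no entry in the directory."""
    return [r for r in summarize_lookups(log_text) if r["count"] == 0]


if __name__ == "__main__":
    for r in summarize_lookups(SAMPLE_LOG):
        flag = "  <-- no match" if r["count"] == 0 else ""
        print(f"{r['ts']}  {r['attr']}={r['value']}  entries={r['count']}{flag}")
```
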

By Christian Thiele user 27 Sep 2023 at 9:13 a.m. CDT

Yes I followed these instructions and installed the Cache Refresh. It works because the users are in the system and I can log in with the basic authentication method. If I understand correctly, a functioning cache refresh and a correct LDAP config are necessary for this, or? regards Christian

By Md Mostafejur Rahman staff 27 Sep 2023 at 9:24 a.m. CDT

> If I understand correctly, a functioning cache refresh and a correct LDAP config are necessary for this, or?

Yes,

By Christian Thiele user 27 Sep 2023 at 9:30 a.m. CDT

Okay. The basic authentication method works without problems for all users that have been synchronised via the LDAP. Now you need these log files: oxauth.log and oxauth_script.log, also the casa log?

By Md Mostafejur Rahman staff 27 Sep 2023 at 9:49 a.m. CDT

Yes, how to do it:

1. Please keep the log level in `Trace` mode.
2. Then reproduce the issue for both cases and share the logs `oxauth.log` and `oxauth_script.log`.

By Md Mostafejur Rahman staff 27 Sep 2023 at 9:58 a.m. CDT

Yes also `casa.log`.

By Christian Thiele user 27 Sep 2023 at 10:31 a.m. CDT

[oxauth.log](https://nextcloud.mission-leben.de/index.php/s/Dfko5EMQn4LRWq5) [oxauth_script.log](https://nextcloud.mission-leben.de/index.php/s/BGkC3nxeFyFHBdc) [casa.log](https://nextcloud.mission-leben.de/index.php/s/t5jPxGLJ3PY68bn)

By Md Mostafejur Rahman staff 27 Sep 2023 at 10:36 a.m. CDT

Thanks. Let me check; I will come back to you soon.