By: Patrick Ethier user 08 Feb 2017 at 9:36 a.m. CST

8 Responses
Hi, I've configured the Multi-Auth custom script as per [Basic Multi Auth](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/basic.multi_auth_conf). I'm running through all the Jetty logs, but other than oxauth.log reporting I can't seem to find anything else where it attempts to query the remote LDAP server. (I haven't run any tcpdump from the CLI, but cache refresh seems to be working with the same settings no problem.)

```
oxauth.log:2017-02-08 15:29:37,298 INFO [qtp1100439041-12] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:155) - Authentication failed for '<user>'
```

It doesn't seem to be authenticating my users from Active Directory. Here is a copy of my /etc/certs/multi_auth_conf.json file (which is owned by jetty:jetty on the file system):

```json
{
  "ldap_configuration": [
    {
      "configId": "ad_1",
      "servers": ["<server:port> same as used for cache refresh"],
      "bindDN": "<same dn as used for cache refresh>",
      "bindPassword": "<same bind password as for cache refresh>",
      "useSSL": false,
      "maxConnections": 3,
      "baseDNs": ["<dn 1, same as the DN for cache refresh>", "<dn 2 same as DN for cache refresh>"],
      "loginAttributes": ["sAMAccountName"],
      "localLoginAttributes": ["uid"]
    },
    {
      "configId": "gluu_1",
      "servers": ["localhost:1636"],
      "bindDN": "cn=directory manager,o=gluu",
      "bindPassword": "<same password as admin user in web UI>",
      "useSSL": true,
      "maxConnections": 3,
      "baseDNs": ["o=gluu"],
      "loginAttributes": ["uid"],
      "localLoginAttributes": ["uid"]
    }
  ]
}
```

By Aliaksandr Samuseu staff 08 Feb 2017 at 11:13 a.m. CST

Hi, Patrick. Regarding the `bindPassword` element in the configuration json file - I believe you need to encode your clear-text password first before placing it there, like this: `# /opt/gluu/bin/encode.py YOUR_PASS_IN_CLEARTEXT`. I think our docs miss this step. Answering your question - to troubleshoot a custom auth script you should check the logs under `/opt/gluu/jetty/oxauth/logs/`, specifically `oxauth_script.log` and `oxauth.log`; there should be some clues there at least. Please try to encode your passwords as specified above; meanwhile I'll try to check the basic multi-auth script myself, and will get back to you.
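As an added example (not from this thread and not Gluu's own code), a small Python checker for the shape of the multi_auth_conf.json discussed above. It assumes the keys shown in the first post are all required, that `loginAttributes` and `localLoginAttributes` pair up positionally, and it flags `useSSL: false` because the bind credentials then cross the wire unencrypted; the sample config inside it is constructed.

```python
import json

# Keys each ldap_configuration entry in the thread carries (assumed required here).
REQUIRED_KEYS = ("configId", "servers", "bindDN", "bindPassword", "useSSL",
                 "maxConnections", "baseDNs", "loginAttributes", "localLoginAttributes")

# Constructed sample mirroring the two-entry layout from the first post.
SAMPLE_CONF = """
{ "ldap_configuration": [
    { "configId": "ad_1", "servers": ["ad.example.test:389"],
      "bindDN": "cn=svc,dc=example,dc=test", "bindPassword": "encoded-placeholder",
      "useSSL": false, "maxConnections": 3,
      "baseDNs": ["ou=users,dc=example,dc=test"],
      "loginAttributes": ["sAMAccountName"], "localLoginAttributes": ["uid"] },
    { "configId": "gluu_1", "servers": ["localhost:1636"],
      "bindDN": "cn=directory manager,o=gluu", "bindPassword": "encoded-placeholder",
      "useSSL": true, "maxConnections": 3, "baseDNs": ["o=gluu"],
      "loginAttributes": ["uid"], "localLoginAttributes": ["uid"] } ] }
"""

def validate_multi_auth_conf(text):
    """Return a list of problem strings; an empty list means the file looks sane."""
    problems = []
    try:
        conf = json.loads(text)
    except ValueError as e:
        return ["not valid JSON: %s" % e]
    entries = conf.get("ldap_configuration")
    if not isinstance(entries, list) or not entries:
        return ["ldap_configuration must be a non-empty list"]
    seen = set()
    for i, entry in enumerate(entries):
        cid = entry.get("configId", "<entry %d>" % i)
        for key in REQUIRED_KEYS:
            if key not in entry:
                problems.append("%s: missing key %s" % (cid, key))
        if cid in seen:
            problems.append("%s: duplicate configId" % cid)
        seen.add(cid)
        for srv in entry.get("servers", []):
            host, _, port = srv.rpartition(":")  # servers are "host:port" strings
            if not host or not port.isdigit():
                problems.append("%s: server %r is not host:port" % (cid, srv))
        # Assumption: the two attribute lists are consumed pairwise by the script.
        if len(entry.get("loginAttributes", [])) != len(entry.get("localLoginAttributes", [])):
            problems.append("%s: loginAttributes and localLoginAttributes differ in length" % cid)
        # With useSSL false the bindDN/bindPassword are sent to the LDAP server in clear.
        if entry.get("useSSL") is False:
            problems.append("%s: useSSL is false, bind credentials sent unencrypted" % cid)
    return problems
```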

By Aliaksandr Samuseu staff 08 Feb 2017 at 11:24 a.m. CST

Just a couple more suggestions that may help to troubleshoot in your case.

1. Using tools like tcpdump or Wireshark, while disabling SSL in your json file, may help to observe what is being passed over the wire. Or those tools may confirm that nothing is being passed at all.
2. Changing the location of your custom script from "Ldap" to "File" and adding debugging points printing some output to stdout may help to understand where exactly the script fails. Output printed in the script should appear in `oxauth_script.log`.

By Patrick Ethier user 08 Feb 2017 at 11:41 a.m. CST

Encoding the password hasn't changed much. Also, after a few minutes, my browser seems to be redirected to an error when I go to https://<gluu-server>/... : https://<gluu-server>/oxauth/error?cid=<some incremental number>. The page says: "Failed to Authenticate". BUT, `tail -f` on most of the logs in /opt/gluu/jetty/oxauth/logs doesn't add any entries when I refresh and/or reload the page (I'm closing Firefox and reloading with a "Private" tab). I'll attempt the script debug messages as you mention above to see if that changes anything. tcpdump (Wireshark) doesn't see anything going to the LDAP server, so there must be an error in the script (I triple-checked the copy/paste? Maybe there's a difference between 2.4.4 and 3.0.0 that hasn't been tested?)

By Patrick Ethier user 08 Feb 2017 at 1:18 p.m. CST

Ok, adding a bunch of try/except loops and prints, something breaks at line 203 of https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/basic.multi_auth_conf/BasicMultiAuthConfExternalAuthenticator.py. It looks like a "seam" component isn't initializing properly. I'm not a Java Seam guru; I'll keep digging, but this is how far I got.

By Patrick Ethier user 08 Feb 2017 at 2:05 p.m. CST

Ok, I'm hacking at this point, but in this file: https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/basic.multi_auth_conf/BasicMultiAuthConfExternalAuthenticator.py

```python
from org.jboss.seam import Component

# Then at line 204 (was 203 but we added above)
appInitializer = Component.getInstance(AppInitializer)
```

It still doesn't work, but at least it's now prompting for a username/password.

By Patrick Ethier user 08 Feb 2017 at 2:15 p.m. CST

Correction: with the code change above, once I restart the oxauth service things seem to work fine now. Shall I do a pull request on GitHub?

By Aliaksandr Samuseu staff 08 Feb 2017 at 2:20 p.m. CST

Sorry, Patrick, I have been a bit too busy lately and didn't have time to check it yet. That's great news, indeed! Thank you for doing all the work debugging the script. Yes, please feel free to pull it at GitHub if you have some time; I'll also ask the developer of the script to have a look at this ticket.

By Aliaksandr Samuseu staff 28 Feb 2017 at 4:10 p.m. CST

Closing the ticket, as the fix seems to have been added to the master branch already. Thanks again, Patrick, for all the effort you invested!