By: Tejesh Khimani user 11 Mar 2019 at 4:41 a.m. CDT

12 Responses
Tejesh Khimani gravatar
Hi Team, We have configured Cache Refresh & backend LDAP. And for Users to login, we have configured backend LDAP in Managed Authentication. Oftentimes, we are getting Proxy Error while User tries to login. After few tries User is able to login. I'm wondering what would be the issue here. Points I would like to hilght is that: 1.In Cache Refresh, I have set 15 minutes polling interval. 2.In Managed Authentication, I haven't replaced the Gluus's default LDAP, instead i have added extrenal LDAP as addtional Server. So both LDAP's are in place. 3.In managed authentication->Default Authentication Method selected are "Default acr=basic" & "oxTrust acr=auth_ldap_server". 4.Cache refresh is working fine. Whenever, i add any new users in external LDAP, those are getting syncd & can be seen in Manage People. 5. file descriptors is 65k 6. have enough memory allocations for identity, oxauth and idp. They are in /etc/defaults/ inside container. Please let me know ,if you can identify the issue based on the provided details & help me to resolve the issue. Thanks

By Michael Schwartz staff 11 Mar 2019 at 9 p.m. CDT

Michael Schwartz gravatar
Can you check the logs from /opt/gluu/jetty/oxauth/logs and and /opt/gluu/jetty/identity/logs and also the apache httpd logs and see if you can find anything unusual? The proxy error seems to indicate a problem between the apache server and the oxauth jetty process.

By Tejesh Khimani user 12 Mar 2019 at 1:44 a.m. CDT

Tejesh Khimani gravatar
Hi Michael, From below httpd.log, i could see some proxy error. but not sure what exactly the issue is. Could you please help to fix? **oxauth.log** 2019-03-12 11:45:59,921 ERROR [qtp2008017533-597321] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:517) - Failed to get attributes from session 2019-03-12 11:46:50,987 ERROR [qtp2008017533-566671] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:288) - Failed to authenticate dn: inum=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F!0000!D02D.9681,ou=people,o=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F,o=gluu 2019-03-12 11:47:57,971 ERROR [qtp2008017533-597321] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:288) - Failed to authenticate dn: inum=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F!0000!D02D.9681,ou=people,o=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F,o=gluu 2019-03-12 11:50:17,953 ERROR [qtp2008017533-589617] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:288) - Failed to authenticate dn: inum=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F!0000!D02D.9681,ou=people,o=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F,o=gluu 2019-03-12 11:51:00,958 ERROR [qtp2008017533-355162] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:288) - Failed to authenticate dn: inum=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F!0000!3506.99E6,ou=people,o=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F,o=gluu 2019-03-12 11:51:24,452 ERROR [qtp2008017533-597320] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:288) - Failed to authenticate dn: inum=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F!0000!3506.99E6,ou=people,o=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F,o=gluu 2019-03-12 11:51:28,030 ERROR [qtp2008017533-566689] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:224) - Failed to get session attributes 2019-03-12 11:51:28,031 INFO [qtp2008017533-566689] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:164) - Authentication failed for **httpd.log** [Tue Mar 12 11:51:30.976406 2019] [proxy_http:error] [pid 432] (70007)The timeout specified has expired: [client 210.212.xx.xx:31403] AH01102: error reading status line from remote server localhost:8081, referer: https://gluu/oxauth/login [Tue Mar 12 11:51:30.976495 2019] [proxy:error] [pid 432] [client 210.212.xx.xx:31403] AH00898: Error reading from remote server returned by /oxauth/login, referer: https://gluu/oxauth/login [Tue Mar 12 11:51:54.456332 2019] [proxy_http:error] [pid 13794] (70007)The timeout specified has expired: [client 210.212.xx.xx:17471] AH01102: error reading status line from remote server localhost:8081, referer: https://sso.sify.net/oxauth/login [Tue Mar 12 11:51:54.456422 2019] [proxy:error] [pid 13794] [client 210.212.xx.xx:17471] AH00898: Error reading from remote server returned by /oxauth/login, referer: https://gluu/oxauth/login ~

By Michael Schwartz staff 12 Mar 2019 at 7:40 a.m. CDT

Michael Schwartz gravatar
Anything in the cache refresh or identity log? Also, what about the logs on the remote ldap server?

By Tejesh Khimani user 12 Mar 2019 at 12:28 p.m. CDT

Tejesh Khimani gravatar
Hi Michael, I don't find any errors in cache refresh & identity log files. And w.r.t ldap, we are not capturing any logs.. I will configure to capture the logs. We are facing intermittent proxy error while login. sometimes we are able to login & some times proxy error occurs. could you please help to resolve? Thanks

By Tejesh Khimani user 12 Mar 2019 at 1:43 p.m. CDT

Tejesh Khimani gravatar
What i observe is when user password doesn't match with local gluu ldap then request is sent to external ldap. while that time it is failing oftentimes. I verified that there is no packet drop or any network connectivity issues. Wondering what can be the issue.

By Aliaksandr Samuseu staff 12 Mar 2019 at 4:04 p.m. CDT

Aliaksandr Samuseu gravatar
Hi, Tejesh. Just for you information: >What i observe is when user password doesn't match with local gluu ldap then request is sent to external ldap. If you configure Gluu to use external LDAP server for authentication on "Manager authentication" page, and without any custom scripts involved, local password will never be checked, all submitted credentials will be verified using the external server. Thus I'm not sure what you could mean in this particular case. Gluu will still check the local user entry, as it needs it to be present anyway, but its password will not be used for authentication.

By Tejesh Khimani user 12 Mar 2019 at 9:45 p.m. CDT

Tejesh Khimani gravatar
Hi Aliaksandr, I have not written any custom script, but before redirecting the to external LDAP, i could see authentication failure entry in oxauth.log & then the redirection is happening to external LDAP. You can check the above logs. My settings under "Manage Authetication->Default Authetication Method" is **Default acr**: basic **oxTrust acr**: auth_ldap_server And under "Manage Authetication->Manage LDAP Authetication", i have two LDAP configured, one gluu default & another external LDAP. Names for both the LDAP server is same "auth_ldap_server", gluu doesn't allow me to change. Please let me know if this is correct settings. Thanks

By Michael Schwartz staff 12 Mar 2019 at 10:31 p.m. CDT

Michael Schwartz gravatar
Set the Default acr to `basic_auth_ldap` too... If you want to use an external LDAP server for passwords, specify that in the form under Manage Authentication

By Tejesh Khimani user 13 Mar 2019 at 2:26 a.m. CDT

Tejesh Khimani gravatar
Hi Michael, Do you mean to say, to set "auth_ldap_server" for Default acr? In the drop down i cant find "basic_auth_ldap". Thanks

By Mohib Zico staff 20 Mar 2019 at 10:22 a.m. CDT

Mohib Zico gravatar
>> Do you mean to say, to set "auth_ldap_server" for Default acr? Correct.

By Tejesh Khimani user 28 Mar 2019 at 7:54 a.m. CDT

Tejesh Khimani gravatar
Thanks Mohib. I have set "auth_ldap_server" for Default acr. however, still issue persist. As i mentioned earlier, I have two ldap one is gluu default & other is our own internal ldap. Will this cause the issue? coz I have password available only in our internal ldap and not in gluu ldap. Should i remove gluu default ldap from Manage Authentication settings & keep only our internal ldap? Kindly assist to resolve this issue.

By Mohib Zico staff 29 Mar 2019 at 2:32 p.m. CDT

Mohib Zico gravatar
`auth_ldap_server` should point to one ldap server; either Gluu's internal ldap or your remote ldap server.