Can you check the logs from /opt/gluu/jetty/oxauth/logs and and /opt/gluu/jetty/identity/logs and also the apache httpd logs and see if you can find anything unusual? The proxy error seems to indicate a problem between the apache server and the oxauth jetty process.

Hi Michael, From below httpd.log, i could see some proxy error. but not sure what exactly the issue is. Could you please help to fix? **oxauth.log** 2019-03-12 11:45:59,921 ERROR [qtp2008017533-597321] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:517) - Failed to get attributes from session 2019-03-12 11:46:50,987 ERROR [qtp2008017533-566671] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:288) - Failed to authenticate dn: inum=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F!0000!D02D.9681,ou=people,o=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F,o=gluu 2019-03-12 11:47:57,971 ERROR [qtp2008017533-597321] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:288) - Failed to authenticate dn: inum=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F!0000!D02D.9681,ou=people,o=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F,o=gluu 2019-03-12 11:50:17,953 ERROR [qtp2008017533-589617] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:288) - Failed to authenticate dn: inum=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F!0000!D02D.9681,ou=people,o=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F,o=gluu 2019-03-12 11:51:00,958 ERROR [qtp2008017533-355162] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:288) - Failed to authenticate dn: inum=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F!0000!3506.99E6,ou=people,o=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F,o=gluu 2019-03-12 11:51:24,452 ERROR [qtp2008017533-597320] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:288) - Failed to authenticate dn: inum=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F!0000!3506.99E6,ou=people,o=@!BAA8.AE4B.37F0.D70E!0001!58FC.ED2F,o=gluu 2019-03-12 11:51:28,030 ERROR [qtp2008017533-566689] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:224) - Failed to get session attributes 2019-03-12 11:51:28,031 INFO [qtp2008017533-566689] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:164) - Authentication failed for **httpd.log** [Tue Mar 12 11:51:30.976406 2019] [proxy_http:error] [pid 432] (70007)The timeout specified has expired: [client 210.212.xx.xx:31403] AH01102: error reading status line from remote server localhost:8081, referer: https://gluu/oxauth/login [Tue Mar 12 11:51:30.976495 2019] [proxy:error] [pid 432] [client 210.212.xx.xx:31403] AH00898: Error reading from remote server returned by /oxauth/login, referer: https://gluu/oxauth/login [Tue Mar 12 11:51:54.456332 2019] [proxy_http:error] [pid 13794] (70007)The timeout specified has expired: [client 210.212.xx.xx:17471] AH01102: error reading status line from remote server localhost:8081, referer: https://sso.sify.net/oxauth/login [Tue Mar 12 11:51:54.456422 2019] [proxy:error] [pid 13794] [client 210.212.xx.xx:17471] AH00898: Error reading from remote server returned by /oxauth/login, referer: https://gluu/oxauth/login ~

Anything in the cache refresh or identity log? Also, what about the logs on the remote ldap server?

Hi Michael, I don't find any errors in cache refresh & identity log files. And w.r.t ldap, we are not capturing any logs.. I will configure to capture the logs. We are facing intermittent proxy error while login. sometimes we are able to login & some times proxy error occurs. could you please help to resolve? Thanks

What i observe is when user password doesn't match with local gluu ldap then request is sent to external ldap. while that time it is failing oftentimes. I verified that there is no packet drop or any network connectivity issues. Wondering what can be the issue.

Hi, Tejesh. Just for you information: >What i observe is when user password doesn't match with local gluu ldap then request is sent to external ldap. If you configure Gluu to use external LDAP server for authentication on "Manager authentication" page, and without any custom scripts involved, local password will never be checked, all submitted credentials will be verified using the external server. Thus I'm not sure what you could mean in this particular case. Gluu will still check the local user entry, as it needs it to be present anyway, but its password will not be used for authentication.

Hi Aliaksandr, I have not written any custom script, but before redirecting the to external LDAP, i could see authentication failure entry in oxauth.log & then the redirection is happening to external LDAP. You can check the above logs. My settings under "Manage Authetication->Default Authetication Method" is **Default acr**: basic **oxTrust acr**: auth_ldap_server And under "Manage Authetication->Manage LDAP Authetication", i have two LDAP configured, one gluu default & another external LDAP. Names for both the LDAP server is same "auth_ldap_server", gluu doesn't allow me to change. Please let me know if this is correct settings. Thanks

Set the Default acr to `basic_auth_ldap` too... If you want to use an external LDAP server for passwords, specify that in the form under Manage Authentication

Hi Michael, Do you mean to say, to set "auth_ldap_server" for Default acr? In the drop down i cant find "basic_auth_ldap". Thanks

>> Do you mean to say, to set "auth_ldap_server" for Default acr? Correct.

Thanks Mohib. I have set "auth_ldap_server" for Default acr. however, still issue persist. As i mentioned earlier, I have two ldap one is gluu default & other is our own internal ldap. Will this cause the issue? coz I have password available only in our internal ldap and not in gluu ldap. Should i remove gluu default ldap from Manage Authentication settings & keep only our internal ldap? Kindly assist to resolve this issue.

`auth_ldap_server` should point to one ldap server; either Gluu's internal ldap or your remote ldap server.