By: George Hanson user 15 Oct 2019 at 1:30 p.m. CDT

13 Responses
I'm having trouble setting up authentication through our existing Active Directory (AD) server. I got cache refresh set up and my users exist in gluu's local ldap server. Then I went to set up authentication in the Manage Configuration page. This is where my trouble started. No matter what I try, I'm getting authentication failed on the login page. The docs aren't that clear on how to set this up, so I tried many different ways of inputting the source server with no success. There's a video tutorial of version 3, but he edits the existing auth_ldap_server instead of adding a new source server. (tried that with no success) And this [page](https://gluu.org/docs/ce/4.0/admin-guide/oxtrust-ui/#manage-ldap-authentication) just describes the form fields. So I added an extra source server and put in my credentials but it doesn't seem to work. I make sure that Test LDAP Connection always succeeds but it seems to have no effect on login. Out of desperation, I did a packet capture and it does **not** contact the backend AD server when I attempt to log in with a user. So I'm not entirely sure if my settings are correct on the web gui. I'm sure that my user / passwords are correct and I've connected successfully with them through LDAP browsers. Anyway, here's my jetty log when I log in with just an extra source server added for my AD backend and a screenshot of the Manage LDAP Authentication tab. The rest of the tabs are default values. I'm new to this so it might be a simple mistake! Let me know if you have any suggestions. Thank you for your time. 
```
2019-10-15 18:01:17,516 INFO [Thread-171] [org.gluu.oxauth.service.AppInitializer] (AppInitializer.java:462) - Recreated instance persistenceAuthEntryManager: [org.gluu.persist.ldap.impl.LdapEntryManager@5fa33111, org.gluu.persist.ldap.impl.LdapEntryManager@1f81507]
2019-10-15 18:01:33,069 ERROR [qtp105704967-17] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:314) - Failed to find entries with baseDN: OU=MYORG,DC=MYORG,DC=LOC, filter: (&(&(objectClass=top))(&(sAMAccountName=usertest1)))
org.gluu.persist.exception.EntryPersistenceException: Failed to find entries with baseDN: OU=MYORG,DC=MYORG,DC=LOC, filter: (&(&(objectClass=top))(&(sAMAccountName=usertest1)))
    at org.gluu.persist.ldap.impl.LdapEntryManager.findEntries(LdapEntryManager.java:441) ~[oxcore-persistence-ldap-4.0.rc1.jar:?]
    at org.gluu.persist.impl.BaseEntryManager.findEntries(BaseEntryManager.java:172) ~[oxcore-persistence-core-4.0.rc1.jar:?]
    at org.gluu.persist.impl.BaseEntryManager.findEntries(BaseEntryManager.java:139) ~[oxcore-persistence-core-4.0.rc1.jar:?]
    at org.gluu.oxauth.service.AuthenticationService.getUserByAttribute(AuthenticationService.java:382) ~[classes/:?]
    at org.gluu.oxauth.service.AuthenticationService.authenticate(AuthenticationService.java:283) [classes/:?]
    at org.gluu.oxauth.service.AuthenticationService.externalAuthenticate(AuthenticationService.java:201) [classes/:?]
    at org.gluu.oxauth.service.AuthenticationService.authenticate(AuthenticationService.java:123) [classes/:?]
    at org.gluu.oxauth.service.external.internal.InternalDefaultPersonAuthenticationType.authenticate(InternalDefaultPersonAuthenticationType.java:38) [classes/:?]
    at org.gluu.oxauth.service.external.ExternalAuthenticationService.executeExternalAuthenticate(ExternalAuthenticationService.java:196) [classes/:?]
    at org.gluu.oxauth.service.external.ExternalAuthenticationService$Proxy$_$$_WeldClientProxy.executeExternalAuthenticate(Unknown Source) [classes/:?]
    at org.gluu.oxauth.auth.Authenticator.userAuthenticationInteractive(Authenticator.java:320) [classes/:?]
    at org.gluu.oxauth.auth.Authenticator.authenticateImpl(Authenticator.java:203) [classes/:?]
    at org.gluu.oxauth.auth.Authenticator.authenticate(Authenticator.java:132) [classes/:?]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_222]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_222]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_222]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_222]
    at org.apache.el.parser.AstValue.invoke(AstValue.java:247) [org.mortbay.jasper.apache-el-8.5.40.jar:8.5.40]
    at org.apache.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:267) [org.mortbay.jasper.apache-el-8.5.40.jar:8.5.40]
    at org.jboss.weld.module.web.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40) [weld-web-3.1.1.Final.jar:3.1.1.Final]
    at org.jboss.weld.module.web.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50) [weld-web-3.1.1.Final.jar:3.1.1.Final]
    at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:105) [javax.faces-2.2.16.jar:2.2.16]
    at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:87) [javax.faces-2.2.16.jar:2.2.16]
    at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102) [javax.faces-2.2.16.jar:2.2.16]
    at javax.faces.component.UICommand.broadcast(UICommand.java:315) [javax.faces-2.2.16.jar:2.2.16]
    at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:790) [javax.faces-2.2.16.jar:2.2.16]
    at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1282) [javax.faces-2.2.16.jar:2.2.16]
    at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81) [javax.faces-2.2.16.jar:2.2.16]
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) [javax.faces-2.2.16.jar:2.2.16]
    at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:198) [javax.faces-2.2.16.jar:2.2.16]
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:658) [javax.faces-2.2.16.jar:2.2.16]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:876) [jetty-servlet-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623) [jetty-servlet-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:214) [websocket-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) [jetty-servlet-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.gluu.oxauth.audit.debug.ServletLoggingFilter.doFilter(ServletLoggingFilter.java:67) [classes/:?]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602) [jetty-servlet-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540) [jetty-servlet-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) [jetty-security-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1711) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1347) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480) [jetty-servlet-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1678) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1249) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:152) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.Server.handle(Server.java:505) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) [jetty-io-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) [jetty-util-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) [jetty-util-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) [jetty-util-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) [jetty-util-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) [jetty-util-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:781) [jetty-util-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:917) [jetty-util-9.4.19.v20190610.jar:9.4.19.v20190610]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
Caused by: org.gluu.persist.exception.operation.SearchException: Failed to scroll to specified start
    at org.gluu.persist.ldap.operation.impl.LdapOperationsServiceImpl.searchImpl(LdapOperationsServiceImpl.java:403) ~[oxcore-persistence-ldap-4.0.rc1.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapOperationsServiceImpl.search(LdapOperationsServiceImpl.java:305) ~[oxcore-persistence-ldap-4.0.rc1.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManager.findEntries(LdapEntryManager.java:438) ~[oxcore-persistence-ldap-4.0.rc1.jar:?]
    ... 67 more
Caused by: com.unboundid.ldap.sdk.LDAPSearchException: The entry OU=MYORG,DC=MYORG,DC=LOC specified as the search base does not exist in the Directory Server
    at com.unboundid.ldap.sdk.LDAPConnection.search(LDAPConnection.java:3772) ~[unboundid-ldapsdk-4.0.7.jar:4.0.7]
    at org.gluu.persist.ldap.operation.impl.LdapOperationsServiceImpl.searchImpl(LdapOperationsServiceImpl.java:373) ~[oxcore-persistence-ldap-4.0.rc1.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapOperationsServiceImpl.search(LdapOperationsServiceImpl.java:305) ~[oxcore-persistence-ldap-4.0.rc1.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManager.findEntries(LdapEntryManager.java:438) ~[oxcore-persistence-ldap-4.0.rc1.jar:?]
    ... 67 more
2019-10-15 18:01:33,090 ERROR [qtp105704967-17] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:314) - Failed to authenticate DN: inum=0000!4F79.B927,ou=people,o=gluu
org.gluu.persist.exception.AuthenticationException: Failed to authenticate DN: inum=0000!4F79.B927,ou=people,o=gluu
    at org.gluu.persist.ldap.impl.LdapEntryManager.authenticate(LdapEntryManager.java:727) ~[oxcore-persistence-ldap-4.0.rc1.jar:?]
    at org.gluu.oxauth.service.AuthenticationService.authenticate(AuthenticationService.java:287) [classes/:?]
    at org.gluu.oxauth.service.AuthenticationService.externalAuthenticate(AuthenticationService.java:201) [classes/:?]
    at org.gluu.oxauth.service.AuthenticationService.authenticate(AuthenticationService.java:123) [classes/:?]
    at org.gluu.oxauth.service.external.internal.InternalDefaultPersonAuthenticationType.authenticate(InternalDefaultPersonAuthenticationType.java:38) [classes/:?]
    at org.gluu.oxauth.service.external.ExternalAuthenticationService.executeExternalAuthenticate(ExternalAuthenticationService.java:196) [classes/:?]
    at org.gluu.oxauth.service.external.ExternalAuthenticationService$Proxy$_$$_WeldClientProxy.executeExternalAuthenticate(Unknown Source) [classes/:?]
    at org.gluu.oxauth.auth.Authenticator.userAuthenticationInteractive(Authenticator.java:320) [classes/:?]
    at org.gluu.oxauth.auth.Authenticator.authenticateImpl(Authenticator.java:203) [classes/:?]
    at org.gluu.oxauth.auth.Authenticator.authenticate(Authenticator.java:132) [classes/:?]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_222]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_222]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_222]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_222]
    at org.apache.el.parser.AstValue.invoke(AstValue.java:247) [org.mortbay.jasper.apache-el-8.5.40.jar:8.5.40]
    at org.apache.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:267) [org.mortbay.jasper.apache-el-8.5.40.jar:8.5.40]
    at org.jboss.weld.module.web.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40) [weld-web-3.1.1.Final.jar:3.1.1.Final]
    at org.jboss.weld.module.web.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50) [weld-web-3.1.1.Final.jar:3.1.1.Final]
    at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:105) [javax.faces-2.2.16.jar:2.2.16]
    at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:87) [javax.faces-2.2.16.jar:2.2.16]
    at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102) [javax.faces-2.2.16.jar:2.2.16]
    at javax.faces.component.UICommand.broadcast(UICommand.java:315) [javax.faces-2.2.16.jar:2.2.16]
    at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:790) [javax.faces-2.2.16.jar:2.2.16]
    at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1282) [javax.faces-2.2.16.jar:2.2.16]
    at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81) [javax.faces-2.2.16.jar:2.2.16]
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) [javax.faces-2.2.16.jar:2.2.16]
    at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:198) [javax.faces-2.2.16.jar:2.2.16]
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:658) [javax.faces-2.2.16.jar:2.2.16]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:876) [jetty-servlet-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623) [jetty-servlet-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:214) [websocket-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610) [jetty-servlet-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.gluu.oxauth.audit.debug.ServletLoggingFilter.doFilter(ServletLoggingFilter.java:67) [classes/:?]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602) [jetty-servlet-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540) [jetty-servlet-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) [jetty-security-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1711) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1347) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480) [jetty-servlet-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1678) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1249) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:152) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.Server.handle(Server.java:505) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267) [jetty-server-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) [jetty-io-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) [jetty-util-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) [jetty-util-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) [jetty-util-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) [jetty-util-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) [jetty-util-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:781) [jetty-util-9.4.19.v20190610.jar:9.4.19.v20190610]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:917) [jetty-util-9.4.19.v20190610.jar:9.4.19.v20190610]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
Caused by: org.gluu.persist.exception.operation.ConnectionException: Failed to authenticate dn
    at org.gluu.persist.ldap.operation.impl.LdapOperationsServiceImpl.authenticate(LdapOperationsServiceImpl.java:214) ~[oxcore-persistence-ldap-4.0.rc1.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManager.authenticate(LdapEntryManager.java:725) ~[oxcore-persistence-ldap-4.0.rc1.jar:?]
    ... 64 more
Caused by: com.unboundid.ldap.sdk.LDAPBindException: invalid credentials
    at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2273) ~[unboundid-ldapsdk-4.0.7.jar:4.0.7]
    at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2228) ~[unboundid-ldapsdk-4.0.7.jar:4.0.7]
    at org.gluu.persist.ldap.operation.impl.LdapOperationsServiceImpl.authenticateBindConnectionPoolImpl(LdapOperationsServiceImpl.java:285) ~[oxcore-persistence-ldap-4.0.rc1.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapOperationsServiceImpl.authenticateImpl(LdapOperationsServiceImpl.java:242) ~[oxcore-persistence-ldap-4.0.rc1.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapOperationsServiceImpl.authenticate(LdapOperationsServiceImpl.java:212) ~[oxcore-persistence-ldap-4.0.rc1.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManager.authenticate(LdapEntryManager.java:725) ~[oxcore-persistence-ldap-4.0.rc1.jar:?]
    ... 64 more
2019-10-15 18:01:33,093 INFO [qtp105704967-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:223) - Authentication failed for 'usertest1'
```

![](https://i.imgur.com/fCDiirD.png)

![](http://i.imgur.com/evs4Uoy.png)

By Aliaksandr Samuseu staff 15 Oct 2019 at 1:57 p.m. CDT

Hi, George. Try to open the `/etc/gluu/conf/ox-ldap.properties` file inside the container and comment out the next 3 lines like this:

```
#ssl.trustStoreFile: /etc/certs/opendj.pkcs12
#ssl.trustStorePin: k/U7HlS1c46TQxNBM6e8DQ==
#ssl.trustStoreFormat: pkcs12
```

Then restart the "oxauth" service and check whether the issue still exists. Let me know how it goes.

By George Hanson user 15 Oct 2019 at 2:19 p.m. CDT

Sure thing. That file does not exist, but `/etc/gluu/conf/gluu-ldap.properties` does. When I comment out those lines, I get the same result, authentication failed and the log messages are the same. :( I did another capture and it does not seem to contact the AD ldap server when I log in with my test user on the website.

By Aliaksandr Samuseu staff 15 Oct 2019 at 2:32 p.m. CDT

Yes, forgot the file name was changed in 4.0, sorry. Do you reference your AD instance by DNS name, or by IP address, when configuring authentication? If it's the former, are you sure that DNS name is resolvable **from inside the container**? In addition, please dump your current CR and authentication settings and share them with us:

1. Move into Gluu's container
2. Put your LDAP password in `/tmp/.dpw` (it's the same as the default admin's password was right after installation)
3. Dump the CR's properties: `# /opt/opendj/bin/ldapsearch -h 127.0.0.1 -p 1636 -s sub -T -Z -X -D 'cn=directory manager' -j /tmp/.dpw -b 'o=gluu' -z 3 '(&(objectclass=oxtrustconfiguration))' oxTrustConfCacheRefresh`
4. Dump auth settings: `# /opt/opendj/bin/ldapsearch -h 127.0.0.1 -p 1636 -s sub -T -Z -X -D 'cn=directory manager' -j /tmp/.dpw -b 'o=gluu' -z 3 '&(objectclass=gluuConfiguration)' oxIDPAuthentication`

By George Hanson user 15 Oct 2019 at 3:18 p.m. CDT

Absolutely, here is the output of those commands. I'm using an IP so I think we can rule out DNS.

```
root@login:~# /opt/opendj/bin/ldapsearch -h 127.0.0.1 -p 1636 -s sub -Z -X -D 'cn=directory manager' -j /tmp/.dpw -b 'o=gluu' -z 3 '(&(objectclass=oxtrustconfiguration))' oxTrustConfCacheRefresh
dn: ou=oxtrust,ou=configuration,o=gluu
oxTrustConfCacheRefresh: {"sourceConfigs":[{"configId":"MYORGAD","bindDN":"CN=Service LDAP,CN=Managed Service Accounts,DC=MYORG,DC=LOC","bindPassword":"MY_PW_1","servers":["10.10.30.27:389"],"maxConnections":5,"useSSL":false,"baseDNs":["OU=MYORG,DC=MYORG,DC=LOC"],"primaryKey":null,"localPrimaryKey":null,"useAnonymousBind":false,"enabled":false,"version":0,"level":0}],"inumConfig":{"configId":"local_inum","bindDN":"cn=directory manager","bindPassword":"MY_PW_2","servers":["localhost:1636"],"maxConnections":10,"useSSL":true,"baseDNs":["ou=cache-refresh,o=site"],"primaryKey":null,"localPrimaryKey":null,"useAnonymousBind":false,"enabled":true,"version":0,"level":0},"targetConfig":{"configId":null,"bindDN":null,"bindPassword":null,"servers":[],"maxConnections":0,"useSSL":false,"baseDNs":[],"primaryKey":null,"localPrimaryKey":null,"useAnonymousBind":false,"enabled":false,"version":0,"level":0},"ldapSearchSizeLimit":1000,"keyAttributes":["sAMAccountName"],"keyObjectClasses":["user"],"sourceAttributes":["cn","sn","mail","givenName","company","c","displayName"],"customLdapFilter":"","updateMethod":"copy","defaultInumServer":false,"keepExternalPerson":true,"useSearchLimit":false,"attributeMapping":[{"source":"sAMAccountName","destination":"uid"},{"source":"c","destination":"c"},{"source":"sn","destination":"sn"},{"source":"mail","destination":"mail"},{"source":"givenName","destination":"givenName"},{"source":"displayName","destination":"displayName"},{"source":"company","destination":"o"},{"source":"co","destination":"co"}],"snapshotFolder":"/var/gluu/identity/cr-snapshots","snapshotMaxCount":20}
root@login:~# /opt/opendj/bin/ldapsearch -h 127.0.0.1 -p 1636 -s sub -Z -X -D 'cn=directory manager' -j /tmp/.dpw -b 'o=gluu' -z 3 '&(objectclass=gluuConfiguration)' oxIDPAuthentication
dn: ou=configuration,o=gluu
oxIDPAuthentication: {"type":"auth","name":"MYORGAD","level":0,"priority":0,"enabled":true,"version":1,"fields":[],"config":{"configId":"MYORGAD","bindDN":"CN=Service LDAP,CN=Managed Service Accounts,DC=MYORG,DC=LOC","bindPassword":"MY_PW_1","servers":["10.10.30.27:389"],"maxConnections":10,"useSSL":false,"baseDNs":["OU=MYORG,DC=MYORG,DC=LOC"],"primaryKey":"sAMAccountName","localPrimaryKey":"uid","useAnonymousBind":false,"enabled":true,"version":0,"level":0}}
oxIDPAuthentication: {"type":"auth","name":"auth_ldap_server","level":0,"priority":0,"enabled":true,"version":1,"fields":[],"config":{"configId":"auth_ldap_server","bindDN":"cn=directory manager","bindPassword":"MY_PW_2","servers":["localhost:1636"],"maxConnections":1000,"useSSL":true,"baseDNs":["ou=people,o=gluu"],"primaryKey":"uid","localPrimaryKey":"uid","useAnonymousBind":false,"enabled":true,"version":0,"level":0}}
```

Proof of the container reaching the backend AD server:

```
root@login:~# /opt/opendj/bin/ldapsearch -h 10.10.30.27 -p 389 -s sub -X -D 'CN=Service LDAP,CN=Managed Service Accounts,DC=MYORG,DC=LOC' -w 'MY_PW_3' -b 'OU=MYORG,DC=MYORG,DC=LOC' -z 3 '(&(&(objectClass=top))(&(sAMAccountName=testacct1)))' sAMAccountName
dn: CN=Test Acct1,OU=Users,OU=MYORG,DC=MYORG,DC=LOC
sAMAccountName: testacct1
```

My hunch is that it's not even trying to reach the backend LDAP server when a user attempts to sign in. I could be wrong. :)

By Aliaksandr Samuseu staff 16 Oct 2019 at 6:41 a.m. CDT

Hi, George. I don't think I've seen a multivalued `oxIDPAuthentication` attribute before. What does your configuration on the "Manage authentication" page look like at the moment? Please provide a screenshot to us. You mentioned before that at some point you tried to add more than one server on that page - did you remove that extra server after that?

By George Hanson user 16 Oct 2019 at 9:34 a.m. CDT

A screenshot of the tab can be found in the first post. What I tried first was adding the remote ldap server (via the Add source LDAP server button) in addition to the local server that was already populated. That did not work and gives me the same errors as in the first post. Based on the video linked in the docs, it looks like you replace the default auth_ldap_server with your remote server in v3. I tried that too just now with no luck. (authentication failed with the same error messages). In addition the local admin account no longer works :(. At least I got the oxIDPAuthentication dumped above so I should be able to restore that attribute, restart, and get back in. I think it's worth noting that a packet capture doesn't see any attempt to reach the remote ldap server when trying to sign in as a user from the web login page.

By Aliaksandr Samuseu staff 16 Oct 2019 at 9:45 a.m. CDT

So, you currently still have 2 LDAP servers defined on the "Manage authentication" page? I wouldn't really recommend this; in fact I don't think we've dealt with such a configuration lately (the last time I saw something like this was in the times of the 2.x packages). Unless you really need to have 2 different LDAP servers (i.e. your userbase is spread across several servers), I wouldn't do this.

> it looks like you replace the default auth_ldap_server with your remote server

Right, that's the usual way to do it. In your case, I would try to restore the original configuration (remove your remote server from there, and restore the original state of the "auth_ldap_server" entry), make sure you can log in with your default "admin" user now - and then just update the "auth_ldap_server" entry to point to your remote server. If it still doesn't help, please dump the auth settings again and share them with us (using the same filter `'&(objectclass=gluuConfiguration)' oxIDPAuthentication`).

By George Hanson user 16 Oct 2019 at 12:19 p.m. CDT

Thanks, but still no luck. Just so we are on the same page, there is only one auth LDAP server and it's called auth_ldap_server. When I attempt to log in, I get authentication failed and I don't see any contact with my remote LDAP server (10.10.30.27). Here is the value of oxIDPAuthentication and a screenshot below. Not sure what to try next.

```
dn: ou=configuration,o=gluu
oxIDPAuthentication: {"type":"auth","name":"auth_ldap_server","level":0,"priority":0,"enabled":true,"version":1,"fields":[],"config":{"configId":"auth_ldap_server","bindDN":"CN=Service LDAP,CN=Managed Service Accounts,DC=MYORG,DC=LOC","bindPassword":"MY_PW_HASH","servers":["10.10.30.27:389"],"maxConnections":1000,"useSSL":false,"baseDNs":["OU=MYORG,DC=MYORG,DC=LOC"],"primaryKey":"sAMAccountName","localPrimaryKey":"uid","useAnonymousBind":false,"enabled":true,"version":0,"level":0}}
```

![](http://i.imgur.com/BLHguNB.png)

By Aliaksandr Samuseu staff 16 Oct 2019 at 1:44 p.m. CDT

I see, thanks. Just to be sure: are you using the latest release? Please check which version exactly: `# apt list --installed | grep -i gluu` If it's not the latest RC package - please install one and re-try.

By George Hanson user 16 Oct 2019 at 1:55 p.m. CDT

I think so, I set up the VM last week. Well, I could nuke the whole installation and try again. I'll do that and let you know how it goes. If you think of anything to try, just let me know, thanks. My version of gluu-server is: `gluu-server/now 4.0-rc1-88~bionic+Ub18.04 amd64 [installed,local]`

By Aliaksandr Samuseu staff 16 Oct 2019 at 2:33 p.m. CDT

Yes, I think clean re-install may be the best option here, if you haven't invested some time into it. I'll try to reproduce it locally meanwhile.

By George Hanson user 18 Oct 2019 at 1:14 p.m. CDT

I'm afraid I get the same result "Failed to authenticate." for any of my active directory (AD) users. Additionally, when I modify auth_ldap_server to point to my backend AD server, it locks me out of any local and admin accounts. So I can't log into my local or remote accounts, very odd. (Probably because it's using the AD base DN on the local ldap server, if I had to guess..) Log messages are the same as in the first post. I tried two times to set it up as minimally as possible. I follow the steps of the video, just setting up cache refresh from my AD server to the local ldap importing just three attributes: samaccountname -> uid, cn -> cn, sn -> sn. That succeeds with no errors and the users exist in gluu. Then I set up auth by modifying auth_ldap_server with my AD server. Packet capture does not pick up any activity to the AD server during user authentication. Still puzzled on what to try next... I guess I could downgrade to version 3 and try that. Any ideas? Thanks so much for the assistance.

By George Hanson user 23 Oct 2019 at 2:13 p.m. CDT

Downgrading to version gluu-server-3.1.6.sp1 fixes my issue and now my Active Directory users can log in. Anything I can do to help you narrow down the problem on v4?

Edit: Ah, I see you created an [issue](https://github.com/GluuFederation/oxAuth/issues/1180) on GitHub for me. Glad you were able to reproduce.

Edit2: I downloaded [this](https://repo.gluu.org/ubuntu/pool/main/bionic/gluu-server_4.0~bionic_amd64.deb) version of v4 updated 2019-10-20 and it seems to work now.. Confused as hell but I'm happy to move forward.

```
root@gluu:~# md5sum gluu-server_4.0~bionic_amd64.deb
54ee9df6209786bd4d867bc36e7e6d33  gluu-server_4.0~bionic_amd64.deb
```