By: Kee Wee Wong named 24 Oct 2019 at 3:43 a.m. CDT

8 Responses
Hi Support, We noticed that we are getting an "OOPS An unexpected error has occured at null login.errorSessionInvalidMessage" error message on the login page after adding and activating an AD Authentication server to LDAP Authentication. Upon troubleshooting, we noticed that when we click "Activate" on the AD server in "Manage LDAP Authentication", the auth_ldap_server is automatically deactivated. When we inspected the ou=configuration entry in the LDAP server, it shows that the default LDAP server, auth_ldap_server, has been disabled and the oxAuthenticationMode and oxTrustAuthenticationMode are still the default entry "simple_password_auth". In the "Default Authentication Method" tab, the Default acr and oxTrust acr are both still the new authenticator even though the ou=configuration is still showing the default entry. Once we click update in "Default Authentication Method", the AuthenticationMode values are updated and we are able to access the login page. I have attached the ldif of ou=configuration from before adding the AD server, after adding the AD server and after updating the Default Authentication Method. Is this the correct behaviour for adding LDAP servers?
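A consistency check for the ou=configuration state described in this post, added here as an example and not part of the thread or of Gluu: it parses an LDIF export of the entry and flags any oxAuthenticationMode / oxTrustAuthenticationMode value that points at a disabled or missing authentication server. The oxIDPAuthentication JSON layout and the mapping of "simple_password_auth" to the built-in auth_ldap_server are assumptions; the sample LDIF is constructed.

```python
import base64
import json
from typing import Dict, List

# Constructed sample: ou=configuration right after activating the AD server
# (default server disabled, both modes still on the default acr). The
# oxIDPAuthentication JSON layout is an assumed schema, not from the thread.
SAMPLE_LDIF = """dn: ou=configuration,o=gluu
ou: configuration
oxAuthenticationMode: simple_password_auth
oxTrustAuthenticationMode: simple_password_auth
oxIDPAuthentication: {"type":"auth","config":{"configId":"auth_ldap_server","enabled":false}}
oxIDPAuthentication: {"type":"auth","config":{"configId":"ad_server",
 "enabled":true}}
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attr -> values, unfolding continuation
    lines (leading space) and decoding base64 ('::') values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr, []).append(value.strip())
    return entry


def check_auth_consistency(entry: Dict[str, List[str]]) -> List[str]:
    """Each acr named by the two *AuthenticationMode attributes must map to
    an enabled authentication server; return one message per violation."""
    servers: Dict[str, bool] = {}
    for blob in entry.get("oxIDPAuthentication", []):
        cfg = json.loads(blob).get("config", {})
        servers[cfg.get("configId")] = bool(cfg.get("enabled"))
    problems: List[str] = []
    for attr in ("oxAuthenticationMode", "oxTrustAuthenticationMode"):
        for mode in entry.get(attr, []):
            # assumed: the default acr is served by the built-in auth_ldap_server
            server = "auth_ldap_server" if mode == "simple_password_auth" else mode
            if not servers.get(server, False):
                problems.append(f"{attr}={mode}: server '{server}' missing or disabled")
    return problems
```

Run it against the "after adding the AD server" export to confirm the mismatch before touching the UI, and again after updating the Default Authentication Method to confirm it reports nothing.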

By Mohib Zico staff 25 Oct 2019 at 4:04 a.m. CDT

Hi, You might need to hit 'Update' twice (one after changing Manage Authentication value + one after changing Default authentication method). Check out Part 3 video from our new [Cache Refresh](https://gluu.org/docs/ce/4.0/user-management/ldap-sync/) doc.

By Kee Wee Wong named 28 Oct 2019 at 10:44 p.m. CDT

Hi Mohib, I have watched the Cache Refresh video. In the video, the instructor replaces the default LDAP with the new external LDAP. What I am doing is adding an additional LDAP server in addition to the built-in LDAP as we wish to retain the admin user for logins. This is not the behaviour in Gluu 3.1.6 SP1 though, I just tested with a fresh install. When I added the new external LDAP, the internal LDAP is not deactivated and I need not perform any additional steps to authenticate with the external LDAP server. And I do not get the "OOPS" error after adding an external LDAP server.

By Mohib Zico staff 29 Oct 2019 at 2:18 a.m. CDT

>> In the video, the instructor replaces the default LDAP with the new external LDAP

Right. Authentication will happen "against" backend AD/external LDAP. BUT, note that: default LDAP is "never" replaced or Deactivated by anything... internal LDAP is "always" inside Gluu Server to store data. Just 'Manage Authentication' is changed to external LDAP because we did not pull 'userPassword' in Cache Refresh so this password is not stored inside internal LDAP in this case.

>> What I am doing is adding an additional LDAP server in addition to the built-in LDAP as we wish to retain the admin user for logins.

That wasn't included in your primary comment.. or did I miss anything?

>> This is not the behaviour in Gluu 3.1.6 SP1 though, I just tested with a fresh install. When I added the new external LDAP, the internal LDAP is not deactivated and I need not perform any additional steps to authenticate with the external LDAP server.

You can't run two LDAP servers (internal + external) for "authentication" (note down: authentication) together without using a custom script; that's not possible, not even in any version of Gluu.

By Kee Wee Wong named 29 Oct 2019 at 3:06 a.m. CDT

Hi Mohib, My original post mentioned

> adding and activating an AD Authentication server to LDAP Authentication.

Sorry if I wasn't clear in my original post.

> You can't run two LDAP server ( internal + external ) for "authentication" ( note down: authentication) together without using custom script; that's not possible, not even in any version of Gluu.

In that case, have I been configuring Gluu wrongly in 3.1.6? (see attachment) Anyway, my point is, once I have configured an additional LDAP server (in this case an AD server), I am getting an "OOPS" error during login. And until I go into Default Authentication Method and click update, it breaks the login page. This step wasn't documented and it doesn't seem intuitive when adding an external server.

By Mohib Zico staff 29 Oct 2019 at 3:33 a.m. CDT

>> In that case, have I been configuring Gluu wrongly in 3.1.6? (see attachment)

wow! Does it even work? I never tried that. I always used the [basic_multi_auth](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/basic.multi_auth_conf) script for multiple backend AD authentication.

>> And until I go into Default Authentication Method and click update, it breaks the login page.

You mean.. until and unless you hit "Update" in "Default Authentication" page, it's not working?

By Kee Wee Wong named 29 Oct 2019 at 4:59 a.m. CDT

> You mean.. until and unless you hit "Update" in "Default Authentication" page, it's not working?

Yes, that is correct. I am able to reproduce it consistently in a new install. Perhaps we can arrange a Zoom session and I can show it to you?

By Mohib Zico staff 29 Oct 2019 at 6:26 a.m. CDT

Sure, that will be great! Here is where you can book a call: https://gluu.org/book-support

By Mohib Zico staff 06 Nov 2019 at 2:14 a.m. CST

Hello Kee Wee, I have prepared some snapshots and texts and supplied them to the doc team so they can add them to the 'AD/LDAP Synchronization' page. Thanks much for your suggestion. I'll update you when the new doc is pushed.