By: Yunus Raza user 03 Sep 2020 at 3:48 a.m. CDT

2 Responses
# Environment

Development

# Authentication

Microsoft LDAP

Profile in use: OpenID

# Cache refresh settings

- sAMAccountName <---> uid
- sn <---> sn
- mail <---> mail

# Issue:

In Microsoft Active Directory, the users are created with the setting "user must change the password at next logon". However, during authentication for such users, we get the message "Failed to authenticate". It looks like Gluu is not able to understand the setting in AD, or some additional config is required which I am not aware of, as I am evaluating the product and do not know everything about it. oxauth.log has not been much help with DEBUG mode on.

```
2020-09-03 08:31:04,935 DEBUG [qtp1157726741-16] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:393) - Attempting to find userDN by primary key: 'uid' and key value: 'demo', credentials: '1058391464'
2020-09-03 08:31:04,935 DEBUG [qtp1157726741-16] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:496) - Getting user information from LDAP: attributeName = 'uid', attributeValue = 'demo'
2020-09-03 08:31:04,935 DEBUG [qtp1157726741-16] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:511) - Searching user by attributes: '[Attribute [name=uid, values=[demo]]]', baseDn: 'ou=people,o=gluu'
2020-09-03 08:31:04,946 DEBUG [qtp1157726741-16] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:513) - Found '1' entries
2020-09-03 08:31:04,959 DEBUG [qtp1157726741-16] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:416) - Attempting to authenticate userDN: inum=0000!29EA.069E,ou=people,o=gluu
2020-09-03 08:31:04,965 ERROR [qtp1157726741-16] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:444) - Failed to authenticate DN: inum=0000!29EA.069E,ou=people,o=gluu
org.gluu.persist.exception.AuthenticationException: Failed to authenticate DN: inum=0000!29EA.069E,ou=people,o=gluu
    at org.gluu.persist.ldap.impl.LdapEntryManager.authenticate(LdapEntryManager.java:745) ~[oxcore-persistence-ldap-4.2.0.Final.jar:?]
    at org.gluu.oxauth.service.AuthenticationService.authenticateImpl(AuthenticationService.java:417) ~[classes/:?]
    at org.gluu.oxauth.service.AuthenticationService.authenticate(AuthenticationService.java:363) ~[classes/:?]
    at org.gluu.oxauth.service.AuthenticationService.externalAuthenticate(AuthenticationService.java:296) ~[classes/:?]
    at org.gluu.oxauth.service.AuthenticationService.authenticate(AuthenticationService.java:135) ~[classes/:?]
    at org.gluu.oxauth.service.external.internal.InternalDefaultPersonAuthenticationType.authenticate(InternalDefaultPersonAuthenticationType.java:38) ~[classes/:?]
    at org.gluu.oxauth.service.external.ExternalAuthenticationService.executeExternalAuthenticate(ExternalAuthenticationService.java:210) ~[classes/:?]
    at org.gluu.oxauth.service.external.ExternalAuthenticationService$Proxy$_$$_WeldClientProxy.executeExternalAuthenticate(Unknown Source) ~[classes/:?]
    at org.gluu.oxauth.auth.Authenticator.userAuthenticationInteractive(Authenticator.java:320) ~[classes/:?]
    at org.gluu.oxauth.auth.Authenticator.authenticateImpl(Authenticator.java:203) ~[classes/:?]
    at org.gluu.oxauth.auth.Authenticator.authenticate(Authenticator.java:127) ~[classes/:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.apache.el.parser.AstValue.invoke(AstValue.java:247) ~[org.mortbay.jasper.apache-el-8.5.40.jar:8.5.40]
    at org.apache.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:267) ~[org.mortbay.jasper.apache-el-8.5.40.jar:8.5.40]
    at org.jboss.weld.module.web.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40) ~[weld-web-3.1.4.Final.jar:3.1.4.Final]
    at org.jboss.weld.module.web.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50) ~[weld-web-3.1.4.Final.jar:3.1.4.Final]
    at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:89) ~[javax.faces-2.4.0.jar:2.4.0]
    at com.sun.faces.application.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:90) ~[javax.faces-2.4.0.jar:2.4.0]
    at com.sun.faces.application.ActionListenerImpl.getNavigationOutcome(ActionListenerImpl.java:106) ~[javax.faces-2.4.0.jar:2.4.0]
    at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:95) ~[javax.faces-2.4.0.jar:2.4.0]
    at javax.faces.component.UICommand.broadcast(UICommand.java:246) ~[javax.faces-2.4.0.jar:2.4.0]
    at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:871) ~[javax.faces-2.4.0.jar:2.4.0]
    at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1419) ~[javax.faces-2.4.0.jar:2.4.0]
    at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:82) ~[javax.faces-2.4.0.jar:2.4.0]
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100) ~[javax.faces-2.4.0.jar:2.4.0]
    at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:201) ~[javax.faces-2.4.0.jar:2.4.0]
    at javax.faces.webapp.FacesServlet.executeLifecyle(FacesServlet.java:731) ~[javax.faces-2.4.0.jar:2.4.0]
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:475) ~[javax.faces-2.4.0.jar:2.4.0]
    at org.eclipse.jetty.servlet.ServletHolder$NotAsyncServlet.service(ServletHolder.java:1395) ~[jetty-servlet-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:755) ~[jetty-servlet-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) ~[jetty-servlet-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:226) ~[websocket-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.gluu.oxauth.audit.debug.ServletLoggingFilter.doFilter(ServletLoggingFilter.java:67) ~[classes/:?]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1596) ~[jetty-servlet-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) ~[jetty-servlet-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:590) ~[jetty-security-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1607) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1297) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) ~[jetty-servlet-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1577) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1212) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.Server.handle(Server.java:500) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547) [jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375) [jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [jetty-util-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [jetty-util-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [jetty-util-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.26.v20200117.jar:9.4.26.v20200117]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.26.v20200117.jar:9.4.26.v20200117]
    at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: org.gluu.persist.exception.operation.ConnectionException: Failed to authenticate dn
    at org.gluu.persist.ldap.operation.impl.LdapOperationServiceImpl.authenticate(LdapOperationServiceImpl.java:212) ~[oxcore-persistence-ldap-4.2.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManager.authenticate(LdapEntryManager.java:743) ~[oxcore-persistence-ldap-4.2.0.Final.jar:?]
    ... 70 more
Caused by: com.unboundid.ldap.sdk.LDAPBindException: invalid credentials
    at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2304) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2259) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14]
    at org.gluu.persist.ldap.operation.impl.LdapOperationServiceImpl.authenticateBindConnectionPoolImpl(LdapOperationServiceImpl.java:288) ~[oxcore-persistence-ldap-4.2.0.Final.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapOperationServiceImpl.authenticateImpl(LdapOperationServiceImpl.java:245) ~[oxcore-persistence-ldap-4.2.0.Final.jar:?]
    at org.gluu.persist.ldap.operation.impl.LdapOperationServiceImpl.authenticate(LdapOperationServiceImpl.java:210) ~[oxcore-persistence-ldap-4.2.0.Final.jar:?]
    at org.gluu.persist.ldap.impl.LdapEntryManager.authenticate(LdapEntryManager.java:743) ~[oxcore-persistence-ldap-4.2.0.Final.jar:?]
    ... 70 more
2020-09-03 08:31:05,039 INFO [qtp1157726741-16] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:223) - Authentication failed for 'demo'
2020-09-03 08:31:05,051 DEBUG [qtp1157726741-16] [org.gluu.service.ExternalResourceHandler] (ExternalResourceHandler.java:68) - Found overriden resource: /login.xhtml
2020-09-03 08:31:05,051 DEBUG [qtp1157726741-16] [org.gluu.service.ExternalResourceHandler] (ExternalResourceHandler.java:68) - Found overriden resource: /WEB-INF/incl/layout/login-template.xhtml
2020-09-03 08:31:11,691 DEBUG [oxAuthScheduler_Worker-3] [org.gluu.service.timer.RequestJobListener] (RequestJobListener.java:53) - Bound request started
2020-09-03 08:31:11,691 DEBUG [oxAuthScheduler_Worker-3] [org.gluu.service.timer.TimerJob] (TimerJob.java:36) - Fire timer event [org.gluu.service.cdi.event.LoggerUpdateEvent] with qualifiers [@org.gluu.service.cdi.event.Scheduled()] from instance 1115946674
2020-09-03 08:31:11,692 DEBUG [oxAuthScheduler_Worker-3] [org.gluu.service.timer.RequestJobListener] (RequestJobListener.java:63) - Bound request ended
2020-09-03 08:31:11,738 INFO [Thread-634] [org.gluu.service.logger.LoggerService] (LoggerService.java:165) - Updated log level of '124' loggers to DEBUG
2020-09-03 08:31:22,568 DEBUG [qtp1157726741-16] [org.gluu.oxauth.service.common.UserService] (UserService.java:78) - Getting user information from LDAP: userId = null
2020-09-03 08:31:22,575 DEBUG [qtp1157726741-16] [org.gluu.oxauth.service.ClientService] (ClientService.java:135) - Found 1 entries for client id = 1501.dd897108-a9e7-474f-967e-c82d9eacc7cd
2020-09-03 08:31:22,601 DEBUG [qtp1157726741-16] [org.gluu.oxauth.service.ClientService] (ClientService.java:135) - Found 1 entries for client id = 1502.3fbc550a-481d-42df-a9b7-2acaa27e4d1c
2020-09-03 08:31:26,683 DEBUG [oxAuthScheduler_Worker-2] [org.gluu.service.timer.RequestJobListener] (RequestJobListener.java:53) - Bound request started
2020-09-03 08:31:26,684 DEBUG [oxAuthScheduler_Worker-2] [org.gluu.service.timer.TimerJob] (TimerJob.java:36) - Fire timer event [org.gluu.service.cdi.event.ConfigurationEvent] with qualifiers [@org.gluu.service.cdi.event.Scheduled()] from instance 757929668
```

By Michael Schwartz Account Admin 03 Sep 2020 at 10:30 a.m. CDT

Not a feature we will address.

By Yunus Raza user 04 Sep 2020 at 1:31 a.m. CDT

Hi Michael,

So there is no way out of it? This would be a blocker for my evaluation because accounts are always created with a temp password for the user, which they must change at the first logon.