By: Yunus Raza user 09 Sep 2020 at 2:53 a.m. CDT

## Issue

When an administrator resets the password for a user in Microsoft Active Directory, and the user then tries to log in with the new password, Gluu Server returns error 500.

## Log

```
2020-09-09 07:45:13,528 DEBUG [qtp1157726741-17] [org.gluu.oxauth.service.common.UserService] (UserService.java:187) - Found '1' entries
2020-09-09 07:45:13,563 DEBUG [qtp1157726741-17] [org.gluu.oxauth.service.common.UserService] (UserService.java:78) - Getting user information from LDAP: userId = labuser77
2020-09-09 07:45:13,569 DEBUG [qtp1157726741-17] [org.gluu.oxauth.service.common.UserService] (UserService.java:87) - Found 1 entries for user id = labuser77
2020-09-09 07:45:13,583 DEBUG [qtp1157726741-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:344) - Get next step from script: '-1'
2020-09-09 07:45:13,590 DEBUG [qtp1157726741-17] [org.gluu.oxauth.service.SessionIdService] (SessionIdService.java:491) - Changing session id from 91870673-e332-4c61-abe9-0f95dc929391 to fe9f679a-79d9-4809-abc1-0dc5ddade483 ...
2020-09-09 07:45:13,602 DEBUG [qtp1157726741-17] [org.gluu.oxauth.service.SessionIdService] (SessionIdService.java:502) - Session identifier changed from 91870673-e332-4c61-abe9-0f95dc929391 to fe9f679a-79d9-4809-abc1-0dc5ddade483 .
2020-09-09 07:45:13,603 DEBUG [qtp1157726741-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:429) - Sending event to trigger user redirection: 'labuser77'
2020-09-09 07:45:13,603 INFO [qtp1157726741-17] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:684) - Attempting to redirect user: SessionUser: SessionId {dn='oxId=fe9f679a-79d9-4809-abc1-0dc5ddade483,ou=sessions,o=gluu', id='fe9f679a-79d9-4809-abc1-0dc5ddade483', lastUsedAt=Wed Sep 09 07:45:13 UTC 2020, userDn='inum=0000!EFCA.0CCE,ou=people,o=gluu', authenticationTime=Wed Sep 09 07:45:13 UTC 2020, state=authenticated, sessionState='dc9d18b73988f603934ed25e61af983f4d52c383369603fa45535557ed33219c.44b546f1-0fe5-4d91-a603-8321d8705853', permissionGranted=null, isJwt=false, jwt=null, permissionGrantedMap=SessionIdAccessMap{permissionGranted={59e0f691-9185-4e4d-b6c6-a6cfa1a544d2=false}}, sessionAttributes={auth_step=1, acr=basic_lock, remote_ip=192.168.1.40, auth_external_attributes=null, opbs=21e1b017-c066-4ff5-98aa-8dea40e6bd1c, scope=openid, response_type=code, redirect_uri=https://mylabgw.local/oauth/login, state=b2F1dGhhY3Q9T0lEQy1TUC1nbHV1ALWHWF8K8oe1dGFyZ2V0PWh0dHBzOi8vYWN1c2xhYmd3LmFjdXNsYWIubG9jYWwvbmYvYXV0aC9kb09BdXRoP2FjdD1PSURDLVNQLWdsdXU7bmY9O3d2PTA=, client_id=59e0f691-9185-4e4d-b6c6-a6cfa1a544d2, auth_user=labuser77}, persisted=true}
2020-09-09 07:45:13,606 INFO [qtp1157726741-17] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:692) - Attempting to redirect user: User: org.gluu.oxauth.model.common.User@589ccb1b
2020-09-09 07:45:13,608 INFO [qtp1157726741-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:432) - Authentication success for User: 'labuser77'
2020-09-09 07:45:13,793 DEBUG [qtp1157726741-18] [org.gluu.service.ExternalResourceHandler] (ExternalResourceHandler.java:68) - Found overriden resource: /authorize.xhtml
2020-09-09 07:45:13,794 DEBUG [qtp1157726741-18] [org.gluu.service.ExternalResourceHandler] (ExternalResourceHandler.java:68) - Found overriden resource: /authorize.xhtml
2020-09-09 07:45:13,800 DEBUG [qtp1157726741-18] [org.gluu.oxauth.service.ClientService] (ClientService.java:135) - Found 1 entries for client id = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2
2020-09-09 07:45:13,800 DEBUG [qtp1157726741-18] [org.gluu.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:58) - Checking scopes policy for: [openid]
2020-09-09 07:45:13,803 DEBUG [qtp1157726741-18] [org.gluu.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:90) - Granted scopes: [openid]
2020-09-09 07:45:13,829 DEBUG [qtp1157726741-18] [org.gluu.oxauth.service.ClientService] (ClientService.java:135) - Found 1 entries for client id = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2
2020-09-09 07:45:13,829 DEBUG [qtp1157726741-18] [org.gluu.oxauth.service.RedirectionUriService] (RedirectionUriService.java:87) - Validating redirection URI: clientIdentifier = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2, redirectionUri = https://mylabgw.local/oauth/login, found = 2
2020-09-09 07:45:13,830 DEBUG [qtp1157726741-18] [org.gluu.oxauth.service.RedirectionUriService] (RedirectionUriService.java:109) - Comparing https://mylabgw.local/oauth/login == https://mylabgw.local/oauth/login
2020-09-09 07:45:13,838 DEBUG [qtp1157726741-18] [org.gluu.service.ExternalResourceHandler] (ExternalResourceHandler.java:68) - Found overriden resource: /authorize.xhtml
2020-09-09 07:45:18,171 DEBUG [qtp1157726741-17] [org.gluu.oxauth.service.common.UserService] (UserService.java:78) - Getting user information from LDAP: userId = null
```

By Michael Schwartz Account Admin 09 Sep 2020 at 12:36 p.m. CDT

Interesting. Not sure how we can replicate this problem.

By Yunus Raza user 10 Sep 2020 at 2:03 a.m. CDT

Does Gluu fully support Active Directory as a backend, or is it only suited to non-Microsoft LDAP? I am almost done with the evaluation part but unfortunately stuck with a few things like this one that I mentioned, and the other one, where the user is created in Active Directory with a temp password and then, when they log in, they are supposed to change the password. For the latter part you already responded that Gluu will not add that feature, but this one I need to sort out, else it won't check all of my requirements to recommend this for a production setup.

By Aliaksandr Samuseu staff 10 Sep 2020 at 12:04 p.m. CDT

Hi, Yunus. Gluu can use any LDAP server as a backend. The LDAP protocol is an industry standard, so anything that adheres to it will do. But Gluu Server doesn't support any of AD's proprietary interfaces, so there is no full integration into an AD environment. It just can pull users from AD and verify their credentials (with an LDAP bind), that's it. Regarding the original issue, just an idea: are you sure you use AD for authentication in Gluu? Basically, you need to configure two things in Gluu: Cache Refresh to pull in users from AD, and add your AD server on the Manage Authentication page in the web UI so it can be used for authentication as well. Is that what you do? Could you provide screenshots of your CR and Manage Authentication UI pages with all settings visible?

By Yunus Raza user 11 Sep 2020 at 6:27 a.m. CDT

Hi Mike, yes, that's what I have done, by following the documentation and YouTube videos. It's connected well to our lab Active Directory, can pull the records, and the authentication is working perfectly. This issue I just resolved by turning on the "Pre-authorization" setting under the OIDC client that NetScaler is using. So one less thing to worry about. I am only stuck with the following:

-> When a user's account is locked in AD, we get a failed authentication message, and I want to convert that to the actual error, which is "user account is locked".
-> When a user's account is disabled, it's the same behavior.
-> When a user's account is created with a temp password and the option "user must change their password at next logon" is selected, the user cannot log in. Basically I want it to accept the password and then let the user change the password. It's fine if we need to redirect to another URL.

I believe for all the above I need to use a custom script. And for that script to work I need to ensure that the userAccountControl attribute from Active Directory is part of the cache refresh. I am still trying to see how to do that in OpenDJ, but once that attribute is propagated to Gluu then maybe I need to figure out how to use that in a custom script. I am not familiar with Python/Jython, so will do some research and see if I can make it work.

By Michael Schwartz Account Admin 11 Sep 2020 at 1:36 p.m. CDT

Yes, I think you're on exactly the right track. If you can manipulate the data correctly in the AD LDAP, I think it will work out. This would be a cool script. I'm assigning Madhu, one of our engineers to help you if you have any questions about scripting. It is a pain in the neck... if you can get remote debugging enabled from Eclipse, that helps a lot. Also, there are many script examples [in Github](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations) I would check out the multi-ldap script, password update, and register scripts.

By Yunus Raza user 13 Sep 2020 at 11:24 p.m. CDT

Thanks Mike, I was also looking at one of the sample scripts on GitHub. At the moment I am trying to understand the code.

By Michael Schwartz Account Admin 14 Sep 2020 at 11:20 a.m. CDT

If you need help with this, we can introduce you to one of Gluu's partners. These scripts can be tricky to write.