
LDAP/AD authentication random error

I am integrating an application with AD/LDAP authentication via JAAS, and while this interface is working fine 90% of the time, occasionally I am getting technical errors when users try to log in. The errors in the logs are like:

INFO -[LdapLoginModule] user provider: ldaps://<AD server>:636/DC=global,DC=mycompany,DC=com
INFO -[LdapLoginModule] searching for entry belonging to user: <user name>
INFO -[LdapLoginModule] authentication failed
INFO -[LdapLoginModule] aborted authentication

When enabling additional logs, I can see the below exception:

javax.security.auth.login.FailedLoginException: Cannot find user's LDAP entry

(This is not a credentials issue; as I explained, it is occurring randomly, and if the user tries to log in with the same creds a few more times it will eventually succeed.)
Checking the LdapLoginModule.java code from the below link, I am trying to follow the log output in the code to understand where exactly this occurs, but I am not able to understand exactly why the "authentication failed" output is reached/thrown: LdapLoginModule.java

Could someone please help me understand what might be causing this random issue and point me in the right direction? Could it be an issue on the AD side or in the JAAS config?

Below is some additional info:

  • SSL is enabled
  • "AD server" is not a domain controller but rather a DNS method of load balancing
  • Using anonymous binding (search-first) mode

JAAS config:

LDAP_AD {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider="ldaps://<AD server>:636/DC=global,DC=mycompany,DC=com"
userFilter="(&(sAMAccountName={USERNAME})(objectcategory=user)(memberof=CN=aGroup,OU=Security Groups,OU=Groups,OU=Geneva,OU=Switzerland,OU=EMEA,DC=global,DC=mycompany,DC=com))"
useSSL=true
debug=true;
};

Any idea on the root cause of this would be much appreciated.

Many thanks, George

As you note, there is a load balancer in the way, and your symptoms suggest you are getting load balanced to a node that is not in sync. That is unlikely; more likely is an AD DC that is not happy with your config while the others are OK with it.

On a new user, or a newly changed user, the replication delay would be a common example of this problem in real life.

On existing users, this seems less likely.

It also may have something to do with the memberOf attribute, which is not a static attribute; rather, it is a dynamic query that is evaluated when you query for it.
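To tell whether one node behind the load-balanced name is the one returning no entry, the following is an added diagnostic example (not code from the question, the answer, or LdapLoginModule itself): it runs the same anonymous search-first lookup directly against each DC with JNDI and reports how many entries each returns. The base DN and filter are taken from the JAAS config above, with LdapLoginModule's {USERNAME} token replaced by JNDI's {0} filter argument; the DC hostnames and the sample username are constructed placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class DcSearchCheck {
    // Base DN and userFilter from the JAAS config in the question ({USERNAME} -> {0}).
    static final String BASE_DN = "DC=global,DC=mycompany,DC=com";
    static final String USER_FILTER =
        "(&(sAMAccountName={0})(objectcategory=user)(memberof=CN=aGroup,OU=Security Groups,"
      + "OU=Groups,OU=Geneva,OU=Switzerland,OU=EMEA,DC=global,DC=mycompany,DC=com))";

    // Anonymous (search-first style) lookup against a single DC. Returns the number of
    // matching entries, or -1 if the connection or search failed for that DC.
    static int countMatches(String dcHost, String username) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + dcHost + ":636/" + BASE_DN);
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // anonymous bind, as in the question
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "5000");
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"distinguishedName"});
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            // JNDI substitutes and escapes the {0} argument, so the username is not spliced in raw.
            NamingEnumeration<SearchResult> results =
                ctx.search("", USER_FILTER, new Object[] {username}, sc);
            int n = 0;
            while (results.hasMore()) { results.next(); n++; }
            return n;
        } catch (NamingException e) {
            System.err.println(dcHost + ": " + e);
            return -1;
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) {}
        }
    }

    public static void main(String[] args) {
        // Constructed placeholder list: replace with the individual DCs behind the balanced name.
        String[] dcs = {"dc1.global.mycompany.com", "dc2.global.mycompany.com"};
        String user = args.length > 0 ? args[0] : "jdoe";
        for (String dc : dcs) System.out.println(dc + " -> " + countMatches(dc, user) + " entries");
    }
}
```

A DC that reports 0 entries while its peers report 1 for the same user points at replication lag or a per-DC difference (anonymous search restrictions, group membership resolution) rather than at the JAAS configuration.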
