Products | Versions |
---|---|
TIBCO Streaming | 10.6 and later |

Login to TIBCO Artifact Management Server fails with the error message:
"Authentication Failed. Please retry or contact the administrator."

2021-10-01 07:41:11.967 DEBUG (qtp1558127130-52) com.tibco.ep.ams.auth.AMSLdapContextFactory:84 - Error getting LDAP context for user 'CN=User One,OU=Users,DC=example,DC=com': javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]

2021-10-01 10:41:23.405 DEBUG (qtp1938456924-47) com.tibco.ep.ams.auth.AMSLdapContextFactory:84 - Error getting LDAP context for user 'uid=user1,ou=users,ou=system': javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=user1,ou=users,ou=system]

In the two messages above, we can see that the user's full distinguished name (DN) is found in the LDAP system, but the credentials could not be verified.

2021-10-01 10:42:19.411 DEBUG (qtp1938456924-74) com.tibco.ep.ams.auth.AMSLdapContextFactory:84 - Error getting LDAP context for user 'user3': javax.naming.InvalidNameException: [LDAP: error code 34 - Incorrect DN given : user3 (0x75 0x73 0x65 0x72 0x33 ) is invalid]

This message reveals that AMS could not resolve the user's full DN, as only the username 'user3' is being identified in the log message. In this case, 'user3' did not actually exist in the LDAP system.

2021-10-01 10:43:47.058 DEBUG (qtp2121754508-52) com.tibco.ep.ams.auth.AMSLdapContextFactory:84 - Error getting LDAP context for user 'user1': javax.naming.InvalidNameException: [LDAP: error code 34 - Incorrect DN given : user1 (0x75 0x73 0x65 0x72 0x31 ) is invalid]

Again, this message reveals that AMS could not resolve the user's full DN. However, in this case, 'user1' is a valid LDAP user. Here, shortening the principalRoot is expected to resolve this issue. For example, change principalRoot from "ou=User Group A,dc=example,dc=com" to just "dc=example,dc=com".

2021-10-01 08:58:49.692 WARN (qtp1630986748-52) com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:90 - Error authenticating with token org.apache.shiro.authc.UsernamePasswordToken - user1@example.com, rememberMe=true (0:0:0:0:0:0:0:1), [LDAP: error code 32 - 0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=example,DC=com' ] javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=example,DC=com' ]

Here, we see a 'NameErr', indicating that the value of principalRoot is wrong (and does not exist in LDAP).

2021-10-01 10:45:13.682 WARN (qtp903663666-52) com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:90 - Error authenticating with token org.apache.shiro.authc.UsernamePasswordToken - user1, rememberMe=true (0:0:0:0:0:0:0:1), [LDAP: error code 32 - NO_SUCH_OBJECT: failed for MessageType : SEARCH_REQUEST Message ID : 2 SearchRequest baseDn : 'ou=sysstem' filter : '(&(objectClass=*)(uid=user1))' scope : whole subtree typesOnly : false Size Limit : no limit Time Limit : no limit Deref Aliases : deref Always attributes : org.apache.directory.api.ldap.model.message.SearchRequestImpl@80e86995: ERR_268 Cannot find a partition for ou=sysstem]

Here, we see a different format for the same LDAP error code (32), which clearly shows the typo in the baseDN (i.e. the value should be 'ou=system', not 'ou=sysstem').

2021-10-01 09:44:49.329 WARN (qtp1161209621-54) com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:90 - Error authenticating with token org.apache.shiro.authc.UsernamePasswordToken - user1@example.com, rememberMe=true (0:0:0:0:0:0:0:1), number exceeds argument list: 1

Here, the selected principalSearch attribute is incorrectly bound using ={1}, meaning it will be bound to a corresponding distinguished name (DN). For this LDAP system, the principalSearch value should use ={0} instead. For example:

principalSearch = "mail={0}"

2021-10-01 10:46:56.986 DEBUG (qtp1938456924-50) com.tibco.ep.ams.auth.AMSLdapContextFactory:84 - Error getting LDAP context for user 'user1': javax.naming.InvalidNameException: [LDAP: error code 34 - Incorrect DN given : user1 (0x75 0x73 0x65 0x72 0x31 ) is invalid]

Similar to the case shown above, this message reveals that AMS could not resolve the user's full DN, even though 'user1' is a valid LDAP user. If you've already verified that the principalRoot value is correct, try setting principalSearch to a different attribute (such as 'mail', 'uid', or 'cn'). Consult with your LDAP administrator as needed.

2021-10-01 10:58:10.174 DEBUG (qtp1630986748-54) com.tibco.ep.ams.auth.AMSLdapContextFactory:84 - Error getting LDAP context for user 'user1': javax.naming.InvalidNameException: [LDAP: error code 34 - Incorrect DN given : user1 (0x75 0x73 0x65 0x72 0x31 ) is invalid]

A typo in the principalSearch value causes the same behavior as in the above cases, and results in the same log message.

2021-10-01 09:17:06.638 DEBUG (qtp903663666-50) com.tibco.ep.ams.auth.AMSAuthenticationFilter:468 - login failed with token org.apache.shiro.authc.UsernamePasswordToken - user1@example.com, rememberMe=true (0:0:0:0:0:0:0:1)

Here, the AMSAuthenticationFilter class is emitting the message, which means the LDAP search filter being used is incorrect. In this case, that is due to a typo in the roleRoot value.

2021-10-01 11:05:42.414 DEBUG (qtp1289213409-51) com.tibco.ep.ams.auth.AMSAuthenticationFilter:468 - login failed with token org.apache.shiro.authc.UsernamePasswordToken - user1@example.com, rememberMe=true (0:0:0:0:0:0:0:1)

Again, the AMSAuthenticationFilter class is emitting the message, which means the LDAP search filter being used is incorrect. In this case, the roleAttribute needed to be changed.
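
The cases above can be told apart mechanically from the log text. The following Python helper is an added example, not TIBCO code and not part of the original article: it maps an AMS authentication log line to the configuration area the article points to. The category names, the `AD_SUBCODES` table (general Active Directory knowledge; the article only shows `52e`) and the shortened sample lines are assumptions made for the example.

```python
import re

LDAP_CODE = re.compile(r"LDAP: error code (\d+)")
USER = re.compile(r"LDAP context for user '([^']*)'")
AD_DATA = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)", re.I)

# Common Active Directory bind sub-codes (general AD knowledge, not from the article).
AD_SUBCODES = {"525": "user not found", "52e": "invalid credentials",
               "532": "password expired", "533": "account disabled",
               "775": "account locked out"}

def classify(line):
    """Map one AMS authentication log line to (category, hint)."""
    if "number exceeds argument list" in line:
        return "placeholder", "principalSearch should bind with ={0}, not ={1}"
    m = LDAP_CODE.search(line)
    code = m.group(1) if m else None
    if code == "49":
        sub = AD_DATA.search(line)
        why = AD_SUBCODES.get(sub.group(1).lower(), "unlisted sub-code") if sub else "bind rejected"
        return "credentials", "full DN resolved, credentials not verified (" + why + ")"
    if code == "34":
        user = USER.search(line)
        if user and "=" not in user.group(1):
            # Bare username in the message: AMS never resolved a full DN.
            return "dn-not-resolved", "check the user exists, principalRoot scope, principalSearch"
        return "invalid-dn", "server rejected the DN (case not covered by the article)"
    if code == "32":
        return "base-not-found", "principalRoot / base DN does not exist in LDAP"
    if "AMSAuthenticationFilter" in line and "login failed with token" in line:
        return "role-search", "check roleRoot and roleAttribute"
    return "unknown", "no rule matched"

# Constructed sample input: shortened copies of the log lines quoted in the article.
SAMPLES = [
    "AMSLdapContextFactory:84 - Error getting LDAP context for user 'CN=User One,OU=Users,DC=example,DC=com': "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]",
    "AMSLdapContextFactory:84 - Error getting LDAP context for user 'user3': "
    "[LDAP: error code 34 - Incorrect DN given : user3 (0x75 0x73 0x65 0x72 0x33 ) is invalid]",
    "AMSActiveDirectoryRealm:90 - Error authenticating with token, [LDAP: error code 32 - 0000208D: NameErr]",
    "AMSActiveDirectoryRealm:90 - Error authenticating with token, number exceeds argument list: 1",
    "AMSAuthenticationFilter:468 - login failed with token org.apache.shiro.authc.UsernamePasswordToken",
]

def triage(lines):
    """Return only the category for each log line, in order."""
    return [classify(line)[0] for line in lines]
```

Because several misconfigurations produce the identical error code 34 message, `dn-not-resolved` narrows the search to three settings rather than naming a single cause.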