User authentication fails if the user look-up fetches more than one entry.

Article ID: KB0093635

Updated On:

Products: TIBCO BPM Enterprise (formerly TIBCO ActiveMatrix BPM)
Versions: Not Applicable

Description

Description:
The LDAP Authentication Resource Template (RT) must be configured so that the user lookup is unambiguous, i.e. the search returns exactly one entry for the user being authenticated.

Symptoms:
com.tibco.governance.pa.action.security.SecurityException: Policy enforcement failed to authenticate the request
Caused by: javax.security.auth.login.LoginException: User CN=user1,.., DC=domain, DC=com found both as "CN=user1,.., DC=domain, DC=com" and "CN=ExchangeActiveSyncDevices,CN=user1,.., DC=domain, DC=com"; narrow the search by reconfiguring UserSearchExpression and/or UserSearchBase.
    at com.tibco.trinity.runtime.core.provider.authn.ldap.LdapAuthNLoginModule.doLogin(LdapAuthNLoginModule.java:498)
    at com.tibco.trinity.runtime.core.provider.authn.AbstractLoginModule.login(AbstractLoginModule.java:183)
    at com.tibco.trinity.runtime.core.provider.authn.ldap.ConnectorManagedConnectionImpl.login(ConnectorManagedConnectionImpl.java:37)
    at com.tibco.trinity.runtime.core.provider.authn.AuthNConnection.login(AuthNConnection.java:28)
    at com.tibco.governance.pa.action.sharedresource.SharedResourceLoginModule.login(SharedResourceLoginModule.java:102)


Cause:
The user lookup performed by the LDAP Authentication RT returned more than one LDAP entry for the user. The login module cannot tell which entry is the real user, so it fails closed rather than bind as a guessed entry.

Issue/Introduction

User authentication fails if the user look-up fetches more than one entry.

Resolution

1). If the LDAP provider supports it (i.e., an LDAP attribute that holds the entry's Distinguished Name (DN) exists), reference that DN-storing attribute in the user search expression. A DN is unique within the directory, so the lookup can match at most one entry and the ambiguity disappears.

For Active Directory:  (distinguishedName={0})

Note that not all LDAP providers expose such an attribute. If a user's DN cannot be queried, review the attribute values of the entries in the ambiguous result set and devise a different filter expression that only the real user entry satisfies (e.g., one that additionally tests objectClass). If one of the DN values causing the ambiguity contains CN=ExchangeActiveSyncDevices, the offending entry is most likely the container that Exchange creates beneath the user's own entry for the user's mobile (ActiveSync) devices, not a user entry.

2). Set a deeper User Search Base value so that the user lookup returns only the actual user entry. This only works if the extra entries lie outside the deeper base; it does not help when the ambiguity is introduced by entries nested under the user entries themselves (as with CN=ExchangeActiveSyncDevices,CN=user1,...), because a subtree search from any base that contains the user entry also contains its children.


3). Restrict the LDAP search scope to one level by unchecking "Search Entire Subtree Starting at Base DN". This only works if all user entries are located exactly one level under the User Search Base DN; entries nested beneath a user entry then fall outside the search scope.
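The following script is an added example and not TIBCO code. It models the user lookup that the LDAP Authentication RT performs on a set of candidate entries and applies the login module's rule (exactly one entry or the login fails), so you can check which of the three remedies above actually narrows a given ambiguous result set to one entry. It does not talk to a directory: the candidate DNs are the two reported in the symptom, with the elided ".." replaced by a constructed OU=Users; the search base values and the assumption that {0} in the (distinguishedName={0}) filter expands to the user's DN (as the "User CN=user1,..." wording of the error suggests) are likewise assumptions of the example.

```python
"""Added example (not TIBCO's code): model the LDAP Authentication RT user
lookup and evaluate the three remedies from the KB article against a
constructed result set. Runs offline; no directory connection is made."""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

# Constructed sample: the two entries the error message reports for user1.
# The real trace elides the middle RDNs; "OU=Users" is an assumption here.
USER_DN = "CN=user1,OU=Users,DC=domain,DC=com"
SAMPLE_RESULT_SET = [
    USER_DN,
    "CN=ExchangeActiveSyncDevices,CN=user1,OU=Users,DC=domain,DC=com",
]
ORIGINAL_BASE = "DC=domain,DC=com"          # assumed original User Search Base
DEEPER_BASE = "OU=Users,DC=domain,DC=com"   # assumed deeper base for remedy 2


def _split_rdn(rdn: str) -> Tuple[str, str]:
    """'CN=user1' -> ('cn', 'user1'); comparisons are case-insensitive."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().lower()


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDNs, leftmost first, honouring
    backslash-escaped commas (RFC 4514). Multi-valued RDNs are not needed."""
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escaped pair literally
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(_split_rdn("".join(buf)))
    return rdns


def is_under(dn: str, base: str) -> bool:
    """True if dn lies in the subtree rooted at base (base itself included)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def depth_below(dn: str, base: str) -> int:
    """Number of RDNs dn has beyond base; 1 means directly under the base."""
    return len(parse_dn(dn)) - len(parse_dn(base))


def lookup(result_set: List[str], *, base: str, subtree: bool = True,
           dn_filter: Optional[str] = None) -> List[str]:
    """Apply the RT's search settings to candidate entries and return the
    survivors. subtree=False models unchecking "Search Entire Subtree";
    dn_filter models the (distinguishedName={0}) search expression."""
    hits = []
    for dn in result_set:
        if not is_under(dn, base):
            continue
        if not subtree and depth_below(dn, base) != 1:
            continue
        if dn_filter is not None and parse_dn(dn) != parse_dn(dn_filter):
            continue
        hits.append(dn)
    return hits


def authenticate(result_set: List[str], **search) -> str:
    """Mirror the login module's rule: exactly one entry, otherwise fail."""
    hits = lookup(result_set, **search)
    if len(hits) == 1:
        return "OK: " + hits[0]
    if not hits:
        return "FAIL: no entry"
    return "FAIL: ambiguous: " + " | ".join(hits)


def evaluate_remedies(result_set: List[str], user_dn: str) -> Dict[str, str]:
    """Outcome of each remedy from the Resolution section for this result set."""
    return {
        "1 distinguishedName filter": authenticate(result_set, base=ORIGINAL_BASE, dn_filter=user_dn),
        "2 deeper search base": authenticate(result_set, base=DEEPER_BASE),
        "3 one-level scope": authenticate(result_set, base=DEEPER_BASE, subtree=False),
    }


if __name__ == "__main__":
    for remedy, outcome in evaluate_remedies(SAMPLE_RESULT_SET, USER_DN).items():
        print(f"{remedy}: {outcome}")
```

For the sample result set, remedy 1 and remedy 3 each leave exactly the user entry, while remedy 2 still fails: the device container sits beneath the user entry, so any subtree search from a base that contains the user also returns the container, which is exactly the caveat stated in step 2. Replace SAMPLE_RESULT_SET with the DNs your own directory returns for the failing user to see which remedy applies.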

For AMSG <= 3.1.5, re-installing the LDAP Authentication Resource Template is not sufficient for the change to take effect; the amx.bpm.app application must be restarted as well.