Re: [pwm-general] 5016 ERROR_CANT_MATCH_USER


Casey Jones

Mar 24, 2017, 12:37:28 PM
to pwm-general
Would anyone have a clue why I randomly get CANT_MATCH_USER messages when logging in?  This issue comes and goes and for the life of me, I cannot figure out what is causing it.  See the log below, I have had successful logins with this user and then all of a sudden I get the 5016 error.

2017-03-24T12:23:33Z, DEBUG, ldap.UserSearchEngine, {4650} performing ldap search for user; searchID=14 profile=default base=DC=ncmcs,DC=org filter=SearchHelper: filter: (&(objectClass=person)(|(samAccountName=eszscaler))), scope: SUBTREE, attributes: [] maxCount=2 [10.1.x,x]
2017-03-24T12:23:33Z, DEBUG, provider.WatchdogWrapper, reopening ldap connection for CN=PWM-Proxy,OU=Generic Accounts,DC=ncmcs,DC=org
2017-03-24T12:23:33Z, DEBUG, provider.WatchdogWrapper, starting up LDAP Chai WatchdogWrapper timer thread, 5000ms check frequency
2017-03-24T12:23:35Z, ERROR, auth.SessionAuthenticator, {4650} ldap error during search: 5016 ERROR_CANT_MATCH_USER (ldap error during searchID=14, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: domain.org:636, cause:java.net.ConnectException: Connection refused: connect) [10.1.x.x]
2017-03-24T12:23:35Z, DEBUG, event.AuditService, discarding event, INTRUDER_ATTEMPT are being ignored; event={"instance":"7314675ABFA9964","type":"SYSTEM","eventCode":"INTRUDER_ATTEMPT","guid":"ad5f6bfe-04c1-4eb9-9af5-f2bc8a3768b0","timestamp":"2017-03-24T16:23:35Z","message":"{\"type\":\"ADDRESS\",\"subject\":\"10.1.x.x\"}"}
2017-03-24T12:23:36Z, DEBUG, event.AuditService, discarding event, INTRUDER_ATTEMPT are being ignored; event={"instance":"7314675ABFA9964","type":"SYSTEM","eventCode":"INTRUDER_ATTEMPT","guid":"5156a9eb-44c4-44fe-be95-8f2e5ff97d93","timestamp":"2017-03-24T16:23:36Z","message":"{\"type\":\"USERNAME\",\"subject\":\"eszscaler\"}"}
2017-03-24T12:24:08Z, DEBUG, provider.WatchdogWrapper, ldap idle timeout detected, closing ldap connection for ChaiProvider #268 (JNDIProviderImpl), OPEN ldaps://domain.org:636 CN=PWM-Proxy,OU=Generic Accounts,DC=ncmcs,DC=org
2017-03-24T12:24:08Z, DEBUG, provider.WatchdogWrapper, ldap idle timeout detected, closing ldap connection for ChaiProvider #268 (JNDIProviderImpl), CLOSED 
2017-03-24T12:24:08Z, DEBUG, provider.WatchdogWrapper, exiting LDAP Chai WatchdogWrapper timer thread, no connections requiring monitoring are in use
2017-03-24T12:24:55Z, DEBUG, ldap.UserSearchEngine, {4650} beginning user search process [10.1.x.x]
2017-03-24T12:24:55Z, DEBUG, ldap.UserSearchEngine, {4650} performing ldap search for user; searchID=15 profile=default base=DC=ncmcs,DC=org filter=SearchHelper: filter: (&(objectClass=person)(|(samAccountName=eszscaler))), scope: SUBTREE, attributes: [] maxCount=2 [10.1.x.x]
2017-03-24T12:24:55Z, DEBUG, provider.WatchdogWrapper, reopening ldap connection for CN=PWM-Proxy,OU=Generic Accounts,DC=ncmcs,DC=org
2017-03-24T12:24:55Z, DEBUG, provider.WatchdogWrapper, starting up LDAP Chai WatchdogWrapper timer thread, 5000ms check frequency
2017-03-24T12:24:56Z, ERROR, auth.SessionAuthenticator, {4650} ldap error during search: 5016 ERROR_CANT_MATCH_USER (ldap error during searchID=15, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: domain.org:636, cause:java.net.ConnectException: Connection refused: connect) [10.1.x.x]



Jason Rivard

Mar 28, 2017, 3:45:00 AM
to pwm-general, chj...@ncmcs.org
It appears your LDAP server is returning a referral to PWM, and when PWM tries to connect to the referred server it is getting a connection refused.  The latest builds of PWM should include the server IP/name in this error so I'm guessing you're running an older build.  If this is AD, understand that it tends to return referrals to your top level DC entries so you may need to make domain.org an actual host entry on the PWM server to one of your AD servers.  Also make sure the FQDNs of your AD DC servers are resolvable by the PWM server.  AD tends to go nuts with referrals, but other LDAP servers can return them too.
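As an added example (not from the thread and not PWM's own code), a small Python triage script over the log lines quoted above: it pairs each 5016 error with the search that produced it, pulls out the host and port PWM was referred to, and flags a search base that sits at the domain root, which is what the referral explanation here and the later "login context" workaround both point at.

```python
import re

# Two lines reproduced from the post above as sample input (the poster's own redactions kept).
SAMPLE_LOG = """\
2017-03-24T12:23:33Z, DEBUG, ldap.UserSearchEngine, {4650} performing ldap search for user; searchID=14 profile=default base=DC=ncmcs,DC=org filter=SearchHelper: filter: (&(objectClass=person)(|(samAccountName=eszscaler))), scope: SUBTREE, attributes: [] maxCount=2 [10.1.x.x]
2017-03-24T12:23:35Z, ERROR, auth.SessionAuthenticator, {4650} ldap error during search: 5016 ERROR_CANT_MATCH_USER (ldap error during searchID=14, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: domain.org:636, cause:java.net.ConnectException: Connection refused: connect) [10.1.x.x]
"""

SEARCH_RE = re.compile(r"searchID=(\d+) profile=\S+ base=(\S+) ")
ERROR_RE = re.compile(r"ERROR_CANT_MATCH_USER \(ldap error during searchID=(\d+), (.*)\)")
REFERRAL_RE = re.compile(r"javax\.naming\.CommunicationException: ([\w.\-]+):(\d+)")


def is_domain_root(base_dn: str) -> bool:
    """True when every RDN of the base is a DC= component, i.e. the search
    starts at the domain naming context itself rather than an OU below it."""
    return all(rdn.strip().upper().startswith("DC=") for rdn in base_dn.split(","))


def triage(log_text: str) -> list[dict]:
    """Pair each 5016 error with its search and classify why it failed."""
    searches = {}  # searchID -> base DN
    findings = []
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            searches[m.group(1)] = m.group(2)
            continue
        m = ERROR_RE.search(line)
        if not m:
            continue
        search_id, detail = m.group(1), m.group(2)
        base = searches.get(search_id, "")
        finding = {"search_id": search_id, "base": base,
                   "base_is_domain_root": is_domain_root(base) if base else False,
                   "cause": "unknown", "referred_host": None, "referred_port": None}
        ref = REFERRAL_RE.search(detail)
        if "PartialResultException" in detail and ref:
            # PWM received partial results plus a referral, followed it, and the
            # referred host refused the TCP connection. The user was never "not found";
            # the referral target is unreachable or unresolvable from the PWM host.
            finding["cause"] = "referral_follow_failed"
            finding["referred_host"], finding["referred_port"] = ref.group(1), int(ref.group(2))
        findings.append(finding)
    return findings
```

A finding with `referral_follow_failed` and `base_is_domain_root` set is the signature of this thread: check that the referred name resolves to a reachable DC from the PWM server, or narrow the search base below the domain root.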

chj...@ncmcs.net

Apr 12, 2017, 12:48:49 PM
to pwm-general, chj...@ncmcs.org
So after a lot of trial and error, I found the problem. I had LDAP searching the entire domain which was causing the issue. I created some user selectable login contexts and have not had the problem since. Hopefully this will help someone in the future.

BloodyIron

Dec 14, 2022, 1:21:47 AM
to pwm-general
Adding a single user selectable login context is what did the trick for me, thanks e-Stranger! Really appreciate you posting the fix :) (undocumented requirement it seems)

-BloodyIron

Jason Rivard

Dec 14, 2022, 2:32:03 AM
to pwm-general
Setting a user selectable context is not a requirement.  It's a workaround for an improperly configured AD DNS/LDAP environment.  It's the most commonly discussed issue on this list.