LDAP: error code 32 on logging in against AD LDS directory if alwaysUseProxy = false


Graz

Sep 12, 2012, 9:56:11 AM
to pwm-g...@googlegroups.com
We have configured PWM to work with an AD-LDS directory as described in the Admin Guide.

We have found that we can only log in with our users if we set ldap.alwaysUseProxy = true.

So in the config.xml we need to set:

    <setting key="ldap.alwaysUseProxy" syntax="BOOLEAN">
      <label>Always use proxy</label>
      <value><![CDATA[true]]></value>
    </setting>


If we set this to false, when we try to log in we get LDAP error code 32 indicating that the user cannot be found:
(Note that the comment about ERROR_WRONGPASSWORD in the logs is misleading: it occurs for a range of problems, not just a wrong password, e.g. it also occurs for an invalid user.)

Wed Sep 12 11:50:24 BST 2012, INFO , password.pwm.AuthenticationFilter, login attempt for CN=TestUser1,OU=Test Objects,OU=Root,DC=Jet failed: 5001 ERROR_WRONGPASSWORD (ldap error during password check: [LDAP: error code 32 - 0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=Jet'

We are definitely using the correct password, and are able to authenticate as TestUser1 via LDP.

In the section of the config screen where ldap.alwaysUseProxy is set, there are a number of warnings about what can happen if it is set to true:

    Authentication will be performed using ldap compare operation instead of bind
    All read/write operations will require permission of the proxy user
    Security is managed exclusively by PWM, any defects or "security holes" in pwm would result in an exploitable security breach
    Password change operations are performed using the proxy user connection
    User grace logins will not be decremented

The default setting is false. You should carefully consider the security impacts before setting this to true.


To avoid any of those security problems, we would want to set this to false, but then we are not able to log in.

Can you tell us how we can configure PWM to allow login to work against AD LDS without requiring ldap.alwaysUseProxy = true?

Thanks

Jason Rivard

Sep 12, 2012, 10:02:28 AM
to pwm-g...@googlegroups.com
PWM has not been well tested by the developers against AD in general.  Many sites have had success deploying PWM against AD, some have not.  PWM has general support for LDAP functionality and unfortunately AD's behavior is often bizarre compared to most other "normal" ldap servers.  This will improve in future releases, as AD is being used more often during development testing these days.  

You'll want to start by googling each part of the AD ldap error numbers to see if you can figure out what AD is complaining about.



--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To post to this group, send email to pwm-g...@googlegroups.com.
To unsubscribe from this group, send email to pwm-general...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/pwm-general/-/RfAcOLqqaQYJ.
For more options, visit https://groups.google.com/groups/opt_out.
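As an added example (not PWM's code, and not posted by anyone in this thread): a small Python parser for the AuthenticationFilter line quoted in the first post, which pulls out the LDAP result code and AD's extended error string so that result 32 (object not found) is not misread as the ERROR_WRONGPASSWORD label PWM puts on it. It also decodes the result 49 "data" values from Microsoft's documented bind-failure list, which is the lookup Jason suggests doing by hand; both sample lines are constructed from the thread.

```python
import re
from typing import Dict, Optional

# Constructed sample: the log line quoted in the thread, joined onto a single line.
SAMPLE_LOG = (
    "Wed Sep 12 11:50:24 BST 2012, INFO , password.pwm.AuthenticationFilter, "
    "login attempt for CN=TestUser1,OU=Test Objects,OU=Root,DC=Jet failed: "
    "5001 ERROR_WRONGPASSWORD (ldap error during password check: [LDAP: error code 32 "
    "- 0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, "
    "best match of: 'DC=Jet'"
)

# LDAP result codes (RFC 4511 names) that PWM reports under its ERROR_WRONGPASSWORD label.
LDAP_RESULT = {32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights"}

# AD-specific "data" values that accompany result code 49 on a failed bind (hex, as AD prints them).
AD_BIND_DATA = {
    "525": "user not found", "52e": "invalid credentials", "530": "logon time restriction",
    "531": "workstation restriction", "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "password must be reset", "775": "account locked out",
}

# Matches the PWM AuthenticationFilter failure line and the AD extended error string inside it.
LOG_RE = re.compile(
    r"login attempt for (?P<dn>.+?) failed: (?P<pwm_code>\d+) (?P<pwm_name>\w+) "
    r"\(ldap error during password check: \[LDAP: error code (?P<ldap_code>\d+) - "
    r"(?P<ad_code>[0-9A-Fa-f]{8}): (?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"(?:problem (?P<problem>\d+) \((?P<problem_name>\w+)\), )?"
    r"(?:comment: (?P<comment>[^,]+), )?data (?P<data>[0-9A-Fa-f]+)"
    r"(?:, best match of:\s*'(?P<best_match>[^']*)')?"
)

def parse_pwm_ldap_failure(line: str) -> Optional[Dict[str, str]]:
    """Split a PWM 'login attempt ... failed' line into its PWM and LDAP/AD fields."""
    m = LOG_RE.search(line)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else None

def diagnose(fields: Dict[str, str]) -> str:
    """Explain the underlying LDAP cause that PWM's ERROR_WRONGPASSWORD label hides."""
    code = int(fields["ldap_code"])
    if code == 32:  # the directory could not resolve the DN; no password was ever checked
        return (f"LDAP noSuchObject: {fields['dn']!r} does not exist as seen by this connection "
                f"(best match {fields.get('best_match', '?')!r}); check the search base, "
                "naming attribute and the searching account's read rights, not the password")
    if code == 49:  # a real bind failure; AD puts the reason in the 'data' value
        return "LDAP invalidCredentials: " + AD_BIND_DATA.get(fields["data"].lower(), "unknown reason")
    return f"LDAP result {code} ({LDAP_RESULT.get(code, 'unmapped')})"

if __name__ == "__main__":
    print(diagnose(parse_pwm_ldap_failure(SAMPLE_LOG)))
```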

Menno Pieters

Sep 12, 2012, 10:39:24 AM
to pwm-g...@googlegroups.com

Wed Sep 12 11:50:24 BST 2012, INFO , password.pwm.AuthenticationFilter, login attempt for CN=TestUser1,OU=Test Objects,OU=Root,DC=Jet failed: 5001 ERROR_WRONGPASSWORD (ldap error during password check: [LDAP: error code 32 - 0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=Jet'


Wild guess: anonymous search is not allowed? It looks like, with the option set to false, PWM is unable to search for the user.

Regards,

Menno

Jason Rivard

Sep 12, 2012, 10:43:27 AM
to pwm-g...@googlegroups.com
It should be doing search over the proxy connection, although with always use proxy turned on I wouldn't be shocked if there was a glitch.  My guess is the username search filter isn't right, or ldap naming attribute isn't right...
