Cannot Find User error (5034 ERROR_INVALID_FORMID and 5016 ERROR_CANT_MATCH_USER)


chj...@ncmcs.net

Mar 8, 2017, 9:09:39 AM
to pwm-general
So I have PWM up and running with successful connections via LDAPS. It's able to save the security questions and reset passwords fine. The problem I have is that after a few logins, I start getting a "cannot find user" error message with the same account that was successful previously. I have all of our domain controllers listed as LDAPS servers and verified that the connections are successful. Here is part of the log where it happens.

2017-03-08T08:48:21Z, FATAL, servlet.AbstractPwmServlet, 5034 ERROR_INVALID_FORMID (form nonce incorrect)
2017-03-08T08:48:21Z, ERROR, http.PwmResponse, {945} 5034 ERROR_INVALID_FORMID (form nonce incorrect) [10.1.3.27]
2017-03-08T08:48:31Z, WARN , http.PwmHttpResponseWrapper, attempt to write cookie 'SESSION' after response is committed
2017-03-08T08:49:09Z, ERROR, auth.SessionAuthenticator, {943} ldap error during search: 5016 ERROR_CANT_MATCH_USER (ldap error during searchID=13, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: domain.org:636, cause:java.net.ConnectException: Connection refused: connect) [10.1.3.27]
2017-03-08T08:50:48Z, ERROR, auth.SessionAuthenticator, {943} ldap error during search: 5016 ERROR_CANT_MATCH_USER (ldap error during searchID=14, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: domain.org:636, cause:java.net.ConnectException: Connection refused: connect) [10.1.3.27]
2017-03-08T08:50:58Z, ERROR, auth.SessionAuthenticator, {943} ldap error during search: 5016 ERROR_CANT_MATCH_USER (ldap error during searchID=15, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: domain.org:636, cause:java.net.ConnectException: Connection refused: connect) [10.1.3.27]
2017-03-08T08:51:47Z, ERROR, auth.SessionAuthenticator, {944} ldap error during search: 5016 ERROR_CANT_MATCH_USER (ldap error during searchID=16, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: domain.org:636, cause:java.net.ConnectException: Connection refused: connect) [10.40.10.249]
2017-03-08T08:51:58Z, WARN , pwm.PwmApplication, shutting down

If I am already logged in to PWM, I can go into the configuration and test LDAPs, which is successful. If I reboot the server, the service comes back up and is good to go. If any other information is needed to help assist me on this, just let me know and I appreciate any help resolving this!

chj...@ncmcs.net

Mar 9, 2017, 9:59:03 AM
to pwm-general, chj...@ncmcs.net
Just wanted to update this ticket. If I let the server sit for a period of time, it will start working again without a restart. I have adjusted the LDAP idle timeout option to see if that changes anything. I have also enabled LDAP wire trace to see if I can get some more information from the logs.

chj...@ncmcs.net

Mar 9, 2017, 11:38:20 AM
to pwm-general, chj...@ncmcs.net
So I believe I have found a problem, Intruder Detection. Apparently it was hitting the threshold and locking the system out for 30 minutes. I disabled it and I am going to see if that resolves the problem. You can only see this error message if you put the logging to DEBUG mode. I also turned off Enable Form Nonce, which was causing the 5034 error and kicking me out of the system. I plan on tweaking the intruder detection piece and re-enabling it later.


Casey Jones

Mar 10, 2017, 3:47:12 PM
to pwm-general
So after disabling Intruder Detection, I once again was locked out and had to reboot PWM.

2017-03-10T15:27:08Z, DEBUG, event.AuditService, discarding event, INTRUDER_ATTEMPT are being ignored; event={"instance":"7314675ABFA9964","type":"SYSTEM","eventCode":"INTRUDER_ATTEMPT","guid":"b4e8f195-6dfe-41a2-9b38-5f851d51e711","timestamp":"2017-03-10T20:27:08Z","message":"{\"type\":\"ADDRESS\",\"subject\":\"10.1.3.27\"}"}


Is there any other place that I need to disable this from?

chj...@ncmcs.net

Apr 12, 2017, 12:47:41 PM
to pwm-general, chj...@ncmcs.org
So after a lot of trial and error, I found the problem. I had LDAP searching the entire domain, which was causing the issue. I created some user-selectable login contexts and have not had the problem since. Hopefully this will help someone in the future.

Scott Green

Jan 7, 2020, 6:06:54 PM
to pwm-general
Did the selectable login contexts also resolve the 5034 errors?

Thanks,

Scott

chj...@ncmcs.org

Jan 8, 2020, 1:45:26 PM
to pwm-general
Scott,

It's been a long time, but changing LDAP from searching the entire domain to different login contexts for different OUs resolved everything for me. The program has been working fine for the last few years. The problem seemed to be related to the time it was taking to search the entire domain via LDAPS, and when I gave it less to search, by drilling down to just specific user OUs, the 5034 messages went away. There are still a lot of OUs underneath the ones I selected, but a lot less than what it had to do from the root.

Thanks,
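The log excerpts quoted throughout this thread share one line format, and the three things worth pulling out of them are the PWM error codes (5034 versus 5016), the inner cause chain of the 5016 failures (which names the LDAP endpoint that refused the connection, here domain.org:636, and the sessions it hit), and the INTRUDER_ATTEMPT audit events whose payload is JSON nested inside JSON. The triage script below is an added example, not part of this thread or of PWM itself. The sample log is constructed from the excerpts posted above, and the configured-server list is a placeholder standing in for whatever domain controllers are actually listed in the PWM LDAP profile; comparing the refused endpoint against that list is a quick way to notice, before reading every line, that the failing connection was not to one of the configured servers, which fits the poster's finding that narrowing the search base made the errors go away.

```python
import json
import re
from collections import Counter

# Constructed sample input, modelled on the log lines quoted in this thread.
# The host, IPs, session numbers and GUID are the ones the poster quoted.
SAMPLE_LOG = r"""
2017-03-08T08:48:21Z, FATAL, servlet.AbstractPwmServlet, 5034 ERROR_INVALID_FORMID (form nonce incorrect)
2017-03-08T08:48:21Z, ERROR, http.PwmResponse, {945} 5034 ERROR_INVALID_FORMID (form nonce incorrect) [10.1.3.27]
2017-03-08T08:48:31Z, WARN , http.PwmHttpResponseWrapper, attempt to write cookie 'SESSION' after response is committed
2017-03-08T08:49:09Z, ERROR, auth.SessionAuthenticator, {943} ldap error during search: 5016 ERROR_CANT_MATCH_USER (ldap error during searchID=13, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: domain.org:636, cause:java.net.ConnectException: Connection refused: connect) [10.1.3.27]
2017-03-08T08:50:48Z, ERROR, auth.SessionAuthenticator, {943} ldap error during search: 5016 ERROR_CANT_MATCH_USER (ldap error during searchID=14, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: domain.org:636, cause:java.net.ConnectException: Connection refused: connect) [10.1.3.27]
2017-03-08T08:51:47Z, ERROR, auth.SessionAuthenticator, {944} ldap error during search: 5016 ERROR_CANT_MATCH_USER (ldap error during searchID=16, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: domain.org:636, cause:java.net.ConnectException: Connection refused: connect) [10.40.10.249]
2017-03-10T15:27:08Z, DEBUG, event.AuditService, discarding event, INTRUDER_ATTEMPT are being ignored; event={"instance":"7314675ABFA9964","type":"SYSTEM","eventCode":"INTRUDER_ATTEMPT","guid":"b4e8f195-6dfe-41a2-9b38-5f851d51e711","timestamp":"2017-03-10T20:27:08Z","message":"{\"type\":\"ADDRESS\",\"subject\":\"10.1.3.27\"}"}
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

# Placeholder: the LDAP servers configured in the PWM profile (assumed, not from the thread).
CONFIGURED_LDAP_SERVERS = ["dc1.domain.org:636", "dc2.domain.org:636"]

# "timestamp, LEVEL, logger, message [client-ip]"; WARN is padded with a space before its comma.
LINE_RE = re.compile(
    r"^(?P<ts>\S+), (?P<level>[A-Z]+) ?, (?P<logger>[\w.]+), (?P<msg>.*?)(?: \[(?P<ip>[\d.]+)\])?$"
)
CODE_RE = re.compile(r"\b(?P<code>\d{4}) (?P<name>ERROR_[A-Z_]+)")
SESSION_RE = re.compile(r"^\{(?P<session>\d+)\}")
# Walks the "error=X, cause:Y: detail, cause:Z: detail" chain inside a 5016 message.
CAUSE_RE = re.compile(r"(?:error=|cause:)(?P<cls>[\w.]+)(?:: (?P<detail>[^,)]+))?")
EVENT_RE = re.compile(r"event=(?P<json>\{.*\})$")


def parse_line(line):
    """Split one PWM log line into its fields plus the parts triage needs."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    s = SESSION_RE.match(msg)
    rec["session"] = s.group("session") if s else None
    c = CODE_RE.search(msg)
    rec["code"] = c.group("name") if c else None
    # Keep only the short class name of each exception in the cause chain.
    rec["causes"] = [(x.group("cls").rsplit(".", 1)[-1], x.group("detail"))
                     for x in CAUSE_RE.finditer(msg)]
    rec["audit"] = None
    e = EVENT_RE.search(msg)
    if e:
        event = json.loads(e.group("json"))
        event["message"] = json.loads(event["message"])  # inner payload is JSON stored as a string
        rec["audit"] = event
    return rec


def triage(lines):
    """Aggregate parsed lines into the questions a defender asks first."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    codes = Counter(r["code"] for r in recs if r["code"])
    refused = Counter()   # which LDAP endpoint the CommunicationException names
    sessions = set()      # which PWM sessions saw that failure
    for r in recs:
        for cls, detail in r["causes"]:
            if cls == "CommunicationException" and detail:
                refused[detail] += 1
                sessions.add(r["session"])
    intruder = Counter(
        r["audit"]["message"]["subject"]
        for r in recs
        if r["audit"] and r["audit"].get("eventCode") == "INTRUDER_ATTEMPT"
    )
    return {"codes": dict(codes), "refused_endpoints": dict(refused),
            "sessions_affected": sorted(sessions), "intruder_subjects": dict(intruder)}


def unexpected_endpoints(summary, configured):
    """Endpoints PWM failed to reach that are not in the configured server list."""
    return sorted(set(summary["refused_endpoints"]) - set(configured))


if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("refused endpoints not in configured list:",
          unexpected_endpoints(summary, CONFIGURED_LDAP_SERVERS))
```

Run it against a real PWM log (at DEBUG level, as the poster notes, or the INTRUDER_ATTEMPT lines never appear) by replacing SAMPLE_LINES with the file's lines; the cause-chain parser is what turns a wall of identical ERROR_CANT_MATCH_USER lines into a single endpoint name and a session count.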