Hello,

So, the customer has the following setup: 1 eDirectory with a replica,
idv1 and idv2. They also have IDM. They also have an Active Directory. I
have configured their AM to use Kerberos. This works fine, when you are
logged into the domain, of course. When logging in from outside, it
instead uses the PasswordFetch class, to retrieve the user's password and
feed that to whatever application they are logging in to. This has
worked without problems for months. This Tuesday however, they are
experiencing problems for users attempting to log in from the outside of
the domain.

The problem only occurs sometimes. Meaning a user can log in, log out,
attempt to log in, and then get this error: Error while retrieving the
password. It also happens when people attempt to log in the first time
of the day. It fails 1/3 of the time.

This is a successful login:


Code:
--------------------

92399F934FA40656F7076A: Executing contract KerberosContract. </amLogEntry>

<amLogEntry> 2014-09-18T14:00:36Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2014-09-18T14:00:36Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2014-09-18T14:00:36Z VERBOSE NIDS Application: Executing authentication method KerberosMethod </amLogEntry>

<amLogEntry> 2014-09-18T14:00:36Z VERBOSE NIDS Application: Performing LDAP search (&(sAMAccountName=sorbn)(objectClass=User)) in context com.novell.nam.common.ldap.jndi.JNDIUserStoreSearchContext@b1b073b </amLogEntry>

<amLogEntry> 2014-09-18T14:00:36Z VERBOSE NIDS Application: LDAP search objects found: 1 </amLogEntry>

<amLogEntry> 2014-09-18T14:00:36Z INFO NIDS Application: AM#500105014: AMDEVICEID#047CC991A3C20DE3: AMAUTHID#3F012203FB92399F934FA40656F7076A: Attempting to authenticate user CN=sorbn,OU=IT_Drift_og_Support,OU=Center_for_Borgerservice_og_Digitalisering,OU=Brugere,OU=LTKAdmin,OU=Lyngby,dc=ltk,dc=dk with provided credentials. </amLogEntry>

<amLogEntry> 2014-09-18T14:00:36Z VERBOSE NIDS Application: Authentication method KerberosMethod succeeded </amLogEntry>

<amLogEntry> 2014-09-18T14:00:36Z VERBOSE NIDS Application: Performing LDAP search (&(cn=sorbn)(objectClass=User)) in context com.novell.nam.common.ldap.jndi.JNDIUserStoreSearchContext@12aba1af </amLogEntry>

<amLogEntry> 2014-09-18T14:00:37Z VERBOSE NIDS Application: LDAP search objects found: 1 </amLogEntry>

<amLogEntry> 2014-09-18T14:00:37Z VERBOSE NIDS Application: Authentication method PasswordFetchMethod succeeded </amLogEntry>

--------------------


As you can see, it attempts Kerberos first, which it is unable to
do (although it says success). It then tries the PasswordFetch method,
finds the user in idv1 and the user is logged in.

This is a failed attempt:


Code:
--------------------

<amLogEntry> 2014-09-18T14:35:10Z INFO NIDS Application: AM#500105009: AMDEVICEID#047CC991A3C20DE3: AMAUTHID#0E3A28ED0D1B8933678A7C3EBCE70877: Executing contract KerberosContract. </amLogEntry>

<amLogEntry> 2014-09-18T14:35:10Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2014-09-18T14:35:10Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2014-09-18T14:35:10Z VERBOSE NIDS Application: Executing authentication method KerberosMethod </amLogEntry>

<amLogEntry> 2014-09-18T14:35:10Z VERBOSE NIDS Application: Performing LDAP search (&(sAMAccountName=sorbn)(objectClass=User)) in context com.novell.nam.common.ldap.jndi.JNDIUserStoreSearchContext@b1b073b </amLogEntry>

<amLogEntry> 2014-09-18T14:35:10Z VERBOSE NIDS Application: LDAP search objects found: 1 </amLogEntry>

<amLogEntry> 2014-09-18T14:35:10Z INFO NIDS Application: AM#500105014: AMDEVICEID#047CC991A3C20DE3: AMAUTHID#0E3A28ED0D1B8933678A7C3EBCE70877: Attempting to authenticate user CN=sorbn,OU=IT_Drift_og_Support,OU=Center_for_Borgerservice_og_Digitalisering,OU=Brugere,OU=LTKAdmin,OU=Lyngby,dc=ltk,dc=dk with provided credentials. </amLogEntry>

<amLogEntry> 2014-09-18T14:35:10Z VERBOSE NIDS Application: Authentication method KerberosMethod succeeded </amLogEntry>

<amLogEntry> 2014-09-18T14:35:10Z VERBOSE NIDS Application: Executing authentication method PasswordFetchMethod </amLogEntry>

<amLogEntry> 2014-09-18T14:35:10Z VERBOSE NIDS Application: Performing LDAP search (&(cn=sorbn)(objectClass=User)) in context com.novell.nam.common.ldap.jndi.JNDIUserStoreSearchContext@12aba1af </amLogEntry>

<amLogEntry> 2014-09-18T14:35:10Z VERBOSE NIDS Application: LDAP search objects found: 0 </amLogEntry>

<amLogEntry> 2014-09-18T14:35:10Z VERBOSE NIDS Application: Authentication method PasswordFetchMethod failed while executing the class com.novell.nidp.authentication.local.PasswordFetchClass@c1943af </amLogEntry>

<amLogEntry> 2014-09-18T14:35:11Z VERBOSE NIDS Application: Session has consumed authentications: true </amLogEntry>

<amLogEntry> 2014-09-18T14:35:11Z VERBOSE NIDS Application: Session consumed authentications is 1 and is considered authenticated: true </amLogEntry>

<amLogEntry> 2014-09-18T14:35:41Z VERBOSE NIDS Application: Session has consumed authentications: true </amLogEntry>

<amLogEntry> 2014-09-18T14:35:41Z VERBOSE NIDS Application: Session consumed authentications is 1 and is considered authenticated: true </amLogEntry>

--------------------


As you can see, it does not find the user in the LDAP search for the
PasswordFetch attempt. It does exactly the same query. I have done
multiple ldapsearch queries from the IDS to see if I can get it to
return 0 results, but to no avail. The IDS uses SSL to do the LDAP
query. Again, this only happens sometimes. It is not a load problem,
since I am testing now, when everyone has gone home.

The PasswordFetch class is configured to only retrieve the password from
idv1.

Any idea what might be going on? This also just started happening from
one day to the other. No changes to AM or IDM or their other components.

Thanks in advance,

Jacob.


--
jacmarpet
------------------------------------------------------------------------
jacmarpet's Profile: https://forums.netiq.com/member.php?userid=415
View this thread: https://forums.netiq.com/showthread.php?t=51779
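As an added triage aid (not part of the original post), a small Python parser for amLogEntry lines like the ones above that flags sessions where PasswordFetchMethod failed with an LDAP search returning 0 objects even though the Kerberos lookup found the user. It assumes logins are sequential (as when testing alone), because the VERBOSE lines carry no AMAUTHID, and the sample entries are constructed from the post's two sessions.

```python
import re

# Constructed sample modelled on the post's two sessions; the last entry is
# wrapped the way the forum paste wraps long lines.
SAMPLE_LOG = """\
<amLogEntry> 2014-09-18T14:00:36Z INFO NIDS Application: AM#500105009: AMDEVICEID#047CC991A3C20DE3: AMAUTHID#3F012203FB92399F934FA40656F7076A: Executing contract KerberosContract. </amLogEntry>
<amLogEntry> 2014-09-18T14:00:36Z VERBOSE NIDS Application: LDAP search objects found: 1 </amLogEntry>
<amLogEntry> 2014-09-18T14:00:36Z VERBOSE NIDS Application: Authentication method KerberosMethod succeeded </amLogEntry>
<amLogEntry> 2014-09-18T14:00:37Z VERBOSE NIDS Application: LDAP search objects found: 1 </amLogEntry>
<amLogEntry> 2014-09-18T14:00:37Z VERBOSE NIDS Application: Authentication method PasswordFetchMethod succeeded </amLogEntry>
<amLogEntry> 2014-09-18T14:35:10Z INFO NIDS Application: AM#500105009: AMDEVICEID#047CC991A3C20DE3: AMAUTHID#0E3A28ED0D1B8933678A7C3EBCE70877: Executing contract KerberosContract. </amLogEntry>
<amLogEntry> 2014-09-18T14:35:10Z VERBOSE NIDS Application: LDAP search objects found: 1 </amLogEntry>
<amLogEntry> 2014-09-18T14:35:10Z VERBOSE NIDS Application: Authentication method KerberosMethod succeeded </amLogEntry>
<amLogEntry> 2014-09-18T14:35:10Z VERBOSE NIDS Application: LDAP search objects found: 0 </amLogEntry>
<amLogEntry> 2014-09-18T14:35:10Z VERBOSE NIDS Application: Authentication method PasswordFetchMethod failed while exec
uting the class com.novell.nidp.authentication.local.PasswordFetchClass@c1943af </amLogEntry
>
"""

ENTRY_RE = re.compile(r"<amLogEntry>\s+(?P<ts>\S+)\s+\w+\s+NIDS Application:\s+"
                      r"(?:AM#\d+:\s+AMDEVICEID#\w+:\s+AMAUTHID#(?P<auth>\w+):\s+)?"
                      r"(?P<msg>.*?)\s*</amLogEntry>")
FOUND_RE = re.compile(r"LDAP search objects found: (\d+)")
METHOD_RE = re.compile(r"Authentication method (\w+) (succeeded|failed)")

def parse_entries(text):
    """Yield (timestamp, AMAUTHID or None, message), rejoining lines broken mid-entry."""
    joined = re.sub(r"\n(?!<amLogEntry>)", "", text)   # newline not followed by a new entry
    for m in ENTRY_RE.finditer(joined):
        yield m.group("ts"), m.group("auth"), m.group("msg")

def find_fetch_failures(text):
    """Sessions where PasswordFetchMethod failed after its LDAP search found 0 objects."""
    sessions, current, last_found = {}, None, None
    for ts, auth, msg in parse_entries(text):
        if auth:                       # INFO line: (re)enter this session (assumed sequential)
            current = auth
            sessions.setdefault(auth, {"ts": ts, "found": {}, "outcome": {}})
        found, done = FOUND_RE.search(msg), METHOD_RE.search(msg)
        if found:                      # remember the count for the method that closes next
            last_found = int(found.group(1))
        elif done and current:         # bind that count to the method's outcome
            method, outcome = done.groups()
            sessions[current]["found"][method] = last_found
            sessions[current]["outcome"][method] = outcome
            last_found = None
    return [{"auth_id": a, "ts": s["ts"], "kerberos_found": s["found"].get("KerberosMethod")}
            for a, s in sessions.items()
            if s["outcome"].get("PasswordFetchMethod") == "failed"
            and s["found"].get("PasswordFetchMethod") == 0]
```

Feeding it the full catalina.out lets you count how often the cn search returns 0 against idv1 per session, which narrows the problem to the PasswordFetch user store rather than the Kerberos method.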