- Home
- Q&A
- Journey Platform
- How to Diagnose LDAP Authentication Failures
Hi
I'm getting a Bad Credentials Error when authenticating to an ldap (Active Directory) server from an ldap authenticator in Journey Manager. I can write custom groovy code that runs from the Journey Manager console to authenticate (bind) successfully but the same parameters don't work from the authenticator. How can I enable debugging/logging for this module in standalone.xml?
This has worked on previous TM versions.
Matt
I'm getting a Bad Credentials Error when authenticating to an ldap (Active Directory) server from an ldap authenticator in Journey Manager. I can write custom groovy code that runs from the Journey Manager console to authenticate (bind) successfully but the same parameters don't work from the authenticator. How can I enable debugging/logging for this module in standalone.xml?
This has worked on previous TM versions.
Matt
Accepted Answer
0
Undo
Votes
It turns out that this was due to the lookup user not being found for the given ldapSearchBase. Unfortunately TM gives you the same error 'Bad Credentials' for both an incorrect service account username/password combo and also for a user not being found against a search Base, this took some time to get to the bottom of as I thought that the service account was failing for some reason.
Can I suggest as a future update that Manager be more explicit in the error messages about what is failing and why, specifically to distinguish between the service account bind failing vs the user not being located due to an invalid search base.
Matt
Can I suggest as a future update that Manager be more explicit in the error messages about what is failing and why, specifically to distinguish between the service account bind failing vs the user not being located due to an invalid search base.
Matt
- Chris Eagar
- 6 months ago
- #33
Thanks Matthew, we'll raise that with the Dev team. Really appreciate the update and feedback, thanks.
There are no comments made for this post yet
0
Undo
Votes
Hi Matt,
What's the current Journey Manager version and what's the JM version where LDAP used to work?
Have you checked error logs?
Have you selected "Enable Logging" on Security Manager tab?
Have you checked all Parameters in your Authentication Provider are correct?
Have you tried to bind to your LDAP using a command line client to ensure your configuration is correct?
Regards,
What's the current Journey Manager version and what's the JM version where LDAP used to work?
Have you checked error logs?
Have you selected "Enable Logging" on Security Manager tab?
Have you checked all Parameters in your Authentication Provider are correct?
Have you tried to bind to your LDAP using a command line client to ensure your configuration is correct?
Regards,
0
Undo
Votes
Hi Sergey
Journey Manager is 21.5.1 in our dev env. Prod and Test with working LDAP are 5.1.10. I've managed to turn on debug logging and get this:
2021-10-21T15:04:40.748AEDT DEBUG [com.avoka.fc.core.security.LdapUserDetailsAuthenticationProvider] (default task-1) Authentication for *********** failed:javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580
The DN and password are definitely correct as I've tested them in multiple other applications.
Matt
Journey Manager is 21.5.1 in our dev env. Prod and Test with working LDAP are 5.1.10. I've managed to turn on debug logging and get this:
2021-10-21T15:04:40.748AEDT DEBUG [com.avoka.fc.core.security.LdapUserDetailsAuthenticationProvider] (default task-1) Authentication for *********** failed:javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580
The DN and password are definitely correct as I've tested them in multiple other applications.
Matt
0
Undo
Votes
I can successfully bind to the ldap server using the same credentials using code inside the groovy console. The windows account that the groovy code runs as is the 'computer account', e.g. myhost$
Is it possible that the code in the ldap authenticator is running under the 'system' account (because JM is installed as a service and runs as system) and that this account is not allowed to bind to AD regardless of the credentials supplied.
If someone from Temenos could confirm that groovy code executes as a different account than JM java code that would be helpful in troubleshooting this.
Matt
Is it possible that the code in the ldap authenticator is running under the 'system' account (because JM is installed as a service and runs as system) and that this account is not allowed to bind to AD regardless of the credentials supplied.
If someone from Temenos could confirm that groovy code executes as a different account than JM java code that would be helpful in troubleshooting this.
Matt
Accepted Answer
0
Undo
Votes
It turns out that this was due to the lookup user not being found for the given ldapSearchBase. Unfortunately TM gives you the same error 'Bad Credentials' for both an incorrect service account username/password combo and also for a user not being found against a search Base, this took some time to get to the bottom of as I thought that the service account was failing for some reason.
Can I suggest as a future update that Manager be more explicit in the error messages about what is failing and why, specifically to distinguish between the service account bind failing vs the user not being located due to an invalid search base.
Matt
Can I suggest as a future update that Manager be more explicit in the error messages about what is failing and why, specifically to distinguish between the service account bind failing vs the user not being located due to an invalid search base.
Matt
- Chris Eagar
- 6 months ago
- #33
Thanks Matthew, we'll raise that with the Dev team. Really appreciate the update and feedback, thanks.
There are no comments made for this post yet
Matthew White
selected the reply #14275 as the answer for this post — 6 months ago
- Page :
- 1
There are no replies made for this post yet.
Be one of the first to reply to this post!
Be one of the first to reply to this post!
Q&A Forum - Tips
The purpose of the Temenos Journey Manager platform (TJM) Q&A forum is for all clients and partners to seek help...
Not a member?
Register to ask a question and access to more content.
