LDAPException resultCode=49 (invalid credentials)

Chris
Hi all,

I have struggled with this for a couple of days. I used Shibboleth IdP with
OpenLDAP as the backend DB for user authentication. After everything was
set up, my SP could send a request for SSO and let me log in through the
Shibboleth login web page; however, after I input my test credentials, I
keep getting the error ```Login Failure: Pool is empty and connection
creation failed```. According to the log, it seems that I have an
invalid credential to connect to my LDAP server. So I tried to use the same
credential to search the LDAP and I can get the information below:
```
ldapsearch -H ldap://localhost:10389 -b "dc=ldap,dc=localhost" -D "cn=admin,dc=ldap,dc=localhost" -w <admin password>

# extended LDIF
#
# LDAPv3
# base <dc=ldap,dc=localhost> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ldap.localhost
dn: dc=ldap,dc=localhost
objectClass: top
objectClass: dcObject
objectClass: organization
o: test
dc: ldap

# admin, ldap.localhost
dn: cn=admin,dc=ldap,dc=localhost
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9dWluemgyR3l1SFBIOXZ5S2lVb3NlLy81c09hRmZGR3g=

# test, ldap.localhost
dn: cn=test,dc=ldap,dc=localhost
objectClass: inetOrgPerson
cn: test
uid: test
userPassword:: MTIz
sn: test

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
```
This is so confusing since I don't think my configuration for ldap.properties
is incorrect. Below is my ldap.properties:
```
# bindSearchAuthenticator: bind as the service account, search for the user, then bind as the user
idp.authn.LDAP.authenticator     = bindSearchAuthenticator
idp.authn.LDAP.ldapURL           = ldap://localhost:10389
idp.authn.LDAP.useStartTLS       = false
idp.authn.LDAP.useSSL            = false
idp.authn.LDAP.returnAttributes  = uid
idp.authn.LDAP.baseDN            = dc=ldap,dc=localhost
idp.authn.LDAP.subtreeSearch     = false
idp.authn.LDAP.userFilter        = (uid={user})
# service account used for the search phase
idp.authn.LDAP.bindDN            = cn=admin,dc=ldap,dc=localhost
idp.authn.LDAP.bindDNCredential  = <admin password>
idp.authn.LDAP.dnFormat          = uid=%s,dc=ldap,dc=localhost
```

Below is the error log:
```
ERROR [org.ldaptive.pool.BlockingConnectionPool:457] -
[org.ldaptive.pool.BlockingConnectionPool@393536240::name=search-pool,
poolConfig=[org.ldaptive.pool.PoolConfig@669828906::minPoolSize=3,
maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=false,
validatePeriodically=true, validatePeriod=PT5M, validateTimeout=PT5S],
activator=null, passivator=null,
validator=[org.ldaptive.pool.SearchValidator@1715213301::searchRequest=[org.ldaptive.SearchRequest@1459134737::baseDn=,
searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*),
parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=PT0S,
sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null,
sortBehavior=UNORDERED, searchEntryHandlers=null,
searchReferenceHandlers=null, controls=null, referralHandler=null,
intermediateResponseHandlers=null]]
pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy@108542064::prunePeriod=PT5M,
idleTime=PT10M], connectOnCreate=true,
connectionFactory=[org.ldaptive.DefaultConnectionFactory@901450092::provider=org.ldaptive.provider.unboundid.UnboundIDProvider@72470c13,
config=[org.ldaptive.ConnectionConfig@1960974869::ldapUrl=ldap://localhost:10389,
connectTimeout=PT3S, responseTimeout=PT3S,
sslConfig=[org.ldaptive.ssl.SslConfig@362723157::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig@40be5fe5,
trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null,
enabledCipherSuites=null, enabledProtocols=null,
handshakeCompletedListeners=null], useSSL=false, useStartTLS=false,
connectionInitializer=[org.ldaptive.BindConnectionInitializer@1998369709::bindDn=cn=admin,dc=ldap,dc=localhost,
bindSaslConfig=null, bindControls=null],
connectionStrategy=org.ldaptive.DefaultConnectionStrategy@7a6964b8]],
initialized=true, availableCount=0, activeCount=0] unable to connect to the
ldap
org.ldaptive.LdapException: LDAPException(resultCode=49 (invalid
credentials), errorMessage='invalid credentials', ldapSDKVersion=4.0.14,
revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb)
```

Any suggestion will be appreciated.

Best

Chris



--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: LDAPException resultCode=49 (invalid credentials)

Cantor, Scott E.
An occasional problem is a lack of escaping of characters in properties, such as colons or other characters Java doesn't allow in property values.

-- Scott



Re: LDAPException resultCode=49 (invalid credentials)

Chris
Hi Scott,

Thanks for your reply. It seems that the idp.authn.LDAP.bindDNCredential
under {idp.home}/credentials/secrets.properties will overwrite the configuration
in ldap.properties. I have commented that out and this problem is gone.

Hope this will help other people.




Re: LDAPException resultCode=49 (invalid credentials)

Cantor, Scott E.
On 2/19/20, 11:26 AM, "users on behalf of Chris" <[hidden email] on behalf of [hidden email]> wrote:

> Thanks for your reply. It seems that the idp.authn.LDAP.bindDNCredential
> under {idp.home}/credentials/secrets.properties will overwrite the configure
> in ldap.properties. I have comment out that and this problem is gone.

There is no such file in V3 unless you created it. If you're talking about V4, that's fine, but upgrading V3 to V4 will NOT do that. There would be no secrets.properties created (or shouldn't be) on an upgrade, that's strictly done for new installs. If there was, that's a bug we need to know about.

-- Scott



Re: LDAPException resultCode=49 (invalid credentials)

Chris
I built the code from source; it seems my build is under v4. That
may explain why I have that file after the installation.

Best,

Chris




Re: LDAPException resultCode=49 (invalid credentials)

Cantor, Scott E.
On 2/19/20, 11:35 AM, "users on behalf of Chris" <[hidden email] on behalf of [hidden email]> wrote:

> I build the code from source code, it seems like my build is under v4. That
> may explain why I have that file after the installation.

But did you start with an existing configuration or did the fresh install contain the property in both places? If the former, did you install it on top of the existing configuration (that's how you have to do it) or did you do something else?

-- Scott



Re: LDAPException resultCode=49 (invalid credentials)

Chris
As far as I know, I think the fresh install includes this file.
All I did was build from the source code and then switch to
idp-distribution/target/shibboleth-identity-provider-4.0.0-SNAPSHOT/bin to
install Shibboleth. After that I have that secrets.properties file in
the credentials folder under the idp.home directory.




Re: LDAPException resultCode=49 (invalid credentials)

Cantor, Scott E.
On 2/19/20, 11:54 AM, "users on behalf of Chris" <[hidden email] on behalf of [hidden email]> wrote:

> As far as I know, I think the fresh install include this file.
> All I do is to build from the source code and then switch to the
> idp-distribution/target/shibboleth-identity-provider-4.0.0-SNAPSHOT/bin to
> install shibboleth. After that I will have that secret.properties file in
> the folder of credentials under the idp.home directory.

Sorry, I mean the other property. You claimed it "overrode" the ldap.properties setting. The V4 version of ldap.properties does NOT have that property in it, at least not that I can see.

-- Scott



Re: LDAPException resultCode=49 (invalid credentials)

Chris
I see. I think ldap.properties does not have the
idp.authn.LDAP.bindDNCredential property; it is only included in
secrets.properties. I just followed a tutorial online and had all my LDAP
configuration in ldap.properties, including
idp.authn.LDAP.bindDNCredential. And it turns out that the password I give
under ldap.properties will not work unless I comment out the code in
secrets.properties.

Hope this helps.

Chris




Re: LDAPException resultCode=49 (invalid credentials)

Cantor, Scott E.
On 2/19/20, 12:05 PM, "users on behalf of Chris" <[hidden email] on behalf of [hidden email]> wrote:

> I just follow some tutorial online and have all my ldap
> configure in the ldap.properties including the
> idp.authn.LDAP.bindDNCredential. And it turns out that the password I give
> under ldap.properties will not work unless I comment out the code in
> secret.properities.

Well, the point of the change is so you can check in ldap.properties into a configuration management system without accidentally checking in a password, so I wouldn't advise not taking advantage of the change.

But you answered my question. I was afraid you were upgrading improperly or more importantly that we had a bug and the latter is what I really care about right now.

This is something that people who upgrade improperly are going to hit, however.
-- Scott


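To make the two failure modes in this thread concrete (a bind password silently overridden by a later-loaded properties file, and backslash escaping in Java .properties values), here is an added Python example; it is not from the thread or from the IdP code base. It assumes that the later-loaded file wins, as Chris observed for credentials/secrets.properties, and the file contents it parses are constructed.

```python
"""Java .properties semantics: trace which IdP file wins a property (added example)."""
import re
_ESC = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def unescape(s):
    """Java escapes \\t \\n \\r \\f; any other '\\x' yields 'x' (\\uXXXX omitted)."""
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), s)

def _split(logical):
    """Key ends at first unescaped '=', ':' or whitespace; '=' and ':' are fine in values."""
    i, esc = 0, False
    while i < len(logical) and (esc or logical[i] not in "=: \t"):
        esc = (not esc) and logical[i] == "\\"
        i += 1
    rest = logical[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    return unescape(logical[:i]), unescape(rest)

def parse_properties(text):
    """One file: '#'/'!' comment lines, trailing-backslash line continuation."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:  # odd trailing backslashes
            logical += line[:-1]
            continue
        key, value = _split(logical + line)
        props[key] = value
        logical = ""
    return props

def resolve(sources):
    """sources: (filename, text) in load order; later wins, as the thread observed."""
    winner = {}
    for name, text in sources:
        for key, value in parse_properties(text).items():
            winner[key] = (value, name)
    return winner

LDAP_PROPERTIES = ("idp.authn.LDAP.bindDN = cn=admin,dc=ldap,dc=localhost\n"  # constructed sample
                   "idp.authn.LDAP.bindDNCredential = correct-horse\n")
SECRETS_PROPERTIES = "idp.authn.LDAP.bindDNCredential = changeit\n"  # constructed placeholder

def bind_credential_source():
    """(value, file) the IdP would actually use for the bind password."""
    return resolve([("conf/ldap.properties", LDAP_PROPERTIES),
                    ("credentials/secrets.properties", SECRETS_PROPERTIES)])["idp.authn.LDAP.bindDNCredential"]
```

Note that a password containing a single backslash is mangled by the parser (`a\b` becomes `ab`), so such a value has to be written as `a\\b` in the file.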

RE: LDAPException resultCode=49 (invalid credentials)

Rod Widdowson
In reply to this post by Chris
In the beta the installer logs to stdio at debug; you should find it instructive to look at that closely.

>             log.debug("No relying-party.xml file detetected.  Inferring a clean install");
....
>             log.debug("Detected a new Install.  Creating secrets.properties.");

If you are running from a snapshot which is more recent than the beta you should edit install-log.xml in the bin directory.




Re: LDAPException resultCode=49 (invalid credentials)

Peter Schober
In reply to this post by Chris
* Chris <[hidden email]> [2020-02-19 17:35]:
> I build the code from source code

* Chris <[hidden email]> [2020-02-19 18:06]:
> I just follow some tutorial online

Those are 2 red flags right there.

Glad you still got it to work, and the above doesn't mean one can't get
a working install. Those are just things that signal "arbitrary
software or configuration differences may exist, possibly unadvised"
to me.

-peter

Re: LDAPException resultCode=49 (invalid credentials)

Chris
TBH, it is hard to find a good official tutorial to set up the whole infrastructure for Shibboleth. This is why online tutorials are the only way to help me learn the whole workflow, but some tutorials are outdated, which may cause some issues.

Best,

Chris



--
Best Regards,
Chris


Re: LDAPException resultCode=49 (invalid credentials)

Chris
In reply to this post by Peter Schober
TBH, it is hard to find an official tutorial to learn the whole workflow and
set up the infrastructure. This explains why online tutorials are the only way
to help me understand those, even though some of the tutorials are outdated.

Best,

Chris


