Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-13316

LDAP Decision Node does not return Inactive Account result correctly in eDirectory



    • AM Sustaining Sprint 53
    • 5
    • Yes
    • Yes
    • No
    • Yes but I used my own steps. (If so, please add them in a new comment)


      Bug description

      When using NDS eDirectory and if the bind authentication on a Disable/Expired Account is done, the LDAP auth tree return fails as "Fail" and not with the "Expired" result. In fact the error trace show "Server Error" (Ldap error 53 : Unwilling to Perform)

      amAuth:07/05/2018 03:26:10:587 PM MDT: Thread[http-nio-8080-exec-5,5,main]: TransactionId[b448cd5c-27c4-4556-b12c-0870b66e4106-20396]
      ERROR: Retying user authentication due to err(Unwilling to Perform) 'Unwilling to Perform: NDS error: log account expired (-220)'
      amAuth:07/05/2018 03:26:19:553 PM MDT: Thread[http-nio-8080-exec-5,5,main]: TransactionId[b448cd5c-27c4-4556-b12c-0870b66e4106-20396]
      ERROR: Connection failed.
      org.forgerock.openam.ldap.LDAPUtilException: Connection failed.
          at org.forgerock.openam.ldap.LDAPAuthUtils.authenticate(LDAPAuthUtils.java:909)
          at org.forgerock.openam.ldap.LDAPAuthUtils.authenticateUser(LDAPAuthUtils.java:367)
          at org.forgerock.openam.auth.nodes.LdapDecisionNode.process(LdapDecisionNode.java:279)
          at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:105)
          at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:143)
          at org.forgerock.openam.core.rest.authn.trees.AuthTrees.processTree(AuthTrees.java:377)
          at org.forgerock.openam.core.rest.authn.trees.AuthTrees.invokeTree(AuthTrees.java:234)
          at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:203)
      Caused by: org.forgerock.openam.auth.node.api.NodeProcessException: LDAP server error.
       at org.forgerock.openam.auth.nodes.LdapDecisionNode.process(LdapDecisionNode.java:303)
       at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:105)
       at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:143)


      How to reproduce the issue

      1. Use eDirectory and have an admin locked out Account or expired login account
      2. Access using LDAP decision node.
      Expected behaviour
      Expect say the flow goes to the "Locked" decision flow
      Current behaviour
      The flow goes to the "Failed" flow

      Work around



      301            } else if (e.getResultCode().equals(ResultCode.UNWILLING_TO_PERFORM)) {
      302                logger.warn("Server error");
      303                throw new NodeProcessException(bundle.getString("ServerError"));
      304            } else {

      In the LDAP.java custom code, the state transition

                  } else if (ex.getResultCode().equals(ResultCode.UNWILLING_TO_PERFORM)) {
      428                if (debug.messageEnabled()) {
      429                    debug.message("Unwilling to perform. Account inactivated.");
      430                }
      432                currentState = LoginScreen.USER_INACTIVE.intValue();
      433                return currentState;


      A) Checking on the types of bind error for 49 and 53 for other LDAP implementation

      1) ADS: https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors
      (although AD may also provide details like https://dotcms.com/docs/latest/active-directory-error-codes#701). So it seems we should not have issues with AD.

      2) Edirectory (NDS): https://ldapwiki.com/wiki/Common%20Edirectory%20Bind%20Errors
      It would seems for Bind Error NDS may return (53) with

      53	FFFFFF24	-220	ERROR_ACCOUNT_DISABLED	Administratively Disabled
      53	FFFFFF24	-220	ERROR_ACCOUNT_DISABLED	Account Restriction: LoginExpirationTime has been exceeded

      But it seems the LDAP Decision Node does not work with NDS to expect these errors. From the above it would seems we should be fine with AD (tested to be fine) and also OpenDJ (variant).




            chee-weng.chea C-Weng C
            chee-weng.chea C-Weng C
            0 Vote for this issue
            6 Start watching this issue