  1. OpenAM
  2. OPENAM-15216

LDAP Decision Node does not continue through "Fail" flow when Node Fails with exception


    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 6.5.1
    • Fix Version/s: 6.0.1, 5.5.2, 7.0.0, 6.5.3
    • Component/s: None
    • Sprint:
      AM Sustaining Sprint 65, AM Sustaining Sprint 66
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description


      Bug description

      If authenticating via LDAP Decision node fails with an NPE, this will also fail to continue executing the full tree via the failed route.

      How to reproduce the issue

      Detailed steps outlining how to recreate the issue

      1. Vanilla AM install
      2. Create a new tree called testtree
      3. Within the tree I have the following:
        Start > Username > Password > LDAP Decision > True / False > Success / Fail > If FAIL > Choice Collector with a single choice > Fail
        3.1. The LDAP Decision node has the following:
        Attributes Used to Search for a User to be Authenticated = uid cn
      4. I created two new users as follows:
        Login > Top Level Realm > Identities > Add Identity >
        User ID = testone
        Password = password
      5. Create another user
        Login > Top Level Realm > Identities > Add Identity >
        User ID = testtwo
        Password = password
        > Create > Full Name = testone
      6. Then attempt to log in using the new testtree
        http://openam.example.com:8080/openam/XUI/?service=testtree
        You should see that authentication fails but does not prompt for a choice (using the Choice Collector node).

      Authentication logs have the following exception, which should be caught and continue the flow via the failed route.

      ERROR: searchForUser : Multiple matches found for user 'eliottest'. Please modify search start DN/filter/scope to make sure unique match returned. Contact your administrator to fix the problem

      amAuth:07/11/2019 04:15:27:174 PM BST: Thread[http-nio-8080-exec-1,5,main]: TransactionId[93d625d7-6af4-48dd-aea8-7b953aa677f2-19813]

      ERROR: Node processing failed
       at org.forgerock.openam.auth.nodes.LdapDecisionNode.authenticateUser(LdapDecisionNode.java:333)
       at org.forgerock.openam.auth.nodes.LdapDecisionNode.process(LdapDecisionNode.java:282)
       at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:105)
       at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:149)
       at org.forgerock.openam.core.rest.authn.trees.AuthTrees.processTree(AuthTrees.java:421)
       at org.forgerock.openam.core.rest.authn.trees.AuthTrees.evaluateTreeAndProcessResult(AuthTrees.java:261)
       at org.forgerock.openam.core.rest.authn.trees.AuthTrees.invokeTree(AuthTrees.java:253)
       at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:222)
       at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:164)
       at sun.reflect.GeneratedMethodAccessor97.invoke(Unknown Source)

      Expected behaviour

      Flow should fall through the fail route of the LDAP decision node

      Current behaviour

      Flow fails completely after LDAP decision node

      Work around

      Use authentication chains, LDAP module will fail and continue through chain to the next module


              • Assignee:
                lawrence.yarham Lawrence Yarham
                eliot.kerslake Eliot Kerslake
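The failure mode described in this issue, as an added example that is not part of the original report and is not OpenAM code or the actual fix: a simplified Java model of a decision node whose user lookup throws on an ambiguous match, shown with and without the exception being mapped to the "false" outcome. All class and method names are hypothetical, and the directory entries are constructed from the reproduction steps.

```java
import java.util.*;

// Added illustration: a simplified model of a decision node in a tree.
// All names are hypothetical and do not correspond to OpenAM's API.
public class DecisionNodeDemo {
    // Constructed data: "testone" is the uid of one entry and the cn of another.
    static final List<Map<String, String>> DIRECTORY = List.of(
        Map.of("uid", "testone", "cn", "first user", "password", "password"),
        Map.of("uid", "testtwo", "cn", "testone", "password", "password"));

    // Search on uid and cn, as configured in the report; more than one hit is an error.
    static Map<String, String> searchForUser(String name) {
        List<Map<String, String>> hits = new ArrayList<>();
        for (Map<String, String> e : DIRECTORY)
            if (name.equals(e.get("uid")) || name.equals(e.get("cn"))) hits.add(e);
        if (hits.size() > 1)
            throw new IllegalStateException("Multiple matches found for user '" + name + "'");
        return hits.isEmpty() ? null : hits.get(0);
    }

    // Reported behaviour: the lookup error escapes and the whole tree aborts.
    static String decideUnguarded(String name, String password) {
        Map<String, String> user = searchForUser(name);
        return user != null && user.get("password").equals(password) ? "true" : "false";
    }

    // Expected behaviour: the lookup error is logged and becomes the "false" outcome,
    // so an ambiguous match never authenticates and the failure route still runs.
    static String decideGuarded(String name, String password) {
        try {
            return decideUnguarded(name, password);
        } catch (IllegalStateException e) {
            System.err.println("ERROR: " + e.getMessage());
            return "false";
        }
    }

    // Minimal executor: "false" leads to the Choice Collector, then Fail.
    static String runTree(boolean guarded, String name, String password) {
        String outcome = guarded ? decideGuarded(name, password) : decideUnguarded(name, password);
        return outcome.equals("true") ? "Success" : "Choice Collector > Fail";
    }

    public static void main(String[] args) {
        System.out.println(runTree(true, "testtwo", "password"));   // unique match
        System.out.println(runTree(true, "testone", "password"));   // ambiguous match
        try { runTree(false, "testone", "password"); }              // unguarded node
        catch (IllegalStateException e) { System.out.println("tree aborted: " + e.getMessage()); }
    }
}
```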