[OPENAM-15216] LDAP Decision Node does not continue through "Fail" flow when Node Fails with exception - ForgeRock JIRA

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 6.5.1
Fix Version/s: 6.0.1, 6.5.3, 7.0.0, 5.5.2
Component/s: None
Labels:
- EDISON

Target Version/s:

6.5.3, 7.0.0

Sprint:
AM Sustaining Sprint 65, AM Sustaining Sprint 66
Story Points:
3
Needs backport:

No

Support Ticket IDs:

Needs QA verification:

No
Functional tests:

No
Are the reproduction steps defined?:

Yes and I used the same an in the description

Description

Bug description

If authenticating via LDAP Decision node fails with a NPE, this will also fail to continue executing the full tree via the failed route

How to reproduce the issue

Details steps outlining how to recreate the issue

Vanilla AM install
Create a new tree called testtree
Within the tree I have the following :
Start > Username > Password > LDAP Decision > True / False > Success / Fail > If FAIL > Choice Collector with a single choice > Fail
3.1. the Ldap Decision node has the following :
Attributes Used to Search for a User to be Authenticated = uid cn
I created two new users as follows :
Login > Top Level Realm > Identities > Add Identity >
User ID = testone
Password = password
Create
Create another user
Login > Top Level Realm > Identities > Add Identity >
User ID = testtwo
Password = password
> Create > Full Name = testone
Then attempt to login using the new testtree
http://openam.example.com:8080/openam/XUI/?service=testtree You should see that authentication fails but does not prompt for a choice. (using the choice collector node)

Authentication Logs have the following exception, which should be caught an continue the flow via the failed route.

ERROR: searchForUser : Multiple matches found for user 'eliottest'. Please modify search start DN/filter/scope to make sure unique match returned. Contact your administrator to fix the problem

amAuth:07/11/2019 04:15:27:174 PM BST: Thread[http-nio-8080-exec-1,5,main]: TransactionId[93d625d7-6af4-48dd-aea8-7b953aa677f2-19813]

ERROR: Node processing failed

java.lang.NullPointerException

at org.forgerock.openam.auth.nodes.LdapDecisionNode.authenticateUser(LdapDecisionNode.java:333)

at org.forgerock.openam.auth.nodes.LdapDecisionNode.process(LdapDecisionNode.java:282)

at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:105)

at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:149)

at org.forgerock.openam.core.rest.authn.trees.AuthTrees.processTree(AuthTrees.java:421)

at org.forgerock.openam.core.rest.authn.trees.AuthTrees.evaluateTreeAndProcessResult(AuthTrees.java:261)

at org.forgerock.openam.core.rest.authn.trees.AuthTrees.invokeTree(AuthTrees.java:253)

at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:222)

at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:164)

at sun.reflect.GeneratedMethodAccessor97.invoke(Unknown Source)

Expected behaviour

Flow should fall through the fail route of the LDAP decision node

Current behaviour

Flow fails completely after ldap decision node

Work around

Use authentication chains, LDAP module will fail and continue through chain to the next module

Attachments

Issue Links

relates to

OPENAM-15160 LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind

Resolved

Activity

People

Assignee:

Lawrence Yarham

Reporter:

Eliot Kerslake

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

Dates

Created:

16/Jul/19 9:02 AM

Updated:

12/Aug/19 5:18 PM

Resolved:

12/Aug/19 5:18 PM