OpenAM / OPENAM-4856

HOTP auth module cannot be used in an auth chain if the username in the shared state map does not 'match' the search attribute of the data store


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.0.0-EA, 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 12.0.0
    • Fix Version/s: 11.0.3, 12.0.1, 13.0.0
    • Component/s: authentication
    • Labels:
    • Environment:
      Oracle java version "1.7.0_67"
      Apache Tomcat 7.0.53
      OpenAM 11.0.0
    • Support Ticket IDs:


      Steps to reproduce

      • configure LDAP data store with 'uid' as 'user search attribute'
      • configure ldap auth module with 'mail' as 'Attributes Used to Search for a User to be Authenticated'
      • configure HOTP auth module
      • configure auth chain with required modules LDAP + HOTP

      'javax.security.auth.login.name' in the shared state map will be set to the email address entered for LDAP auth.
      The HOTP module retrieves this value and tries to look up the user's attributes in the data store in order to send the Email or SMS.

      The data store will not be able to find the entry, as its search attribute is set to 'uid'.

      Excerpt from access log

      [03/Nov/2014:21:59:47 +0100] SEARCH REQ conn=7 op=277 msgID=278 base="dc=openam,dc=forgerock,dc=org" scope=wholeSubtree filter="(&(uid=demo@localhost)(objectclass=inetorgperson))" attrs="*"
      [03/Nov/2014:21:59:47 +0100] SEARCH RES conn=7 op=277 msgID=278 result=0 nentries=0 etime=1

      excerpt from OpenAM debug log

      ERROR: HOTP.sendSMS() : error searching Identities with username : demo@localhost
      Message:HTOP:sendSMS : More than one user found
              at com.sun.identity.authentication.modules.hotp.HOTPService.sendHOTP(HOTPService.java:193)
              at com.sun.identity.authentication.modules.hotp.HOTPService.sendHOTP(HOTPService.java:126)
              at com.sun.identity.authentication.modules.hotp.HOTP.process(HOTP.java:233)
              at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1000)
              at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1170)

      The HOTP auth module must offer a way to configure the search attribute that is used to retrieve the profile attributes.
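      To make the mismatch concrete, here is an added Python simulation (not OpenAM's code) of the two lookups: the LDAP module locates the user by 'mail' and places the entered value in the shared state, and the HOTP module then searches the data store by 'uid', building the same filter shape that appears in the access log above. The directory entries are constructed sample data, and the hypothetical `hotp_lookup` helper takes the search attribute as a parameter to show the configurable attribute requested above.

```python
# Added example, not OpenAM code: simulates the shared-state attribute mismatch
# from OPENAM-4856 and a configurable HOTP search attribute as the fix.

# Constructed sample directory entries (not real data).
DIRECTORY = [
    {"dn": "uid=demo,ou=people,dc=openam,dc=forgerock,dc=org",
     "uid": "demo", "mail": "demo@localhost",
     "telephoneNumber": "+10000000000", "objectclass": "inetorgperson"},
    {"dn": "uid=alice,ou=people,dc=openam,dc=forgerock,dc=org",
     "uid": "alice", "mail": "alice@localhost",
     "telephoneNumber": "+10000000001", "objectclass": "inetorgperson"},
]

SHARED_STATE_KEY = "javax.security.auth.login.name"


def escape_filter_value(value):
    """RFC 4515 escaping: the shared-state username is user-entered text and is
    interpolated into a search filter, so it must never reach the filter raw."""
    value = value.replace("\\", "\\5c")
    return (value.replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def build_filter(attr, value):
    """Render the LDAP filter the data store sends (shape seen in the access log)."""
    return f"(&({attr}={escape_filter_value(value)})(objectclass=inetorgperson))"


def search(attr, value):
    """Toy data-store search: entries whose `attr` equals `value`."""
    return [e for e in DIRECTORY if e.get(attr) == value]


def ldap_module_login(entered_name, search_attr):
    """LDAP auth module: find the user via its own configured search attribute,
    then store the *entered* name in the shared state, as the report describes.
    Password verification is out of scope and assumed to succeed."""
    if len(search(search_attr, entered_name)) != 1:
        return None
    return {SHARED_STATE_KEY: entered_name}


def hotp_lookup(shared_state, search_attr):
    """HOTP module: resolve the shared-state username to a profile so the mail /
    telephoneNumber attributes can be read. Returns (filter, matching entries).
    `search_attr` is the configurable attribute the report asks for."""
    username = shared_state[SHARED_STATE_KEY]
    return build_filter(search_attr, username), search(search_attr, username)


def reproduce(entered_name="demo@localhost"):
    """Run the chain twice: HOTP using the data store's 'uid' (the bug) and HOTP
    using a configured 'mail' attribute (the fix). Returns hit counts per case."""
    shared_state = ldap_module_login(entered_name, search_attr="mail")
    if shared_state is None:
        return None
    _, broken_hits = hotp_lookup(shared_state, search_attr="uid")
    _, fixed_hits = hotp_lookup(shared_state, search_attr="mail")
    return {"uid": len(broken_hits), "mail": len(fixed_hits)}


if __name__ == "__main__":
    state = ldap_module_login("demo@localhost", "mail")
    flt, hits = hotp_lookup(state, "uid")
    print(f"HOTP filter with data-store attribute: {flt} -> {len(hits)} entries")
    flt, hits = hotp_lookup(state, "mail")
    print(f"HOTP filter with configured attribute: {flt} -> {len(hits)} entries")
```

      The lookup returns the hit count, so a zero-hit search (what the access log shows) stays distinguishable from a genuinely ambiguous one, and the filter value is escaped before interpolation because the shared-state username originates from the login form.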


              • Assignee:
                bthalmayr Bernhard Thalmayr