OpenAM issue OPENAM-4856

HOTP auth module can not be used in auth chain if the username in sharedstate map does not 'match' the search attribute of the data store

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.0.0-EA, 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 12.0.0
    • Fix Version/s: 11.0.3, 12.0.1, 13.0.0
    • Component/s: authentication
    • Environment:
      Oracle java version "1.7.0_67"
      Apache Tomcat 7.0.53
      OpenAM 11.0.0

      Description

      Steps to reproduce

      • configure LDAP data store with 'uid' as 'user search attribute'
      • configure ldap auth module with 'mail' as 'Attributes Used to Search for a User to be Authenticated'
      • configure HOTP auth module
      • configure auth chain with required modules LDAP + HOTP

      'javax.security.auth.login.name' in the shared state map will be set to the email address entered for LDAP auth.
      The HOTP module will retrieve this value and try to fetch the user's attributes from the data store in order to send the Email or SMS.

      The data store will not be able to find the entry, as its search attribute is set to 'uid'.

      Excerpt from access log

      [03/Nov/2014:21:59:47 +0100] SEARCH REQ conn=7 op=277 msgID=278 base="dc=openam,dc=forgerock,dc=org" scope=wholeSubtree filter="(&(uid=demo@localhost)(objectclass=inetorgperson))" attrs="*"
      [03/Nov/2014:21:59:47 +0100] SEARCH RES conn=7 op=277 msgID=278 result=0 nentries=0 etime=1
      

      Excerpt from OpenAM debug log

      ERROR: HOTP.sendSMS() : error searching Identities with username : demo@localhost
      Message:HTOP:sendSMS : More than one user found
      
              at com.sun.identity.authentication.modules.hotp.HOTPService.sendHOTP(HOTPService.java:193)
              at com.sun.identity.authentication.modules.hotp.HOTPService.sendHOTP(HOTPService.java:126)
              at com.sun.identity.authentication.modules.hotp.HOTP.process(HOTP.java:233)
              at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1000)
              at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1170)
      

      The HOTP auth module must offer a way to configure a search attribute, which will be used to retrieve the profile attributes.
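The following is an added illustration, not OpenAM's own code: it models the chain described above with a constructed two-entry directory, shows why the filter from the access log (`uid=demo@localhost`) matches nothing when the LDAP module has stored the typed e-mail address in shared state, and shows how a search attribute configured on the HOTP side resolves the profile. Function and entry names are assumptions for the example.

```python
# Added illustration (not OpenAM code): why the HOTP lookup fails when the
# shared-state username is an e-mail address but the data store searches on
# 'uid', and how a configurable search attribute on the HOTP side fixes it.
from typing import Dict, List

# Constructed sample directory: two inetorgperson entries (hypothetical).
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "uid=demo,ou=people,dc=openam,dc=forgerock,dc=org",
     "uid": "demo", "mail": "demo@localhost", "objectclass": "inetorgperson"},
    {"dn": "uid=jdoe,ou=people,dc=openam,dc=forgerock,dc=org",
     "uid": "jdoe", "mail": "jdoe@localhost", "objectclass": "inetorgperson"},
]

SHARED_STATE_KEY = "javax.security.auth.login.name"


def build_filter(search_attr: str, value: str) -> str:
    """Filter of the shape seen in the access log excerpt."""
    return f"(&({search_attr}={value})(objectclass=inetorgperson))"


def search(search_attr: str, value: str) -> List[Dict[str, str]]:
    """Equality match on one attribute, restricted to inetorgperson entries."""
    return [e for e in DIRECTORY
            if e.get("objectclass") == "inetorgperson"
            and e.get(search_attr) == value]


def ldap_module_login(entered: str, ldap_search_attr: str) -> Dict[str, str]:
    """LDAP module: authenticates on its own search attribute ('mail' in the
    report) and stores the value the user typed, not the resolved uid, in
    shared state, which is exactly what causes the HOTP failure."""
    if not search(ldap_search_attr, entered):
        raise PermissionError("LDAP authentication failed")
    return {SHARED_STATE_KEY: entered}


def hotp_lookup_profile(shared_state: Dict[str, str],
                        hotp_search_attr: str) -> Dict[str, str]:
    """HOTP module: resolve the profile (for the mail/phone attribute) using
    a configurable search attribute; exactly one entry must match, since
    both zero and multiple matches leave no safe target for the OTP."""
    username = shared_state[SHARED_STATE_KEY]
    matches = search(hotp_search_attr, username)
    if len(matches) != 1:
        raise LookupError(
            f"error searching Identities with username : {username} "
            f"({len(matches)} entries for "
            f"{build_filter(hotp_search_attr, username)})")
    return matches[0]
```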

      People

      • Assignee: Bernhard Thalmayr (bthalmayr)
      • Reporter: Bernhard Thalmayr (bthalmayr)