[OPENAM-4856] HOTP auth module can not be used in auth chain if the username in sharedstate map does not 'match' the search attribute of the data store Created: 03/Nov/14  Updated: 26/Oct/17  Resolved: 22/Dec/14

Status: Resolved
Project: OpenAM
Component/s: authentication
Affects Version/s: 10.0.0-EA, 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 12.0.0
Fix Version/s: 11.0.3, 12.0.1, 13.0.0

Type: Bug Priority: Major
Reporter: Bernhard Thalmayr Assignee: Bernhard Thalmayr
Resolution: Fixed Votes: 0
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Oracle java version "1.7.0_67"
Apache Tomcat 7.0.53
OpenAM 11.0.0

Issue Links:
relates to OPENAM-5429 OATH auth module can not be used in a... Resolved
relates to OPENAM-5598 Adaptive Risk auth module can not be ... Resolved
is related to OPENAM-10971 FR-OATH auth module can not be used i... Resolved
Support Ticket IDs:
Verified Version/s:


Steps to reproduce

  • configure LDAP data store with 'uid' as 'user search attribute'
  • configure ldap auth module with 'mail' as 'Attributes Used to Search for a User to be Authenticated'
  • configure HOTP auth module
  • configure auth chain with required modules LDAP + HOTP

'javax.security.auth.login.name' in the shared state map will be set to the email address entered for LDAP auth.
The HOTP module will retrieve this value and try to fetch the user's attributes from the data store in order to send the email or SMS.

The data store will not be able to find the entry, because its user search attribute is set to 'uid' while the value it is given is the email address.

Excerpt from access log

[03/Nov/2014:21:59:47 +0100] SEARCH REQ conn=7 op=277 msgID=278 base="dc=openam,dc=forgerock,dc=org" scope=wholeSubtree filter="(&(uid=demo@localhost)(objectclass=inetorgperson))" attrs="*"
[03/Nov/2014:21:59:47 +0100] SEARCH RES conn=7 op=277 msgID=278 result=0 nentries=0 etime=1

Excerpt from OpenAM debug log

ERROR: HOTP.sendSMS() : error searching Identities with username : demo@localhost
Message:HTOP:sendSMS : More than one user found

        at com.sun.identity.authentication.modules.hotp.HOTPService.sendHOTP(HOTPService.java:193)
        at com.sun.identity.authentication.modules.hotp.HOTPService.sendHOTP(HOTPService.java:126)
        at com.sun.identity.authentication.modules.hotp.HOTP.process(HOTP.java:233)
        at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1000)
        at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1170)

The HOTP auth module must offer a way to configure a search attribute, which will be used to retrieve profile attributes.
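The mismatch described above, simulated as an added example (this is not OpenAM code; the in-memory directory entries, the function names and the module stand-ins are constructed for illustration). The LDAP step stores the typed login name under `javax.security.auth.login.name` unchanged; the HOTP step then searches the data store with whichever attribute it has been given. Falling back to the data store's own search attribute (`uid`) reproduces the `(&(uid=demo@localhost)(objectclass=inetorgperson))` filter and the zero-entry result from the access log; supplying a module-level search attribute (`mail`), as the requested fix allows, resolves the profile. Filter values are escaped per RFC 4515 so that a typed login name cannot alter the filter structure.

```python
"""Simulation of the auth-chain shared-state lookup mismatch from OPENAM-4856.
Added example, not OpenAM code. Everything below (directory entries, helper
names, the module stand-ins) is a constructed assumption for illustration."""

# Shared-state key named on the page.
SHARED_STATE_LOGIN_NAME = "javax.security.auth.login.name"

# Constructed directory entries (hypothetical users, not taken from the page).
DATA_STORE = [
    {"uid": "demo", "mail": "demo@localhost", "telephoneNumber": "+10000000001"},
    {"uid": "alice", "mail": "alice@example.test", "telephoneNumber": "+10000000002"},
]


def ldap_escape(value):
    """Escape an assertion value per RFC 4515 so user input cannot change the filter."""
    return (value.replace("\\", "\\5c")
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def build_filter(search_attr, value):
    """Build the subtree filter of the shape seen in the access log."""
    return "(&(%s=%s)(objectclass=inetorgperson))" % (search_attr, ldap_escape(value))


def search_identities(search_attr, value):
    """Stand-in for the data-store search: every entry whose attribute equals value."""
    return [e for e in DATA_STORE if e.get(search_attr) == value]


def ldap_module_login(shared_state, typed_name, auth_search_attr="mail"):
    """Stand-in for the LDAP auth module configured to search by 'mail'.
    On success it stores the name exactly as typed into the shared state."""
    if len(search_identities(auth_search_attr, typed_name)) != 1:
        return False
    shared_state[SHARED_STATE_LOGIN_NAME] = typed_name
    return True


def hotp_resolve_profile(shared_state, hotp_search_attr=None, store_search_attr="uid"):
    """Stand-in for the HOTP module's profile lookup. Without a module-level
    search attribute it falls back to the data store's user search attribute.
    Like the logged code path, anything other than exactly one hit is an error
    (the page's debug log prints 'More than one user found' even for nentries=0)."""
    username = shared_state[SHARED_STATE_LOGIN_NAME]
    attr = hotp_search_attr or store_search_attr
    hits = search_identities(attr, username)
    if len(hits) != 1:
        raise LookupError("error searching Identities with username : %s (filter %s, %d entries)"
                          % (username, build_filter(attr, username), len(hits)))
    return hits[0]


def run_chain(typed_name, hotp_search_attr=None):
    """Run LDAP (required) then HOTP (required). Returns the resolved profile
    entry, or the error text the HOTP step would log."""
    shared_state = {}
    if not ldap_module_login(shared_state, typed_name):
        return "LDAP module failed"
    try:
        return hotp_resolve_profile(shared_state, hotp_search_attr)
    except LookupError as exc:
        return str(exc)


if __name__ == "__main__":
    # Reproduces the issue: HOTP searches uid=demo@localhost and finds nothing.
    print(run_chain("demo@localhost"))
    # With a configurable HOTP search attribute the same chain resolves the user.
    print(run_chain("demo@localhost", hotp_search_attr="mail"))
```

The point the simulation makes is that the shared state carries whatever the first module accepted as a login name, not a canonical identifier, so every later module that resolves a profile needs its own notion of which attribute that value corresponds to.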

Comment by Bernhard Thalmayr [ 04/Dec/14 ]

Fixed in 11.0.3 with R11666

Comment by Bernhard Thalmayr [ 17/Dec/14 ]

Fixed in 13.0.0 with R11952

Comment by Bernhard Thalmayr [ 22/Dec/14 ]

Fixed in 12.0.1 with R12002

Comment by Filip Kubáň [X] (Inactive) [ 24/Apr/15 ]

Verified fix on OpenAM 12.0.1

Comment by Michael Alexander [ 08/May/15 ]

Is this fixed? The i18n property value a513 isn't in the 11.0.3 release for the HOTP jar file.
When I try to use the LDAP auth module that searches by mail address I'm getting the failure.

After upgrading from 11.0.2 the new WAR file didn't add the a513 property either. I expected it would.

Generated at Sun Jan 17 15:40:30 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.