Ldap decision node

Hi,

I created an authentication tree in AM which includes an LDAP decision node. I set up "User Creation Attributes". However, this tree is not working correctly: after the LDAP decision node I have seen an "identity not found" error in the debug log. Does this auth node work differently from the chain module?
If I log in with the LDAP (Active Directory) module, users log in correctly and the right values are created in the datastore.

Regards

Hi,

Many things can go wrong - and based on your description it's hardly possible to find the cause. Would you be able to export the node configuration? Also, you could turn debug logging on and examine the logs to see if there is any particular error/exception that can help you troubleshoot?

Regards
Patrick

Hi,

Actually I have created a simple auth tree and just added an LDAP decision node. You can find the JSON config file below. The log files include this message: cannot find username in datastore. But my expectation is that the tree creates the user after a successful LDAP auth. The LDAP source is Active Directory.

regards

{
  "metadata" : {
    "realm" : "/mfa",
    "amsterVersion" : "7.3.0",
    "entityType" : "AuthTree",
    "entityId" : "treeAD",
    "pathParams" : { }
  },
  "data" : {
    "_id" : "treeAD",
    "uiConfig" : { },
    "entryNodeId" : "535fe82c-9835-42f3-97b2-8e360bc1bd8d",
    "nodes" : {
      "518a735f-4b6f-4d51-9f6c-ac2c560efeb4" : {
        "displayName" : "LDAP Decision",
        "nodeType" : "LdapDecisionNode",
        "x" : 481,
        "y" : 226,
        "connections" : {
          "FALSE" : "e301438c-0bd0-429c-ab0c-66126501069a",
          "LOCKED" : "e301438c-0bd0-429c-ab0c-66126501069a",
          "CANCELLED" : "e301438c-0bd0-429c-ab0c-66126501069a",
          "EXPIRED" : "e301438c-0bd0-429c-ab0c-66126501069a",
          "TRUE" : "154d628f-d116-4bc1-9986-f3dc4dcc268f"
        }
      },
      "535fe82c-9835-42f3-97b2-8e360bc1bd8d" : {
        "displayName" : "Page Node",
        "nodeType" : "PageNode",
        "x" : 151,
        "y" : 52,
        "connections" : {
          "outcome" : "518a735f-4b6f-4d51-9f6c-ac2c560efeb4"
        }
      },
      "154d628f-d116-4bc1-9986-f3dc4dcc268f" : {
        "displayName" : "Debug Node",
        "nodeType" : "DebugNode",
        "x" : 727,
        "y" : 76.5999755859375,
        "connections" : {
          "outcome" : "70e691a5-1e33-4ac3-a356-e7b6d60d92e0"
        }
      }
    },
    "staticNodes" : {
      "startNode" : {
        "x" : 50,
        "y" : 25
      },
      "70e691a5-1e33-4ac3-a356-e7b6d60d92e0" : {
        "x" : 1030,
        "y" : 78
      },
      "e301438c-0bd0-429c-ab0c-66126501069a" : {
        "x" : 962,
        "y" : 417
      }
    }
  }
}

Hi @aa1,

The JSON file is the journey configuration - it does not include the LDAP Decision node configuration. Please locate the node configuration with id=518a735f-4b6f-4d51-9f6c-ac2c560efeb4 in the Amster exported files.

In order to troubleshoot, verify that:

  • The LDAP server host:port is correct
  • The proper protocol is correct (e.g. LDAP or LDAPS)
  • The base DN for user identities is correct
  • and of course, credentials are correct

Since the LDAP module is working as expected, you could look into the realm’s Identity Store configuration and compare with the LDAP decision node configuration.

Regards
Patrick

Hi,

I am sorry for the misunderstanding. You can find the LDAP decision node export file below. All configuration is correct in the Decision node. If the user exists in the data store, the LDAP decision node works correctly. If a user doesn't exist, the decision passes OK to authentication but doesn't create a user in the data store.

Regards

{
  "metadata" : {
    "realm" : "/mfa",
    "amsterVersion" : "7.3.0",
    "entityType" : "LDAPDecision",
    "entityId" : "518a735f-4b6f-4d51-9f6c-ac2c560efeb4",
    "pathParams" : { }
  },
  "data" : {
    "_id" : "518a735f-4b6f-4d51-9f6c-ac2c560efeb4",
    "userProfileAttribute" : "sAMAccountName",
    "searchFilterAttributes" : [ "sAMAccountName" ],
    "primaryServers" : [ "192.168.56.197:389" ],
    "ldapConnectionMode" : "LDAP",
    "trustAllServerCertificates" : false,
    "heartbeatInterval" : 10,
    "returnUserDn" : false,
    "searchScope" : "SUBTREE",
    "heartbeatTimeUnit" : "SECONDS",
    "secondaryServers" : [ ],
    "ldapOperationsTimeout" : 0,
    "userCreationAttrs" : [ "sn|sn", "cn|cn", "uid|sAMAccountName", "mail|mail", "givenName|givenName" ],
    "minimumPasswordLength" : 8,
    "accountSearchBaseDn" : [ "OU=Mylab Users,DC=testdomain,DC=local" ],
    "adminPassword" : null,
    "adminDn" : "CN=iam bind,CN=Users,DC=testdomain,DC=local",
    "beheraEnabled" : false,
    "mixedCaseForPasswordChangeMessages" : false,
    "_type" : {
      "_id" : "LdapDecisionNode",
      "name" : "LDAP Decision",
      "collection" : true
    },
    "_outcomes" : [ {
      "id" : "TRUE",
      "displayName" : "True"
    }, {
      "id" : "FALSE",
      "displayName" : "False"
    }, {
      "id" : "LOCKED",
      "displayName" : "Locked"
    }, {
      "id" : "CANCELLED",
      "displayName" : "Cancelled"
    }, {
      "id" : "EXPIRED",
      "displayName" : "Expired"
    } ]
  }
}

Hi @aa1

Can you place a Debug node just after the LDAP Decision node, and show what’s displayed?

The creationUserAttributes, I think, is for dynamic provisioning, and I believe will only be triggered for an existing user. Have you checked that an existing user (in the directory configured for the LDAP Decision Node) is provisioned to the realm's Identity Store?

Regards
Patrick

Note that I think the LDAP Decision Node does not perform any user creation or update - just a password change if needed. Then I am not certain whether the shared state is updated with the user details (the creation user attributes), hence I am interested to see the shared state displayed by the Debug Node.

Hi,

The LDAP Decision node works correctly for an existing user. I think the same as you: the LDAP decision just checks the password. However, why does this node include user creation attribute settings? You can find the debug output below.

{
  "transactionId": "8dbc2467-1d28-44cc-a1d7-e7deeb64f4f6-637",
  "password": "xxxxxxxx",
  "pageNodeCallbacks": {
    "0": 0,
    "1": 1
  },
  "realm": "/",
  "authLevel": 0,
  "username": ""
}

Regards

Hi @aa1,

Do you have shared state output from the Debug node?

https://backstage.forgerock.com/docs/auth-node-ref/7.3/am-only/auth-node-debug.html

And enable the debug popup, place it just after the LDAP decision node, and test for both an existing and a non-existing user.

Regards
Patrick

Hi

Actually, UniversalId is different for existing and non-existing users. Existing users have a UniversalId, while non-existing users do not. You can find a screenshot for the debug node. However, OpenAM creates a session for non-existing users, but after the LDAP decision node, error messages are thrown to the log file by the system and the login page is down.

Regards

Hi @aa1

What do you mean by:

  • Non existing user: where? Non existing in the directory server configured for the LDAP Decision node? Or in AM’s identity store?
  • Login page is “down”? What do you mean by “down”?

Regards
Patrick

Hi,

I am sorry for the misunderstanding.

A non-existing user means the user does not exist in the AM identity store.
"The login page is down" was wrong. The login page failed to load and cannot redirect to the successful login page. I looked at the log files and the error message says that the username is not found in the identity store.

Regards

Thank you @aa1, now I understand better.

So the LDAP decision Node will not provision anything, and as I understand now, only username should be set in shared state (as is indeed shown in the Debug node traces).

If you set AM console > Authentication > Settings > User Profile > User Profile = Ignored, can you confirm that the user is successfully authenticated even if not in the data store?

Otherwise, if you set it to “dynamic” AM might be able to create the user profile - can you check that as well, as I am not 100% certain about this - in this case only the username would be set - unless you’re able to retrieve the user attributes and update the user profile with a scripted decision node. You could use the LDAP Query Node [ ForgeRock Marketplace ] to retrieve the user attributes.

Regards
Patrick

Hi,

Thank you for your interest. I agree with you, the LDAP decision node cannot send any user attribute from the user creation settings. I am wondering why these settings are in the node configuration. This causes misunderstanding. If I change the user profile settings to ignore, I can create a session but I cannot use any user attribute. I tried dynamic user profile, but it is not a solution. The only solution, as you said, is to use the script decision node.

Best Regards.

As a followup, I have been told that the “dynamic” user profile should work with the LDAP Module, but will not work with the LDAP Decision Node. However I have been successful in crafting a solution using the Dynamic Provision Node coupled with a Scripted Decision node to format the shared state as expected by the node.

Basically:

[ LDAP Decision Node ] (success) —> [ Scripted Decision Node ] → [ Dynamic Provision Node ] —> [ SUCCESS ]

And the script (using hard-coded values):

// Username left in shared state by the LDAP Decision Node
var username = nodeState.get("username").asString();

// Shared-state object consumed by the Dynamic Provision Node;
// attribute values are hard-coded here for illustration
nodeState.putShared("userInfo", {
  "userNames" : [username],
  "attributes":
    {
      "uid" : [username],
      "mail" : ["temp@example.com"],
      "sn" : [ "lastname" ],
      "givenName" : [ "firstname" ]
    }
});

The user entry from the directory server configured for the LDAP Decision Node can be captured by the market place node as I mentioned earlier, or just develop your own custom Java node that combines all in one.

Now, if you have IDM in the deployment (and this is then a platform install), then you could use a different strategy - establish a connector to the directory server with IDM, use a Pass-Through authentication in the journey, then retrieve the user attributes with a scripted node using IDM's system endpoint, store them in shared state (as "objectAttributes") and follow up with the Create Object Node.

Regards
Patrick

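The post above hard-codes the attribute values. The following is an added example, not Patrick's script or any ForgeRock code: it builds the same "userInfo" shared-state object for the Dynamic Provision Node, but derives the attributes from a directory entry using the "local|ldap" pair syntax of the node's userCreationAttrs setting (the pairs here are copied from the exported configuration earlier in the thread). The entry shape, the "ldapEntry" shared-state key, and the assumption that a preceding node (such as the LDAP Query marketplace node) stored the entry as a JSON string are all assumptions of this example; the SAMPLE_ENTRY is constructed.

```javascript
// Added example: map a directory entry into the Dynamic Provision Node's "userInfo" shape.
// The pairs below are the userCreationAttrs from the exported LDAP Decision node config.
var USER_CREATION_ATTRS = ["sn|sn", "cn|cn", "uid|sAMAccountName", "mail|mail", "givenName|givenName"];

// Parse "local|remote" pairs into {local: remote}; a bare name maps to itself.
function parseAttrMapping(pairs) {
  var mapping = {};
  for (var i = 0; i < pairs.length; i++) {
    var parts = String(pairs[i]).split("|");
    var local = parts[0].trim();
    var remote = (parts.length > 1 ? parts[1] : parts[0]).trim();
    if (local) mapping[local] = remote;
  }
  return mapping;
}

// Normalise a directory value (scalar or multi-valued) to the array form the node expects.
function toValueList(value) {
  if (value === undefined || value === null) return [];
  if (Array.isArray(value)) return value.map(String);
  return [String(value)];
}

// Build userInfo. Attributes missing from the entry are omitted rather than written as empty
// values, and "uid" always falls back to the authenticated username so the profile is keyed.
function buildUserInfo(username, entry, pairs) {
  var mapping = parseAttrMapping(pairs);
  var attributes = {};
  for (var local in mapping) {
    if (!mapping.hasOwnProperty(local)) continue;
    var values = toValueList(entry[mapping[local]]);
    if (values.length > 0) attributes[local] = values;
  }
  if (!attributes.uid || attributes.uid.length === 0) attributes.uid = [username];
  return { userNames: [username], attributes: attributes };
}

// Constructed sample entry, standing in for what an LDAP query node would return.
var SAMPLE_ENTRY = {
  sAMAccountName: "jdoe",
  cn: "John Doe",
  sn: "Doe",
  givenName: "John",
  mail: ["jdoe@testdomain.local"]
};

// Wiring inside an AM scripted decision node (assumption: the AM 7.x nodeState API).
// "ldapEntry" is a hypothetical key assumed to hold the entry as a JSON string.
if (typeof nodeState !== "undefined") {
  var username = nodeState.get("username").asString();
  var stored = nodeState.get("ldapEntry");
  var entry = stored ? JSON.parse(String(stored)) : {};
  nodeState.putShared("userInfo", buildUserInfo(username, entry, USER_CREATION_ATTRS));
  outcome = "true";
}
```

Run outside AM, the guard at the end is skipped and buildUserInfo(username, entry, pairs) can be exercised directly; inside a scripted decision node the script writes the resulting object to shared state, so the Dynamic Provision Node that follows receives real directory values instead of placeholders. For a user whose entry yields no attributes the profile is still created with the uid alone, which mirrors the "only the username would be set" behaviour discussed earlier in the thread.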

Hi,

Thanks for the info. I will try these trees. Thanks a lot again.

Best regards
