LDAP authentication using sAMAccountName not working

mbm
Explorer

Our Apigee is set up to use externalized authentication, using LDAP to connect to Active Directory (AD). This setup is a direct binding.

It works fine: users can authenticate by logging in with the user e-mail registered in Apigee and the password controlled by Active Directory.

In the management.properties we have set up the following:

conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName
conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName

We would like to allow users to login using their user id, which is also registered in AD, using the attribute sAMAccountName.

We changed management.properties as documented by Apigee:

conf_security_externalized.authentication.user.store.user.attribute=sAMAccountName

This does not work, however. The user cannot authenticate, neither with the user id nor with the email. I would expect this behaviour: Apigee uses the user id and password as entered in the Edge UI to authenticate (using the sAMAccountName attribute for lookup), resolves the user email attribute from LDAP via userPrincipalName, and then proceeds to authorize using the e-mail for the user in Apigee.

We have tried this setup using direct binding as well as indirect binding, and neither works.

In an earlier post from 2017 in this forum, this was described and apparently identified as a known bug (please see https://community.apigee.com/questions/44516/apigee-edge-ldap-integration.html), but having read through the release notes I cannot find evidence of this bug being fixed.

1. Is this (still) a known bug, affecting version 4.18.05?

2. If fixed, which version of Apigee has the fix?

3. Are there any workarounds for this?

1 REPLY

mbm
Explorer

Stacktrace:

pool-5-thread-5 ERROR SERVICES.RBAC - AuthenticationServiceImpl.authenticateAndGetRoleDetails() : Authentication Failed
java.lang.NullPointerException: null
    at com.apigee.rbac.datastore.ldap.PasswordPolicyHelper.getString(PasswordPolicyHelper.java:70) ~[rbac-1.0.0.jar:na]
    at com.apigee.rbac.datastore.LdapDataStore.getUserEmailByUserId(LdapDataStore.java:2258) ~[rbac-1.0.0.jar:na]
    at com.apigee.rbac.impl.LdapAuthenticatorImpl.authenticate(LdapAuthenticatorImpl.java:87) ~[rbac-1.0.0.jar:na]
    at com.apigee.rbac.impl.AuthenticationServiceImpl$ExecuteAuthentication.call(AuthenticationServiceImpl.java:537) ~[rbac-1.0.0.jar:na]
    at com.apigee.rbac.impl.AuthenticationServiceImpl$ExecuteAuthentication.call(AuthenticationServiceImpl.java:515) ~[rbac-1.0.0.jar:na]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_171]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[na:1.8.0_171]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[na:1.8.0_171]
    at java.lang.Thread.run(Thread.java:748) ~[na:1.8.0_171]
pool-5-thread-5 ERROR REST - CustomJAXRSInvoker.performInvocation() : CustomJAXRSInvoker.performInvocation : Method com.apigee.security.SecurityServiceImpl.authenticateAndGetExpiry threw an exception.
pool-5-thread-5 ERROR REST - ExceptionMapper.toResponse() : Error occurred : Invalid EmailId Password for authentication
    com.apigee.security.SecurityServiceImpl.authenticateAndGetExpiry(SecurityServiceImpl.java:238)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
pool-5-thread-4 ERROR REST - CustomJAXRSInvoker.performInvocation() : CustomJAXRSInvoker.performInvocation : Method com.apigee.security.SecurityServiceImpl.authenticate threw an exception.
pool-5-thread-4 ERROR REST - ExceptionMapper.toResponse() : Error occurred : Invalid EmailId Password for authentication
    com.apigee.security.SecurityServiceImpl.authenticate(SecurityServiceImpl.java:225)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
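The following is an added illustration, not Apigee's code and not posted by mbm. It models the flow the question expects from the two management.properties keys (search the directory by the configured user attribute, bind as the matched entry, then resolve the configured email attribute), using an in-memory stand-in for Active Directory so it runs offline. The sample entries, passwords and DNs are constructed; the functions `escape_filter_value`, `resolve_login` and `authenticate` are this example's own names. It adds two things the post does not spell out: RFC 4515 escaping of the login id, which becomes user-controlled input inside a search filter once user.attribute is switched to sAMAccountName, and an explicit error for an entry with no value for the email attribute, which is the null that the trace above shows being dereferenced in getUserEmailByUserId().

```python
"""Model of the search-then-bind login flow the post expects from Apigee Edge's
externalized LDAP authentication.  Added example with an in-memory stand-in for
Active Directory; it is not Apigee's code and contacts no LDAP server."""
import hmac
import re
from dataclasses import dataclass

# Constructed sample entries.  "_password" stands in for the password that the
# user bind would check; the third entry deliberately lacks userPrincipalName.
DIRECTORY = {
    "CN=Jane Doe,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "jdoe",
        "userPrincipalName": "jane.doe@example.com",
        "_password": "correct-horse",
    },
    "CN=John Roe,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "jroe",
        "userPrincipalName": "john.roe@example.com",
        "_password": "battery-staple",
    },
    "CN=svc-legacy,OU=Service,DC=example,DC=com": {
        "sAMAccountName": "svc-legacy",
        "_password": "hunter2",
    },
}


@dataclass(frozen=True)
class LdapConfig:
    """The two management.properties keys from the post, as fields."""
    user_attribute: str        # ...user.store.user.attribute
    email_attribute: str       # ...user.store.user.email.attribute
    escape_login: bool = True  # False shows what an unescaped filter does


class AuthError(Exception):
    pass


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the login id is user input that lands inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _matches(pattern: str, value: str) -> bool:
    """Evaluate (attr=pattern) as a directory would: '*' is a wildcard, '\\2a' a
    literal star.  Case-insensitive, like AD's sAMAccountName matching rule."""
    parts = [_unescape(p).lower() for p in pattern.split("*")]
    value = value.lower()
    if len(parts) == 1:
        return value == parts[0]
    if len(value) < len(parts[0]) + len(parts[-1]):
        return False
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    pos, end = len(parts[0]), len(value) - len(parts[-1])
    for mid in parts[1:-1]:
        i = value.find(mid, pos, end)
        if i < 0:
            return False
        pos = i + len(mid)
    return True


def search(directory: dict, attr: str, pattern: str) -> list:
    """The service-account search of an indirect bind: DNs matching (attr=pattern)."""
    return [dn for dn, e in directory.items() if attr in e and _matches(pattern, e[attr])]


def resolve_login(directory: dict, cfg: LdapConfig, login: str) -> list:
    """Step 1: turn what the user typed into a lookup on cfg.user_attribute."""
    value = escape_filter_value(login) if cfg.escape_login else login
    return search(directory, cfg.user_attribute, value)


def authenticate(directory: dict, cfg: LdapConfig, login: str, password: str) -> str:
    """Steps 2 and 3: bind as the single matched entry, then return the value of
    cfg.email_attribute, which is the identity Apigee authorizes against."""
    hits = resolve_login(directory, cfg, login)
    if len(hits) != 1:
        raise AuthError("login must resolve to exactly one entry, got %d" % len(hits))
    dn = hits[0]
    entry = directory[dn]
    if not hmac.compare_digest(entry["_password"], password):  # stand-in for the user bind
        raise AuthError("bind failed for " + dn)
    email = entry.get(cfg.email_attribute)
    if email is None:
        # The case in the trace: no value for the email attribute.  Fail explicitly
        # rather than dereference a null further down the stack.
        raise AuthError("%s has no %s attribute" % (dn, cfg.email_attribute))
    return email


def login_result(directory: dict, cfg: LdapConfig, login: str, password: str) -> str:
    """'ok:<email>' on success, 'error:<reason>' otherwise."""
    try:
        return "ok:" + authenticate(directory, cfg, login, password)
    except AuthError as exc:
        return "error:" + str(exc)


if __name__ == "__main__":
    by_email = LdapConfig("userPrincipalName", "userPrincipalName")
    by_id = LdapConfig("sAMAccountName", "userPrincipalName")
    print(login_result(DIRECTORY, by_email, "jane.doe@example.com", "correct-horse"))
    print(login_result(DIRECTORY, by_id, "jdoe", "correct-horse"))
    print(login_result(DIRECTORY, by_id, "svc-legacy", "hunter2"))
    print(resolve_login(DIRECTORY, LdapConfig("sAMAccountName", "userPrincipalName", False), "*"))
```

Against a real directory the same two checks are worth running before flipping user.attribute: confirm with the service account that a search on (sAMAccountName=<id>) returns exactly one entry, and that every account expected to log in has the email attribute populated, since an entry without it cannot be mapped to an Apigee user no matter which login attribute is configured.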