Technical Blog Post
Abstract
Binding mode vs non-Binding authentication policy in B2B Integrator
Body
Sterling B2B Integrator can be configured for external authentication so that users are authenticated against servers such as LDAP or Active Directory. Here is supporting documentation.
It is not uncommon for clients to misconfigure authentication policies in authentication_policy.properties. That leads to authentication errors or Java exceptions, some of which are hard to troubleshoot. I would like to discuss some common mistakes clients might make and a few troubleshooting tips.
I am not discussing obvious properties such as server, port, principal, jndi_factory, etc., as those are self-explanatory.
First, choose whether you want to configure Password binding mode or Password Direct Comparison mode. They work very differently. In non-binding mode, the actual password is retrieved from the server onto B2B, and the B2B client compares it against the password the user entered. In binding mode, the password the user entered is sent to the server, and the server validates its correctness.
The mode is managed through "security.LDAP_AUTHENTICATE_WITH_USER_BIND" and "authentication_policy.authentication_#.with_user_bind". The default value of with_user_bind is false, i.e., non-binding mode.
Next, for both modes, we must define the "search_root" and "search_filter" properties. These are used for looking up the user record on the server. Refer to the links above to see how the user name is used in both modes.
Next is "password_attribute". By now you will have realized that password_attribute is mandatory for non-binding mode, for a simple reason: the B2B client must know the attribute name to use in order to retrieve the password from the server upon successful authorization. Yes, you are absolutely right! So make sure you define it with the right name. It takes different values such as "userPassword", "accountPassword", "msSFUPassword" or something else. You should get this from the LDAP server administrator.
If you use the wrong value for "password_attribute" in non-binding mode, you may encounter an exception (in Authentication.log) similar to the stack below.
java.lang.NullP
at com.sterlingcommerce.woodstock
at com.sterlingcommerce.woodstock
at com.sterlingcommerce.woodstock
at com.sterlingcommerce.woodstock
at com.sterlingcommerce.woodstock
at com.sterlingcommerce.woodstock
at com.sterlingcommerce.woodstock
at com.sterlingcommerce.neo.secur
at com.sterlingcommerce.neo.secur
You may now ask whether "password_attribute" can be ignored for binding mode. Logically it sounds like it can, and the documentation states the same (refer to the screen from the doc below).
But you may encounter an error like the one below in Authentication.log when you skip password_attribute for an authentication_policy in binding mode. So I advise you not to comment out password_attribute but to define it with some random text, since the actual attribute value is not important for binding mode.
user:<username> authorization FAILED. LDAP Authentication Properties (<policy-name>) are not completed.
Another common mistake I have seen is having trailing spaces in properties. Errors from this are really hard and time-consuming to troubleshoot.
Say you wanted to configure a policy for binding mode and set security.LDAP_AUTHENTICATE_WITH_USER_BIND to "true " (note the trailing space). Unfortunately B2B considers it false, hence it will assume non-binding mode, and you will have a hard time troubleshooting the errors that result from this typo.
When you turn DEBUG on for Authentication.log, you will clearly see either of the following. It will help you confirm which mode is in use for a policy.
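The mistakes described above (a with_user_bind value that is not exactly "true" or "false", trailing whitespace, and a missing or commented-out password_attribute) can be checked mechanically. The following is an added example, not code from the original post or from IBM; the function names, the sample values, and the choice to pass both settings in one text are assumptions made for illustration.

```python
import re

# Per-policy keys such as authentication_1.with_user_bind; the
# "authentication_policy." prefix used in the post is accepted but optional.
POLICY_KEY = re.compile(r"^(?:authentication_policy\.)?authentication_(\d+)\.(\w+)$")
REQUIRED = ("search_root", "search_filter", "password_attribute")

def parse_properties(text):
    """Return {key: raw value}. Trailing whitespace in values is kept on purpose."""
    props = {}
    for line in text.splitlines():
        stripped = line.lstrip()
        if not stripped or stripped[0] in "#!" or "=" not in stripped:
            continue  # blank line, comment (including a commented-out key), or no '='
        key, value = stripped.split("=", 1)
        props[key.strip()] = value.lstrip()
    return props

def lint(text):
    """Return sorted (key, finding) pairs for the mistakes described in the post."""
    findings, policies = [], {}
    for key, value in parse_properties(text).items():
        if value != value.rstrip():
            findings.append((key, "trailing whitespace in value"))
        if key.lower().endswith("with_user_bind") and value not in ("true", "false"):
            findings.append((key, "value is not exactly 'true' or 'false'"))
        match = POLICY_KEY.match(key)
        if match:
            policies.setdefault(match.group(1), set()).add(match.group(2))
    for number, names in policies.items():
        for name in REQUIRED:
            if name not in names:
                findings.append((f"authentication_{number}.{name}", "missing or commented out"))
    return sorted(findings)

# Constructed sample (not a real configuration): binding mode intended, but the
# value has a trailing space and password_attribute is commented out.
SAMPLE = "\n".join([
    "security.LDAP_AUTHENTICATE_WITH_USER_BIND=true ",
    "authentication_1.with_user_bind=true",
    "authentication_1.search_root=ou=people,dc=example,dc=test",
    "authentication_1.search_filter=(uid=<userid>)",
    "#authentication_1.password_attribute=userPassword",
])

if __name__ == "__main__":
    for key, finding in lint(SAMPLE):
        print(f"{key}: {finding}")
```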
...performing password comparison directly
...binding as user:
I want to stop here. Please feel free to post your questions/comments.
Here is my previous blog for troubleshooting errors when SSL is enabled for external authentication
UID
ibm11120581