Topic
  • 7 replies
  • Latest Post - 2014-06-25T14:33:57Z by kenhygh
SystemAdmin
6772 Posts

Pinned topic LDAP authentication - custom error message

2013-02-05T04:20:10Z
Is there a way to check if the username was correct, but the password wrong when doing an LDAP authentication?

I need to make this distinction for a back end system (not customer facing).

Thanks,

Jon.
Updated on 2013-02-08T12:24:30Z by HisNibs
  • SystemAdmin
    6772 Posts

    Re: LDAP authentication - custom error message

    2013-02-05T18:43:46Z
    Maybe, how are you doing LDAP authentication?

    You can't make that distinction using an LDAP bind (using a user's DN and password). If you have a separate bind DN and password, you can do an LDAP search to check if the username maps to a DN.
  • HisNibs
    87 Posts

    Re: LDAP authentication - custom error message

    2013-02-06T09:42:05Z
    You have to infer this. You will have to use XSL to generate this as the AAA action log will not easily provide the detail you require (but can see it using debug probe).

    The way the LDAP call is made

    1. search for DN
    2. use DN with password to authenticate
    3. in addition I do an authorise call to check the membership of a group

    <xsl:variable name="SearchUser" select="concat('(&amp;(objectclass=person)(uid=', $Username ,'))')" />
    <!-- $Username is spliced into the filter as-is: a value containing * ( ) or \ changes the
         meaning of the filter, so escape it per RFC 4515 before it reaches this concat() -->

    <xsl:variable name="ldapResultsUser" select="dp:ldap-search('LDAPServerName','389','','','baseDN','dn', $SearchUser, 'sub', '', '','v3')" />

    This initial fragment sets the search string to be used in the dp:ldap-search function call and then in the following XSL we test for the DN and if one is returned we know the search was successful so proceed on to do the dp:ldap-authen

    <!-- $ldapResultsGroup holds the result of the separate group-membership search (step 3 above), which is not shown here -->
    <xsl:choose>
      <xsl:when test="$ldapResultsUser/LDAP-search-results/result/DN/text() != ''">
        <!-- authenticate the user -->
        <xsl:choose>
          <xsl:when test="dp:ldap-authen($ldapResultsUser/LDAP-search-results/result/DN/text(), $Password, 'LDAPServerName')">
            <xsl:choose>
              <xsl:when test="$ldapResultsGroup/LDAP-search-results/result/DN/text() != ''">
                <dp:accept />
              </xsl:when>
              <xsl:otherwise>
                <dp:reject>Authorization failure - you are not authorized to access this resource</dp:reject>
              </xsl:otherwise>
            </xsl:choose>
          </xsl:when>
          <xsl:otherwise>
            <dp:reject>Invalid Username or Password</dp:reject>
          </xsl:otherwise>
        </xsl:choose>
      </xsl:when>
      <xsl:otherwise>
        <dp:reject>Invalid Username or Password</dp:reject>
      </xsl:otherwise>
    </xsl:choose>
  • SystemAdmin
    6772 Posts

    Re: LDAP authentication - custom error message

    2013-02-08T11:32:04Z
    • HisNibs
    • 2013-02-06T09:42:05Z
    Thanks! Very useful, this is what I ended up using -

    <xsl:variable name="ldapResultsUser" select="dp:ldap-search(...)"/>

    <xsl:choose>
      <xsl:when test="$ldapResultsUser/LDAP-search-results/result/DN/text() != ''">
        <!-- user exists, so run authentication -->
        <xsl:choose>
          <xsl:when test="dp:ldap-authen($ldapResultsUser/LDAP-search-results/result/DN/text(), $password, 'IP:PORT')">
            <dp:accept/>
            <result>true</result>
          </xsl:when>
          <xsl:otherwise>
            <dp:reject>Invalid Password</dp:reject>
          </xsl:otherwise>
        </xsl:choose>
      </xsl:when>
      <xsl:otherwise>
        <dp:reject>User does not exist</dp:reject>
      </xsl:otherwise>
    </xsl:choose>

    Cheers,

    Jon.
  • kenhygh
    2357 Posts

    Re: LDAP authentication - custom error message

    2013-02-08T12:22:06Z
    Jon,
    Nice solution.

    I hope whoever gave you this requirement knows that it's a bad security practice to tell someone why their login failed :-)

    Ken
  • HisNibs
    87 Posts

    Re: LDAP authentication - custom error message

    2013-02-08T12:24:30Z
    • kenhygh
    • 2013-02-08T12:22:06Z
    Absolutely agree, but as the saying goes, 'you can lead a horse to water but you cannot make it drink'. Fortunately this is for internal users and this is what they wanted regardless of my protestations; my external clients get a generic error regardless of the issue and there is no debate!
  • muthupandik
    1 Post

    Re: LDAP authentication - custom error message

    2014-06-25T06:03:20Z

    How do I pass the username and an attribute value to an LDAP query?

    <xsl:variable name="SearchUser" select="concat('(&amp;(objectclass=person)(uid=', $Username ,'))')" />

    i.e. in the above line, how do I pass $Username? Is there any DataPower variable available?

    I would like to retrieve the username from the input message, pass it to the LDAP server, check whether that user exists in the LDAP server, and if so authorize the message to pass the processing rule. How do I achieve this?

    --Muthu

  • kenhygh
    2357 Posts

    Re: LDAP authentication - custom error message

    2014-06-25T14:33:57Z

    Muthu,

    DataPower comes with functionality to bind to LDAP in order to do exactly this. What's driving you to try to do it yourself in code?
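The search-then-bind flow from HisNibs's post (search for the DN, bind with DN and password, check group membership) and Muthu's question about getting $Username into the filter, as an added example in plain Python. This is not DataPower code and not the built-in AAA LDAP support Ken refers to: DIRECTORY, ldap_search and ldap_authen are constructed stand-ins for a directory, dp:ldap-search and dp:ldap-authen, so the flow runs offline, and the entries, passwords and group DN are made up. Two points the thread's XSLT leaves implicit are built in: the username is escaped per RFC 4515 before it reaches the filter (the raw concat() in the thread lets a username of `*` match every person), and the distinct failure reason is kept as an internal value while the caller-facing message stays generic unless disclosure is switched on, which is the practice Ken warns about.

```python
"""Search-then-bind LDAP login modelled in Python (added example, not DataPower code).

DIRECTORY, ldap_search and ldap_authen are constructed stand-ins for a directory,
dp:ldap-search and dp:ldap-authen, so the thread's three-step flow runs offline.
The username is escaped per RFC 4515 before it is spliced into the filter, and the
distinct failure reason stays internal unless disclosure is switched on.
"""
import hmac
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Constructed sample directory (made-up entries): DN -> attribute lists.
DIRECTORY = {
    "uid=jon,ou=people,dc=example,dc=com": {
        "objectclass": ["person"], "uid": ["jon"], "userpassword": ["correct-horse"],
        "memberof": ["cn=backend-admins,ou=groups,dc=example,dc=com"]},
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["person"], "uid": ["alice"], "userpassword": ["battery-staple"],
        "memberof": []},
}
GENERIC = "Invalid username or password"  # what a caller-facing login should say

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(username: str, escape: bool = True) -> str:
    """Same filter shape as the thread's SearchUser variable. escape=False
    reproduces the raw concat() so the difference can be observed."""
    uid = escape_filter_value(username) if escape else username
    return f"(&(objectclass=person)(uid={uid}))"

def _parse(f: str, pos: int = 0):
    """Recursive-descent parser for the RFC 4515 subset used here: (&...), (|...)
    and (attr=value) with '*' wildcards. Returns (node, index after the filter)."""
    if f[pos] != "(":
        raise ValueError(f"expected '(' at {pos} in {f!r}")
    pos += 1
    if f[pos] in "&|":
        op, pos, kids = f[pos], pos + 1, []
        while f[pos] == "(":
            node, pos = _parse(f, pos)
            kids.append(node)
        if f[pos] != ")":
            raise ValueError(f"unterminated {op!r} filter in {f!r}")
        return (op, kids), pos + 1
    end = f.index(")", pos)
    attr, value = f[pos:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def _value_matches(pattern: str, actual: str) -> bool:
    # Split on unescaped '*' (wildcard) first, then decode \xx escapes in each piece,
    # so an escaped \2a is compared literally.
    parts = [re.escape(re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), p))
             for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None

def _entry_matches(node, entry) -> bool:
    if node[0] == "&":
        return all(_entry_matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_entry_matches(k, entry) for k in node[1])
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))

def ldap_search(filter_str: str) -> list:
    """Stand-in for dp:ldap-search: DNs of the entries matching the filter."""
    tree, end = _parse(filter_str)
    if end != len(filter_str):
        raise ValueError(f"trailing data after filter in {filter_str!r}")
    return [dn for dn, entry in DIRECTORY.items() if _entry_matches(tree, entry)]

def ldap_authen(dn: str, password: str) -> bool:
    """Stand-in for dp:ldap-authen (simple bind). An empty password is refused before
    any bind: under RFC 4513 5.1.2 a DN plus empty password is an *unauthenticated*
    bind, which a server may accept, and that would look like a successful login."""
    if not password:
        return False
    stored = DIRECTORY.get(dn, {}).get("userpassword", [""])[0]
    return hmac.compare_digest(stored.encode(), password.encode())

def authenticate(username: str, password: str, group_dn: str, disclose: bool = False):
    """Returns (accepted, internal_reason, message). The reason is for logs or a trusted
    back end; the message is the only thing a caller-facing login should show."""
    dns = ldap_search(build_user_filter(username))
    if len(dns) != 1:
        # zero hits = unknown user; several hits = ambiguous uid, and binding as
        # "whichever DN came first" (what result/DN/text() would pick) is never right.
        reason = "user-not-found" if not dns else "ambiguous-user"
        return False, reason, ("User does not exist" if disclose else GENERIC)
    if not ldap_authen(dns[0], password):
        return False, "bad-password", ("Invalid password" if disclose else GENERIC)
    if group_dn not in DIRECTORY[dns[0]]["memberof"]:
        return False, "not-in-group", "Authorization failure - not authorized for this resource"
    return True, "ok", "accepted"
```

Calling authenticate('jon', 'wrong', GROUP) returns (False, 'bad-password', 'Invalid username or password'): the back-end system the original question mentions can act on the reason, while a user-facing form only ever sees the generic message. Compare build_user_filter('*') with build_user_filter('*', escape=False): the escaped filter matches nothing, the raw one matches every person, so the XSLT's `DN/text() != ''` test would pass and the bind would be attempted against whichever DN the search returned first. The empty-password check in ldap_authen is a separate caveat worth carrying over to whatever does the real bind.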