IBM Support

Binding mode vs non-Binding authentication policy in B2B Integrator

Technical Blog Post


Abstract

Binding mode vs non-Binding authentication policy in B2B Integrator

Body

Sterling B2B Integrator allows configuration for external authentication so that users would get authenticated against servers such as LDAP, Active Directory. Here is supporting documentation.

 

It is not uncommon for some clients to misconfigure authentication policies in authentication_policy.properties. That would lead to authentication errors or Java Exceptions some are hard to troubleshoot. I would like to discuss some common mistakes clients might make and few troubleshooting tips.

 

I am not discussing some obvious properties like server, port, principle, jndi_factory etc as those are self explanatory. 

 

Firstly choose whether you are looking to configure Password binding mode or Password Direct Comparison mode. They work very different as in non-bindings mode actual password from server would be retrieved onto B2B, so B2B client compares it against user-entered-password. Where as in bindings mode user-entered-password is sent to server, so server validates correctness of password.

Mode is managed through "security.LDAP_AUTHENTICATE_WITH_USER_BIND" and "authentication_policy.authentication_#.with_user_bind". Default value for with_user_bind=false i.e., non-Binding mode.

 

Next, for both modes, we must define "search_root" and "search_filter" properties. These are used for looking up user record on server. Refer to links above to know how this user name would be used in both modes.

 

Next "password_attribute". By now you would have realized that password_attribute is mandatory for non-binding mode just for a simple reason B2B client must know attribute name to be used in order to retrieve password from server upon successful authorization. Yes, you are absolutely right! So make sure you define it with right name. It takes different values such as "userPassword" or "accountPassword" or "msSFUPassword" or something else. You should know this from LDAP server administrator.

If you use wrong value for "password_attribute" in non-bindings mode, you may encounter exception (in Authentication.log) similar to stack below.

 

java.lang.NullPointerException

       at com.sterlingcommerce.woodstock.security.LDAPAuthentication.isExternallyAuthenticatedViaPasswordComparison(LDAPAuthentication.java:388)

       at com.sterlingcommerce.woodstock.security.LDAPAuthentication.isAuthenticated(LDAPAuthentication.java:177)

       at com.sterlingcommerce.woodstock.security.AuthenticationService.isAuthenticated(AuthenticationService.java:560)

       at com.sterlingcommerce.woodstock.security.SecurityManager.isAuthenticated(SecurityManager.java:523)

       at com.sterlingcommerce.woodstock.security.User.isAuthenticated(User.java:463)

       at com.sterlingcommerce.woodstock.ui.UserAutho.isAuthenticated(UserAutho.java:110)

       at com.sterlingcommerce.woodstock.ui.EntityObject.isAuthorized(EntityObject.java:454)

       at com.sterlingcommerce.neo.security.GISAuthentication.loginWrapped(GISAuthentication.java:361)

       at com.sterlingcommerce.neo.security.GISAuthentication.login(GISAuthentication.java:238)

 

You may ask now if "password_attribute" can be ignored for bindings mode? Logically that sounds like it and also documentation stated same. (refer screen from doc below)

image

But you may encounter an error, as below in Authentication.log, when you skip password_attribute for authetication_policy with bindings mode. So I advise you to not to comment password_attribute but define it with some random text since actual attribute value is not important for bindings mode.

user:<username> authorization FAILED. LDAP Authentication Properties (<policy-name>) are not completed.

 

Another common mistake I have seen is having trailing spaces in properties. Errors from this are real hard to troubleshoot and time-consuming.

Say if you wanted to configure a policy for bindings mode and marked security.LDAP_AUTHENTICATE_WITH_USER_BIND as "true  " (note it has a trailing spaces). Unfortunately B2B considers it false hence it will assume non-bindings mode so you will have hard-time troubleshooting resulting errors from this typo mistakes.

 

When you turn DEBUG on for Authentication.log, you will clearly see either of following. It will help you confirm what mode is in use for a policy.

...performing password comparison directly 
...binding as user:

 

I want to stop here. Please feel free to post your questions/comments.

 

Here is my previous blog for troubleshooting errors when SSL is enabled for external authentication

/support/pages/node/1120971

 

[{"Business Unit":{"code":"BU012","label":"WCE"}, "Product":{"code":"SSMHNK","label":"IBM Sterling B2B Integrator"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":""}]

UID

ibm11120581