IBM Support

WebSphere DataPower SOA Appliance: Unexpected AAA Authentication or Authorization failure despite successful LDAP search

Troubleshooting


Problem

When a AAA policy or ldap-search() is used to authenticate and authorize, the LDAP server returns the search result successfully, but "AAA Authentication Failure" or "AAA Authorization Failure" is logged.

Symptom

Examination of the DataPower log with debug level logging, the probe output, or a packet capture confirms that the LDAP server search returned successful results yet errors similar to the following are logged:

1,20101224T083332Z,default,aaa,warn,xmlfirewall,test-ssl-proxy,347344,1.2.3.4,0x83800015,,request,"ldap authentication failed with (wssec-username, username='CN=UserBob, O=BobsTeam, L=Orlando, ST=FL, C=US' password='********')"
1,20101224T083332Z,default,multistep,error,xmlfirewall,test-ssl-proxy,347344,1.2.3.4,0x1d30001,,request,"AAA Authentication Failure"

20111202T005037Z [aaa][warn] wsgw(WSP1):
tid(4827808)[request][1.2.3.4]: ldap authorization failed with
credential 'cn=thiscn,ou=THATDMZ Users,dc=otherdmz,dc=company,dc=com' for
resource 'CheckService'
20111202T005037Z [multistep][error] wsgw(WSP1):
tid(4827808)[request][1.2.3.4]: AAA Authorization Failure

"Searching LDAP server ldap.ibm.com for 'cn=datapower, ou=DP Groups, dc=l2, dc=ibm, dc=com' failed: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=DP Groups,DC=l2,DC=ibm,DC=com'"

"AAA Authorization Failure"
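To confirm the symptom across a larger log, the following added example (not IBM's code) groups entries by transaction ID and reports each transaction that ended in an AAA failure together with its LDAP warning. The function names are hypothetical, the CSV column positions are an assumption inferred from the sample lines above, and the wrapped text-format entries are joined onto one line each in the constructed sample.

```python
import csv
import io
import re

# Constructed sample: the page's own log lines, with wrapped entries joined.
SAMPLE = '''1,20101224T083332Z,default,aaa,warn,xmlfirewall,test-ssl-proxy,347344,1.2.3.4,0x83800015,,request,"ldap authentication failed with (wssec-username, username='CN=UserBob, O=BobsTeam, L=Orlando, ST=FL, C=US' password='********')"
1,20101224T083332Z,default,multistep,error,xmlfirewall,test-ssl-proxy,347344,1.2.3.4,0x1d30001,,request,"AAA Authentication Failure"
20111202T005037Z [aaa][warn] wsgw(WSP1): tid(4827808)[request][1.2.3.4]: ldap authorization failed with credential 'cn=thiscn,ou=THATDMZ Users,dc=otherdmz,dc=company,dc=com' for resource 'CheckService'
20111202T005037Z [multistep][error] wsgw(WSP1): tid(4827808)[request][1.2.3.4]: AAA Authorization Failure
'''

# Text layout: timestamp [category][level] object: tid(N)[direction][client]: message
TEXT_RE = re.compile(
    r"^(\S+) \[(\w+)\]\[(\w+)\] (\S+): tid\((\d+)\)\[(\w+)\]\[([^\]]+)\]: (.*)$")
FAIL_RE = re.compile(r"AAA (Authentication|Authorization) Failure")


def parse_line(line):
    """Return a normalized record for either log layout, or None."""
    m = TEXT_RE.match(line)
    if m:
        ts, cat, level, _obj, tid, _direction, client, msg = m.groups()
        return {"ts": ts, "category": cat, "level": level,
                "tid": tid, "client": client, "msg": msg}
    # Assumed CSV columns: 1=time, 3=category, 4=level, 7=tid, 8=client, 12=message
    row = next(csv.reader(io.StringIO(line)), [])
    if len(row) >= 13:
        return {"ts": row[1], "category": row[3], "level": row[4],
                "tid": row[7], "client": row[8], "msg": row[12]}
    return None


def aaa_failures(text):
    """Pair each multistep 'AAA ... Failure' with the aaa warnings of the same tid."""
    by_tid = {}
    for line in text.splitlines():
        rec = parse_line(line.strip())
        if rec:
            by_tid.setdefault(rec["tid"], []).append(rec)
    findings = []
    for tid, recs in by_tid.items():
        hits = [FAIL_RE.search(r["msg"]) for r in recs if r["category"] == "multistep"]
        stage = next((h.group(1) for h in hits if h), None)
        if stage is None:
            continue  # transaction did not end in an AAA failure
        detail = [r["msg"] for r in recs
                  if r["category"] == "aaa" and r["msg"].startswith("ldap ")]
        findings.append({"tid": tid, "stage": stage,
                         "client": recs[0]["client"], "ldap_detail": detail})
    return findings
```

A finding with an empty `ldap_detail` list means the AAA failure for that transaction was logged without an accompanying LDAP warning at the captured log level.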

Product: IBM DataPower Gateway (SS9H2Y)
Business Unit: IBM Software (BU048)
Component: General
Platform: Firmware (PF009)
Version: 4.0.2; 4.0.1; 4.0; 3.8.2; 3.8.1; 3.8; 5.0.0
Edition: Edition Independent
Line of Business: Automation Platform (LOB77)


Document Information

Modified date:
15 June 2018

UID

swg21575256