7018658: Random login failures to ADLDS user store due to search request for CN on user connection

This document (7018658) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Access Manager 4.3

Situation

NAM Identity Server has LDAP user and admin connections … the LDAP admin connections are used to search for the user's FDN and any attributes the user requires. The LDAP user connections are used only to perform the bind and validate the user's credentials.

With NAM 4.3, when many logins occur in quick succession, we see requests for the user's CN sent over the user connection. With ADLDS, the user has no rights to read their own cn attribute, and this causes login failures.
A LAN trace taken during a login failure shows the problematic search for the CN attribute on the user connection, together with an LDAP rebind option. This LDAP rebind option appears to trigger the search for the user's CN attribute.

Resolution

Assign the user read rights to their own cn attribute.
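To confirm the fix without waiting for a burst of logins, the following script (an added example, not part of this article or of NAM) reproduces what the user connection does: it binds as the user and reads the user's own cn. Host, port, the user DN and password are assumed values, and the script requires the ldap3 package.

```python
"""Check whether a user can read its own cn over a plain user bind."""


def classify_cn_lookup(bind_ok: bool, search_ok: bool, attributes: dict) -> str:
    """Interpret the outcome of a self-search for cn.

    When the bound user lacks read rights on an attribute, AD LDS normally
    returns the entry with that attribute omitted rather than an error, so a
    search that 'succeeds' can still be missing the cn NAM is looking for.
    """
    if not bind_ok:
        return "bind-failed"          # wrong password or account problem
    if not search_ok:
        return "search-failed"        # e.g. no read right on the entry itself
    if not attributes.get("cn"):
        return "cn-not-readable"      # the symptom described in this article
    return "ok"


def check_self_cn(host: str, port: int, user_dn: str, password: str,
                  use_ssl: bool = True) -> str:
    """Bind as the user and read the user's own cn, like NAM's user connection."""
    # Imported inside the function so classify_cn_lookup stays usable offline.
    from ldap3 import BASE, Connection, Server

    server = Server(host, port=port, use_ssl=use_ssl)
    conn = Connection(server, user=user_dn, password=password)
    bind_ok = conn.bind()             # simple bind with the user's credentials
    search_ok = False
    attributes = {}
    if bind_ok:
        # Base-scope search on the user's own entry, asking only for cn.
        search_ok = conn.search(search_base=user_dn,
                                search_filter="(objectClass=*)",
                                search_scope=BASE,
                                attributes=["cn"])
        if search_ok and conn.entries:
            attributes = dict(conn.entries[0].entry_attributes_as_dict)
    conn.unbind()
    return classify_cn_lookup(bind_ok, search_ok, attributes)


if __name__ == "__main__":
    # Assumed values: replace with your AD LDS instance and a test user.
    print(check_self_cn("adlds.example.com", 636,
                        "CN=jdoe,OU=Users,DC=example,DC=com", "password"))
```

A result of "cn-not-readable" means the user bound successfully but still cannot read its own cn, so the read right from the Resolution has not taken effect for that user.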

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.
